| HELP Download trojan virus
Belt.exe
I have Norton antivirus
it has latest definitions
today it identified a virus
report says
Belt.exe within C:\Documents and settings\one of my user names\Local settings\Temp\Belt.cab
is infected with the Download Trojan virus
There was 2 files
Tried to quaranteen them 1 did but no joy with the other
tried to delete that one and it says it cant
read up on their further recommendations and it says to disable restore ( on XP)
and scan in safe mode have done this it detected it but was unable to fix it
Tried adaware and spybot found loads of stuff but not what i was looking for
have looked on google and am now onto my third trojan detection program
It has detected loads of stuff but still not the one im looking for
Im now stuck over to you guys any ideas
Belt.exe and Susp.exe
Belt.exe and Susp.exe is part of the Transponder Better Internet Gang
Dec 11, 2003
As of Dec 10, 2003, I now have
a sample of every known transponder from the first one that appeared in 1999
(IEHelper.dll) to the two newest ones that are now being seen on the Internet
which are Belt.exe and Susp.exe.
Although many think both are
trojans or viruses, they are in fact programs that work in conjunction with
the Bi.dll for management of the popup advertising that is foisted by
offeroptimizer.com
which is registered to Alan Murray.
From inside the code of the Belt.exe
and Susp.exe, they both have the same coding and information which directly
links Better Internet Inc. to IPInsight.com that is not accessable but its server
still is and is registered to Daniel Kaufman that was the CEO of Dash.com
with Joshua Abram who is linked to Direct-Revenue.com and aBetterInternet.com,
and the rest of the transponder sites with Alan Murray. All of which can be
linked to Blackstonedata and VX2.cc.
The Fies:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.
Container Belt.cab contains Belt.exe, Belt.ini, Belt.inf
Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe
Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.
Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf
The Code I found using NotePad:
Belt.exe code
V S _ V E R S I O N _ I N F O
S t r i n g F i l e I n f o 0 4 0 9 0 4 b 0
C o m m e n t s
C o m p a n y N a m e B e t t e r
I n t e r n e t I n c
F i l e D e s c r i p t i o n
w w w . a b e t t e r i n t e r n e t . c o m 6
F i l e V e r s i o n 0 , 1 ,
1 , 3
I n t e r n a l N a m e F
L e g a l C o p y r i g h t C o p y r i g h t ©
2 0 0 2
L e g a l T r a d e m a r k s
O r i g i n a l F i l e n a m e
P r i v a t e B u i l d
P r o d u c t N a m e :
P r o d u c t V e r s i o n 0 , 1 , 1
, 3
S p e c i a l B u i l d D
V a r F i l e I n f o $
T r a n s l a t i o n
S e n t r y S t u b . e x e i s a s
t u b i n s t a l l e r
f o r t h e c o m p a n y ' s I P - S
e n t r y
a p p l i c a t i o n - b o t h d i s t r i b u t
e d b y
I P - I n s i g h t C o r p o r a t i o n , a D e l a
w a r e
C o r p o r a t i o n .
P l e a s e s e e h t t p : / / w w w . i p i n s
i g h t . c o m f o r m o r e d e t a i
l s
Susp.exe code
V S _ V E R S I O N _ I N F O
S t r i n g F i l e I n f o `0 4 0 9 0 4 b 0
C o m m e n t s
C o m p a n y N a m e B e t t e r
I n t e r n e t I n c .
F i l e D e s c r i p t i o n
w w w . a b e t t e r i n t e r n e t . c o m 6
F i l e V e r s i o n 0 , 1 ,
1 , 3
I n t e r n a l N a m e F
L e g a l C o p y r i g h t C o p y r i g h t ©
2 0 0 2
L e g a l T r a d e m a r k s
O r i g i n a l F i l e n a m e
P r i v a t e B u i l d
P r o d u c t N a m e :
P r o d u c t V e r s i o n 0 , 1 , 1
, 3
S p e c i a l B u i l d D
V a r F i l e I n f o $
T r a n s l a t i o n
S e n t r y S t u b . exe is a s t u b i n s t a
l l e r f o r
the c o m p a n y ' s I P - S e n t r y a p p l i c a t
i o n
- b o t h d i s t r i b u t e d b y
I P - I n s i g h t C o r p o r a t i o n ,
a D e l a w a r e C o r p o r a t i o n .
P l e a s e s e e h t t p : / / w w w . i p i n s i
g h t . c o m f o r m o r e d e t a i l
s .
The Original Sentry.exe from IP-Insight
File Properties:
Company: IP-Insight Corporation
Sentry.exe
Size: 76.0 KB (77,824 bytes)
Version: 0, 0, 1, 3
Internal Name: SentryStub
Original Name: SentryStub.exe
Product Name: IP-Sentry Stub
Comments: SentryStub.exe is a stub installer for the company's
IP-Sentry application -both distributed by IP-Insight Corporation, a
Delaware Corporation. Please see http://www.ipinsight.com for more details.
NOTE: Ad-Aware 6.181 with current Reference file detects all 3 objects
Softpanorama Recommended
Transponder AdWare
Program (Guest)
Information
about Transponder (and derivatives)
SpywareInfo:
Aadcom
and.doxdesk.com
Parasite Detection Script - Alerts you if you have VX2, Toptext, etc. parasites
installed!
BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to remove
Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder parasite
in action on an infected system. Note: In the video are pictures of "adult" popup
ads--as always, view at your own discretion.
VX2 Homepage -
some mentions of what it does and removal info.
Credits
Blackstone Data Transponder was and continues to be among the most difficult
pieces of spyware to research. This would not be possible without the huge amounts
of help and information provided by Robert (dualsmp),
Dingo (SpywareInfo),
Andrew (and.doxdesk.com)
and others, as well as the grc.spyware community. A big thanks to everyone!
If anyone I have forgotten, please let me know!
"All trademarks are hereby acknowledged as the property of their respective owners."
So don't even THINK about suing me :)
Registry Keys
HKEY_CLASSES_ROOT\clsid\{00000000-59d4-4008-9058-080011001200}
HKEY_CLASSES_ROOT\clsid\{00000049-8f91-4d9c-9573-f016e7626484}
HKEY_CLASSES_ROOT\clsid\{000006b1-19b5-414a-849f-2a3c64ae6939}
HKEY_CLASSES_ROOT\clsid\{38601801-2ff5-4a62-95da-d2007161c1b4}
HKEY_CLASSES_ROOT\clsid\{79849612-a98f-45b8-95e9-4d13c7b6b35c}
HKEY_CLASSES_ROOT\clsid\{ddffa75a-e81d-4454-89fc-b9fd0631e726}
HKEY_CLASSES_ROOT\dlmaxdll.dlmaxdllobj
HKEY_CLASSES_ROOT\dlmaxdll.dlmaxdllobj.1
HKEY_CLASSES_ROOT\interface\{bb0d5adc-028d-4185-9288-722ddce2c757}
HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser
helper objects\{000006b1-19b5-414a-849f-2a3c64ae6939}
HKEY_CLASSES_ROOT\tpusn
HKEY_CLASSES_ROOT\tpusn tpusn_once 1
HKEY_CLASSES_ROOT\typelib\{230c3786-1c2c-45bd-9d2d-9d277fce6289}
HKEY_CLASSES_ROOT\typelib\{92daf5c1-2135-4e0c-b7a0-259abfcd3904}
HKEY_CURRENT_USER\software\dlmax
HKEY_LOCAL_MACHINE\software\classes\clsid\{ddffa75a-e81d-4454-89fc-b9fd0631e726}
HKEY_LOCAL_MACHINE\software\dbi
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{30000273-8230-4dd4-be4f-6889d1e74167}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{79849612-a98f-45b8-95e9-4d13c7b6b35c}
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\guardian
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser
helper objects\{00000049-8f91-4d9c-9573-f016e7626484}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser
helper objects\{00000097-7c67-4ba6-8b42-05128941688a}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser
helper objects\{000006b1-19b5-414a-849f-2a3c64ae6939}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/kmg14100.exe\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/kmg14100.exe\{30000273-8230-4dd4-be4f-6889d1e74167}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\59ac6bev
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\belt
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\lkmkrlj
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved\{ddffa75a-e81d-4454-89fc-b9fd0631e726}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\abi-1
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\dbi
HKEY_LOCAL_MACHINE\software\twaintec
Manual Removal
How to
remove Aurora-Nailfix - TechSpot OpenBoardsMethod 1) Manually.
---------------------
NOTE: this text was copied from
TheJoker on the BroadbandReports Forum
http://www.broadbandreports.com/forum/remark,13685446
You may want to
print out or make a copy of these instructions before starting, because
you will not be able to
connect to the internet during most of this fix.
Please download, install, and update the free version of Ewido trojan
scanner:
http://www.ewido.net/en/download/
- When installing, under "Additional Options" uncheck "Install background
guard" and "Install
scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could
not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on
update in the left menu, then
click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update
successful")
- Exit Ewido. DO NOT scan yet.
Download CCleaner from
http://www.ccleaner.com/ccdownload.asp and install, but do not run it yet.
Please download the Nail/Aurora Spyware Fix from
http://www.noidea.us/easyfile/file....050515010747824. (Alternate download
link: dknoppix mirror
http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix)
Unzip it to the desktop but do NOT run yet.
Reboot into Safe Mode. To do this with
Windows XP, you can follow these steps from
Microsoft:
- Restart your computer and start pressing the F8 key on your keyboard. On a
computer that is configured for booting to multiple
operating systems, you can press the F8 key when you the Boot Menu appears.
- Select an option when the Windows Advanced Options menu appears, and then
press ENTER.
- When the Boot menu appears again, and the words "Safe Mode" appear in blue
at the bottom, select the installation that you want to start, and then press
ENTER.
Once in Safe Mode, please double-click on nailfix.cmd that you unzipped
earlier. Your
desktop and icons will disappear and reappear, and a window should open
and close very quickly --- this is normal.
Next, run CCleaner.
- Uncheck "Cookies" under "Internet Explorer".
-
If you are running Firefox: ,then click on the "Applications" tab and
uncheck "Cookies" under "Firefox".
- Click on Run Cleaner in the lower right-hand corner. This can take quite a
while to run.
Now run Ewido again.
- Click on the Scanner button in the left menu, then click on the
Start button. This scan can take quite a while to run, so time to go get
a drink and a snack....
- If Ewido finds anything, it will
pop up a notification. You can select "clean" and check the boxes "Perform
action with all infections" and "Create encrypted backup" before clicking on
OK.
- When the scan finishes, click on "Save Report". This will create a
text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the
following items:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
ANY O2 - BHO: that has (file missing)
ANY O2 - BHO: that has (no name) AND (no file)
ANY O3 - Toolbar: that has (no name)
AND (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
OR
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
(file missing).
Finally, restart your computer in normal mode and post a new HijackThis log
(as an attachment with .txt extension), as well as the log from
the Ewido scan.
================================================== ===================================
Method 2) Automated, paid for.
--------------------------------
If the above is too complicated, you can download a trial version of
Adware
Away from:
http://www.adwareaway.com/ which MAY get rid of it in trial-mode.
It DOES get rid of it in one go, if you BUY their program for $29.95
This is NOT a plug for them, and I can NOT verify that the program works as
declared. I have not been infected (yet).
================================================== ===================================
Method 3) Automated, free, BUT...
------------------------------------
Some forum-users have reported success, using the (free)
spyware removal tool from
http://www.mypctuneup.com/evaluate.php?b=aurora
Do NOT go anywhere else on that website!
Others have used a similar (or the same?) tool, downloaded from www-abetterinternet-com,
AKA DirectRevenue.
Big CAVEAT:
To the best of my knowledge, all three (mypctuneup, ABetterInternet and DirectRevenue)
are one and the same dubious outfit!
DirectRevenue are the MAKERS of Aurora, for Pete's sake!!
Check this out first, before you decide to go the FREE way (I wouldn't):
http://netrn.net/spywareblog/archiv...hreatens-again/
Examples
SWI Forums how to remove 'abetterinternet'twine Apr 4 2005, 06:14 AMhi, i have the malware 'abetterinternet' on my pc, i have been trying various
things but cannot seem to remove it. I did post about this last night but
the heading was very poor and also my log will be different, so here is
the fresh one:
Logfile of HijackThis v1.99.1
Scan saved at 12:14:32, on 04/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\procexp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tesco.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670}
- C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7}
- c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
- C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
/nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program
Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD}
- C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} -
(no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
- C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
- C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts -
http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class)
-
http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) -
http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class)
-
http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object)
-
http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
-
http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}:
NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}:
NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program
Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
jw50Apr 8 2005, 01:25 PM
Hi twine, welcome to the forums.
Run HijackThis and place checks beside each of the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsf31.dll
After you check these items, close all browsers and windows, except
for HijackThis, then click on the Fix Checked button on HijackThis.
Run HijackThis and post a new log.
twine
Apr 8 2005, 02:31 PMHi jw50, thanks for the help. I did what you required, only the third line
you asked me to check wasnt there. this one: O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B}
- C:\WINDOWS\System32\nsf31.dll. Perhaps this was what i cured myself. But
i did check the first two so here is my new log:
Logfile of HijackThis v1.99.1
Scan saved at 20:30:51, on 08/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\GlobeSoft\AbuseShield\NTX\ASTray.exe
C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\interMute\SpySubtract\spysub.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tesco.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.tiny.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.tesco.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.tiny.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670}
- C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7}
- c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88}
- C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [AbuseShieldTray] "C:\Program Files\GlobeSoft\AbuseShield\\NTX\ASTray.exe"
O4 - HKCU\..\Run: [WinMem] C:\Program Files\blcorp\UWCSuite\WinMem\WinMem.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
/nosplash
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\spysub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program
Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD}
- C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} -
(no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
- C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
- C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: Yahoo! Hearts -
http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class)
-
http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.com/v5co...b?1099927694734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) -
http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) -
http://everquest2.station.sony.com/systemscan/soesysinfo.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class)
-
http://www.live365.com/players/play365.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object)
-
http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
-
http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}:
NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS3\Services\Tcpip\..\{02140554-AFE2-4C51-8A9B-24ABE58B0620}:
NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: AbuseShieldSrv - Globesoft AB - C:\Program Files\GlobeSoft\AbuseShield\NTx\AbuseShieldSrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program
Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
jw50Apr 8 2005, 03:07 PM
Hi twine,
That BHO was really the only thing that was bad in your log, it looks good
now.
Are you still having any problems?
VERY IMPORTANT:
Your operating system and Internet browser are out of date. This can leave
you seriously vulnerable to malware and hackers.
I strongly suggest you go to
Windows Update and install all critical updates. To get to the Windows
Update site using IE just click on Tools, Windows Update.
These are some recommendations that will significantly decrease the chances
that you will have problems with malware in the future:
1) Regularly go to
http://windowsupdate.microsoft.com and download all the "critical updates"
for Windows, including the latest version of Internet Explorer. This can
patch many of the security holes through which attackers can gain access
to your computer. You should also turn on the Windows automatic update feature.
2) In order to protect yourself against spyware, you should consider
installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be
found
here.
Microsoft Anti-Spyware
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing
on your computer may be found
here.
SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware
and hijackers may be found
here.
Keeping these programs up-to-date and running them regularly can prevent
a great deal of spyware hassle.
3) Please consider using an alternate browser. Mozilla's Firefox
browser is fantastic; it is much more secure than Internet Explorer, immune
to almost all known browser hijackers, and also has the best built-in popup
blocker (as an added benefit!) that I have ever seen. If you are interested,
Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
4) Also make sure to run your antivirus software regularly, and to
keep it up-to-date.
Please also read Tony Klein's excellent article:
How I got Infected in the First Place
twine
Apr 9 2005, 09:28 AMevrything seems ok now. I can resolve most issues on my pc but with this
vx2 i panicked because i couldnt get rid of it, hence the submission on
this forum. I already have installed all the programs you recommend, although
i havent installed sp2 for xp yet. I may have to install it, all be it reluctantly.
thanks for your help in this matter.
jw50Apr 9 2005, 02:40 PM
Glad we could help.
If you need this topic reopened, please request this by sending the moderating
team an
email with the address of the thread. This applies only to the original
topic starter. Everyone else please begin a New Topic.
Home
- The home of Spybot-S&D!
Webhelper - Direct-Revenue Transponder Gang Fifth Columnists Adware Sleeper Agents
|
Direct-Revenue - Vx2
Transponder Gang Fifth Columnists with Adware Sleeper Agents
|
|
|
|Home
|
|
Updated:
03/12/2019
|
| Before I
start, so that those reading this write up will understand why I have entitled
this "Direct-Revenue - VX2 Transponder Gang
Fifth Columnists Adware Sleeper Agents" below you will
find two sets of difinitions, the first from the dictinary and the second
is my own difinitions. |
| |
|
Transponder: |
Transponder according
to Webster Dictionary:
A radio or radar set that upon receiving a designated
signal emits a radio signal of its own and that is used especially for the
detection, identification, and location of objects.
|
Webhelper Transponder
definition as it relates to the Transponder Gangs adware Variants
|
|
One of the transponder variant dll's that once installed transmits
three types of signals to its controlling server.
The first is called a ROUTIN CHECKIN. This one transmits
the users information along with a unique ID given along with the product
that was installed to the controlling server, which creates or updates the
users profile in their online database.
The second is called MOTTS CHECKIN which transmits
the users information and checks for updates to reinstall or new objects
that need to be installed. This transmission also updates the .ini files
and cookies of theirs that will help the offeroptimizer.com ad server send
back signals that will generate pop up ads on the users computer.
The last type is the standard transmission that sends
the users data to its controlling servers, and any third party ad servers,
tracks the users surfing habits, and collects and transmits any information
from online forms filled out by the user from any of the popup ads generated
by the offeroptimizer or through their 3 rd party ad server partners and
affiliates.
|
Dictionary definition of a Fifth Columists
Secret or subversive group: a secret or
subversive group that seeks to undermine the efforts of others and promote
its own ends.
|
Dictionary definition of Sleeper Agent:
Spy inactive until called into action: a spy or secret
agent who lives an ordinary life until called into action.
|
Now my own definitions of Fifth Columnists and Adware
Sleeper Agents
|
| Adware Fifth Columnist:
Online Marketing groups that seek to underminse the
efforts of users to rid themselves of unwanted infestations or the marketing
groups adware.
|
Adware Sleeper
Agents:
Adware files that are inactive until called into action by scripts embedded
into web site pages. These files are remains of past infestations that
never were detected as they were never active, usually living in temp folders
or the downloaded program folders and hidden from view by the average user.
|
|
|
|
As of December 26, 2004, I ran an infestation of the Transponder gangs LocalNRD.dll
transponder BHO adware variant and I went to MyPcTuneup.com to uninstall
their adware per #12 Termination and Removal of Software of
their EULA (End User License Agreement) at abetterinternet.com where they
state the following
From their EULA at abetterinternet.com
By entering into this Agreement,
you represent to BetterInternet that you have intentionally chosen to install
the Software and that you will personally uninstall the Software from your
computer if you no longer wish the application to be present on your computer
by going to http://mypctuneup.com/.
While you may choose to delete the Software from your computer at anytime
by following the instructions herein, some third party applications
may attempt to delete, disable or modify the Software with or without notice
to you. You further represent to BetterInternet that BetterInternet may
store a cookie, computer file or other unique identifier on your computer
to identify you and automatically repair or reinstall the Software if
any third party application attempts to delete, disable or modify the Software.
BetterInternet may terminate this Agreement or your right to continue to
use the Software at any time.
Further, you agree that you will not initiate, permit, authorize or assist
any third party or application to remove the Software from your computer,
or disrupt its operation or the operation of any other user. You agree that
removal of the Software from your computer will only be performed by
you pursuant to the instructions set forth herein.
The above EULA entries are made even more clearer when reading the
Direct Revenue's Portfolio write up by the gangs newest software developer
EnvionSoftware they have started using in the code of the transponder
variants and other component files they use.
DirectRevenue
For this provider of contextual advertising
services to Internet-based marketers, Envion Software developed a remarkable
Windows application that is co-installed with Direct Revenue's modules
by users who sign up for its marketing. Our app collects data from their
systems (installed hardware and software), and watches for any changes
to the system configuration or any attempts to remove Direct Revenue's
modules. Our app also monitors for any ant virus or firewall programs
that try to block or interfere with the modules. We are currently developing
the data encryption piece for the client machines.
(12/27/2004, Envion Software, http://envionsoftware.com/portfolio/directrevenue/)
What the above EULA and Envion Software statements really mean
is that the gang is starting to act like Fifth Columnists who place sleeper
agents into users computers to later be able to re-infest those computers
at a later time without the users knowledge or permission by stating
it is illegal to use other 3rd party security software like
Adaware, Pest Patrol, or even Anti-Virus and firewall software like that
from Mcafee to help detect and remove the transponder adware and must
use only their uninstaller at Mypctuneup.com.
In fact, right now in many of the transponder files there is hidden
xml code that even list the above 3rd party security software
and from the statements from EnvionSoftware "…any attempts to remove
Direct Revenue's modules… monitors for any ant virus or firewall programs
that try to block or interfere with the modules" they look like
they are trying to set up software that would when called from a script
that would be called from a site or rotational ad server, could stop
or delete users Anti-virus and firewall software to be able to
insure they can re-infest users computers without being blocked and also
stop or delete Adaware and Pest Patrol if the security software tries
to detect and remove their infestations of their transponder adware which
they state they will do per their EULA.
When infesting myself with their localNRD.dll transponder variant,
it registers the localNRD.dll as a BHO (Browser helper Object) and loads
it as a process along with making over 10 registry entries. They
also install various other executable files that one, their Polall*.exe
(Calling home) generates a 38kb executable file in the users windows folder
and an entry in the HKLM Run of the registry called mnklins.exe.
As of 12/26/2004, this file called mnklins.exe which replaced
their kzgasg.exe that was being created in earlier infestations and
is the file that actually when it transmits calls new installs, updates,
and/or re-infest users while the transponder BHO variant localNRD.dll
transmits users data and handles the calls for popup ads.
Along with the LocalNRD.dll, two other executables along with a third
that is downloaded during the transponders first check in transmission
were their conscorr.exe (Ipinsight Sentry.exe), ln_reco.exe,
and randreco.exe which was downloaded after the first transmission
and each contains the hidden xml code.
These files along with the Mnklins.exe all transmit at one time or
another and are used to update, install new 3rd
party adware, and re-install any missing transponder adware
into the users computer.
Their Mypctuneup.com uninstall process has gone through at least three
changes over the past six months since they first started offering help
in uninstalling their transponder adware. The first was an online
submission form. The second was a direct link to their uninstaller,
and now the third being a direct download to run their uninstaller.
The first uninstall process found at Mypctuneup.com required users
to fill out and submit an online form requesting the link to their uninstaller.
This usually took up to seven days before receiving an email back with a
special link that had a validation code in it. Once clicking on the
link, you would then have to fill in a special form with another validation
code which then would then run an online scan of the computer for any BHO
registry entry of their transponder variants. If found, users would
be required to run an install of their Remall.exe that would then delete
only the BHO registry entry and then drop a file named Killpol.exe that
would delete any IPinsght Sentry executables in the HKLM of the RUN of the
registry and the file in the windows folder. What was bad is that
if a user had the mxtarget.dll variant, it would transmit after the remall.exe
was run and download a mx_reco.exe that would transmit and re-infest the
mxtarget.dll variant and its file components before a user had a chance
to restart their computers to unload the BHO from the processes.
Their second process came about only about two months ago where
it dropped the emailing for their validation code and could run their scan
immediately with the same results as that of their first uninstall process.
However, it was here that they added their new uninstaller file that is
now being used and was offered only after the first scan was completed or
a message that none of their partner's adware was found.
Their latest uninstaller process uses their newest uninstaller
file that still requires users to be connected and enter a validation code
but this is after they have downloaded the uninstaller file and runs it.
Even though the transponder gang has changed their process in
the use of their uninstallers, what is scanned and actually cleaned still
remains unchanged. With all the files and registry entries
made by a transponder infestation, the only two thing that their
uninstaller does is scan the Internet Explorer Browser Helper Objects
area of the registry and if one of their variants are found, the uninstaller
file thunstall.exe deletes the registry entry and unloads the dll
variant from the computers processes. The second is the uninstaller
scans the HKLM Run of the registry and if it finds their callinhome file
which right now is the mnklins.exe and then delete the actual file.
In conclusion, all the above can be condensed to mean that the Direct-Revenue
Transponder Gang are now acting like a Fifth Columnist with all their
files they leave behind as adware sleeper agents so that in weeks or months
after using their Mypctuneup.com uninstallers can find that they may once
again be infested with the same or even a newer transponder variant and
could well find that their Adaware and/or Pest Patrol or even their Anti-Virus
software like Mcafee and their firewall software may be disabled, blocked,
or even worse still deleted from their computers because of the Transponder
Gangs #12 of their EULA and from what their software developer EnvionSoftware
has stated on their website on what their modules they create for Direct-Revenue
are supposed to do.
|
Example of their XML found
in their Ln_reco.exe : Names in red are valid security software and the
black bold are the transponder variants while all else are other 3rd party
adware groups.
|
| |
| |
|
<?xml version="1.0"?>
<queryRegistry partnerID="1" partnerData="CommandLine" bundleID="102"
preHost="thinstall" prePath="bi/servlet/ThinstallPre" postHost="thinstall"
postPath="bi/servlet/ThinstallPost" >
<key hive="HKCR" path="Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}"
subtree="no"/>
<key hive="HKCU" path="SOFTWARE\180solutions" subtree="no"/>
<key hive="HKLM" path=<?xml version="1.0"?>
<queryRegistry partnerID="1" partnerData="CommandLine" bundleID="102"
preHost="thinstall" prePath="bi/servlet/ThinstallPre" postHost="thinstall"
postPath="bi/servlet/ThinstallPost" >
<key hive="HKCR" path="Interface\{57A0E747-3863-4D20-A811-950C84F1DB9B}"
subtree="no"/>
<key hive="HKCU" path="SOFTWARE\180solutions" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\AboutURLs"
subtree="no"/>
<key hive="HKCU" path="SOFTWARE\Lavasoft\AD-Aware"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-aware
5" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\BTGrab" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\BTIEIN" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\CLRSCH" subtree="no"/>
<key hive="HKCU" path="SOFTWARE\ceres" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\DBi" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\DHost" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Gator.com" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\GatorTest" subtree="no"/>
<key hive="HKCU" path="SOFTWARE\intexp" subtree="yes"/>
The intexp is the wupdt.exe
<key hive="HKLM" path="SOFTWARE\IPInsight" subtree="yes"/>
<key hive="HKCU" path="SOFTWARE\LocalNrd" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\ins"
subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\McAfee"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\McAfee.com"
subtree="no"/>
<key hive="HKCU" path="SOFTWARE\morphacl" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\180solutions\msbb" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\MSView" subtree="yes"/>
<key hive="HKCU" path="SOFTWARE\MultiMPP" subtree="yes"/>
<key hive="HKCU" path="Software\mxtarget" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCase"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\PestPatrol"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\RespondMiter" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Search"
subtree="no"/>
<key hive="HKCU" path="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust
Providers\Software Publishing" subtree="yes" />
<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Toolbar"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\TPS108" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Twaintec" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Internet Explorer\Main\uni"
subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
subtree="keysOnly"/>
<key hive="HKCU" path="SOFTWARE\VB" subtree="no"/>
<key hive="HKCU" path="Software\VoiceIP" subtree="yes"/>
<key hive="HKLM" path="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherCast"
subtree="no"/>
<key hive="HKLM" path="SOFTWARE\WhenUSave" subtree="no"/>
<key hive="HKLM" path="SOFTWARE\Zserv" subtree="yes"/>
<procList checkin="both"/>
<persist />
</queryRegistry> |
|
|
|
History
Belt.exe and
Susp.exe
Belt.exe and Susp.exe is part of the Transponder Better Internet Gang
Dec 11, 2003
As of Dec 10, 2003, I now
have a sample of every known transponder from the first one that appeared
in 1999 (IEHelper.dll) to the two newest ones that are now being seen on
the Internet which are Belt.exe and Susp.exe.
Although many think both
are trojans or viruses, they are in fact programs that work in conjunction
with the Bi.dll for management of the popup advertising that is foisted
by
offeroptimizer.com which is registered to Alan Murray.
From inside the code of the
Belt.exe and Susp.exe, they both have the same coding and information which
directly links Better Internet Inc. to IPInsight.com that is not accessable
but its server still is and is registered to Daniel Kaufman that was
the CEO of Dash.com with Joshua Abram who is linked to Direct-Revenue.com
and aBetterInternet.com, and the rest of the transponder sites with Alan
Murray. All of which can be linked to Blackstonedata and VX2.cc.
|
The Fies:
Belt.exe
Modified: Friday, August 15, 2003, 3:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc. Container Belt.cab contains
Belt.exe, Belt.ini, Belt.inf
Two known paths are to the Belt.cab and the Belt.exe
hxxp://69.20.5.39/download/cabs/BI5101/Belt.cab
hxxp://69.20.5.39/download/cabs/BI5101/belt.exe
Susp.exe
Modified: Friday, August 15, 2003, 4:18:20 PM
Size: 80.0 KB (81,920 bytes)
Version: 0,1,1,3
Company: Better Internet Inc.
Container Susp.cab containing Susp.exe, Susp.ini, Sups.inf
|
The Code I found using NotePad:
Belt.exe code
V S _ V E R S I O N _ I N F O
S t r i n g F i l e I n f o 0 4 0 9 0 4 b 0
C o m m e n t s
C o m p a n y N a m e B e t t e r
I n t e r n e t I n c
F i l e D e s c r i p t i o n
w w w . a b e t t e r i n t e r n e t . c o m 6
F i l e V e r s i o n 0 , 1 ,
1 , 3
I n t e r n a l N a m e F
L e g a l C o p y r i g h t C o p y r i g h t
© 2 0 0 2
L e g a l T r a d e m a r k s
O r i g i n a l F i l e n a m e
P r i v a t e B u i l d
P r o d u c t N a m e :
P r o d u c t V e r s i o n 0 , 1 ,
1 , 3
S p e c i a l B u i l d D
V a r F i l e I n f o $
T r a n s l a t i o n
S e n t r y S t u b . e x e i s a
s t u b i n s t a l l e r
f o r t h e c o m p a n y ' s I P
- S e n t r y
a p p l i c a t i o n - b o t h d i s t r i b
u t e d b y
I P - I n s i g h t C o r p o r a t i o n , a D e
l a w a r e
C o r p o r a t i o n .
P l e a s e s e e h t t p : / / w w w . i p i
n s i g h t . c o m f o r m o r e d
e t a i l s
Susp.exe code
V S _ V E R S I O N _ I N F O
S t r i n g F i l e I n f o `0 4 0 9 0 4 b 0
C o m m e n t s
C o m p a n y N a m e B e t t e r
I n t e r n e t I n c .
F i l e D e s c r i p t i o n
w w w . a b e t t e r i n t e r n e t . c o m 6
F i l e V e r s i o n 0 , 1 ,
1 , 3
I n t e r n a l N a m e F
L e g a l C o p y r i g h t C o p y r i g h t
© 2 0 0 2
L e g a l T r a d e m a r k s
O r i g i n a l F i l e n a m e
P r i v a t e B u i l d
P r o d u c t N a m e :
P r o d u c t V e r s i o n 0 , 1 ,
1 , 3
S p e c i a l B u i l d D
V a r F i l e I n f o $
T r a n s l a t i o n
S e n t r y S t u b . exe is a s t u b i n s
t a l l e r f o r
the c o m p a n y ' s I P - S e n t r y a p p l i c
a t i o n
- b o t h d i s t r i b u t e d b y
I P - I n s i g h t C o r p o r a t i o n ,
a D e l a w a r e C o r p o r a t i o n .
P l e a s e s e e h t t p : / / w w w . i p i n
s i g h t . c o m f o r m o r e d e
t a i l s .
|
The Original Sentry.exe from IP-Insight
File Properties:
Company: IP-Insight Corporation
Sentry.exe
Size: 76.0 KB (77,824 bytes)
Version: 0, 0, 1, 3
Internal Name: SentryStub
Original Name: SentryStub.exe
Product Name: IP-Sentry Stub
Comments: SentryStub.exe is a stub installer for the company's
IP-Sentry application -both distributed by IP-Insight Corporation, a
Delaware Corporation. Please see http://www.ipinsight.com for more details.
NOTE: Ad-Aware 6.181 and Newer detects all!
|
Society
Groupthink :
Two Party System
as Polyarchy :
Corruption of Regulators :
Bureaucracies :
Understanding Micromanagers
and Control Freaks : Toxic Managers :
Harvard Mafia :
Diplomatic Communication
: Surviving a Bad Performance
Review : Insufficient Retirement Funds as
Immanent Problem of Neoliberal Regime : PseudoScience :
Who Rules America :
Neoliberalism
: The Iron
Law of Oligarchy :
Libertarian Philosophy
Quotes
War and Peace
: Skeptical
Finance : John
Kenneth Galbraith :Talleyrand :
Oscar Wilde :
Otto Von Bismarck :
Keynes :
George Carlin :
Skeptics :
Propaganda : SE
quotes : Language Design and Programming Quotes :
Random IT-related quotes :
Somerset Maugham :
Marcus Aurelius :
Kurt Vonnegut :
Eric Hoffer :
Winston Churchill :
Napoleon Bonaparte :
Ambrose Bierce :
Bernard Shaw :
Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient
markets hypothesis :
Political Skeptic Bulletin, 2013 :
Unemployment Bulletin, 2010 :
Vol 23, No.10
(October, 2011) An observation about corporate security departments :
Slightly Skeptical Euromaydan Chronicles, June 2014 :
Greenspan legacy bulletin, 2008 :
Vol 25, No.10 (October, 2013) Cryptolocker Trojan
(Win32/Crilock.A) :
Vol 25, No.08 (August, 2013) Cloud providers
as intelligence collection hubs :
Financial Humor Bulletin, 2010 :
Inequality Bulletin, 2009 :
Financial Humor Bulletin, 2008 :
Copyleft Problems
Bulletin, 2004 :
Financial Humor Bulletin, 2011 :
Energy Bulletin, 2010 :
Malware Protection Bulletin, 2010 : Vol 26,
No.1 (January, 2013) Object-Oriented Cult :
Political Skeptic Bulletin, 2011 :
Vol 23, No.11 (November, 2011) Softpanorama classification
of sysadmin horror stories : Vol 25, No.05
(May, 2013) Corporate bullshit as a communication method :
Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000):
the triumph of the US computer engineering :
Donald Knuth : TAoCP
and its Influence of Computer Science : Richard Stallman
: Linus Torvalds :
Larry Wall :
John K. Ousterhout :
CTSS : Multix OS Unix
History : Unix shell history :
VI editor :
History of pipes concept :
Solaris : MS DOS
: Programming Languages History :
PL/1 : Simula 67 :
C :
History of GCC development :
Scripting Languages :
Perl history :
OS History : Mail :
DNS : SSH
: CPU Instruction Sets :
SPARC systems 1987-2006 :
Norton Commander :
Norton Utilities :
Norton Ghost :
Frontpage history :
Malware Defense History :
GNU Screen :
OSS early history
Classic books:
The Peter
Principle : Parkinson
Law : 1984 :
The Mythical Man-Month :
How to Solve It by George Polya :
The Art of Computer Programming :
The Elements of Programming Style :
The Unix Hater’s Handbook :
The Jargon file :
The True Believer :
Programming Pearls :
The Good Soldier Svejk :
The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society :
Ten Commandments
of the IT Slackers Society : Computer Humor Collection
: BSD Logo Story :
The Cuckoo's Egg :
IT Slang : C++ Humor
: ARE YOU A BBS ADDICT? :
The Perl Purity Test :
Object oriented programmers of all nations
: Financial Humor :
Financial Humor Bulletin,
2008 : Financial
Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related
Humor : Programming Language Humor :
Goldman Sachs related humor :
Greenspan humor : C Humor :
Scripting Humor :
Real Programmers Humor :
Web Humor : GPL-related Humor
: OFM Humor :
Politically Incorrect Humor :
IDS Humor :
"Linux Sucks" Humor : Russian
Musical Humor : Best Russian Programmer
Humor : Microsoft plans to buy Catholic Church
: Richard Stallman Related Humor :
Admin Humor : Perl-related
Humor : Linus Torvalds Related
humor : PseudoScience Related Humor :
Networking Humor :
Shell Humor :
Financial Humor Bulletin,
2011 : Financial
Humor Bulletin, 2012 :
Financial Humor Bulletin,
2013 : Java Humor : Software
Engineering Humor : Sun Solaris Related Humor :
Education Humor : IBM
Humor : Assembler-related Humor :
VIM Humor : Computer
Viruses Humor : Bright tomorrow is rescheduled
to a day after tomorrow : Classic Computer
Humor
The Last but not Least Technology is dominated by
two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt.
Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org
was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP)
without any remuneration. This document is an industrial compilation designed and created exclusively
for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong
to respective owners. Quotes are made for educational purposes only
in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains
copyrighted material the use of which has not always been specifically
authorized by the copyright owner. We are making such material available
to advance understanding of computer science, IT technology, economic, scientific, and social
issues. We believe this constitutes a 'fair use' of any such
copyrighted material as provided by section 107 of the US Copyright Law according to which
such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free)
site written by people for whom English is not a native language. Grammar and spelling errors should
be expected. The site contain some broken links as it develops like a living tree...
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or
referenced source) and are
not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness
of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be
tracked by Google please disable Javascript for this site. This site is perfectly usable without
Javascript.
Last modified:
March 12, 2019
| 
