Error message when starting IE 6.0

  • Thread starter Nils-Rune Kolnes

Nils-Rune Kolnes

Hello!
Suddenly this error message appeared and told me that Internet Explorer
experienced a problem and was shutting down. I have actually seen it before,
IE 6.0 restarted, and no big deal.
This time it will not restart :-((
This error message keeps popping up every time I try to start IE 6.0.
I'm running Norman Antivirus in the background. I've tried stopping that
while restart of IE 6.0, with no help.
OS is Win 2000 Pro.

When going into the details of the error it says:
Error signature:
- AppName: iexplore.exe
- AppVer: 6.0.2800.1106
- ModName: vx2.dll
- ModVer: 0.3.1.6
- Offset: 00010446

I have no access to:
- Internet, since IE 6.0 is down
- Explorer, to organise or view my files
- Control panel, and I do not know why

I have not tried to start the machine in Safe Mode yet.

Do I have to uninstall the Explorer or is there an easier way out of it??

This is kind of frustrating.

Thanx in advance !!

Good Night! (It's 01:15 PM here)

Regards
Nils-Rune Kolnes
 

mac

Nils-Rune Kolnes said:
Hello!
Suddenly this error message appeared and told me that Internet Explorer
experienced a problem and was shutting down. I have actually seen it before,
IE 6.0 restarted, and no big deal.
This time it will not restart :-((
This error message keeps popping up every time I try to start IE 6.0.
I'm running Norman Antivirus in the background. I've tried stopping that
while restart of IE 6.0, with no help.
OS is Win 2000 Pro.

When going into the details of the error it says:
Error signature:
- AppName: iexplore.exe
- AppVer: 6.0.2800.1106
- ModName: vx2.dll
- ModVer: 0.3.1.6
- Offset: 00010446

I have no access to:
- Internet, since IE 6.0 is down
- Explorer, to organise or view my files
- Control panel, and I do not know why

I have not tried to start the machine in Safe Mode yet.

Do I have to uninstall the Explorer or is there an easier way out of it??

This is kind of frustrating.

Thanx in advance !!

Good Night! (It's 01:15 PM here)

Regards
Nils-Rune Kolnes

You have a parasite on the system, vx2.dll is not a Windows file. Please
see:
http://www.cexx.org/vx2.htm
 

Nils-Rune Kolnes

mac said:
You have a parasite on the system, vx2.dll is not a Windows file. Please
see:
http://www.cexx.org/vx2.htm

That was quick :))

So how do I handle it from here then?
Do I have to install Netscape to get access to the internet?
Can I just delete the vx2.dll ?
If so, how do I delete files since my explorer and search is unavailable, right
now?

Thanx for a quick and helpful answer :))

Can't wait for the next step.................

Regards
Nils-Rune Kolnes
 

mac

So how do I handle it from here then?
Do I have to install Netscape to get access to the internet?
Can I just delete the vx2.dll ?
If so, how do I delete files since my explorer and search is unavailable, right

Can't wait for the next step.................

this is the web page:

Advertising Spyware: Blackstone Data Transponder and its derivatives

It is hard to tell where this piece of spyware originated. It was first seen
as Blackstone Data's Transponder, but repackaged versions of the same
product are popping up under several different companies. It is currently
distributed under these names:

Transponder (Blackstone Data Corp.)
VX2 / RespondMiter / Sputnik (VX2 Corp.)
AADCOM Extreme Targeting (Aadcom Corp.)
NetPal (NetPalNow / Mindset Interactive)
TPS108 Transponder (tps108.org), for DigitalRooster.com - Deceptively
labeled as a "free movie viewer" to see "hardcore adult content".

According to the VX2 website:

The software goes along with the user of the software as they are surfing
around the web and builds reports on the activity.
The software monitors the click stream activity of the consumer and
communicates with servers.
The software monitors some activity of the PC and communicates with servers.

It is a Browser Helper Object that is distributed with unknown third-party
software, including AudioGalaxy Satellite. While the user is browsing the
Web, it will pop up advertisements based on what page is being visited,
what's being searched for, how quickly the user is surfing, etc.
Transponder's ad-displaying algorithm appears to weight the occurrence of
ads in such a way that they appear to come from the page(s) being visited.




For the remainder of this document, the terms "VX2", "Transponder", etc.
will be used interchangeably to refer to this class of spyware product.



Removal Procedures

Since the product is supplied by several companies with minor changes, first
you must determine which you are infected with. We strongly recommend using
one of these spyware removal tools to remove this parasite, as they can
painlessly detect and remove all the known variants. Or, please use one of
the links below to jump to the removal procedure for the particular
distribution that appears on your system.

VX2 RespondMiter (VX2.dll) (installed by AudioGalaxy, iMesh and others)
Blackstone Data Transponder (IEHelper.dll)
AADCOM: Please follow Transponder instructions.
NetPal
TPS108.DLL


VX2 RespondMiter Removal Procedure
Select VX2 from Windows Add/Remove Programs dialogue located in Control
Panel. Press Add/Remove.

If this entry is not present, do the following:

Close Internet Explorer if running.
Search for and delete all copies of VX2.dll. Use Windows' Find File dialogue
to find all copies.
If one or more copies cannot be deleted (file in use)...
Easy Way:

Use "Find..." to locate VX2.dll on your system. Note the path where it is
installed (e.g. C:\Windows\VX2.dll)
Select Start > Run, and type the following:

regsvr32 /u "C:\Windows\VX2.dll"

replacing C:\Windows\VX2.dll with the path you noted earlier. (You should
then see a message window such as "DllUnregisterServer in C:\Windows\VX2.dll
succeeded.")

Delete VX2.dll

Hard Way: (from VX2 web site)

Start Registry Editor. To do this, select "Start" and then "Run" and type
"regedit" in the Run box that appears.
Delete the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
and any associated values.
This is most easily accomplished by pressing F3 to bring up the Search
dialogue, and typing in part of the number in {}'s. After verifying that it
is the correct key, press Delete to remove it. You may need to press F3
again until all occurrences are found.
Restart the computer and delete all copies of VX2 that could not be deleted
before.

Blackstone Data Transponder Removal Procedure
This is the official uninstall information from the Blackstone docs, with
some formatting and grammatical fixups to improve readability.
Step. Description
   Expected Result

1. Click "Start" in the task bar, then select "Control Panel".
   Expected Result: "Control Panel" window is opened.

2. In "Control Panel" window select "ADD/REMOVE Programs". Look for
   "BlackStone".
   Expected Result: "BlackStone" should be found in the "ADD/REMOVE Programs".

3. If "BlackStone" is found, select it and click the "Remove" button to
   remove it.
   Expected Result: "BlackStone" should be removed.

4. If "BlackStone" is not present in the "ADD/REMOVE Programs", close any
   open Web browsers.
   Expected Result: All the browsers should be closed.

5. Click "Start", select the Search button and search for "IEHelper.dll" in
   the "C: drive".
   Expected Result: "IEHelper.dll" file should be found.

6. Delete "IEHelper.dll".
   Expected Result: "IEHelper.dll" file should be deleted.

7. Click "Start", select the Search button and search for "domlst.cch" in
   the "C: drive".
   Expected Result: "domlst.cch" file should be found.

8. Delete "domlst.cch".
   Expected Result: "domlst.cch" should be deleted.

9. IF the system does not permit the file to be deleted... Select "START",
   then select "Run", type "regedit" and press "ok".
   Expected Result: A new "Registry Editor" window is opened.

10. In the left side of the Registry Editor, select the key and its subkeys
    as follows:
    HKEY_LOCAL_MACHINE-----SOFTWARE-----Microsoft-----Windows---CurrentVersion-----Explorer-----BrowserHelperObjects\
    Expected Result: You should find the
    "{00000000-5eb9-11d5-9d45-009027c14662}" key.

11. Delete the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
    Expected Result: The key is deleted.

12. Reboot the computer. Click "Start", then click "Search". Search for
    "IEHelper.dll".
    Expected Result: You should be able to find the "IEHelper.dll" file now.

13. Now delete IEHelper.dll.
    Expected Result: It should be possible to delete "IEHelper.dll" now.

14. Reboot the computer now, and search again for "IEHelper.dll".
    Expected Result: You should not be able to find the "IEhelper.dll" file
    anywhere in your system.

15. Click the Start button on the task bar and click "Run...".
    Expected Result: A Run window is opened at the lower left corner of the
    desktop.

16. Type "regedit" in the Run window and press "ok".
    Expected Result: A new "Registry Editor" window is opened.

17. Search for
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
    If the key is still found, proceed to the next step.
    Expected Result: You should not find the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
    key.

18. Follow from step 5 to step 10.
    Expected Result: This time the uninstall succeeded. It may be a good
    idea to check by repeating the steps 1 through 17.



NetPal Removal Procedure
The NetPalNow site now provides a removal utility for its trash.

Unfortunately, Net Pal seems to really take VX2's capabilities up on the
offer of installing more spyware -- whether the removal utility also wipes
out the third-party spyware downloaded by NetPal remains to be seen. At the
time of this writing, there are several additional components installed
[ClickTheButton, yourspecialoffers.com, FavoriteMan, and an unknown start
page hijacker], and probably more I don't know about. Also, it is difficult
to determine which files and Registry keys belong to which spyware.
There is not a verified removal procedure as of yet. If you are an advanced
user, you can try the following and see if it works:

Remove the following Registry entries:

Transponder keys

HKEY_CLASSES_ROOT\Software\CLASSES\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}
HKEY_CLASSES_ROOT\Software\CLASSES\TypeLib\{09533F03-264D-45D6-92B0-E80F52890F92}
HKEY_CLASSES_ROOT\Software\Microsoft\Windows\Current Version\explorer\Browser Helper Objects\{C7ADE150-743D-11D4-8141-00E029626F6A}

(Unknown product) - may be part of the above

HKEY_CLASSES_ROOT\CLSID\{C7ADE150-743D-11D4-8141-00E029626F6A}
HKEY_LOCAL_MACHINE\Software\Classes\TrackIExplore
HKEY_LOCAL_MACHINE\Software\Classes\TrackIExplore.1

Favoriteman keys

HKCR\CLSID\{139D88E5-C372-469D-B4C5-1FE00852AB9B}
HKCR\CLSID\{DA5E961F-F519-403C-9744-0D4376B1B0B5}
HKCR\Favorite.FavoriteMan
HKCR\Favorite.FavoriteMan.1
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{139D88E5-C372-469D-B4C5-1FE00852AB9B}

Restart the computer, then search for and delete the following files:

VX2/Transponder files

netpal.dll
vxsystem.dll
hi5.dll
hi6.dll
favboot.dll
kernellos.dll

(Unknown product)

reg3322.dll - apparently a Homepage Hijacker

FavoriteMan files

ofrg.dll - Another BHO called 'FavoriteMan'

This information thanks to Andrew, Jerry, and posts on the Lavasoft forums.

TPS108 Removal Procedure

Easy Way: (follows VX2.DLL removal procedure)

Use "Find..." to locate tps108.dll on your system. Note the path where it is
installed (e.g. C:\Windows\tps108.dll)
Select Start > Run, and type the following:

regsvr32 /u "C:\Windows\tps108.dll"

replacing C:\Windows\tps108.dll with the path you noted earlier. (You should
then see a message window such as "DllUnregisterServer in
C:\Windows\tps108.dll succeeded.")
Delete tps108.dll


Hard Way: (from their Web site)

To remove TPS108:


From the control Panel select ADD/REMOVE Programs.
Select TPS108 and Remove.

If TPS108 is not present:


Close all the internet explorer browsers.
Search your "C" drive for TPS108.dll.
Delete TPS108.dll.

If the system does not permit the file to be deleted proceed
as follows:


Select "Start" and then "Run" and type "regedit".
Find and delete the entry named
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/BrowserHelperObjects/{0000026A-8230-4DD4-BE4F-6889D1E74167}.
Delete the "{0000026A-8230-4DD4-BE4F-6889D1E74167}" entry.
Reboot computer.
Search your "C" drive for TPS108.dll.
Delete TPS108.dll.


Privacy Concerns
The software covertly collects all sorts of information about your Web
surfing habits, including lists of Web sites you visit (and even sites
you've visited before installing their software), any terms you enter into a
search engine, and contents of online forms--including "secure" forms using
SSL encryption(!). The company has the audacity to claim that this is done
"in order to save you the time and trouble of submitting such information to
us yourself". It also stores cookies to persistently identify you across
sessions.

The software collects and transmits your full name and e-mail address
as used by the Outlook mail client. It also transmits back a laundry list of
information about your system, which is described in more detail below.
Finally, the software transmits details about your interaction with the
software.

The software also includes an auto-update capability with the stated purpose
of updating not only the VX2 spyware itself, but also installing additional
third-party programs, including additional spyware.


Information Gathered by Transponder

Upon its first load, VX2.dll will look for a file in your Windows directory
called oeminfo.ini. If present, this file contains information about your
computer provided by the OEM--who you bought it from, serial #/etc.,
processor and configuration, tech support info, and maybe your name. (IIRC,
this information is displayed if you go to Start > Settings > ControlPanel >
System and view the first tab.) More information about the oeminfo.ini file
is available here.

Transponder then connects to sputnik.vx2.cc and transmits data. The
information transmitted includes, but is not limited to, the following:


On first connection, or when triggered remotely:
User's full name (from Outlook setup,
"HKEY_CURRENT_USER\Software\Microsoft\Internet Account
Manager\Accounts\00000001")
User's E-mail address (from Outlook setup)
Processor type, manufacturer and speed
Contents of the oeminfo.ini file
List of installed printers
List of installed applications from Add/Remove Programs
Amount of physical memory (RAM) installed
Hard drive size and free space remaining
Language ID
Time zone
Browser name and version
Operating system version







Intermittently during normal Web browsing:


Web site URLs being visited
Unique identification cookie (stored in Registry; will not show up in IE
Cookies directory)
Contents of all online forms, even 'secure' ones, unless entry field name
contains 'pas', 'pwd' or 'pin', or the data appears to be a valid credit
card number (more info below)
Values of various counters related to Transponder's operation
Referral codes telling them what product or company installed the spy on
your system

The data transmission is most likely encoded (sample). At intervals after
the initial contact, the software will perform at least two types of
"calling home": the ROUTINE_CHECKIN and MOTS_CHECKIN (Message Of The Session
checkin) to a server starting with transctl*. (These include
transctl*.blackstonedata.net, transctl*.vx2.cc, etc.) Each checkin request
transmits the user's country code, a cookie data string, a tracking GUID
that was created during its installation, the software that installed the
spyware, and its version number. Some other checkin "modes" exist but have
not been observed in action.

A stated purpose of the information Transponder gathers is to send direct
mail (a.k.a. spam), possibly with the help of NetGeo (see later). I am
guessing this to mean Outlook users (or former Outlook users) will get more
spam thanks to this spyware.

In the Privacy Policy, VX2 asserts "We have undertaken technical measures to
make sure that VX2 never collects credit card numbers, account numbers or
passwords." Examining the spyware's source code (more on that later as
well), the "technical measures" are the following:

Passwords
A password is detected by checking if the form-field's name contains 'pas',
'pwd', or 'pin'.

Credit card #s
A credit-card number is detected by checking for proper number of digits,
dashes or spaces between blocks of 4 digits, etc.

In either case, the field is overwritten with X's before transmitting.

Interestingly, VX2 passes the buck when the high-precision (sarcasm
intended) password check fails, by stating that surfing with their spyware
"may result in some personal information being included in URL data [...]
Such instances are rare and are the result of poor security practices by
these third party websites." I get the feeling many third-party Web sites
would beg to differ. (As if Blackstone has any right to talk about poor
security practices.)

Portions from the VX2 Privacy Policy as of 10/21/01:

"VX2's software collects and transmits to VX2's servers the URLs of the Web
pages visited on your browser. URLs are the addresses of the web pages that
your browser visits (http://www.VX2.com, for example). The VX2 software
collects and maintains information on both current and historical browsing.
VX2 will use this information to build a summary of your interests and
general web trends.
VX2's software also collects some information from online forms that you
fill out. This information is automatically sent to VX2 in order to save you
the time and trouble of submitting such information to us yourself. We have
undertaken technical measures to make sure that VX2 never collects credit
card numbers, account numbers or passwords. If such data were, despite
VX2's best efforts, ever inadvertently collected VX2 would immediately purge
such information from its database.

VX2's software also collects the query terms entered into search engines.
VX2 uses this information to help generate a more complete summary of its
users' interests and general internet trends.

When you install VX2's software, it collects several bits of information
about the configuration of your computer. This information includes
information about the computer's hardware configuration, such as the amount
of free space on your hard drive, and software configuration, such as the
version of the operating system. These examples are representative, and the
specific information collected may vary from time to time. This information
is used to determine whether the VX2 software is compatible with your
computer. It may also be used to help generate a more complete summary of
your interests when appropriate.

It is possible that, in some instances, the operation of certain third party
websites may result in some personal information being included in URL data,
which can result in that data being captured in the course of the normal
operation of the VX2 software. Such instances are rare and are the result of
poor security practices by these third party websites. In the unlikely
instance that such information is captured, it may be stored in our
database, but it will not be used or disclosed in any manner inconsistent
with our Privacy Policy.

Occasionally, VX2 may collect information about your interaction with the
VX2 software. This may include information such as how often users use the
software. This information is used to access the effectiveness of our
products and services. It may be shared with VX2's partners for the purpose
of evaluating the success of marketing programs.

The VX2 software and cookies: The VX2 software uses cookies to identify
itself to the VX2 server. The cookie maintains a unique anonymous id for you
as a user. We use this information to allow you to opt out of the VX2
service if you so choose. It is also used to organize the information in our
database and help our artificial intelligence algorithms to discern the
various preferences and interests of each user."

Some other portions are of interest:
"From time to time, VX2 may decide to update its software in order for it
to work at its peak performance. Upgrades may include third party
applications. Certain third party applications may have to be installed in
order for the software to work properly. VX2 users are not responsible for
these additions and/or updates, they will be done automatically in the
background while you are surfing the web in order to cause the least amount
of inconvenience to our users as possible."
This gives the company carte-blanche to install other software on your PC,
including additional third-party spyware.


Security Concerns

Suffice it to say that I would not trust these fools with my grocery list.
Those who have already been had by this spyware should be concerned about
Blackstone's security practices (or lack thereof) as they pertain to users'
personal information.

Much of the information you see below was gathered thanks to bad password
security and generally bumbling idiocy on the part of your friendly
neighbourhood spyware company. (We did not "hack" into their systems; they
gave out their (un-changed software default) admin password complete with
detailed instructions online explaining how to log into the administration
system :) I stumbled on them when they came up in Google's search results.
If you've ever wanted a sneak peek inside a spyware company, take the
(un)Guided Tour .

For a period of a little over a week, Blackstone Data Transponder infectees
may have seen this ad campaign, inserted into Blackstone's lineup by my
fictional cohort, Jane Morgandorfer.. (Think it may have had something to do
with Blackstone changing their passwords? :) I deactivated the ad-campaign
when it caused the load on my server to suddenly quadruple, jumping from
about 45k requests/day at that time to 170k. Apparently, Transponder
infections are more widespread than I had previously thought.

This graphic, found on a Blackstone cohort's server, appears to give a
detailed description of how Transponder works. Beware: apparently, the same
idiots who run the Blackstone servers also did the graphic--much of the text
is scrunched and very hard to read! The line "Periodic export to warehouse
for mining & Direct mail" I found particularly unnerving.

Other in-the-clear files included keyword-hierarchy listings, code signers
and what appear to be certificates and private keys (.spc, .pbk, .pvk).

Another anti-spyware advocate wandering Blackstone's unsecured servers
obtained the complete C++ source code of the application. This has been very
helpful in determining the software's capabilities and possible security
concerns.

The newest incarnation, TPS108, was recently discovered in with Blackstone's
files. Some mild digging leads to an interesting find :)



The Bad Guys

Mindset Interactive (mindseti.com), provider of downloadable screensavers,
installs Transponder with the screensavers. They also appear to be heavily
involved with administration of Blackstone's operations.
Blackstone Data Corporation (www.blackstonedata.com) appears to be the first
company caught red-handed with this spyware. Although their Web page is no
longer publicly accessible, their other servers are still up and running new
campaigns.
Disk11 Technology Solutions (?) (www.disk11.com) is a Web hosting and
technology company that currently has administrative privileges on the
server, and may or may not have other involvement. They appear to have some
responsibility for coding the spyware itself and/or testing it for
reliability. Reportedly, Disk11 admits to having hosted the Blackstone Data
Transponder "for a (very) brief period of time", but will not deal with
Blackstone now or in the foreseeable future. However, as of January 27,
2001, they are still hosting an active account for Blackstone, complete with
new and updated files.
AADCOM (www.aadcom.com, formerly USABanners.com) is also hyping its
whiz-bang targeting technology, which turns out to be none other than
Blackstone Data Transponder. Although they have many listings on
Blackstone's ad server, they do not have administrator privileges. (They may
just be reselling thru one of the listed admins.)
NetPal Interactive (www.netpal.com) is also distributing Transponder...as a
stand-alone software utility! They promise Great Deals, Special Offers,
yadayada, out the yin-yang if you install Transponder, which is a Free Gift,
btw. Because they're just so nice. (Beware: Clicking on their "download"
link will attempt to auto-install Transponder from a .cab file. Use
caution!)
Internet Technology Corp. (www.internettechcorp.com) - Quite possibly the
granddaddy of them all! They describe themselves as a "well funded business
incubator for starting and growing Internet businesses". A veritable
venture-capital breeder-reactor of seedy Internet companies, Internet Tech.
Corp. spun off some or all of the above, excluding Disk11, including Mindset
Interactive.

Suspected Supporters


NetGeo (www.netgeo.com) - A "geolocation" service, that tries to figure out
the geographic location of an Internet user. The stated purpose is to
provide companies "highly accurate, real-time information about who is
visiting their web sites". Data from Blackstone's database is periodically
uploaded to NetGeo's.
Mindset Interactive (again) - They too are listed as having a database
synced with Blackstone's. The nature and extent of this additional
involvement is unclear.
Akamai - Again, the nature of their involvement is unclear. It is stated
only as "Akamai pulls source files" in Blackstone's internal documentation.
They may just be doing caching of Blackstone's files as they do with their
other customers.
TrueData (?) - This reference is also found in Blackstone's internal docs.
The brains behind the whole operation? Or just a company providing database
dupe-checking software? This is unclear as well. About the only "TrueData" I
could find sells database-checking software.

Transponder Technology

I'm not suggesting ANY guilt on the part of the makers of these third-party
tools used by AADCOM/Blackstone/etc. They are general-purpose software that
has no apparent connection to these creepy scum.

Ad campaign insertion, management and billing are handled by OASIS
(Open-source Ad Serving and Inventory System): http://oasis.sourceforge.net/

Communicating with Sputnik (VX2, yadayada) is done via Java servlets at
transctl*.blackstonedata.net and transctl*.vx2.cc, which are for all intents
and purposes the same server (e.g. accessing a bogus file on
blackstonedata.net, *.vx2.cc is listed on the 404 error page). The servlets
are run with Caucho Technologies' Resin 2.0.2 software:
http://www.caucho.com/

The data for OASIS and other things is stored in an SQL database,
periodically exported to Mindset Interactive and NetGeo.

Whois Data (further evidences that many of these companies are in fact one
and the same)

blackstonedata.com
Registrant:
Blackstone Data Corporation (BLACKSTONEDATA-DOM)
PO Box 27103 C/o VX2 Corporation
Las Vegas, NV 89126
US

VX2.cc
Registrant:
vx2 (VX52-DOM)
po box 27103
Las Vegas, NV 89126
US

Both list a Hotmail address as their admin, tech. and billing contact.

aadcom.com
Registrant:
AADCOM (AADCOM2-DOM)
34700 Pacific Coast Hwy
Capistrano Beach, CA 92624
US

Admin., etc. contact is at internettechcorp.com


Transponder Advertisers

These advertisers are currently listed as active in Blackstone's system.
However, some of them are test entries and many have invalid billing
addresses. A number of these are listed as having unpaid invoices. (Maybe
has something to do with the invalid billing addys? :)
AADcom.com Ad Power Zone alinq.com alinq468 ARS
Barnes And Noble (test) Bettergolf Bid Clix Casino CasinoOnNet
Civil War Facts Inc (test) creditcardmenu CyberErotica Fast Cash Feature
Price
HomeGain JDR Media kentucky Lending Universe LowerMyBills
Magellan Magellan: Team Nova & Trim Life Mindset Opt-In / Opt-Out MyInk.com
New York Times (test)
NextCard No Credit Card Needed OASIS OptionHotline Orbitz
Playsys PriceQuotes Pyramid Casino Shockwave Marketing SlickStreet
Steve Smith Test Advertiser TEST PYRAMIDCASINO The Baby Outlet Traffix
TranzAct Media X10.com Zmedia





Windows Failure issue associated with Transponder

It has been reported to me that a number of users have experienced complete
failure of MSIE and Windows Explorer as a result of infection by the
Transponder parasite. The common symptoms are that Internet Explorer will
not start at all (nothing happens), and trying to restart Windows Explorer
only repaints the existing desktop. One such occurrence is reported on a
Windows 2000 system. The symptoms cleared up once Transponder/VX2 was
removed.



Links
Transponder AdWare Program (Guest)
Information about Transponder (and derivatives)
SpywareInfo: Aadcom
and.doxdesk.com Parasite Detection Script - Alerts you if you have VX2,
Toptext, etc. parasites installed!
BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to
remove Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder
parasite in action on an infected system. Note: In the video are pictures of
"adult" popup ads--as always, view at your own discretion.

[AVI - 12 Meg.]

VX2 Homepage - some mentions of what it does and removal info.


Credits
Blackstone Data Transponder was and continues to be among the most difficult
pieces of spyware to research. This would not be possible without the huge
amounts of help and information provided by Robert (dualsmp), Dingo
(SpywareInfo), Andrew (and.doxdesk.com) and others, as well as the
grc.spyware community. A big thanks to everyone!

If I have forgotten anyone, please let me know!





----------------------------------------------------------------------------
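
The password and credit-card "technical measures" described in the page quoted above, rebuilt from that prose description as an added example (it is not part of the original posts and is not VX2's source code), run over a constructed form to show which sensitive fields still go out in the clear and which harmless ones get masked. The card pattern is an assumed reading of "blocks of 4 digits"; the field names, values and the `audit` helper are constructed for illustration.

```python
import re

# Substrings that, per the quoted write-up, mark a form field as a password.
PASSWORD_HINTS = ("pas", "pwd", "pin")

# ASSUMPTION: "proper number of digits, dashes or spaces between blocks of
# 4 digits" is read here as 16 digits in four blocks with one separator style.
CARD_RE = re.compile(r"^\d{4}([ -]?)\d{4}\1\d{4}\1\d{4}$")


def is_masked(name, value):
    """True when the described heuristic would overwrite the field with X's."""
    lowered = name.lower()
    if any(hint in lowered for hint in PASSWORD_HINTS):
        return True
    return CARD_RE.match(value.strip()) is not None


def redact(form):
    """Return the form as it would be transmitted after masking."""
    return {n: ("X" * len(v) if is_masked(n, v) else v) for n, v in form.items()}


def audit(form, sensitive):
    """Compare the heuristic with ground-truth labels.

    Returns (leaked, overmasked): sensitive fields sent unchanged, and
    non-sensitive fields that were masked anyway.
    """
    sent = redact(form)
    leaked = sorted(n for n in form if n in sensitive and sent[n] == form[n])
    overmasked = sorted(n for n in form if n not in sensitive and sent[n] != form[n])
    return leaked, overmasked


# Constructed sample form; card values are the well-known public test numbers.
SAMPLE_FORM = {
    "user": "jdoe",
    "password": "correct horse",
    "secret_answer": "Oslo",
    "ssn": "000-00-0000",
    "account_number": "12345678",
    "cardnum": "4111 1111 1111 1111",
    "cardnum_15digit": "3782 822463 10005",   # 4-6-5 layout, not blocks of 4
    "cvv": "123",
    "shipping_city": "Bergen",                # "shipping" contains "pin"
    "search": "cheap flights",
}
SENSITIVE = {"password", "secret_answer", "ssn", "account_number",
             "cardnum", "cardnum_15digit", "cvv"}

if __name__ == "__main__":
    leaked, overmasked = audit(SAMPLE_FORM, SENSITIVE)
    print("sent in the clear:", ", ".join(leaked))
    print("masked needlessly:", ", ".join(overmasked))
```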
 

DVarnau

Nils-Rune Kolnes said:
That was quick :))

So how do I handle it from here then?
Do I have to install Netscape to get access to the internet?
Can I just delete the vx2.dll ?
If so, how do I delete files since my explorer and search is unavailable, right
now?

Thanx for a quick and helpful answer :))

Can't wait for the next step.................

Regards
Nils-Rune Kolnes
- - - - - - - -
Nils,
Here are instructions from that page
http://www.cexx.org/vx2.htm

VX2 RespondMiter Removal Procedure
Select VX2 from Windows Add/Remove Programs dialogue located in Control
Panel. Press Add/Remove.

If this entry is not present, do the following:

Close Internet Explorer if running.
Search for and delete all copies of VX2.dll. Use Windows' Find File dialogue
to find all copies.
If one or more copies cannot be deleted (file in use)...
Easy Way:

Use "Find..." to locate VX2.dll on your system. Note the path where it is
installed (e.g. C:\Windows\VX2.dll)
Select Start > Run, and type the following:

regsvr32 /u "C:\Windows\VX2.dll"

replacing C:\Windows\VX2.dll with the path you noted earlier. (You should
then see a message window such as "DllUnregisterServer in C:\Windows\VX2.dll
succeeded.")

Delete VX2.dll

Hard Way: (from VX2 web site)

Start Registry Editor. To do this, select “Start” and then “Run” and type
“regedit” in the Run box that appears.
Delete the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
and any associated values.
This is most easily accomplished by pressing F3 to bring up the Search
dialogue, and typing in part of the number in {}'s. After verifying that it
is the correct key, press Delete to remove it. You may need to press F3
again until all occurrences are found.
Restart the computer and delete all copies of VX2 that could not be deleted
before.

Hope this helps,
Don
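
The registry check behind the removal steps quoted in this thread, as an added example (not part of any post, and not code from cexx.org or the vendors): it parses the text of a regedit export, lists every Browser Helper Object, resolves each CLSID to its InprocServer32 DLL, and flags the CLSIDs named in the quoted procedures. The sample export, its C:\WINNT and C:\Program Files paths and the {11111111-...} CLSID are constructed; `parse_reg` and `audit_bhos` are hypothetical helper names.

```python
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID")

# BHO CLSIDs named in the removal procedures quoted in this thread.
KNOWN_BHO_CLSIDS = {
    "{00000000-5EB9-11D5-9D45-009027C14662}": "VX2 / Blackstone Transponder",
    "{C7ADE150-743D-11D4-8141-00E029626F6A}": "NetPal (Transponder)",
    "{139D88E5-C372-469D-B4C5-1FE00852AB9B}": "FavoriteMan",
    "{0000026A-8230-4DD4-BE4F-6889D1E74167}": "TPS108",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode(raw):
    """Unquote a .reg string value ("C:\\\\x" -> C:\\x); leave dword/hex as is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: value}}.

    The default value (@) is stored under the empty name. Regedit 5.00
    exports are UTF-16; decode the file before passing its text here.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION_RE.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = "" if value.group(1) == "@" else decode(value.group(1))
            current[name] = decode(value.group(2))
    return keys


def audit_bhos(text):
    """List each registered BHO with its DLL path and a label if known."""
    keys = {path.lower(): values for path, values in parse_reg(text).items()}
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for path in keys:
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue
        clsid = path[len(prefix):].upper()
        dll = None
        for root in CLSID_ROOTS:
            server = keys.get((root + "\\" + clsid + r"\InprocServer32").lower())
            if server and server.get(""):
                dll = server[""]
                break
        label = KNOWN_BHO_CLSIDS.get(clsid)
        findings.append({
            "clsid": clsid,
            "label": label,   # None: not on the quoted list, review by hand
            "dll": dll,       # None: key left behind or CLSID not exported
            # Same unregister command the quoted "Easy Way" uses.
            "unregister": f'regsvr32 /u "{dll}"' if label and dll else None,
        })
    return findings


# Constructed sample: BHO key plus HKCR\CLSID, exported and concatenated.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000026A-8230-4DD4-BE4F-6889D1E74167}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32]
@="C:\\WINNT\\vx2.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\ExampleToolbar\\toolbar.dll"
"""

if __name__ == "__main__":
    for finding in audit_bhos(SAMPLE_EXPORT):
        print(finding["clsid"], finding["label"] or "unlisted", finding["dll"])
```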
 

Nils-Rune Kolnes

mac said:
Once you are able to access your browser? :)
get SpyBot- Search & Destroy, http://patrick.kolla.de/spybotsd.html
http://www.safer-networking.org/

Hello again!

Thanx mac and DVarnau for quick and great help !!
Since both explorer and search was dead, I first deleted the HKEY and did a
restart.
And Bingo! All worked nicely again. Did a search on vx2.dll, and found 2,
and deleted them.
Did a restart again and installed Spybot S&D. Great program!

Thanx again for helping me out!

Have a nice day!

Regards
Nils-Rune Kolnes
 
