Transponder.BTGrab

HighBlue

Transponder.BTGrab keeps showing up every time I run a
scan with Aluria, and even after removal it comes back
every time I go online. And it must be in deep cover
because none of my full system searches find the BTGrab
file anywhere -- either open or archived or hidden -- in
any folders. On top of that, I've checked the registry
for the usual suspects -- that is, all filenames related
to BTGrab, which are listed on dozens of internet
anti-spyware websites. None of those registry values, files,
or keys show up in my registry.

By the way, Zone Alarm doesn't even recognize it and I've
got 4 other firewalls on my system. And to top it off,
the BTGrab transponder apparently acts like a back door
for all sorts of spyware. EVERYTHING seems to go right
through all my firewalls now. I have to remove at least
five spyware programs every time I go online, and that's
with firewalls from Zone Alarm, SpyBot S&D, MSAS, my
service provider, AND with IE set to block ALL cookies!
So the transponder must be sponsoring them into my system
and working around my internet preferences.

Now, I know this is an ABetterInternet trojan, so I went
to their website and downloaded their uninstall program
for BTGrab, then ran it. No luck... this trojan is like
the Energizer Bunny. I've tried everything I can think
of, tried following all the manual removal procedures (at
least three times) and nothing's worked.

Anybody got any ideas? Judging by everything I've read,
there are no anti-spyware or anti-virus programs that can
prevent or remove this one... I'm seriously considering
an alternative solution... a sledgehammer.

I read a message here in which someone wrote that there's
a special corner of Hell waiting for the transponder
gang. At this point I might be willing to commit an
unforgivable sin if the devil would give me a few minutes
of torturing them in their corner.
 
Guest

I appreciate you trying to help, but I've been to that
website and read almost everything on it. That's where I
really started to get a picture of the BTGrab trojan, and
I've already run HijackThis multiple times.

Yes, I found some other spyware using HijackThis, but the
BTGrab files do not show up anywhere in my system until
Aluria finds and temporarily removes them... after every
time I go online. Like now... when I leave here and go
offline, and then scan with Aluria, I'll have a cookie
that's listed as a BTGrab variant. I'll also have other
cookies that are listed as variants too, even though I've
only visited this one website.

MSAS, Spybot, and Zone Alarm don't even recognize BTGrab,
by the way, much less prevent it. And even though Aluria
does recognize the trojan, it can't permanently eliminate
it from my system... just temporarily.

So the real problem is that it's impossible to manually
delete this trojan because I simply can't find it.

But thanks again for trying. I guess I'll just have to
live with it until some programmer can find a workable
solution and write the software to eliminate it.

I can understand why all the small anti-spyware providers
haven't solved this problem, but it's hard to imagine why
Microsoft hasn't put anyone on it yet.
 
Tom Emmelot

(e-mail address removed) wrote:
I appreciate you trying to help, but I've been to that
website and read almost everything on it. That's where I
really started to get a picture of the BTGrab trojan, and
I've already run HijackThis multiple times.

Yes, I found some other spyware using HijackThis, but the
BTGrab files do not show up anywhere in my system until
Aluria finds and temporarily removes them... after every
time I go online. Like now... when I leave here and go
offline, and then scan with Aluria, I'll have a cookie
that's listed as a BTGrab variant. I'll also have other
cookies that are listed as variants too, even though I've
only visited this one website.

MSAS, Spybot, and Zone Alarm don't even recognize BTGrab,
by the way, much less prevent it. And even though Aluria
does recognize the trojan, it can't permanently eliminate
it from my system... just temporarily.

So the real problem is that it's impossible to manually
delete this trojan because I simply can't find it.

But thanks again for trying. I guess I'll just have to
live with it until some programmer can find a workable
solution and write the software to eliminate it.

I can understand why all the small anti-spyware providers
haven't solved this problem, but it's hard to imagine why
Microsoft hasn't put anyone on it yet.

Hello,

look here:

http://nl.trendmicro-europe.com/ent...php?LYstr=VMAINDATA&vNav=1&VName=TROJ_BISPY.B

Regards, >*< TOM >*<
 
plun

Hi

First send a suspected spyware report to MS about this, menu
tools within MSAS.

This is from doxdesk, and first you must unregister the corresponding dll file:

"Or, for the BTGrab variant:

cd "%WinDir%\System"
regsvr32 /u ..\BTGrab.dll "

http://www.doxdesk.com/parasite/Transponder.html

And MS is also small in this world of antispyware but
MSAS is really good already compared with similar products.

It is also a problem, I believe, with abetterinternet and the
transponders that belong to it, because all users click "YES" to this
company's EULA. And this company has already been in conflicts with
other antispyware vendors, so we will see if MS is tougher?

;)
 
AndyManchesta

The easiest way to see if it's BTGrab causing this is to
un-register the .dll. If it doesn't exist then it's
something else, probably related to the transponder gang;
if it does exist you can then usually just clean up to
remove the other traces. I've not checked web helper, so let
me know if it's something you've already tried.


Turn Off system restore :

Go to start > right click my computer > choose properties,
then go to system restore and check the box 'Turn off
system restore', then press apply. You can set a new
restore point when you are clean by following the above
but unchecking 'turn off system restore', then pressing
apply.


Download Ccleaner

http://download.ccleaner.com/download119bin.asp


Download the betterinternet remover from symantec:

http://securityresponse.symantec.com/avcenter/FixBinet.exe



Boot into safe mode to delete the files, run the remover
and check the registry (reboot and keep tapping F8, then
choose safe mode).



When you get into safe mode, open a command prompt. Go to
start > then run and type

cmd

on the prompt screen copy and paste this:



cd "%WinDir%\System"
regsvr32 /u ..\BTGrab.dll


then press enter. Let me know if it's found. If it is, it's
just been unregistered so it can now be removed.

If it was unregistered you may need to enable hidden
files and folders to find the file.

Go to Start then search > go to tools on the top bar > then
click Folder Options -> then go to the View tab.

Make sure that 'Show hidden files and folders' is
enabled, 'Display the contents of system folders' is
checked & 'Hide extensions for known file types' is not
checked, then press apply.

You can set this back later by opening the same page and
pressing 'restore defaults' then pressing apply,

Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane,
click on the 'More advanced options' at the bottom. Make
sure that Search system folders, Search hidden files and
folders, and Search subfolders are checked.


After you have done this, search for:


BTGrab.dll


It should be located here c:\WINDOWS\system32\BTGrab.dll

and delete if found


In safe mode run the Symantec removal tool by double
clicking it. Run it twice if files are found.



For the reg entries, it could infect a lot of areas; the
removal tool from symantec will remove them all ;)

HKEY_CLASSES_ROOT\CLSID\{00000000-59D4-4008-9058-080011001200}
HKEY_CLASSES_ROOT\CLSID\{0000607D-D204-42C7-8E46-216055BF9918}
HKEY_CLASSES_ROOT\CLSID\{D5E06663-DE78-4A48-BB81-7C9AFF2E49E4}
HKEY_CLASSES_ROOT\CLSID\{000006B1-19B5-414A-849F-2A3C64AE6939}
HKEY_CLASSES_ROOT\CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}
HKEY_CLASSES_ROOT\CLSID\{00000097-7C67-4BA6-8B42-05128941688A}
HKEY_CLASSES_ROOT\CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}
HKEY_CLASSES_ROOT\CLSID\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
HKEY_CLASSES_ROOT\CLSID\{00000026-8735-428D-B81F-DD098223B25F}
HKEY_CLASSES_ROOT\Interface\{94984402-B480-45C7-AD2D-84E5EB52CFCD}
HKEY_CLASSES_ROOT\Interface\{C45C774D-5ECC-4D9E-94E1-AC57189C4435}
HKEY_CLASSES_ROOT\Interface\{C08175C6-B2B2-47FC-AF1A-32F77A6CB673}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
HKEY_CLASSES_ROOT\Interface\{59EBB576-CEB0-42FA-9917-DA6254A275AD}
HKEY_CLASSES_ROOT\Interface\{4534CD6B-59D6-43FD-864B-06A0D843444A}
HKEY_CLASSES_ROOT\Interface\{72322CE2-D1C1-423E-9748-FF7E7F1E47C3}
HKEY_CLASSES_ROOT\TypeLib\{2390AAA5-E65C-4404-BD3B-3A9EAC22C0A5}
HKEY_CLASSES_ROOT\TypeLib\{BBE6D461-41FC-4100-A629-B9D2162BEFAA}
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
HKEY_CLASSES_ROOT\TypeLib\{8E0D8965-B97B-468D-8306-A05929E439C1}
HKEY_CLASSES_ROOT\TypeLib\{230C3786-1C2C-45BD-9D2D-9D277FCE6289}
HKEY_CLASSES_ROOT\TypeLib\{690BCCB4-6B83-4203-AE77-038C116594EC}
HKEY_CLASSES_ROOT\TypeLib\{09049E4F-8D9E-4C8A-A952-5BAF1A115C59}
HKEY_CLASSES_ROOT\BiDll.BiDllObj.1
HKEY_CLASSES_ROOT\MxTarget.MxTargetDllObj.1
HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj
HKEY_CLASSES_ROOT\BTGrabDll.BTGrabDllObj.1
HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj
HKEY_CLASSES_ROOT\DLMaxDll.DLMaxDllObj.1
HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj
HKEY_CLASSES_ROOT\sPeerDll.sPeerDllObj.1
HKEY_CLASSES_ROOT\VoiceIPDll.VoiceIPDllObj.1
HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj
HKEY_CLASSES_ROOT\sPeer2Dll.sPeer2DllObj.1
HKEY_CLASSES_ROOT\PynixDll.PynixDllObj
HKEY_CLASSES_ROOT\PynixDll.PynixDllObj.1
HKEY_CLASSES_ROOT\VX2.VX20BJ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000097-7C67-4BA6-8B42-05128941688A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-F09C-02B4-6EC2-AD0300000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-59D4-4008-9058-080011001200}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4DD4-BE4F-7566D2314352}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000035-92F8-407F-98A5-7D8ADA59B6BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}
HKEY_CURRENT_USER\Software\DLMax
HKEY_CURRENT_USER\Software\MxTarget
HKEY_CURRENT_USER\Software\BTGrab
HKEY_CURRENT_USER\Software\VoiceIP
HKEY_CURRENT_USER\Software\morphacl
HKEY_CURRENT_USER\Software\speer
HKEY_CURRENT_USER\Software\speer2
HKEY_CURRENT_USER\Software\pynix
HKEY_CLASSES_ROOT\AppID\XParam.DLL
HKEY_CLASSES_ROOT\AppID\{4D980B0A-C3EF-4965-A58F-7F64F3B42E79}
HKEY_CLASSES_ROOT\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740}
HKEY_CLASSES_ROOT\Interface\{19C8E563-D989-47CE-BED8-EA72B5EB62D6}
HKEY_CLASSES_ROOT\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776}
HKEY_CLASSES_ROOT\XParam.XParamObj
HKEY_CLASSES_ROOT\XParam.XParamObj.1



After running the removal tool, go to start then run and
type:


prefetch


delete the contents of this folder



Run Ccleaner on all 3 settings (windows, applications &
issues) and clear anything found.


Reboot


That should remove BTGrab and any related files, but let
me know if you have problems. Re-enable system restore if
you are clean again.


Regards Andy
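Andy's checklist above comes down to three questions: is a Transponder Browser Helper Object still registered, which DLL does that registration point to, and is the DLL actually on disk? The script below, added here as an example and not part of any post in this thread, asks all three in one pass from the defender's side. The only values taken from the thread are the seven Browser Helper Object CLSIDs in Andy's registry list and the BTGrab.dll path; the function names, the offline fake-registry backend and the sample entries are constructed for the example.

```python
"""Audit Internet Explorer Browser Helper Objects (BHOs): list every BHO
registered under HKLM, resolve the DLL each one loads via its CLSID's
InprocServer32 key, and flag CLSIDs from the thread's Transponder list or
registrations whose DLL is not on disk (a key with no file behind it is a
leftover, not a running BHO).

On Windows the WinRegistry backend reads the live registry; elsewhere the
DictRegistry backend runs the same audit against constructed sample data.
"""
import os

# Browser Helper Object CLSIDs from the thread's registry list (upper-case).
KNOWN_TRANSPONDER_CLSIDS = {
    "{00000097-7C67-4BA6-8B42-05128941688A}",
    "{000006B1-19B5-414A-849F-2A3C64AE6939}",
    "{00000000-F09C-02B4-6EC2-AD0300000000}",
    "{00000000-59D4-4008-9058-080011001200}",
    "{00000250-0320-4DD4-BE4F-7566D2314352}",
    "{00000035-92F8-407F-98A5-7D8ADA59B6BB}",
    "{00000026-8735-428D-B81F-DD098223B25F}",
}

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


class DictRegistry:
    """Offline stand-in for the registry: {hive: {subkey path: {value: data}}}.
    Paths compare case-insensitively like the real registry; the value name
    "" stands for the (Default) value. Constructed for this example."""

    def __init__(self, hives):
        self.hives = hives

    def _lookup(self, hive, path):
        target = path.lower()
        for key, values in self.hives.get(hive, {}).items():
            if key.lower() == target:
                return values
        return None

    def subkeys(self, hive, path):
        prefix = path.lower().rstrip("\\") + "\\"
        return sorted({k[len(prefix):].split("\\", 1)[0]
                       for k in self.hives.get(hive, {}) if k.lower().startswith(prefix)})

    def default_value(self, hive, path):
        values = self._lookup(hive, path)
        return None if values is None else values.get("")


class WinRegistry:
    """Same interface backed by the live registry (Windows only)."""

    def __init__(self):
        import winreg
        self.w = winreg
        self.roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCR": winreg.HKEY_CLASSES_ROOT}

    def subkeys(self, hive, path):
        names = []
        try:
            with self.w.OpenKey(self.roots[hive], path) as key:
                index = 0
                while True:
                    try:
                        names.append(self.w.EnumKey(key, index))
                        index += 1
                    except OSError:   # no more subkeys
                        break
        except OSError:               # key absent: no BHOs registered
            pass
        return names

    def default_value(self, hive, path):
        try:
            with self.w.OpenKey(self.roots[hive], path) as key:
                return self.w.QueryValueEx(key, "")[0]
        except OSError:
            return None


def audit_bhos(registry, file_exists=os.path.exists):
    """Return one record per registered BHO: its CLSID, the DLL it loads
    (None if the CLSID has no InprocServer32 key) and a list of findings."""
    findings = []
    for clsid in registry.subkeys("HKLM", BHO_KEY):
        dll = registry.default_value("HKCR", r"CLSID\%s\InprocServer32" % clsid)
        flags = []
        if clsid.upper() in KNOWN_TRANSPONDER_CLSIDS:
            flags.append("CLSID matches Transponder list")
        if dll is None:
            flags.append("no InprocServer32 entry: BHO registered but nothing to load")
        elif not file_exists(os.path.expandvars(dll)):   # expands %SystemRoot% etc. on Windows
            flags.append("DLL missing on disk: stale registration, not a live BHO")
        findings.append({"clsid": clsid, "dll": dll, "flags": flags})
    return findings


def demo_audit():
    """Run the audit on constructed data: an ordinary BHO whose DLL exists, a
    Transponder CLSID from the thread whose BTGrab.dll is not on disk, and a
    BHO entry with no server key at all. The placeholder CLSIDs are made up."""
    transponder = "{00000097-7C67-4BA6-8B42-05128941688A}"   # from the thread
    benign = "{11111111-2222-3333-4444-555555555555}"        # constructed placeholder
    orphan = "{66666666-7777-8888-9999-000000000000}"        # constructed placeholder
    registry = DictRegistry({
        "HKLM": {BHO_KEY + "\\" + benign: {},
                 BHO_KEY + "\\" + transponder: {},
                 BHO_KEY + "\\" + orphan: {}},
        "HKCR": {r"CLSID\%s\InprocServer32" % benign: {"": r"C:\Program Files\Example\helper.dll"},
                 r"CLSID\%s\InprocServer32" % transponder: {"": r"c:\WINDOWS\system32\BTGrab.dll"}},
    })
    on_disk = {r"c:\program files\example\helper.dll"}        # constructed file system
    return audit_bhos(registry, file_exists=lambda p: p.lower() in on_disk)


if __name__ == "__main__":
    try:
        import winreg  # noqa: F401  (only present on Windows)
        results = audit_bhos(WinRegistry())
    except ImportError:
        results = demo_audit()
    for record in results:
        print(record["clsid"], record["dll"], "; ".join(record["flags"]) or "ok")
```

On a 64-bit Windows install, 32-bit Internet Explorer also reads the BHO list under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, so run the audit against that key as well. A CLSID that is registered but resolves to a missing DLL is exactly the case where Andy's "search for the file" step matters: the registry leftover can be cleaned up, but nothing is being loaded into the browser.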
 
Guest

Tom,
I visited the Trend Micro website. Thanks.

Disabled system restore, went to safe mode, went into the
registry, followed the instructions to the letter, and
none of those keys or values are in the registry folders
to which they pointed. That was the third or fourth time
I've tried finding those various items in my registry...
still no luck. But thanks. I also ran their free scan
of my system and got the message "congratulations... your
system is clean" or something to that effect.

Now I'm going to sign offline, run Aluria again and see
if it's still there (it was just before I came here).

If Transponder.BTGrab IS still there, (and I'd expect it
is) then I may start getting REALLY suspicious that the
trojan could actually be bundled with Aluria's software!

Weirder things have happened.
 
AndyManc

Nice work plun !


So that means the .dll isn't registered anymore; still
try searching for the file and running the symantec
remover with system restore turned off to remove other
possible entries, clear the prefetch folder and run
Ccleaner. Let me know if it still exists after that.


Andy
 
Guest

Andy,

Thanks, but I'm sorry to report that it only worked until
I tried to update Aluria. I followed your instructions
to the letter -- twice, actually -- and the file
BTGrab.dll was not found. I ran the cleaner four times
on all three settings... basically, I did everything.

Now I'm thinking that your instructions were probably the
exact process that *would have* erased the transponder,
but there must be another problem I'm just not seeing.
And the first thing that popped into my mind was the fact
that after running through your instructions I then ran a
scan with MSAS -- no spyware found -- and another scan
with Spybot S&D -- again, no spyware found -- and finally
a scan with Aluria -- voila! no spyware found! At that
point I was thinking things like, "Got to tell the wife
we need to have a son... name him Andy..."

But -- and here's the kicker -- I decided to check for an
update to my Aluria program, so I clicked the "updates"
button in the program, and the window popped up to tell
me there are "no updates available". So just to satisfy
my curiosity, I ran one more scan using Aluria -- voila!
It found that Transponder.BTGrab trojan again!

Now I'm wondering if Aluria software is infected... sort
of a mule for that transponder. The ONLY connection that
I had to the internet between the times I ran the first
scan with Aluria and the second one with Aluria was my
connection when I tried to update their software.

By the way, the Symantec scan did NOT find any indication
of BetterInternet spyware/trojans on my computer.

It's definitely getting curiouser and curiouser...

Thanks for taking the time to help... this one's a doozy.
 
AndyManchesta

Hi again


It's good news that Symantec's remover found nothing and you
couldn't find the file: it means it doesn't exist!

The issue is clearly with Aluria. I did some searching and
found this:

----------------------------------------------------------

Aluria (Prog 1.0.23 - Scan Eng. v1.02.14 - Def. Ver. 5-27-
2005) has suddenly detected Transponder.BTGrab (Cookie)
and many variants. The variants are every cookie in my
Cookie directory. When I have Aluria remove
Transponder.BTGrab it also removes all of the cookies. It
indicates that the problem is removed but each time I run
Aluria the Transponder.BTGrab is there and all of the new
cookies are listed as variants. I have looked everywhere
for an explanation and manual removal of the culprit and
have been unsuccessful. Anyone have any suggestions?
Thanks, Mike

mallison
------------------------------------------------------------
2005.06.07, 01:07 PM
AluriaKetema
Super Moderator Join Date: May 2005
Posts: 13

Known Issue


We are aware of this issue with Transponder.BTGrab and
are working to have it fixed ASAP. For now simply ignore
the cookie being labeled as BTGrab.

----------------------------------------------------------



You can read the above letter here :


http://www.aluriasoftware.com/forum/thread844.html




And here's the main forum page :

http://www.aluriasoftware.com/forum/





I'm glad you worked through all the steps, as you can be
confident it doesn't exist, and after finding the above on
Aluria's site it's safe to say it's a false positive.



Regards


Andy Manc
 
Guest

Thanks Andy,

I'd read that thread on the Aluria message board before,
but assumed that their advice to ignore it meant that the
people at Aluria were working on a fix, but hadn't come
up with it yet.

Well okay then... I'll just ignore it.

Thanks again for your help (and thanks to plun and Tom
and others who also offered their help!)
 
Guest

Thank you for pointing me to that article!

NOW it makes sense WHY a trojan from BetterInternet would
continue showing up in my scans and WHY Aluria's advice
would be just to "ignore it".

My guess would be that Aluria's programmers are creating
a new bundle for another new partner -- BetterInternet --
and if so, then I wouldn't be surprised if they included
it as part of their next update.

After I leave this message board I'm going into Safe Mode
and deleting Aluria software. Some might say that could
be a drastic solution, but I'm not willing to take the
risk, as well as unhappy with their covertly open-ended
advice to "ignore it" (without further explanation) when
it applies to one of the most notorious groups of spyware
promulgators on the web... I simply won't support it!

Thank you again for your help.
 
plun

(e-mail address removed) expressed precisely :
Thanks again for your help (and thanks to plun and Tom
and others who also offered their help!)

No probs ;)

Transponders and cookies............ but that is a complete
different story ! Maybe something for MS to look at ;)
 
AndyManchesta

No problem glad to help ,

You really should contact Aluria. I've never used them
myself, but if you have paid for the remover I don't think
it's acceptable that it keeps showing your system as
BTGrab infected.

Looking at their forum, the first impression is that they
do not answer most letters that say anything bad about the
product, but maybe they just don't have the answers.


Try emailing them direct for an answer:



(e-mail address removed).

(e-mail address removed)



If you don't get a reply then maybe phone them to see how
long it's going to take to fix.


Aluria Software
725 Primera Blvd
Suite 220
Lake Mary, FL 32746

Customer Service
For general questions about Aluria Software Products,
such as registration or billing, please call Customer
Service.
Phone: 1.888.627.4650 (option 1)
International: 1.407.833.8700
Fax: 1.407.833.8500


Spyware Hotline
For Spyware Related issues or questions, or to report new
spyware, please call the Spyware Hotline.
Phone: 1.888.627.4650 (option 2)
International: 1.407.833.8700
Fax: 1.407.833.8500



Regards


Andy
 