Written by: David Middleton < >

Created Aug 24 2001, modified Aug 24 2001

I have recently come across an ingenious but insidious ad program. I am not the only one who uses the computer that I found it on so I can’t say where it came from. I am going to call the program transponder after the registry entry that it makes. I have not fully torn it apart, but I do have a good idea of how it works. I also have a good idea of how to remove it.

Transponder is an adware program that causes pop-up banners to open while you surf the web. The ingenious part (I think) is that it uses a counter that counts down as you surf and back up to a maximum of 700 as you sit idle. If you do not surf enough, or if you surf too slow, ads don’t come up. When you surf fast, and the counter hits zero, an ad pops open. This helps to hide the program because you are not sure which page launched the ad. Of course if you are an Internet developer like myself, and are checking links on a site that you know has no pop-ups (or ads), their stealth tricks don’t help them.

After I found that I had a stealth adware program on my computer I ran ad-aware, and zone alarm and neither one found anything. Positive that the program was there I searched for hours until I found it. I first found transponder in the registry, but I was stopped there as some of the fields are encrypted. Here is a copy of the registry entry under HKEY_LOCAL_MACHINE\Software\Transponder:

"DistID"="C3005Octav"
"InstID"="{91C3F649-8116-11D5-80EE-00A0244A4DF1}"
"HighestListIndex"=dword:0000010f
"MesgDisplayCounter"=dword:000002b7
"CustomerInsurance"=dword:00000000
"EventCounter"=dword:000031da
"TransMesgCounter"=dword:00000070
"Status"=dword:00000002
"BatchTrigger"=dword:00001388
"SysInfoTrigger"=dword:000001f4
"MotsThreshold"=dword:00000014
"LastAdCode"="1"
"LastAdTime"="997503193|0|997295177|0"
"CountryCode"="US"
"SEndPoint"="’›–‚ÀÀ͆ˆŽŒ�™›ŽÜ˜ƒƒ‘‘œ–�”Š†“ŽŽÌœŸ›Í�–Ž�™‰›�œŸÀ‘—ˆ™Ž—ŽÀ€›�‘±›ŽÍ"
"CEndPointHost"="‰Ÿ—†”†‰Ü˜ƒƒ‘‘œ–�”Š†“ŽŽÌœ‡†"
"CEndPointPath"="Õ�Ž“™„‘†•�‡Ý‰Š�„–Š–Ý¿™‡œŽ§ƒœžƒ‡€"

The next thing that I did was run a sniffer on the network while I triggered an ad. Transponder sent a request to its server, received a response and popped an ad open. I found that the transponder server sends the information to my computer as to which ad to open. I also found a reporting page that stated transponder had served about 350,000 ads in the last six hours. Wow! Satisfied that I found what I was looking for I removed the entry from the registry and though my trouble was over. That was until something added transponder to the registry again. Realizing that there must be another file that helps transponder communicate with IE I did a find files containing text: transponder on my local drives hoping to find it. I found a file called IEHelper.dll and it just looked too suspicious. I went to MSDos mode and renamed the file to IEHelper.dl_ and restarted windows. I then removed the transponder entry from the registry (again) and everything has been fine since.

So in summary to remove transponder you should:

1. Boot you computer in MSDos mode and change c:\windows\system Iehelper.dll to something like Iehelper.dl_ or Iehelper.bak
2. boot windows and run regedit and under HKEY_LOCAL_MACHINE\Software remove the entire section called transponder.

P.S. Here is the information from the siniffer: