Transponder AdWare program

Written by: David Middleton < >
Created Aug 24 2001, modified Aug 24 2001
I have recently come across an ingenious but insidious ad program. I am not the only one who uses the computer that I found it on so I can’t say where it came from. I am going to call the program transponder after the registry entry that it makes. I have not fully torn it apart, but I do have a good idea of how it works. I also have a good idea of how to remove it.

Transponder is an adware program that causes pop-up banners to open while you surf the web. The ingenious part (I think) is that it uses a counter that counts down as you surf and back up to a maximum of 700 as you sit idle. If you do not surf enough, or if you surf too slowly, ads don’t come up. When you surf fast, and the counter hits zero, an ad pops open. This helps to hide the program because you are not sure which page launched the ad. Of course if you are an Internet developer like myself, and are checking links on a site that you know has no pop-ups (or ads), their stealth tricks don’t help them.

After I found that I had a stealth adware program on my computer I ran Ad-aware and ZoneAlarm, and neither one found anything. Positive that the program was there, I searched for hours until I found it. I first found transponder in the registry, but I was stopped there as some of the fields are encrypted. Here is a copy of the registry entry under HKEY_LOCAL_MACHINE\Software\Transponder:


The next thing that I did was run a sniffer on the network while I triggered an ad. Transponder sent a request to its server, received a response and popped an ad open. I found that the transponder server sends the information to my computer as to which ad to open. I also found a reporting page that stated transponder had served about 350,000 ads in the last six hours. Wow! Satisfied that I had found what I was looking for, I removed the entry from the registry and thought my trouble was over. That was until something added transponder to the registry again. Realizing that there must be another file that helps transponder communicate with IE, I did a "find files containing text: transponder" on my local drives hoping to find it. I found a file called IEHelper.dll and it just looked too suspicious. I went to MS-DOS mode and renamed the file to IEHelper.dl_ and restarted Windows. I then removed the transponder entry from the registry (again) and everything has been fine since.

So in summary to remove transponder you should:

  1. Boot your computer in MS-DOS mode and rename c:\windows\system\Iehelper.dll to something like Iehelper.dl_ or Iehelper.bak
  2. Boot Windows, run regedit, and under HKEY_LOCAL_MACHINE\Software remove the entire key called Transponder.

If you just want to see if you have it, look under HKEY_LOCAL_MACHINE\Software for a key called Transponder.

Now all I have to do is de-compile the dll and find out how they did what they did. I’ll save that for another day.

I hope that this information helps, David Middleton

P.S. Here is the information from the sniffer:

Date: Mon, 13 Aug 2001 17:25:39 GMT
Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) Resin/2.0.0 mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

464
<hr><b>General Configuration Pairs</b>||
batchtrigger=5000
cendpointpath=/blackstone/servlet/EventHandler
countrycodeout=US
customerinsurance=3
motsthreshold=20
nextcheckin=700
sendpoint=
status=2
sysinfotrigger=500
<br><b>Context Adds and Deletes</b>||||||||||||||||||||||||||||||||
<br><b>Ad Control Pairs</b>
adcode=1
adfocus=0
adheight=350
adplacement=2
adtime=997723539|0|0|0
adurl=
adwidth=550
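As an added example (my own code, not part of David's write-up or of the adware itself), here is a small Python parser for the configuration-pairs body shown in the capture above. It splits the response into its three sections and pulls out the values a defender would want to log, such as the nextcheckin value (700, matching the idle-counter maximum described earlier) and the adurl the server pushes. The sample body is constructed from the capture; the section names and keys are taken from it.

```python
import re

# Constructed from the response body in the sniffer capture above. The
# leading chunk-size token ("464") and the HTML section markers are kept
# exactly as captured so the parser has to cope with them.
SAMPLE_BODY = (
    "464 <hr><b>General Configuration Pairs</b>|| batchtrigger=5000 "
    "cendpointpath=/blackstone/servlet/EventHandler countrycodeout=US "
    "customerinsurance=3 motsthreshold=20 nextcheckin=700 sendpoint= status=2 "
    "sysinfotrigger=500 <br><b>Context Adds and Deletes</b>"
    "|||||||||||||||||||||||||||||||| <br><b>Ad Control Pairs</b> adcode=1 "
    "adfocus=0 adheight=350 adplacement=2 adtime=997723539|0|0|0 adurl= "
    "adwidth=550"
)

# Each section is introduced by a <b>...</b> heading in the body.
SECTION_RE = re.compile(r"<b>([^<]+)</b>")


def parse_config_pairs(body):
    """Split a Transponder response body into {section: {key: value}}.

    Each section's text is a run of key=value tokens separated by whitespace.
    Values may be empty (sendpoint=, adurl=) and may contain '|' themselves
    (adtime=...|0|0|0), so only the first '=' is used as the separator.
    Tokens without '=' (<hr>, <br>, the chunk size, runs of '|') are debris
    and are dropped.
    """
    parts = SECTION_RE.split(body)
    # parts = [preamble, name1, text1, name2, text2, ...]
    sections = {}
    for name, text in zip(parts[1::2], parts[2::2]):
        pairs = {}
        for token in text.split():
            if "=" not in token:
                continue
            key, _, value = token.partition("=")
            pairs[key] = value
        sections[name.strip()] = pairs
    return sections


def ad_timing(config):
    """Return (nextcheckin counter maximum, pushed ad URL) from a parsed body."""
    general = config.get("General Configuration Pairs", {})
    ad = config.get("Ad Control Pairs", {})
    return int(general.get("nextcheckin", 0)), ad.get("adurl", "")
```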
