
Advertising Spyware: Blackstone Data Transponder and its derivatives






It is hard to tell where this piece of spyware originated. It was first seen as Blackstone Data's Transponder, but repackaged versions of the same product are popping up under several different companies. It is currently distributed under these names:


According to the VX2 website:

The software goes along with the user of the software as they are surfing around the web and builds reports on the activity.
The software monitors the click stream activity of the consumer and communicates with servers.
The software monitors some activity of the PC and communicates with servers.
It is a Browser Helper Object that is distributed with unknown third-party software, including AudioGalaxy Satellite. While the user is browsing the Web, it will pop up advertisements based on what page is being visited, what's being searched for, how quickly the user is surfing, etc. Transponder's ad-displaying algorithm appears to weight the occurrence of ads in such a way that they appear to come from the page(s) being visited.
 
 

For the remainder of this document, the terms "VX2", "Transponder", etc. will be used interchangeably to refer to this class of spyware product.





Removal Procedures

Since the product is supplied by several companies with minor changes, first you must determine which you are infected with. We strongly recommend using one of these spyware removal tools to remove this parasite, as they can painlessly detect and remove all the known variants. Or, please use one of the links below to jump to the removal procedure for the particular distribution that appears on your system.

VX2 RespondMiter (VX2.dll) (installed by AudioGalaxy, iMesh and others)
Blackstone Data Transponder (IEHelper.dll)
AADCOM: Please follow Transponder instructions.
NetPal
TPS108.DLL


VX2 RespondMiter Removal Procedure
Select VX2 in the Windows Add/Remove Programs dialogue, located in Control Panel, and press Add/Remove.

If this entry is not present, do the following:

  1. Close Internet Explorer if running.
  2. Search for and delete all copies of VX2.dll. Use Windows' Find File dialogue to find all copies.
If one or more copies cannot be deleted (file in use)...

Easy Way:

  1. Use "Find..." to locate VX2.dll on your system. Note the path where it is installed (e.g. C:\Windows\VX2.dll).
  2. Select Start > Run, and type the following:

       regsvr32 /u "C:\Windows\VX2.dll"

     replacing C:\Windows\VX2.dll with the path you noted earlier. (You should then see a message window such as "DllUnregisterServer in C:\Windows\VX2.dll succeeded.")
  3. Delete VX2.dll.


Hard Way: (from VX2 web site)

  1. Start Registry Editor. To do this, select “Start” and then “Run” and type “regedit” in the Run box that appears.
  2. Delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} and any associated values. This is most easily accomplished by pressing F3 to bring up the Search dialogue, and typing in part of the number in {}'s. After verifying that it is the correct key, press Delete to remove it. You may need to press F3 again until all occurrences are found.
  3. Restart the computer and delete all copies of VX2 that could not be deleted before.

Blackstone Data Transponder Removal Procedure

This is the official uninstall information from the Blackstone docs, with some formatting and grammatical fixups to improve readability.
 
Each step is followed by the result you should expect to see.

  1. Click "Start" in the task bar, then select "Control Panel".
     Expected result: The "Control Panel" window is opened.
  2. In the "Control Panel" window select "ADD/REMOVE Programs" and look for "BlackStone".
     Expected result: "BlackStone" should be found in "ADD/REMOVE Programs".
  3. If "BlackStone" is found, select it and click the "Remove" button to remove it.
     Expected result: "BlackStone" should be removed.
  4. If "BlackStone" is not present in "ADD/REMOVE Programs", close any open Web browsers.
     Expected result: All browsers should be closed.
  5. Click "Start", select the Search button and search for "IEHelper.dll" on the C: drive.
     Expected result: The "IEHelper.dll" file should be found.
  6. Delete "IEHelper.dll".
     Expected result: The "IEHelper.dll" file should be deleted.
  7. Click "Start", select the Search button and search for "domlst.cch" on the C: drive.
     Expected result: The "domlst.cch" file should be found.
  8. Delete "domlst.cch".
     Expected result: "domlst.cch" should be deleted.
  9. If the system does not permit the file to be deleted, select "Start", then select "Run", type "regedit" and press "OK".
     Expected result: A new "Registry Editor" window is opened.
  10. In the left side of the Registry Editor, expand the key and its subkeys as follows:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
      Expected result: You should find the "{00000000-5eb9-11d5-9d45-009027c14662}" key.
  11. Delete the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}
      Expected result: The key is deleted.
  12. Reboot the computer. Click "Start", then click "Search". Search for "IEHelper.dll".
      Expected result: You should be able to find the "IEHelper.dll" file now.
  13. Now delete IEHelper.dll.
      Expected result: "IEHelper.dll" should be deletable now.
  14. Reboot the computer now, and search again for "IEHelper.dll".
      Expected result: You should not be able to find the "IEHelper.dll" file anywhere on your system.
  15. Click the Start button on the task bar and click "Run...".
      Expected result: A Run window is opened at the bottom left corner of the desktop.
  16. Type "regedit" in the Run window and press "OK".
      Expected result: A new "Registry Editor" window is opened.
  17. Search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662}. If the key is still found, proceed to the next step.
      Expected result: You should not find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-5eb9-11d5-9d45-009027c14662} key.
  18. Follow steps 5 through 10 again.
      Expected result: This time the uninstall succeeds. It may be a good idea to check by repeating steps 1 through 17.


NetPal Removal Procedure
The NetPalNow site now provides a removal utility for its trash.

Unfortunately, Net Pal seems to really take VX2's capabilities up on the offer of installing more spyware -- whether the removal utility also wipes out the third-party spyware downloaded by NetPal remains to be seen. At the time of this writing, there are several additional components installed [ClickTheButton, yourspecialoffers.com, FavoriteMan, and an unknown start page hijacker], and probably more I don't know about. Also, it is difficult to determine which files and Registry keys belong to which spyware.
There is not a verified removal procedure as of yet. If you are an advanced user, you can try the following and see if it works:

Remove the following Registry entries:

Transponder keys

(Unknown product) - may be part of the above

FavoriteMan keys

Restart the computer, then search for and delete the following files:

VX2/Transponder files

(Unknown product)

FavoriteMan files


This information is thanks to Andrew, Jerry, and posts on the Lavasoft forums.

TPS108 Removal Procedure

Easy Way: (follows the VX2.DLL removal procedure)

  1. Use "Find..." to locate tps108.dll on your system. Note the path where it is installed (e.g. C:\Windows\tps108.dll).
  2. Select Start > Run, and type the following:

       regsvr32 /u "C:\Windows\tps108.dll"

     replacing C:\Windows\tps108.dll with the path you noted earlier. (You should then see a message window such as "DllUnregisterServer in C:\Windows\tps108.dll succeeded.")
  3. Delete tps108.dll.


Hard Way: (from their Web site)

To remove TPS108:
 

  1. From the control Panel select ADD/REMOVE Programs.

  2. Select TPS108 and Remove.


If TPS108 is not present:
 

  1. Close all the internet explorer browsers.
  2. Search your "C" drive for TPS108.dll.
  3. Delete TPS108.dll.


If the system does not permit the file to be deleted proceed
as follows:
 

  1. Select "Start" and then "Run" and type "regedit".
  2. Find the entry named HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ and delete the "{0000026A-8230-4DD4-BE4F-6889D1E74167}" entry under it.
  3. Reboot the computer.
  4. Search your "C" drive for TPS108.dll.
  5. Delete TPS108.dll.
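All three removal procedures above come down to the same thing: a Browser Helper Object registered under HKEY_LOCAL_MACHINE\...\Browser Helper Objects\{CLSID}, whose DLL is then unregistered and deleted. The following PowerShell script is an added audit check (not from the page and not a vendor tool) that lists every BHO registered on a machine, resolves each CLSID to the DLL it loads via HKCR\CLSID\{CLSID}\InprocServer32, and flags the two CLSIDs and three file names this page names; the WOW6432Node paths are an assumption for 32-bit IE on 64-bit Windows, which the page predates. It only reports and prints the regsvr32 /u command for review; it deletes nothing.

```powershell
# Added audit script (not part of the original page): enumerate registered Browser
# Helper Objects, resolve each CLSID to its DLL, and flag the CLSIDs and file names
# this page associates with VX2 / Blackstone Transponder / TPS108. Report only.
# Run from an elevated PowerShell prompt.

$KnownBadClsids = @{
    '{00000000-5eb9-11d5-9d45-009027c14662}' = 'VX2 RespondMiter / Blackstone Transponder'
    '{0000026A-8230-4DD4-BE4F-6889D1E74167}' = 'TPS108'
}
$KnownBadFiles = @('vx2.dll', 'iehelper.dll', 'tps108.dll')

# Second path (assumption) covers 32-bit IE BHOs on 64-bit Windows.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The CLSID's InprocServer32 default value is the DLL Internet Explorer loads.
    foreach ($root in @('Registry::HKEY_CLASSES_ROOT\CLSID',
                        'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID')) {
        $server = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $server) {
            $path = (Get-ItemProperty -Path $server).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

$findings = foreach ($root in $BhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $clsid   = $key.PSChildName
        $dll     = Resolve-BhoDll -Clsid $clsid
        $reasons = @()
        # Hashtable string keys are case-insensitive, so GUID casing does not matter.
        if ($KnownBadClsids.ContainsKey($clsid)) { $reasons += "known CLSID: $($KnownBadClsids[$clsid])" }
        if ($dll -and ($KnownBadFiles -contains ([IO.Path]::GetFileName($dll).ToLower()))) {
            $reasons += 'known file name'
        }
        [pscustomobject]@{
            Root       = $root
            CLSID      = $clsid
            DLL        = $dll
            DllExists  = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

$findings | Format-Table CLSID, DLL, DllExists, Suspicious, Reason -AutoSize

# For each flagged BHO, show the unregister command the "Easy Way" uses and the
# registry key the "Hard Way" deletes, so the operator can review before acting.
foreach ($f in $findings | Where-Object Suspicious) {
    Write-Host "Suspicious BHO $($f.CLSID) -> $($f.DLL)"
    if ($f.DLL) { Write-Host "  To unregister: regsvr32 /u `"$($f.DLL)`"" }
    Write-Host "  Registry key : $($f.Root)\$($f.CLSID)"
}
```

A BHO whose CLSID resolves to no DLL, or to a DLL that no longer exists on disk, is a leftover registration worth cleaning up as well.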


Privacy Concerns

The software covertly collects all sorts of information about your Web surfing habits, including lists of Web sites you visit (and even sites you've visited before installing their software), any terms you enter into a search engine, and contents of online forms--including "secure" forms using SSL encryption(!). The company has the audacity to claim that this is done "in order to save you the time and trouble of submitting such information to us yourself". It also stores cookies to persistently identify you across sessions.

The software collects and transmits your full name and e-mail address as used by the Outlook mail client. It also transmits back a laundry list of information about your system, which is described in more detail below. Finally, the software transmits details about your interaction with the software.

The software also includes an auto-update capability with the stated purpose of updating not only the VX2 spyware itself, but also installing additional third-party programs, including additional spyware.


Information Gathered by Transponder

Upon its first load, VX2.dll will look for a file in your Windows directory called oeminfo.ini. If present, this file contains information about your computer provided by the OEM--who you bought it from, serial #/etc., processor and configuration, tech support info, and maybe your name. (IIRC, this information is displayed if you go to Start > Settings > ControlPanel > System and view the first tab.) More information about the oeminfo.ini file is available here.

Transponder then connects to sputnik.vx2.cc and transmits data. The information transmitted includes, but is not limited to, the following:
 

On first connection, or when triggered remotely:
The data transmission is most likely encoded (sample). At intervals after the initial contact, the software will perform at least two types of "calling home": the ROUTINE_CHECKIN and MOTS_CHECKIN (Message Of The Session checkin) to a server starting with transctl*. (These include transctl*.blackstonedata.net, transctl*.vx2.cc, etc.) Each checkin request transmits the user's country code, a cookie data string, a tracking GUID that was created during its installation, the software that installed the spyware, and its version number. Some other checkin "modes" exist but have not been observed in action.

A stated purpose of the information Transponder gathers is to send direct mail (a.k.a. spam), possibly with the help of NetGeo (see later). I am guessing this to mean Outlook users (or former Outlook users) will get more spam thanks to this spyware.

In the Privacy Policy, VX2 asserts "We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords." Examining the spyware's source code (more on that later as well), the "technical measures" are the following:

In either case, the field is overwritten with X's before transmitting. Interestingly, VX2 passes the buck when the high-precision (sarcasm intended) password check fails, by stating that surfing with their spyware "may result in some personal information being included in URL data [...] Such instances are rare and are the result of poor security practices by these third party websites."  I get the feeling many third-party Web sites would beg to differ. (As if Blackstone has any right to talk about poor security practices.)

Portions from the VX2 Privacy Policy as of 10/21/01:

"VX2’s software collects and transmits to VX2’s servers the URLs of the Web pages visited on your browser. URLs are the addresses of the web pages that your browser visits (http://www.VX2.com, for example). The VX2 software collects and maintains information on both current and historical browsing. VX2 will use this information to build a summary of your interests and general web trends.

VX2’s software also collects some information from online forms that you fill out. This information is automatically sent to VX2 in order to save you the time and trouble of submitting such information to us yourself. We have undertaken technical measures to make sure that VX2 never collects credit card numbers, account numbers or passwords. If such data were, despite VX2’s best efforts, ever inadvertently collected VX2 would immediately purge such information from its database.

VX2’s software also collects the query terms entered into search engines. VX2 uses this information to help generate a more complete summary of its users' interests and general internet trends.

When you install VX2’s software, it collects several bits of information about the configuration of your computer. This information includes information about the computer's hardware configuration, such as the amount of free space on your hard drive, and software configuration, such as the version of the operating system. These examples are representative, and the specific information collected may vary from time to time. This information is used to determine whether the VX2 software is compatible with your computer. It may also be used to help generate a more complete summary of your interests when appropriate.

It is possible that, in some instances, the operation of certain third party websites may result in some personal information being included in URL data, which can result in that data being captured in the course of the normal operation of the VX2 software. Such instances are rare and are the result of poor security practices by these third party websites. In the unlikely instance that such information is captured, it may be stored in our database, but it will not be used or disclosed in any manner inconsistent with our Privacy Policy.

Occasionally, VX2 may collect information about your interaction with the VX2 software. This may include information such as how often users use the software. This information is used to access the effectiveness of our products and services. It may be shared with VX2’s partners for the purpose of evaluating the success of marketing programs.

The VX2 software and cookies: The VX2 software uses cookies to identify itself to the VX2 server. The cookie maintains a unique anonymous id for you as a user. We use this information to allow you to opt out of the VX2 service if you so choose. It is also used to organize the information in our database and help our artificial intelligence algorithms to discern the various preferences and interests of each user."

Some other portions are of interest:
"From time to time, VX2 may decide to update it's software in order for it to work at it's peak performance. Upgrades may include third party applications. Certain third party applications may have to be installed in order for the software to work properly. VX2 users are not responsible for these additions and/or updates, they will be done automatically in the background while you are surfing the web in order to cause the least amount of inconvenience to our users as possible."



Security Concerns

Suffice it to say that I would not trust these fools with my grocery list. Those who have already been had by this spyware should be concerned about Blackstone's security practices (or lack thereof) as they pertain to users' personal information.

Much of the information you see below was gathered thanks to bad password security and generally bumbling idiocy on the part of your friendly neighbourhood spyware company. (We did not "hack" into their systems; they gave out their (un-changed software default) admin password complete with detailed online explaining how to log into the administration system :)  I stumbled on them when they came up in Google's search results. If you've ever wanted a sneak peek inside a spyware company, take the .

For a period of a little over a week, Blackstone Data Transponder infectees may have seen this ad campaign, inserted into Blackstone's lineup by my fictional cohort, Jane Morgandorfer. (Think it may have had something to do with Blackstone changing their passwords? :) I deactivated the ad campaign when it caused the load on my server to suddenly quadruple, jumping from about 45k requests/day at that time to 170k. Apparently, Transponder infections are more widespread than I had previously thought.

This graphic, found on a Blackstone cohort's server, appears to give a detailed description of how Transponder works. Beware: apparently, the same idiots who run the Blackstone servers also did the graphic--much of the text is scrunched and very hard to read! The line "Periodic export to warehouse for mining & Direct mail" I found particularly unnerving.

Other in-the-clear files included keyword-hierarchy listings, code signers and what appear to be certificates and private keys (.spc, .pbk, .pvk).

Another anti-spyware advocate wandering Blackstone's unsecured servers obtained the complete C++ source code of the application. This has been very helpful in determining the software's capabilities and possible security concerns.

The newest incarnation, TPS108, was recently discovered among Blackstone's files. Some mild digging leads to an interesting find :)
 


The Bad Guys


Suspected Supporters
 


Transponder Technology

I'm not suggesting ANY guilt on the part of the makers of these third-party tools used by AADCOM/Blackstone/etc. They are general-purpose software that has no apparent connection to these creepy scum.

Ad campaign insertion, management and billing are handled by OASIS (Open-source Ad Serving and Inventory System): http://oasis.sourceforge.net/

Communicating with Sputnik (VX2, yadayada) is done via Java servlets at transctl*.blackstonedata.net and transctl*.vx2.cc, which are for all intents and purposes the same server (e.g. when accessing a bogus file on blackstonedata.net, *.vx2.cc is listed on the 404 error page). The servlets are run with Caucho Technologies' Resin 2.0.2 software: http://www.caucho.com/

The data for OASIS and other things is stored in an SQL database, periodically exported to Mindset Interactive and NetGeo.

Whois Data (further evidence that many of these companies are in fact one and the same)

blackstonedata.com
  Registrant:
  Blackstone Data Corporation (BLACKSTONEDATA-DOM)
     PO Box 27103 C/o VX2 Corporation
     Las Vegas, NV 89126
     US

VX2.cc
  Registrant:
  vx2 (VX52-DOM)
     po box 27103
     Las Vegas, NV 89126
     US

Both list a Hotmail address as their admin, tech. and billing contact.

aadcom.com
  Registrant:
  AADCOM (AADCOM2-DOM)
     34700 Pacific Coast Hwy
     Capistrano Beach, CA 92624
     US

Admin., etc. contact is at internettechcorp.com
 

Transponder Advertisers

These advertisers are currently listed as active in Blackstone's system. However, some of them are test entries and many have invalid billing addresses. A number of these are listed as having unpaid invoices. (Maybe has something to do with the invalid billing addys? :)
 
AADcom.com Ad Power Zone alinq.com alinq468 ARS
Barnes And Noble (test) Bettergolf Bid Clix Casino CasinoOnNet
Civil War Facts Inc (test) creditcardmenu CyberErotica Fast Cash Feature Price
HomeGain JDR Media kentucky Lending Universe LowerMyBills
Magellan Magellan: Team Nova & Trim Life Mindset Opt-In / Opt-Out MyInk.com New York Times (test)
NextCard No Credit Card Needed OASIS OptionHotline Orbitz
Playsys PriceQuotes Pyramid Casino Shockwave Marketing SlickStreet
Steve Smith Test Advertiser TEST PYRAMIDCASINO The Baby Outlet Traffix
TranzAct Media X10.com Zmedia

 


Windows Failure issue associated with Transponder
 
It has been reported to me that a number of users have experienced complete failure of MSIE and Windows Explorer as a result of infection by the Transponder parasite. The common symptoms are that Internet Explorer will not start at all (nothing happens), and trying to restart Windows Explorer only repaints the existing desktop. One such occurrence is reported on a Windows 2000 system. The symptoms cleared up once Transponder/VX2 was removed.

Links
Transponder AdWare Program (Guest)
Information about Transponder (and derivatives)
SpywareInfo: Aadcom
and.doxdesk.com Parasite Detection Script - Alerts you if you have VX2, Toptext, etc. parasites installed!
BHO Cop - Hypnos' article on thehun.net walks you through using BHO Cop to remove Transponder.
Transponder Video from Hypnos - An informative video showing the Transponder parasite in action on an infected system. Note: In the video are pictures of "adult" popup ads--as always, view at your own discretion.


VX2 Homepage - some mentions of what it does and removal info.
 

Credits
Blackstone Data Transponder was and continues to be among the most difficult pieces of spyware to research. This would not be possible without the huge amounts of help and information provided by Robert (dualsmp), Dingo (SpywareInfo), Andrew (and.doxdesk.com) and others, as well as the grc.spyware community. A big thanks to everyone!

If there is anyone I have forgotten, please let me know!



 

"All trademarks are hereby acknowledged as the property of their respective owners." So don't even THINK about suing me :)