How To Clean the Spies In Your Computer?

Manual Spy Bot Removal> BookedSpace

BookedSpace is an Internet Explorer Browser Helper Object used to show advertising.

Free PC Health Check – find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

Variants

BookedSpace / Remanent: early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199.

BookedSpace / BS2 and BookedSpace / BS3: newer revisions (August 2003) with filename bs2.dll or bs3.dll, controlling server [http://www.bookedspace.com].

Distribution

BookedSpace / Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace / BS2 is silently installed by FreeWire's FreeMP3Player. The origin of BookedSpace / BS3 is currently unknown.

Advertising

Yes. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads.

Privacy violation

Yes. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

Security issues

Yes. May download and install third-party software as directed by its controlling server. BookedSpace / BS2 has been seen to install the BargainBuddy, nCase and eBates parasites.

Stability problems

Seems to stop IE address bar searches from working.

Removal

Open a DOS command prompt windows (from Start-> Programs-> Accessories), and enter the following commands, for the Remanent variant:

cd "% WinDir% System"

regsvr32 / u ".. rem00001.dll"

Or, for the BS2 variant:

cd "% WinDir% System"

regsvr32 / u ".. bs2.dll"

Or, for the BS3 variant:

cd "% WinDir% System"

regsvr32 / u ".. bs3.dll"

Next, for BS2 and BS3, open the registry (click 'Start', choose 'Run', enter 'regedit'), find the key HKEY_LOCAL_MACHINE Software Microsoft Windows CurrentVersion Run, and delete the entry 'BookedSpace' BS2 variant) or 'Bsx3' (BS3 variant).

Restart the computer and you should be able to delete the 'rem00001.dll', 'bs2.dll' or 'bs3.dll' file in the Windows folder. You can also open the registry and delete the key HKEY_LOCAL_MACHINE Software Remanent or HKEY_LOCAL_MACHINE_Software BookedExpace to clean up, if you like.

Free PC Health Check – find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

MS Media Player GUID

Overview

MS Media Player GUID is a warning that the Window Media player may transmits an anonymous Global Uniquie IDentifier (GUID) to the streaming servers when you download content.

The following is the information given at Microsoft Security Bulletin MS01-029: "… a potential privacy vulnerability that was recently identified. itself enable a web site to identify the user, it could enable the correlation of user information to potentially build a composite description of the user. " Source

The existence of this GUID on your system may also indicate that your system does not have all critical updates and service packs installed.

Detection

Bazooka Adware and Spyware Scanner detects MS Media Player GUID. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

How to remove the GUID

Go to http://www.windowsupdate.com and install all critical updates and service packs. Go on with the following steps if Bazooka still reports MS Media Player GUID.

Windows Media Player 6.4 users: the privacy setting is selected via a new option, which can be reached by going to the menu item View / Options then selecting the player tab and de-selecting "Allow Internet sites to uniquely identify your player".

Windows Media Player 7.1 users: the privacy setting is toggled through the existing option under the tools menu, on the player tab and deselect the option "Allow Internet sites to uniquely identify your player".
Windows Media Player 9.0 users: Click Tools -> Options -> Privacy, uncheck "Send unique Player ID to content providers."

If Bazooka still reports MS Media Player GUID, go on with the following steps.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Delete 'HKEY_CURRENT_USER Software Microsoft MediaPlayer Player Settings Client ID'.

Exit the registry editor.

Problems uninstalling? Click here.

Please support me

Thank you for using my site. Please help me keep this site and software up-to-date.

Contact information for MS Media Player GUID's vendor
In order to provide correct, accurate and updated information about MS Media Player GUID I encourage the vendor to contact me if any part of this write-up needs a revision.

Free PC Health Check – find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

W32.Backdoor.Nibu

Overview

W32.Backdoor.Nibu is a trojan horse, with many variants. You can read more at Symantec.

Classification

Trojan Horse

Files

load32.exe, Dllreg.exe, Vxdmgr32.exe, Rundllw.exe, patch.exe, netda.exe, swchost.exe

Log references

[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]

Detection

Bazooka Adware and Spyware Scanner detects W32.Backdoor.Nibu. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

Uninstall procedure

Please go to the anti-virus recommendation page. You can find both free products or use one of the trials to remove the virus.

Manual removal

Please follow the instructions below if you would like to remove W32.Backdoor.Nibu manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If W32.Backdoor.Nibu remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Browse to the key:

'HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run'

In the right pane, delete the value called 'load32', if it exists.

Exit the registry editor.

Restart your computer.

Start Windows Explorer and delete:

% SystemDir% swchost.exe

% SystemDir% netda.exe

% SystemDir% load32.exe

Note:% SystemDir% is a variable (?). By default, this is C: Windows System (Windows 95/98 / Me), C: WINNT System32 (Windows NT / 2000), or C: Windows System32 (Windows XP).

Free PC Health Check – find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

FavoriteMan has many variants:

FavoriteMan / Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is http://www.f1organizer.com .

FavoriteMan / F1 installs F1.dll. Data file is SysLdr.dll. Controlling server is http://www.prize4all.com .

FavoriteMan / FOne

FavoriteMan / FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is http://www.f1organizer.com .

FavoriteMan / Ofrg's program file is called ofrg.dll. It stores its data in a file called favboot.dll. Its controlling server is [http://www.yourspecialoffers.com]. FavoriteMan / Favorite installs favorite.dll. Data file is FavMan.dll. Controlling server is also [http://www.yourspecialoffers.com].

FavoriteMan / SpyAssault

FavoriteMan sometimes causes IE to lock up for a variable period of time, sometimes indefinitely, when a new browser process is started. This may be something to do with its trying to contact its servers on startup. Also crashes may occur when very long URLs are used.

How to Remove FavoriteMan?

FavoriteMan / F1 and FavoriteMan / ZZ offer a removal feature: Click Start> Settings> Control Panel> Add / Remove programs, choose 'F1' or 'ZZ' and click 'Remove'.

To manually remove other variants of FavoriteMan:

Unregister FavoriteMan. Open a DOS command prompt window (Click Start> Run, type 'command' (for Windows 98 / Me) or 'cmd' (for Windows 2000 / XP) and enter the following commands:
cd "% WinDir% System"
regsvr32 / u favorite.dll

Note: Change the filename 'favorite.dll' to match the variant you have. This can be ofrg.dll, favorite.dll, lwz.dll, F1.dll, ZZ.dll, mpz300.dll, trk.dll, Gr02.dll, Aess.dll, Ss32.dll or emesx.dll; in in the case of the IMZ variant it will have a random eleven-letter filename. (eg .roallystbr.dll). You can usually find the culprit by opening the System folder choosing View-> Arrange icons by-> Modified, then looking near the bottom of the window.

Restarting the computer.

Delete the program file. The software can be found in the System folder. On Windows 95/98 / Me This is the folder called 'System' in the Windows folder; on Windows NT, 2000 and XP it is called 'System32'. Look for one of the filenames listed above.

Delete the data file favboot.dll, FavMan.dll, SysLdr.dll, mbr32.dll, im64.dll or dlh0st.dll in the same folder (it is not a DLL at all).
Open the registry editor (Start> Run, type regedit), locate the key 'HKEY_CURRENT_USER Software Microsoft Windows', find and delete the entries 'Counter', 'Server' and 'Object' in it.

Free PC Health Check – find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

Online Trojan

Overview

Online Trojan changes your Internet Explorer settings.

Classification

Trojan Horse

Files

svchost.exe, msto32.dll, svchostc.exe, svchosts.exe

Log references

Log 89

Vendor

Unknown

Privacy policy

No privacy policy available.

Detection

Bazooka Adware and Spyware Scanner detects Trojan Online. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

Manual removal

Please follow the instructions below if you would like to remove Online Trojan manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If Online Trojan remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Browse to the key:

'HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run'

In the right pane, delete the value called 'Online Service', if it exists.

Exit the registry editor.

Start Windows Explorer and delete:

% WinDir% svchost.exe

% WinDir% msto32.dll

% SystemDir% svchostc.exe

% SystemDir% svchosts.exe

Note:% SystemDir% is a variable (?). By default, this is C: Windows System (Windows 95/98 / Me), C: WINNT System32 (Windows NT / 2000), or C: Windows System32 (Windows XP).

Note:% WinDir% is a variable (?). By default, this is C: Windows (Windows 95/98 / Me / XP) or C: WINNT (Windows NT / 2000).

Start Microsoft Internet Explorer.

In Internet Explorer, click Tools -> Internet Options.

Click the Programs tab -> Reset Web Settings.

Leave a Reply