How To Clean the Spies In Your Computer?

Manual Spy Bot Removal > BookedSpace

BookedSpace is an Internet Explorer Browser Helper Object used to show advertising.

Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

Variants
BookedSpace/Remanent : early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199.

BookedSpace/BS2 and BookedSpace/BS3 : newer revisions (August 2003) with filename bs2.dll or bs3.dll, controlling server www.bookedspace.com.

Distribution
BookedSpace/Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace/BS2 is silently installed by FreeWire's FreeMP3Player. The origin of BookedSpace/BS3 is currently unknown.

Advertising
Yes. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads.

Privacy violation
Yes. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

Security issues
Yes. May download and install third-party software as directed by its controlling server. BookedSpace/BS2 has been seen to install the BargainBuddy , nCase and eBates parasites.

Stability problems
Seems to stop IE address bar searches from working.

Removal
Open a DOS command prompt windows (from Start->Programs->Accessories), and enter the following commands, for the Remanent variant:

cd "%WinDir%System"
regsvr32 /u ".. em00001.dll"
Or, for the BS2 variant:

cd "%WinDir%System"
regsvr32 /u "..s2.dll"
Or, for the BS3 variant:

cd "%WinDir%System"
regsvr32 /u "..s3.dll"

Next, for BS2 and BS3, open the registry (click 'Start', choose 'Run', enter 'regedit'), find the key HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun, and delete the entry 'BookedSpace' (BS2 variant) or 'Bsx3' (BS3 variant).

Restart the computer and you should be able to delete the 'rem00001.dll', 'bs2.dll' or 'bs3.dll' file in the Windows folder. You can also open the registry and delete the key HKEY_LOCAL_MACHINESoftwareRemanent or HKEY_LOCAL_MACHINE_SoftwareBookedSpace to clean up, if you like.

Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

MS Media Player GUID

Overview
MS Media Player GUID is a warning that the Window Media player may transmits an anonymous Global Uniquie IDentifier (GUID) to the streaming servers when you download content.

The following is the information given at Microsoft Security Bulletin MS01-029: "... a potential privacy vulnerability that was recently identified. This issue could be exploited by a malicious set of web sites to distinguish a user. While this issue would not by itself enable a web site to identify the user, it could enable the correlation of user information to potentially build a composite description of the user." Source

The existance of this GUID on your system may also indicated that your system does not have all critical updates and service packs installed.

Detection
Bazooka Adware and Spyware Scanner detects MS Media Player GUID. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

How to remove the GUID

Go to www.windowsupdate.com and install all critical updates and service packs. Go on with the following steps if Bazooka still reports MS Media Player GUID.

Windows Media Player 6.4 users: the privacy setting is selected via a new option, which can be reached by going to the menu item View / Options then selecting the player tab and de-selecting "Allow Internet sites to uniquely identify your player".

Windows Media Player 7.1 users: the privacy setting is toggled via the existing option under the tools menu, on the player tab and deselect the option "Allow Internet sites to uniquely identify your player". Windows Media Player 9.0 users: Click Tools -> Options -> Privacy, uncheck "Send unique Player ID to content providers."

If Bazooka still reports MS Media Player GUID, go on with the following steps.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Delete 'HKEY_CURRENT_USER Software Microsoft MediaPlayer Player Settings Client ID'.

Exit the registry editor.

Problems uninstalling? Click here.

Please support me
Thank you for using my site. Please help me to keep this site and software up-to-date.

Contact information for MS Media Player GUID's vendor In order to provide correct, accurate and updated information about MS Media Player GUID I encourage the vendor to contact me if any part of this write-up needs a revision.

Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

W32.Backdoor.Nibu

Overview
W32.Backdoor.Nibu is a trojan horse, with many variants. You can read more at Symantec.

Classification
Trojan Horse

Files
load32.exe, Dllreg.exe, Vxdmgr32.exe, Rundllw.exe, patch.exe, netda.exe, swchost.exe

Log references
[1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14]

Detection
Bazooka Adware and Spyware Scanner detects W32.Backdoor.Nibu. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

Uninstall procedure
Please go to the anti-virus recommendation page. You can find both free products or use one of the trials to remove the virus.

Manual removal
Please follow the instructions below if you would like to remove W32.Backdoor.Nibu manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If W32.Backdoor.Nibu remains on your system after stepping through the removal instructions, please double-check by stepping through them again. Start your computer in safe mode.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Browse to the key:

'HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run'
In the right pane, delete the value called 'load32', if it exists.
Exit the registry editor.
Restart your computer.
Start Windows Explorer and delete:
%SystemDir%swchost.exe
%SystemDir% etda.exe
%SystemDir%load32.exe
Note: %SystemDir% is a variable (?). By default, this is C:WindowsSystem (Windows 95/98/Me), C:WINNTSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).

Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

FavoriteMan has many variants:

FavoriteMan/Lwz installs lwz.dll. Data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/F1 installs F1.dll. Data file is SysLdr.dll. Controlling server is www.prize4all.com.
FavoriteMan/FOne
FavoriteMan/FOne is a replacement for the Lwz variant. Filename is FOne.dll, data file is SysLdr.dll. Controlling server is www.f1organizer.com.
FavoriteMan/Ofrg's program file is called ofrg.dll. It stores its data in a file called favboot.dll. Its controlling server is www.yourspecialoffers.com. FavoriteMan/Favorite installs favorite.dll. Data file is FavMan.dll. Controlling server is also www.yourspecialoffers.com.

FavoriteMan/SpyAssault
FavoriteMan sometimes causes IE to lock up for a variable period of time, occasionally indefinitely, when a new browser process is started. This may be something to do with its trying to contact its servers on startup. Also crashes may occur when very long URLs are used.

How to Remove FavoriteMan?

FavoriteMan/F1 and FavoriteMan/ZZ offer a removal feature: Click Start >Settings > Control Panel > Add/Remove programs, choose 'F1' or 'ZZ' and click 'Remove'.

To manually remove other variants of FavoriteMan:

Unregister FavoriteMan. Open a DOS command prompt window (Click Start > Run, type 'command'(for Windows 98/Me) or 'cmd' (for Windows 2000/XP) and enter the following commands: cd "%WinDir%System" regsvr32 /u favorite.dll

Note: Change the filename 'favorite.dll' to match the variant you have. This can be ofrg.dll, favorite.dll, lwz.dll, F1.dll, ZZ.dll, mpz300.dll, trk.dll, Gr02.dll, Aess.dll, Ss32.dll or emesx.dll; in in the case of the IMZ variant it will have a random eleven-letter filename. (eg. troallystbr.dll). You can usually find the culprit by opening the System folder choosing View->Arrange icons by->Modified, then looking near the bottom of the window.

Restarting the computer.

Delete the program file. The software can be found in the System folder. On Windows 95/98/Me this is the folder called 'System' in the Windows folder; on Windows NT, 2000 and XP it is called 'System32'. Look for one of the filenames listed above.

Delete the data file favboot.dll, FavMan.dll, SysLdr.dll, mbr32.dll, im64.dll or dlh0st.dll in the same folder (it isn't a DLL at all). Open the registry editor ( Start > Run, type regedit) , locate the key 'HKEY_CURRENT_USERSoftwareMicrosoftWindows',find and delete the entries 'Counter', 'Server' and 'Object' in it.

Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!

Online Trojan

Overview
Online Trojan changes your Internet Explorer settings.

Classification
Trojan Horse

Files
svchost.exe, msto32.dll, svchostc.exe, svchosts.exe

Log references
Log 89

Vendor
Unknown

Privacy policy
No privacy policy available.

Detection
Bazooka Adware and Spyware Scanner detects Online Trojan. Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and other potentially unwanted applications. Read more »

Manual removal
Please follow the instructions below if you would like to remove Online Trojan manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If Online Trojan remains on your system after stepping through the removal instructions, please double-check by stepping through them again. Start your computer in safe mode.

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Browse to the key:
'HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Run'
In the right pane, delete the value called 'Online Service', if it exists.
Exit the registry editor.
Start Windows Explorer and delete:
%WinDir%svchost.exe
%WinDir%msto32.dll
%SystemDir%svchostc.exe
%SystemDir%svchosts.exe
Note: %SystemDir% is a variable (?). By default, this is C:WindowsSystem (Windows 95/98/Me), C:WINNTSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).

Note: %WinDir% is a variable (?). By default, this is C:Windows (Windows 95/98/Me/XP) or C:WINNT (Windows NT/2000).

Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.

Nabaza.com specializes in building, designing, implementing, managing and maintaining corporate website to boost sales of your company. Email william@nabaza.com for information on functional, dynamic webpage designing with affordable packages. Subscribe for free: http://www.nabaza.com/subscribe.htm

Rebrandable ebooks, software for free
Free Advertising Space
Put Nabaza.com In your desktop

Rape: Security firm won’t be axed The Times, South Africa - 11 hours ago Tygerberg Hospital will not fire its security contractor, despite the abduction and rape of a medical student from its grounds on Monday last week. ... Rape: Hospital 'window-dressing' News24.com How Bok's sister survived attack News24 Rugby community 'shattered' by rape Independent Online The Times - Independent Online all 50 news articles

Radio Iowa

Illegal immigration raid strikes heartland Kansas City Star, MO - 8 hours ago Agents with US Immigration and Customs Enforcement entered the plant at about 10 am looking for evidence of identity theft, use of stolen Social Security ... Hundreds Are Arrested in US Sweep of Meat Plant New York Times Iowa meatpacking plant raided in ID theft investigation USA Today UPDATE 3-Immigration arrests top 300 at Iowa meat plant Reuters The Associated Press - Gazette Online all 385 news articles

International Organization for Migration in Philippines Upgrades ... CNNMoney.com - 2 hours ago A security update was called for because IOM's daily operations in the Philippines depend on a stable, highly secure network that can enable an ...

CBC.ca

Vancouver Olympics security cameras raise privacy concerns CBC.ca, Canada - 17 hours ago Closed-circuit security cameras help provide public security, but also raise concerns about invasive surveillance. (Mike Laanela/CBC) The RCMP plans to ... Private security firms say no way to meet demand of 2010 Winter Games The Canadian Press Olympic update Vancouver Sun No room at the Inn for feds Leader Post all 36 news articles

Malaysia Star

Palestinian PM ties better security to more jobs The Associated Press - 1 hour ago The tough realities in the Jenin district, the latest target of Fayyad's security plan, illustrate his juggling act. The prime minister is trying to ... Palestinian Prime Minister Fayyad: PA is going ahead with security ... International Middle East Media Center PLO: Israeli Decision to Transform Part of its Security Leadership ... WAFA - Palestine News Agency America's elusive search for Arab-Israeli peace Jerusalem Post Arab News - Monday Morning all 462 news articles

WSBT-TV

Feds: No threat directed at 500 Indianapolis Star, United States - 3 hours ago In an internal FBI/Homeland Security Department assessment released Monday to local police, officials said such sporting events, which draw hundreds of ... US government says no credible terror threat to upcoming Indy 500 PR-Inside.com (Pressemitteilung) Feds: No credible terror threat to Indy 500 WLFI.com all 223 news articles

Gulf Times

Security forces launch hunt for militants in Samba Thaindian.com, Thailand - 58 minutes ago Security forces began combing the dense forest in the area early Tuesday. Police said they are leaving nothing to chance. On Monday, one militant who had ... Samba: 3 arrested, cash recovered Zee News Terror returns to Jammu Hindustan Times Samba battle fells militant Calcutta Telegraph Merinews - Howrah News Service all 90 news articles

Malaysia Star

5+1 should revise views on Iran: MP Tehran Times, Iran - 14 hours ago TEHRAN -- The negative judgment of the five permanent members of the UN Security plus Germany (the 5+1 group) should be revised, MP Mahmud Mohammadi said ... Iran regime rejects incentives offered by world powers NCR-Iran.org MP: Iran welcomes talks with G5+1 PRESS TV Proposals show 5+1, Iran favor dialogue: analysts Tehran Times Tehran Times - PRESS TV all 418 news articles

Blunt Federal Letters Tell Students They’re Security Threats New York Times, United States - 5 hours ago By SCOTT SHANE WASHINGTON — A German graduate student in oceanography at MIT applied to the Transportation Security Administration for a new ID card ...

Blocks & Files

Communiques from the security front, sir ZDNet UK, UK - 19 hours ago "I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice ... DWP data security negligence continues Data quality news DWP staff ignoring new data protection rules Current IT news from heise online DWP admits pension details leak VNUNet.com Politics.co.uk - ComputerworldUK all 15 news articles