Manual Removal Guide for BookedSpace



Friday
2008-11-28, 18:12
The following instructions have been created to help you to get rid of "BookedSpace" manually.
Use this guide at your own risk; dedicated anti-malware software is usually better suited to removing malware, since it can look deeper into the system.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
BookedSpace is a BHO that displays ads. The URLs of visited pages can be sent to third parties in combination with a user ID.
BookedSpace may also download and install other third-party software (malware). It is installed without user consent.
Supposed Functionality:
BookedSpace is silently installed alongside other software (e.g. MThree MP3 to WAV).
Privacy Statement:
Disclaimer of Warranties. ALL SERVICES AND SOFTWARE PROVIDED BY BOOKEDSPACE ARE PROVIDED
"AS IS." BOOKEDSPACE AND ITS AFFILIATES, SUBSIDIARIES, PARENT COMPANIES, AGENTS, NETWORK
SERVICE PROVIDERS, PARTNERS, OR EMPLOYEES MAKE NO WARRANTY TO YOU OR ANY OTHER PERSON OR
ENTITY, WHETHER EXPRESS, IMPLIED, OR STATUTORY, AS TO THE DESCRIPTION, QUALITY, TITLE,
NONINFRINGEMENT, MERCHANTABILITY, COMPLETENESS, OR FITNESS FOR A PARTICULAR USE OR PURPOSE
AS TO THE SERVICES OR SOFTWARE PROVIDED TO YOU, OR AS TO ANY OTHER MATTER, ALL SUCH WARRANTIES
HEREBY BEING EXPRESSLY EXCLUDED AND DISCLAIMED. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR
YOUR USE OF THE SOFTWARE OR SERVICES. NEITHER BOOKEDSPACE NOR ANY OF ITS AFFILIATES, SUBSIDIARIES,
PARENT COMPANIES, AGENTS, NETWORK SERVICE PROVIDERS, PARTNERS, OR EMPLOYEES WARRANTS THAT
THE SOFTWARE OR SERVICES WILL BE FREE FROM ANY VIRUS OR OTHER CODE THAT IS CONTAMINATING OR
DESTRUCTIVE BY NATURE AND YOU ARE RESPONSIBLE FOR IMPLEMENTING AND MAINTAINING SUFFICIENT
PROCEDURES TO SATISFY YOUR PARTICULAR REQUIREMENTS FOR ACCURACY OF DATA INPUT AND OUTPUT
AS WELL AS PROTECTION FROM SUCH VIRUSES OR OTHER CODE THAT MAY CONTAMINATE OR DESTROY YOUR
SYSTEM OR DATA.
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "OSS" and pointing to "<$WINDIR>\rk.exe -boot".
Entries named "bxxs5" and pointing to "*bxxs5.dll*".
Entries named "bxxs5".
Entries pointing to "oo1.dll,DllRun".
Entries pointing to "oo2.dll,DllRun".
Entries pointing to "oo3.dll,DllRun".
Entries pointing to "oo4.dll,DllRun".
Entries pointing to "bs1.dll,DllRun".
Entries pointing to "bs2.dll,DllRun".
Entries pointing to "bs3.dll,DllRun".
Entries pointing to "bs4.dll,DllRun".
Entries pointing to "bsx5.dll,DllRun".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$WINDIR>\cfg32p.dll".
The file at "<$WINDIR>\ygvjngjw.ini".
The file at "<$WINDIR>\bsx32.ini".
The file at "<$SYSDIR>\ventaa.exe".
A file with an unknown location named "ventaa.exe".
The file at "<$WINDIR>\Srrvundo.dll".
The file at "<$WINDIR>\Srrvundo.ini".
The file at "<$WINDIR>\libbz2.dll".
The file at "<$WINDIR>\bxxs5.dll".
A file with an unknown location named "bxxs5.dll".
The file at "<$WINDIR>\bxsx5.dll".
Make sure you set your file manager to display hidden and system files. If BookedSpace uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files whose location is not specified. Be extra careful, because the name alone might not be enough to identify a file!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$WINDIR>\bsx32".
The directory at "<$LOCALSETTINGS>\Temp\bs5A2.tmpbsx32".
The directory at "<$LOCALSETTINGS>\Temp\bs5A4.tmpbsx32".
The directory at "<$LOCALSETTINGS>\Temp\bs5A6.tmpbsx32".
Make sure you set your file manager to display hidden and system files. If BookedSpace uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for folders whose location is not specified. Be extra careful, because the name alone might not be enough to identify a folder!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry value "{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\".
Delete the registry key "{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{7A8267B0-B59E-9C73-26F1-7A0CE4DA80C0}" at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
Delete the registry key "{379918C5-FEE1-4BEC-BDD0-718C8E669303}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6B9F63EE-F3CC-C6F2-7CAF-01BE1CE401D6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7A8267B0-B59E-9C73-26F1-7A0CE4DA80C0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7A8267B0-B59E-9C73-26F1-7A0CE4DA80C0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry value "{379918C5-FEE1-4BEC-BDD0-718C8E669303}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
Delete the registry key "{4AA0679C-6A1B-3DF9-9A7B-C9D13A5BAED5}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{0FF97BFE-184F-A542-238E-B1C1B0DB89D9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{28D2A3F1-87C9-E9E5-85A8-AA52B5BEEF52}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4AA0679C-6A1B-3DF9-9A7B-C9D13A5BAED5}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry value "{28D2A3F1-87C9-E9E5-85A8-AA52B5BEEF52}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
A key in HKEY_CLASSES_ROOT\ named "BookedSpace.Extension.5", plus associated values.
Delete the registry key "{0DC5CD7C-F653-4417-AA43-D457BE3A9622}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "{0DC5CD7C-F653-4417-AA43-D457BE3A9622}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "Bookedspace" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "{0DC5CD9C-F603-4417-AA43-D457BE3A9622}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "BookedSpace.DLL" at "HKEY_CLASSES_ROOT\AppID\".
A key in HKEY_CLASSES_ROOT\ named "BookedSpace.Extension", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BookedSpace.Extension.4", plus associated values.
Delete the registry key "{0019C3E2-DD48-4A6D-AB2D-8D32436313D9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{05080E6B-B08A-4CFD-8C3D-9B2557770B6E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0DC5CD9C-F603-4417-AA43-D457BE3A9622}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{0019C3E2-DD48-4A6D-AB2D-8D32436313D9}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
Delete the registry key "{0019C3E2-DD48-4A6D-ABCD-8D32436313D9}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
If BookedSpace uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
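To check a machine against the indicators in this guide before and after the manual cleanup, the following read-only PowerShell audit is added here; it is not part of the original guide or of any Spybot tool, and it deletes nothing. It assumes a modern Windows where <$WINDIR> is $env:windir, <$SYSDIR> is $env:windir\System32 and <$LOCALSETTINGS>\Temp is $env:TEMP, run from an elevated prompt; on 64-bit Windows a 32-bit BHO may instead register under the Wow6432Node paths, which this script does not check.

```powershell
# Added read-only audit, not part of the Spybot guide: it reports which BookedSpace
# indicators from the guide above are still present and deletes nothing.
# Assumptions: <$WINDIR> = $env:windir, <$SYSDIR> = $env:windir\System32 and
# <$LOCALSETTINGS>\Temp = $env:TEMP; run from an elevated PowerShell (3.0 or later).
$findings = New-Object System.Collections.Generic.List[string]
# CLSIDs the guide lists under CLSID, Browser Helper Objects, Ext\Stats and the hook keys.
$clsids = '{0019C3E2-DD48-4A6D-ABCD-8D32436323D9}', '{7A8267B0-B59E-9C73-26F1-7A0CE4DA80C0}',
          '{379918C5-FEE1-4BEC-BDD0-718C8E669303}', '{6B9F63EE-F3CC-C6F2-7CAF-01BE1CE401D6}',
          '{4AA0679C-6A1B-3DF9-9A7B-C9D13A5BAED5}', '{0FF97BFE-184F-A542-238E-B1C1B0DB89D9}',
          '{28D2A3F1-87C9-E9E5-85A8-AA52B5BEEF52}', '{0019C3E2-DD48-4A6D-AB2D-8D32436313D9}',
          '{0019C3E2-DD48-4A6D-ABCD-8D32436313D9}'
$subkeyRoots = 'Registry::HKEY_CLASSES_ROOT\CLSID',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
# ShellExecuteHooks and URLSearchHooks store the CLSID as a value name, not as a subkey.
$valueKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
             'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
foreach ($id in $clsids) {
    foreach ($root in $subkeyRoots) {
        if (Test-Path -LiteralPath "$root\$id") { $findings.Add("regkey   $root\$id") }
    }
    foreach ($key in $valueKeys) {
        if ((Test-Path -LiteralPath $key) -and ((Get-Item -LiteralPath $key).GetValueNames() -contains $id)) {
            $findings.Add("regvalue $key\$id")
        }
    }
}
# ProgIDs, the AppID entry and the vendor key named in the guide.
foreach ($k in 'Registry::HKEY_CLASSES_ROOT\BookedSpace.Extension', 'Registry::HKEY_CLASSES_ROOT\BookedSpace.Extension.4',
               'Registry::HKEY_CLASSES_ROOT\BookedSpace.Extension.5', 'Registry::HKEY_CLASSES_ROOT\AppID\BookedSpace.DLL',
               'HKLM:\SOFTWARE\Bookedspace') {
    if (Test-Path -LiteralPath $k) { $findings.Add("regkey   $k") }
}
# Autorun entries: the names ("OSS", "bxxs5") and the "<dll>,DllRun" / "rk.exe -boot" targets from the guide.
$autorunPattern = '(?i)(oo[1-4]|bs[1-4]|bsx5)\.dll,DllRun|bxxs5\.dll|rk\.exe -boot'
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $k = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if (($name -in 'OSS', 'bxxs5') -or ($data -match $autorunPattern)) { $findings.Add("autorun  $run\$name = $data") }
    }
}
# Files and folders; the .NET Exists() calls ignore the hidden and system attributes.
$paths = @("$env:windir\cfg32p.dll", "$env:windir\ygvjngjw.ini", "$env:windir\bsx32.ini", "$env:windir\Srrvundo.dll",
           "$env:windir\Srrvundo.ini", "$env:windir\libbz2.dll", "$env:windir\bxxs5.dll", "$env:windir\bxsx5.dll",
           "$env:windir\bsx32", "$env:windir\System32\ventaa.exe") +
         @(Get-ChildItem -LiteralPath $env:TEMP -Directory -Force -Filter 'bs*.tmpbsx32' -ErrorAction SilentlyContinue | ForEach-Object FullName)
foreach ($p in $paths) { if ([IO.File]::Exists($p) -or [IO.Directory]::Exists($p)) { $findings.Add("path     $p") } }
if ($findings.Count) { $findings } else { 'None of the BookedSpace indicators from the guide were found.' }
```

Anything it reports should still be compared against the lists above before you delete it, since the name alone may not be enough to identify a file.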

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.