Limited Time!
Totally FREE Web Design!
Click here!

Parasite: BookedSpace

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

BookedSpace is an Internet Explorer Browser Helper Object used to show advertising.

Variants

BookedSpace/Remanent: early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199.

BookedSpace/BS2, BookedSpace/BS3, BookedSpace/BS4, BookedSpace/BS5: newer revisions (August 2003) with filename bs2.dll, bs3.dll, oo4.dll and bsx5.dll or bxxs5.dll, controlling server www.bookedspace.com.

Distribution

BookedSpace/Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace/BS2, BS3 and BXXS5 are silently installed by versions of FreeWire and FreeMP3Player.

What it does

Advertising

Yes. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads.

Privacy violation

Yes. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

Security issues

Yes. May download and install third-party software as directed by its controlling server. The later variants have been seen to install the BargainBuddy, nCase, MySearch/MyWay, TVMedia, DownloadWare and TopMoxie/eBates parasites.

Stability problems

Seems to stop IE address bar searches from working.

Removal

Open a DOS command prompt windows (from Start->Programs->Accessories), and enter the following commands, for the Remanent variant:

cd "%WinDir%\System"
regsvr32 /u "..\rem00001.dll"

Or, for the BS2 variant:

cd "%WinDir%\System"
regsvr32 /u "..\bs2.dll"

Or, for the BS3 variant:

cd "%WinDir%\System"
regsvr32 /u "..\bs3.dll"

Or, for the OO4 variant:

cd "%WinDir%\System"
regsvr32 /u "..\oo4.dll"

Or, for the BXS5 variant:

cd "%WinDir%\System"
regsvr32 /u "..\bxs5.dll"
regsvr32 /u "..\bxxs5.dll"

Next, for non-Remanent variants, open the registry (click ‘Start’, choose ‘Run’, enter ‘regedit’), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and check for the entry ‘BookedSpace’ (BS2 variant), ‘Bsx3’ (BS3 variant), ‘Oo4’ (BS4 variant), or ‘Bxxs5’ or ‘Bxsx5’ (BS5 variant).

Restart the computer and you should be able to delete the ‘rem00001.dll’, ‘bs2.dll’, ‘bs3.dll’, ‘oo4.dll’, ‘bsx5.dll’ or ‘bxxs5.dll’ file in the Windows folder. For the BS5 variant, you can also delete the ‘bsx32’ folder.

You can also open the registry and delete the key HKEY_LOCAL_MACHINE\Software\Remanent or HKEY_LOCAL_MACHINE_Software\BookedSpace to clean up, if you like.