Ping-Mike M. re: boxer


heirloom
May 26th 04, 03:01 AM
Hey Mike,
I have tried to find the post you made to a user that had a pest you
referred to (I think) as something to do with 'boxer'. I remembered one of
the filenames you mentioned (bxxs5) and found something on my machine called
'VirtuMonde'.
If it is related, I have the manual removal instructions for your perusal:

Follow these steps to remove VirtuMonde from your machine. Begin by backing
up your registry and your system, and/or setting a Restore Point, to prevent
trouble if you make a mistake.
Remove AutoRun Reference:

Go To the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you
find the value windowsupd, delete it and reboot the machine immediately.



Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:

systemroot+\system32\cidrules.dll

Clean Registry:

Remove these registry items (if present) with RegEdit:

HKEY_CLASSES_ROOT\appid\bookedspace.dll
HKEY_CLASSES_ROOT\appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}
HKEY_CLASSES_ROOT\clsid\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}
HKEY_CLASSES_ROOT\interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}
HKEY_CURRENT_USER\software\microsoft\windowsupd
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bxxs5
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windowsupd
HKEY_LOCAL_MACHINE\software\targetsoft
HKEY_USERS\.default\software\microsoft\internet explorer\toolbar\webbrowser\{42cdd1bf-3ffb-4238-8ad1-7859df00b1d6}

Remove Files:

Remove these files (if present) with Windows Explorer:

systemroot+\system32\cidrules.dll

Remove Directories:

Remove these directories (if present) with Windows Explorer:

profilepath+\local settings\temp\vupd
programfilesdir+\earn
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The above is from the Pest Patrol site.....the app that found the crapware
on my machine.....I have no idea how it got on here.
Heirloom, old and can't trust anything
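A read-only audit of the indicators in the Pest Patrol listing above, added here as an example; it is not code from the thread or from Pest Patrol. It assumes a current PowerShell on Windows and maps the listing's systemroot+, profilepath+ and programfilesdir+ placeholders to environment variables; it reports what it finds and deletes nothing.

```powershell
# Added example: check for the BookedSpace/VirtuMonde indicators named in the
# listing. Run from an elevated prompt so HKLM and HKEY_USERS are readable.
$findings = @()

# Run-key values the listing names as the pest's autostart entries.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'windowsupd', 'bxxs5') {
    $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value '$name' = '$($item.$name)' under $runKey"
    }
}

# Remaining registry keys from the listing, written as PowerShell paths.
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\appid\bookedspace.dll',
    'Registry::HKEY_CLASSES_ROOT\appid\{0dc5cd7c-f653-4417-aa43-d457be3a9622}',
    'Registry::HKEY_CLASSES_ROOT\clsid\{0019c3e2-dd48-4a6d-abcd-8d32436323d9}',
    'Registry::HKEY_CLASSES_ROOT\interface\{05080e6b-a88a-4cfd-8c3d-9b2557670b6e}',
    'HKCU:\Software\Microsoft\windowsupd',
    'HKLM:\SOFTWARE\targetsoft',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{42cdd1bf-3ffb-4238-8ad1-7859df00b1d6}'
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# Files and directories. 'Local Settings\Temp' is the XP-era profile temp
# folder the listing refers to; $env:TEMP covers the same location on newer
# Windows, so both are checked (assumption made for this example).
$paths = @(
    (Join-Path $env:SystemRoot 'system32\cidrules.dll'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp\vupd'),
    (Join-Path $env:TEMP 'vupd'),
    (Join-Path $env:ProgramFiles 'earn')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File system object present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BookedSpace/VirtuMonde indicators from the listing were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A hit on the Run values or on cidrules.dll is the earliest sign the thread mentions, so this is the check to run before and after any manual cleanup rather than a replacement for the removal steps themselves.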

Mike M
May 27th 04, 07:57 PM
Hi Heirloom,

Not Boxer but rather BookedSpace.

BXXS5.DLL is a malicious file associated with the BookedSpace parasite. For
more details including how to remove this pest see
http://www.kephyr.com/spywarescanner/library/bookedspace/index.phtml.

It looks from what you have posted that VirtuMonde includes more than just
BookedSpace and seems to include TargetSoft
(http://www.kephyr.com/spywarescanner/library/targetsoft.inetadpt/index.phtml)
which can cause winsock problems. I'm also a bit worried about the windowsupd
reference.

AdAware should be picking up VirtuMonde since mid February, but given the rate
these pests morph it's probably best to try and prevent their arrival rather than
getting rid of them.

Cheers,
--
Mike M


heirloom
May 27th 04, 09:40 PM
Hey Mike,
Yeah, BookedSpace!.......that's why my search didn't uncover any reference!
After cleaning out the VirtuMonde the other night, my wife managed to get it
again while I was gone yesterday. I got it cleaned out (again) and have
gone to all the sites she had visited and have not been able to find where
it came from. Apparently, I have enough "blocks" on here, that the only
indication of the infection has been the reg entry and a file in the TIF. I
have not found any of the other symptoms mentioned in the articles. I have
read that it has to be manually installed or installed with other software,
but, I (or my wife) have not done either. I am at a loss on how it got in.
Do you know if the Spybot TeaTimer would block its incursion?
Might give that a go. Thank you, Sir.
Heirloom, old and trying to figure it out
