Cannot edit registry

Discussion in 'Earlier Versions of Windows' started by cycos, Sep 16, 2004.

Thread Status:
Not open for further replies.
  1. cycos

    cycos Thread Starter

    Joined:
    Apr 26, 2004
    Messages:
    23
    I've been trying to edit the Windows registry to get rid of the bssx5.dll entry, but I can't make any permanent changes. Everything I change returns. Is there a program preventing me from making changes to the registry?
    I can't make changes to two entries in HJT either. Here is my log:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:26:29 AM, on 09/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\DESKTOP\UTILITIES\HIJACK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dogpile.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\norton\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunOnce: [CCDECODE0] rundll32.exe streamci,StreamingDeviceSetup {562370a8-f8dd-11d2-bc64-00a0c95ec22e},GLOBAL,{07DAD660-22F1-11d1-A9F4-00C04FBBDE8F},C:\WINDOWS\INF\CCDECODE.inf,CCDECODE.Interface.Install
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/controls/iptdweb/ikcntrls.cab
    O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave.com/content/combat_medic/CMonline.dll
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.dpec.com/dpec/shared/cabs/awswaxf.cab
    O16 - DPF: LEGO Stormrunner - http://mindstorms.lego.com/stormrunner/stormrunner1-1-0.cab

    I would like to get rid of the references to bxxs5.dll and PC-Cillin (uninstall problems- posted in different thread in Other Software forum.) What can I do?
    Thanks
    -cycos
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    BookedSpace is an Internet Explorer Browser Helper Object used to show advertising.

    Variants

    BookedSpace/Remanent: early variant (around July 2003) with filename rem00001.dll, controlling server 66.225.192.199.

    BookedSpace/BS2, BookedSpace/BS3, BookedSpace/BS4, BookedSpace/BS5: newer revisions (August 2003) with filename bs2.dll, bs3.dll, oo4.dll and bsx5.dll or bxxs5.dll, controlling server www.bookedspace.com.

    Distribution

    BookedSpace/Remanent is silently installed by MThree MP3 to WAV converter. BookedSpace/BS2, BS3 and BXXS5 are silently installed by versions of FreeWire and FreeMP3Player.

    What it does

    Advertising

    Yes. BookedSpace can contact its controlling server when a new page is visited, which may direct it to open pop-up ads.

    Privacy violation

    Yes. When the controlling server is contacted, the URL of the current page is passed along with a user ID for tracking purposes.

    Security issues

    Yes. May download and install third-party software as directed by its controlling server. The later variants have been seen to install the BargainBuddy, nCase, MySearch/MyWay, TVMedia, DownloadWare and TopMoxie/eBates parasites.

    Stability problems

    Seems to stop IE address bar searches from working.

    Removal

    Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands, for the Remanent variant:

    cd "%WinDir%\System"
    regsvr32 /u "..\rem00001.dll"

    Or, for the BS2 variant:

    cd "%WinDir%\System"
    regsvr32 /u "..\bs2.dll"

    Or, for the BS3 variant:

    cd "%WinDir%\System"
    regsvr32 /u "..\bs3.dll"

    Or, for the OO4 variant:

    cd "%WinDir%\System"
    regsvr32 /u "..\oo4.dll"

    Or, for the BXS5 variant:

    cd "%WinDir%\System"
    regsvr32 /u "..\bxs5.dll"
    regsvr32 /u "..\bxxs5.dll"

    Next, for non-Remanent variants, open the registry (click 'Start', choose 'Run', enter 'regedit'), find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and check for the entry 'BookedSpace' (BS2 variant), 'Bsx3' (BS3 variant), 'Oo4' (BS4 variant), or 'Bxxs5' or 'Bxsx5' (BS5 variant).

    Restart the computer and you should be able to delete the 'rem00001.dll', 'bs2.dll', 'bs3.dll', 'oo4.dll', 'bsx5.dll' or 'bxxs5.dll' file in the Windows folder. For the BS5 variant, you can also delete the 'bsx32' folder.

    You can also open the registry and delete the key HKEY_LOCAL_MACHINE\Software\Remanent or HKEY_LOCAL_MACHINE\Software\BookedSpace to clean up, if you like.
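
Added example, not part of either post above: a small Python check that scans HijackThis O2 (BHO) and O4 (autostart) lines for the BookedSpace file names and Run value names listed in the removal instructions. The function names are hypothetical, and the last sample line (value name `Updater`) is constructed for illustration; the other three sample lines come from the log in this thread.

```python
import re

# Indicators copied from the removal post above (lower-cased for comparison).
DLLS = {"rem00001.dll", "bs2.dll", "bs3.dll", "oo4.dll",
        "bsx5.dll", "bxs5.dll", "bxxs5.dll"}
RUN_NAMES = {"bookedspace", "bsx3", "oo4", "bxxs5", "bxsx5"}

# O4 = autostart entry:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^\s*O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# O2 = Browser Helper Object:  O2 - BHO: label - {CLSID} - path to DLL
O2_RE = re.compile(r"^\s*O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
DLL_RE = re.compile(r'([^\\/\s"]+\.dll)', re.IGNORECASE)


def dll_names(text):
    """Return the lower-cased DLL file names mentioned in a path or command."""
    return {name.lower() for name in DLL_RE.findall(text)}


def find_bookedspace(log_text):
    """Return (line_no, section, reason) for each line matching an indicator."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        o4 = O4_RE.match(line)
        o2 = O2_RE.match(line)
        if o4:
            _hive, key, name, command = o4.groups()
            hits = dll_names(command) & DLLS
            if name.lower() in RUN_NAMES:  # registry value names are case-insensitive
                findings.append((line_no, "O4", f"{key} value name '{name}'"))
            elif hits:  # renamed value that still loads a known DLL
                findings.append((line_no, "O4", f"{key} loads {sorted(hits)[0]}"))
        elif o2:
            hits = dll_names(o2.group(2)) & DLLS
            if hits:
                findings.append((line_no, "O2", f"BHO loads {sorted(hits)[0]}"))
    return findings


# Three lines from the log in this thread, plus one constructed line (the last).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Updater] RunDLL32.EXE C:\WINDOWS\bs3.dll,DllRun
""".strip()

if __name__ == "__main__":
    for finding in find_bookedspace(SAMPLE_LOG):
        print(finding)
```

Matching on both the value name and the DLL file name catches an entry whose Run name differs from the listed ones but still loads a listed file.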
     