 |
Home>Tips & Articles>Remove Adware & Spyware>
Remove WurldMedia Spyware
About WurldMedia
WurldMedia is an IE browser helper object that detects visits to known sites and redirects them through a third-party server in order to take the affiliate fees. WurldMedia even steals the fees from other webmasters when you use their own links.
Remove this spyware using Spyware Doctor
WurldMedia has dozens of variants:
- WurldMedia/bpboh: initial variant. You have this variant if there is a file called "bpboh.dll" in your Windows directory. Presumbly the name should have been 'bpbho' (Buyers' Port Browser Helper Object), but someone made a typo. There will also be a 'rxdrNNNN.de' file containing an encoded target list. (NNNNNN is some numbers, looks like a date.)
- WurldMedia/mbho: installs 'mbho.dll' and the 'rdxr' data file in the System directory instead of the Windows directory. Installer is not so stealthy and includes an option to prompt the user before redirecting a merchant site. However, if "enable" (the default option) is chosen on any of these prompts, it will be silent again forever.
- WurldMedia/MDef
- WurldMedia/Mo, WurldMedia/Moaa, WurldMedia/Moz. The BHO is renamed mo030414s.dll, moaa030425s.dll or moz030715s.dll and has a random class ID; the mscstat process is renamed mostat.exe and there is a configuration program called moconfig.exe.
- WurldMedia/Moaa
- WurldMedia/Mostat. In this newest variant, MoStat.exe will run in your systray.
- WurldMedia/Moz
- WurldMedia/MPohs
- WurldMedia/MSCStat: in this variant you get an 'MSCStat.exe' system tray program in the System directory, with an 'msc(numbers).de' file and 'ad(numbers).de.xml' as well as the files from the mbho variant. WurldMedia/MSCStat2: the MSCStat.exe file is renamed MSCStat2, and there is finally an entry in Add/Remove Programs, which disables the software (though it leaves behind the files and some registry entries).
- WurldMedia/MShop, WurldMedia/MPohs and WurldMedia/MDef have new IDs and filenames: m030106shop.dll, m030206pohs.dll and mdefshop.dll, respectively.
- WurldMedia/TChk is bundled with the Mo, Moaa and Moz variants. It checks for the existance of the WurldMedia BHO, and, if it finds it missing, contacts its controlling server xnef.com. At the time of writing this server is not responding, but it is suspected that if it were working it would direct TChk to reinstall the software. WurldMedia/TChk tries to escape detection by using a completely random filename and ID
How to Remove WurldMedia?
Later variants of WurldMedia add a "Shopping Community" entry to the Control Panel's Add/Remove Programs option, which should remove the software.
Follow these steps to manually remove it from your machine.
TChk variant
- If you have WurldMedia/TChk, you must remove it before trying to remove any other variant you have.
To do this you need first find out the filename of the BHO DLL. Open the registry editor (click Start > Run, and enter 'regedit') and open the key HKEY_CLASSES_ROOT\Tchk.TChkBHO\CLSID. On the right pane, the '(Default)' value should hold a class ID, a long string of hexadecimal digits in groups separated with dashes. Note down this ID then delete the entire Tchk.TChkBHO key, as well as Tchk.TChkBHO.1.
- Open the key HKEY_CLASSES_ROOT\CLSID and find the subkey with the same name as the class ID you noted. Click the 'InprocServer32' subkey and note down the filename given in the '(Default)' entry. Then delete the key with the class ID for its name. Also delete the entry of the same name from the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects.
- Restart the machine, you should be able to delete the file with the name you noted down.
Other variants
- Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:
For the bpboh variant:
cd "%WinDir%\System"
regsvr32 /u ..\bpboh.dll
Or, for Mbho, MSCStat or MSCStat2 variants:
cd "%WinDir%\System"
regsvr32 /u mbho.dll
Or, for the MShop variant:
cd "%WinDir%\System"
regsvr32 /u m030106shop.dll
Or, for the MPohs variant:
cd "%WinDir%\System"
regsvr32 /u m030206pohs.dll
Or, for the MDef variant:
cd "%WinDir%\System"
regsvr32 /u mdefshop.dll
Or, for the Mo variant:
cd "%WinDir%\System"
regsvr32 /u mo030414s.dll
Or, for the Moaa variant:
cd "%WinDir%\System"
regsvr32 /u moaa030425s.dll
Or, for the Moz variant:
cd "%WinDir%\System"
regsvr32 /u moz030715s.dll
- Restart windows.
- Delete the DLL from the System folder (inside the Windows folder, called 'System32' under Windows NT/2000/XP or 'System' under Windows 95/98/Me).
In the Bpboh variant it is in the Windows folder instead.
In the Bpboh, Mbho, MSCStat and MSCStat2 variants, you can also delete the 'rdxrNNNNNN' file in the same directory (the extension will be '.dat' for the bpboh variant, or '.de' for the other variants; NNNNNN is a date-like six-digit number).
If you have the MSCStat variant you should delete 'MSCStat.exe', 'adNNNNNN.de.xml' and 'mscNNNNNN.de'.
If you have MSCStat2 or later variants, you can remove 'MSCStat2.exe'.
In you have Mo or Moaa variants, you should delete 'mostat.exe', 'moconfig.exe' and 'moz02NNNNNN.de'.
- Open the registry( Start > Run > regedit), locate the registry key HKEY_LOCAL_MACHINE\Software, there is also a subkey called 'morp' (Mo, Moaa variants) or 'rdxr' (older variants), delete the entry.
Remove spyware using PestPatrol
Remove other programs:
|
|
|
