WurldMedia Description:
An IE browser helper object that detects
visits to known sites and redirects them through
a third-party server in order to take the
affiliate fees. WurldMedia even steals the fees
from other webmasters when you use their own
links.
WurldMedia/bpboh : first variant released with
early Preview Releases. You have this variant if
there is a file called "bpboh.dll" in
your Windows directory. Presumbly the name should
have been 'bpbho' (Buyers' Port Browser Helper
Object), but someone made a typo. There will also
be a 'rdxrNNNN.de' file containing an encoded
target list. (NNNN is some numbers, looks like a
date.)
WurldMedia/mbho : installs 'mbho.dll' and the
'rdxr' data file in the System directory instead
of the Windows directory. Installer is not so
stealthy and includes an option to prompt the
user before redirecting a merchant site. However,
if "enable" (the default option) is
chosen on any of these prompts, it will be silent
again forever.
WurldMedia/MSCStat : in this variant you get
an 'MSCStat.exe' system tray program in the
System directory, with an 'msc(numbers).de' file
and 'ad(numbers).de.xml' as well as the files
from the mbho variant. WurldMedia/MSCStat2 : the
MSCStat.exe file is renamed MSCStat2, and there
is finally an entry in Add/Remove Programs, which
disables the software (though it leaves behind
the files and some registry entries).
WurldMedia/MShop , WurldMedia/MPohs and
WurldMedia/MDef have new IDs and filenames:
m030106shop.dll, m030206pohs.dll and mdefshop.dll,
respectively.
WurldMedia/Mo , WurldMedia/Moaa ,
WurldMedia/Moz
. The BHO is renamed mo030414s.dll,
moaa030425s.dll or moz030715s.dll and has a
random class ID; the mscstat process is renamed
mostat.exe and there is a configuration program
called moconfig.exe.
WurldMedia/TChk is bundled with the Mo, Moaa
and Moz variants. It checks for the existance of
the WurldMedia BHO, and, if it finds it missing,
contacts its controlling server xnef.com. At the
time of writing this server is not responding,
but it is suspected that if it were working it
would direct TChk to reinstall the software.
WurldMedia/TChk tries to escape detection by
using a completely random filename and ID.
Also known as: Morpheus Shopping Club,
WURLD Shopping Community, BuyersPort.
WurldMedia Automatic Removal:
Using Spyware Doctor
to detect and remove WurldMedia AUTOMATICALLY!
Sponsored Links:
WurldMedia Manual Removal:
Later variants of WurldMedia add a
"Shopping Community" entry to the
Control Panel's Add/Remove Programs option, which
should remove the software. (Though it will try
quite hard to persuade you not to.)
TChk variant
If you have WurldMedia/TChk, you must remove
it before trying to remove any other variant you
have. To do this you will have to open the
registry (click 'Start', choose 'Run', enter 'regedit')
and open the key HKEY_CLASSES_ROOT\Tchk.TChkBHO\CLSID.
On the right, the '(Default)' value should hold a
class ID, a long string of hexadecimal digits in
groups separated with dashes. Note down this ID
then delete the entire Tchk.TChkBHO key, as well
as Tchk.TChkBHO.1.
Open the key HKEY_CLASSES_ROOT\CLSID and find
the subkey with the same name as the class ID you
noted. Click the 'InprocServer32' subkey and note
down the filename given in the '(Default)' entry.
Then delete the key with the class ID for its
name. Also delete the entry of the same name from
the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects.
When you next restart the machine, you should
be able to delete the file with the name you
noted down.
Other variants
Before you can delete the DLL, you will need
to deregister it. Open a DOS command prompt
window (from Start->Programs->Accessories)
and enter (for the bpboh variant):
cd "%WinDir%\System"
regsvr32 /u ..\bpboh.dll
Or, for Mbho, MSCStat or MSCStat2 variants:
cd "%WinDir%\System"
regsvr32 /u mbho.dll
Or, for the MShop variant:
cd "%WinDir%\System"
regsvr32 /u m030106shop.dll
Or, for the MPohs variant:
cd "%WinDir%\System"
regsvr32 /u m030206pohs.dll
Or, for the MDef variant:
cd "%WinDir%\System"
regsvr32 /u mdefshop.dll
Or, for the Mo variant:
cd "%WinDir%\System"
regsvr32 /u mo030414s.dll
Or, for the Moaa variant:
cd "%WinDir%\System"
regsvr32 /u moaa030425s.dll
Or, for the Moz variant:
cd "%WinDir%\System"
regsvr32 /u moz030715s.dll
After restarting the computer, you should be
able to delete the DLL from the System folder
(inside the Windows folder, called 'System32'
under Windows NT/2000/XP or 'System' under
Windows 95/98/Me). In the Bpboh variant it is in
the Windows folder instead.
In the Bpboh, Mbho, MSCStat and MSCStat2
variants, you can also delete the 'rdxrNNNNNN'
file in the same directory (the extension will be
'.dat' for the bpboh variant, or '.de' for the
other variants; NNNNNN is a date-like six-digit
number).
If you have the MSCStat variant you should
delete 'MSCStat.exe', 'adNNNNNN.de.xml' and 'mscNNNNNN.de'.
If you have MSCStat2 or later variants, you can
remove 'MSCStat2.exe'.
In you have Mo or Moaa variants, you should
delete 'mostat.exe', 'moconfig.exe' and
'moz02NNNNNN.de'.
Finally, there is also a key called 'morp'
(Mo, Moaa variants) or 'rdxr' (older variants) in
the registry key HKEY_LOCAL_MACHINE\Software in
the registry which you can delete to clean up if
you like.
More
Removal Instructions for Adware/Spyware Programs -
'W'
| 
(If you can not see the issued comment, please enable your browser to support javascript and refresh this page.)