Archived from groups: microsoft.public.windowsxp.security_admin
Glad to hear it. Keep having fun.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:%23guCaFujFHA.3568@TK2MSFTNGP10.phx.gbl,
mgm <mgmombo@hotmail.com> hunted and pecked:
> Yes, all was done in safe mode and finally the BPS has been removed. All
> BPS has been removed and blocked via Spybot and SpywareBlaster... AND most
> important, it's really gone. Again, thanks to all for your input.
> "Wesley Vogel" <123WVogel955@comcast.net> wrote in message
> news:epIeMXtjFHA.1968@TK2MSFTNGP14.phx.gbl...
>> mgm,
>>
>> You have a bunch of other trash that you do not need running, but we
>> better stick to BPSSR for now.
>>
>> Did you try to run Spybot S&D and Ad-Aware in Safe Mode like Malke
>> suggested? Some malware like to conceal themselves in areas that Windows
>> protects while using them. Safe mode will prevent those application
>> accesses, and therefore unprotect the malware.
>>
>> Did you download, install and run HijackThis in Safe Mode like Malke
>> suggested?
>>
>> 4) HijackThis
>>
>> http://www.spywareinfo.com/~merijn/downloads.html
>>
>> 4a) HijackThis (direct download)
>>
>> http://aumha.org/downloads/hijackthis.zip
>>
>> HijackThis log tutorial
>>
>> http://www.spywareinfo.com/~merijn/htlogtutorial.html
>>
>> HijackThis Log Tutorial
>>
>> http://www.aumha.org/a/hjttutor.htm
>>
>> How to use HijackThis to remove Browser Hijackers & Spyware
>>
>> http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#warning
>>
>> Is there a listing for BulletProofSoft SpywareRemover in Add or Remove
>> Programs?
>>
>> Was the MsiInstaller Warning about a failed uninstall? Did you try to
>> uninstall BPSSR using Add or Remove Programs? If you didn't, try it.
>> Never mind, you mentioned that it wasn't listed. So what caused the
>> MsiInstaller Warning?
>>
>> CLSID {0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E} appears to be BPSSR.
>>
>> Also look for {0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E} in
>> %appdata%\Microsoft\Installer
>> or
>> C:\Documents and Settings\Your Name Here\Application
>> Data\Microsoft\Installer
>> and
>> %windir%\Installer
>> or
>> C:\WINDOWS\Installer
>> And delete the {0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E} folder. This ought
>> to prevent BPSSR from getting installed again.
>>
>> Spyware.exe & PopUpWatch.exe would appear to be the BPSSR program. Make
>> sure that you use Task Manager to *KILL* both of these before running
>> Spybot S&D, etc.
>>
>> Open Task Manager...
>> Ctrl + Shift + Esc | Processes tab | Click on the Image name header to
>> alphabetize the list | Locate Spyware.exe & PopUpWatch.exe | Right click
>> each one | End Process | Answer YES to the Warning that pops up | Make
>> sure that there isn't more than one of each running | Close Task Manager
>>
>> --
>> Hope this helps. Let us know.
>>
>> Wes
>> MS-MVP Windows Shell/User
>>
>> In news:%23mhAN5mjFHA.1444@TK2MSFTNGP10.phx.gbl,
>> mgm <mgmombo@hotmail.com> hunted and pecked:
>>> Amen to Scott and a big thank you to all you contributed.
>>> If anyone can offer some added input after reviewing the logs, it would
>>> be greatly appreciated. Thanks..mgm
>>>
>>> I have NAV 2005, spybot s&d, Adaware, ZoneAlarm Pro(all updated) and all
>>> XP's latest and greatest patch/update software running behind a hardware
>>> firewall (router) and STILL got the BulletProof mess.
>>>
>>> After checking my application event logs, I noted that the BPS mess
>>> begins executing at 4:15 AM every day. Adaware and Spybot also auto
>>> execute in the wee hrs. 2:15 and 3AM.
>>> By checking the event log, I got BPS CLSID and found it in the registry.
>>> With this ID I hope to let SpyBlaster block it from executing tomorrow am.
>>> Wesley Vogel requested some logs, so here they are. I hope they can
>>> help others to clean up or, better yet, avoid the mess
>>> Application event log:
>>>>>>> Event Type: Warning
>>> Event Source: MsiInstaller
>>> Event Category: None
>>> Event ID: 1004
>>> Date: 7/21/2005
>>> Time: 4:15:02 AM
>>> User: XXXXX\Administrator
>>> Computer: XXXXX
>>> Description:
>>> Detection of product '{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}', feature
>>> 'SpywareRemover', component '{23332A7D-C96D-4A86-830C-71CBE466BA78}'
>>> failed. The resource 'C:\Program
>>> Files\BulletProofSoft.com\SpywareRemover\LSPFix.exe' does not exist.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>>
>>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
>>> Management\ARPCache\{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}<<<<<<
>>>
>>> Initial SpyBot run that "fixed" BulletProof (removed)
>>>>>>> BPS Spyware Remover: System file (File, fixed)
>>> C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe
>>>
>>> BPS Spyware Remover: System file (File, fixed)
>>> C:\Program
>>> Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe
>>>
>>> BPS Spyware Remover: Program directory (Directory, fixed)
>>> C:\Program Files\BulletProofSoft.com\SpywareRemover\
>>>
>>> BPS Spyware Remover: Program group (Directory, fixed)
>>> C:\Documents and Settings\All Users\Start
>>> Menu\Programs\BulletProofSoft.com
>>>
>>> BPS Spyware Remover: Shared DLL (1 apps) (Registry value, fixed)
>>>
>>>
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe
>>>
>>> BPS Spyware Remover: Shared DLL (1 apps) (Registry value, fixed)
>>>
>>>
>>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe<<<<<<<<<<<<
>>>
>>> Initial Spybot Startup list (this and the initial scan was done from
>>> SafeMode) I recognize all processes here.
>>>>>>> Located: HK_LM:Run, ccApp
>>> command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
>>> file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
>>> size: 58992
>>> MD5: e5f9b0314442ea5816518c64b02f10a2
>>>
>>> Located: HK_LM:Run, DeviceDiscovery
>>> command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
>>> file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
>>> size: 229437
>>> MD5: 7eef9e578d2aa3d562d074bfdfe56825
>>>
>>> Located: HK_LM:Run, HP Component Manager
>>> command: "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
>>> file: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
>>> size: 241664
>>> MD5: f5f1a8cdd473d55f9bf6fe23f715b0fa
>>>
>>> Located: HK_LM:Run, HP Software Update
>>> command: "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
>>> file: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
>>> size: 49152
>>> MD5: 6ad9dcb0257b10ea458165f70634dabc
>>>
>>> Located: HK_LM:Run, HPDJ Taskbar Utility
>>> command: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
>>> file: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
>>> size: 188416
>>> MD5: b25f66fdaa5a0389500c8a9e0433e5a5
>>>
>>> Located: HK_LM:Run, NeroFilterCheck
>>> command: C:\WINDOWS\system32\NeroCheck.exe
>>> file: C:\WINDOWS\system32\NeroCheck.exe
>>> size: 155648
>>> MD5: 3e4c03cefad8de135263236b61a49c90
>>>
>>> Located: HK_LM:Run, NvCplDaemon
>>> command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
>>> file: C:\WINDOWS\system32\RUNDLL32.EXE
>>> size: 33280
>>> MD5: da285490bbd8a1d0ce6623577d5ba1ff
>>>
>>> Located: HK_LM:Run, nwiz
>>> command: nwiz.exe /install
>>> file: C:\WINDOWS\system32\nwiz.exe
>>> size: 741376
>>> MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72
>>>
>>> Located: HK_LM:Run, SoundMan
>>> command: SOUNDMAN.EXE
>>> file: C:\WINDOWS\SOUNDMAN.EXE
>>> size: 77824
>>> MD5: 6351b9d79370a6795921fa3c3950ded6
>>>
>>> Located: HK_LM:Run, Symantec NetDriver Monitor
>>> command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
>>> file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
>>> size: 100056
>>> MD5: f9418981ee4d7e995d359833adab59d5
>>>
>>> Located: HK_LM:Run, TkBellExe
>>> command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
>>> file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
>>> size: 180269
>>> MD5: b8e684df9a97497edd2f87444a6307fb
>>>
>>> Located: HK_CU:Run, ctfmon.exe
>>> command: C:\WINDOWS\system32\ctfmon.exe
>>> file: C:\WINDOWS\system32\ctfmon.exe
>>> size: 15360
>>> MD5: 24232996a38c0b0cf151c2140ae29fc8
>>>
>>> Located: Startup (common), Adobe Reader Speed Launch.lnk
>>> command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
>>> file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
>>> size: 29696
>>> MD5: deb88aef013dd1eefb462d7cad642166
>>>
>>> Located: Startup (common), ZoneAlarm Pro.lnk
>>> command: C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
>>> file: C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
>>> size: 422984
>>> MD5: 3b2d0ab3d2dbc4cbbd6b9cd9be59a799
>>>
>>> Located: Startup (disabled), Acrobat Assistant (DISABLED)
>>> command: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
>>> file: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
>>> size: 217193
>>> MD5: 78bfe3201ada2fe02d1e35d2488e5f55
>>>
>>> Located: Startup (disabled), Adobe Gamma Loader (DISABLED)
>>> command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
>>> file: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
>>> size: 113664
>>> MD5: c2ff17734176cd15221c10044ef0ba1a
>>>
>>> Located: Startup (disabled), Microsoft Office (DISABLED)
>>> command: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
>>> file: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
>>> size: 83360
>>> MD5: 5bc65464354a9fd3beaa28e18839734a
>>>
>>> Located: Startup (disabled), ZoneAlarm Pro (DISABLED)
>>> command: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe -nopopup
>>> file: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
>>> size: 422984
>>> MD5: 3b2d0ab3d2dbc4cbbd6b9cd9be59a799<<<<<
>>> "Wm. Scott Miller" <Scott.Miller@spamkillerwvinsurance.gov> wrote in
>>> message news:%23KnT1ijjFHA.576@tk2msftngp13.phx.gbl...
>>>> mgm:
>>>>
>>>> If I were you, I'd learn how to remove spyware, adware, virus, etc
>>>> manually because not every one is going to be caught by every tool out
>>>> there. Of course try to find a tool to remove it for you, but when
>>>> that fails, there is only manual, especially if you want it off
>>>> instead of waiting for a def update. After all there is always a lag
>>>> time between release of a spyware/adware/virus/worm/etc and the tool's
>>>> ability to remove it. Use Ad-Aware, Spybot S&D, etc, but also make
>>>> sure you know what is running on that machine and what might not
>>>> belong. Blind trust in those companies to find everything out there
>>>> is a HUGE mistake.
>>>>
>>>> To do this manually, you can use several tools. Most of them I've
>>>> gotten from www.sysinternals.com (not associated, just like their tools).
>>>> Here is a list of the ones I use:
>>>>
>>>> 1. Process Manager -- Task Manager replacement that shows a lot more
>>>> information (like what is running inside those svchost.exe's)
>>>> 2. SigCheck -- Check to see what files in your Windows and
>>>> Windows/System32 etc directories have no signatures or unverifiable
>>>> signatures (WARNING: Some Microsoft files still do not have sigs so use
>>>> tool to highlight possible hoax programs, but make sure you don't go
>>>> deleting everything it finds)
>>>> 3. AutoRuns -- You have probably used MSConfig. This is much more
>>>> advanced and useful for finding that program and where it is starting
>>>> from.
>>>> 4. PortMon -- What ports on your machine are listening for connections
>>>> and what programs they belong to.
>>>>
>>>> If you cannot find the program with these, then you have bigger
>>>> problems.....
>>>>
>>>> Scott
>>>>
>>>> "mgm" <mgmombo@hotmail.com> wrote in message
>>>> news:%235IxkrYjFHA.3336@tk2msftngp13.phx.gbl...
>>>>> A couple of months ago I installed Norton Anti-Virus. Now whenever I
>>>>> run Ad-Aware, BulletProof Spy detector places shortcuts in a new
>>>>> folder on my desktop.
>>>>>
>>>>> Is anyone here familiar with BulletProof? Is this part of a Norton
>>>>> suite? Do I have to be concerned about the security of my XP pro box?
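The Spybot S&D startup list quoted in the thread is a flat "key: value" log that a reviewer has to read by eye. As an added example (my code, not anything posted in the thread), the parser below groups those lines into entries, tolerates the ">>>" quote markers a newsgroup paste carries, and flags the entries a reviewer would check by hand: launchers that do not match the resolved file, hosts such as rundll32.exe where the arguments decide what runs, and paths matching a watched product name. The BulletProofSoft entry, its size and MD5, the indirect-host set and the watch term are all constructed assumptions.

```python
import re

# Constructed sample in the Spybot startup-list shape quoted above: first entry copied from the
# post, second a hypothetical BulletProofSoft entry (placeholder size and MD5) added for illustration.
SAMPLE = r"""Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, SpywareRemover
command: "C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe"
file: C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe
size: 0
MD5: 00000000000000000000000000000000
"""
FIELD = re.compile(r"^\s*(?:>+\s*)?(Located|command|file|size|MD5):\s*(.*)$")  # tolerates '>>>' quoting
INDIRECT_HOSTS = {"rundll32.exe", "regsvr32.exe", "cmd.exe", "wscript.exe"}  # arguments pick the payload

def parse_startup_list(text):
    """One dict per 'Located:' block; keys are lower-cased, 'Located' becomes location + name."""
    entries = []
    for block in re.split(r"(?m)^(?=[ \t]*(?:>+[ \t]*)?Located:)", text):
        pairs = [m.groups() for m in map(FIELD.match, block.splitlines()) if m]
        if not pairs:
            continue  # leading empty chunk from the split, or a block with no fields
        fields = {k.lower(): v.strip() for k, v in pairs}
        location, _, name = fields.pop("located", "").partition(", ")
        entries.append(dict(fields, location=location, name=name))
    return entries

def launch_exe(command):  # basename of the command line's first token, quotes stripped
    cmd = command.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return first.rsplit("\\", 1)[-1].lower()

def review(entries, watch_terms=("bulletproofsoft",)):
    """Return (name, reasons) for entries that deserve a manual look."""
    findings = []
    for e in entries:
        exe, reasons = launch_exe(e.get("command", "")), []
        resolved = e.get("file", "").rsplit("\\", 1)[-1].lower()
        if exe != resolved:  # what the Run value names is not the file Spybot resolved
            reasons.append("launcher %s differs from resolved file %s" % (exe, resolved))
        if exe in INDIRECT_HOSTS:
            reasons.append("indirect launch via " + exe)
        if any(t in (e.get("command", "") + e.get("file", "")).lower() for t in watch_terms):
            reasons.append("matches watched product name")
        if reasons:
            findings.append((e["name"], reasons))
    return findings
```

Feed it the whole pasted list (quote markers included) and compare the flagged names against what you recognize; an entry that is flagged only for an indirect host, like NvCplDaemon, still needs the DLL in its arguments checked rather than the host.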