Re: BulletProof software

From: mgm (mgmombo_at_hotmail.com)
Date: 07/22/05


Date: Thu, 21 Jul 2005 22:34:36 -0500

Amen to Scott, and a big thank you to all of you who contributed.
If anyone can offer some added input after reviewing the logs, it would be
greatly appreciated. Thanks.. mgm

I have NAV 2005, Spybot S&D, Ad-Aware, ZoneAlarm Pro (all updated) and all of
XP's latest and greatest patch/update software running behind a hardware
firewall (router) and STILL got the BulletProof mess.

After checking my application event logs, I noted that the BPS mess begins
executing at 4:15 AM every day. Ad-Aware and Spybot also auto-execute in the
wee hours, at 2:15 and 3 AM.
By checking the event log, I got the BPS CLSID and found it in the registry.
With this ID I hope to let SpyBlaster block it from executing tomorrow AM.
Wesley Vogel requested some logs, so here they are. I hope they can help
others to clean up or, better yet, avoid the mess.
Application event log:
>>>>Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 7/21/2005
Time: 4:15:02 AM
User: XXXXX\Administrator
Computer: XXXXX
Description:
Detection of product '{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}', feature
'SpywareRemover', component '{23332A7D-C96D-4A86-830C-71CBE466BA78}' failed.
The resource 'C:\Program Files\BulletProofSoft.com\SpywareRemover\LSPFix.exe' does not exist.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}<<<<<<

Initial Spybot run that "fixed" BulletProof (removed):
>>>>BPS Spyware Remover: System file (File, fixed)
  C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe

BPS Spyware Remover: System file (File, fixed)
  C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe

BPS Spyware Remover: Program directory (Directory, fixed)
  C:\Program Files\BulletProofSoft.com\SpywareRemover\

BPS Spyware Remover: Program group (Directory, fixed)
  C:\Documents and Settings\All Users\Start
Menu\Programs\BulletProofSoft.com

BPS Spyware Remover: Shared DLL (1 apps) (Registry value, fixed)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\BulletProofSoft.com\SpywareRemover\Spyware.exe

BPS Spyware Remover: Shared DLL (1 apps) (Registry value, fixed)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe<<<<<<<<<<<<

Initial Spybot startup list (this and the initial scan were done from
Safe Mode). I recognize all processes here.
>>>>Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 58992
    MD5: e5f9b0314442ea5816518c64b02f10a2

Located: HK_LM:Run, DeviceDiscovery
command: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
   file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
   size: 229437
    MD5: 7eef9e578d2aa3d562d074bfdfe56825

Located: HK_LM:Run, HP Component Manager
command: "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
   file: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
   size: 241664
    MD5: f5f1a8cdd473d55f9bf6fe23f715b0fa

Located: HK_LM:Run, HP Software Update
command: "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
   file: C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
   size: 49152
    MD5: 6ad9dcb0257b10ea458165f70634dabc

Located: HK_LM:Run, HPDJ Taskbar Utility
command: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
   file: C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
   size: 188416
    MD5: b25f66fdaa5a0389500c8a9e0433e5a5

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
   file: C:\WINDOWS\system32\NeroCheck.exe
   size: 155648
    MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
   file: C:\WINDOWS\system32\RUNDLL32.EXE
   size: 33280
    MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
   file: C:\WINDOWS\system32\nwiz.exe
   size: 741376
    MD5: a4ae9ba1e10cb9f6c0949c4db91a1f72

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
   file: C:\WINDOWS\SOUNDMAN.EXE
   size: 77824
    MD5: 6351b9d79370a6795921fa3c3950ded6

Located: HK_LM:Run, Symantec NetDriver Monitor
command: C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
   file: C:\PROGRA~1\SYMNET~1\SNDMon.exe
   size: 100056
    MD5: f9418981ee4d7e995d359833adab59d5

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
   file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
   size: 180269
    MD5: b8e684df9a97497edd2f87444a6307fb

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
   file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
   size: 29696
    MD5: deb88aef013dd1eefb462d7cad642166

Located: Startup (common), ZoneAlarm Pro.lnk
command: C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
   file: C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
   size: 422984
    MD5: 3b2d0ab3d2dbc4cbbd6b9cd9be59a799

Located: Startup (disabled), Acrobat Assistant (DISABLED)
command: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
   file: C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrotray.exe
   size: 217193
    MD5: 78bfe3201ada2fe02d1e35d2488e5f55

Located: Startup (disabled), Adobe Gamma Loader (DISABLED)
command: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
   file: C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
   size: 113664
    MD5: c2ff17734176cd15221c10044ef0ba1a

Located: Startup (disabled), Microsoft Office (DISABLED)
command: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
   file: C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
   size: 83360
    MD5: 5bc65464354a9fd3beaa28e18839734a

Located: Startup (disabled), ZoneAlarm Pro (DISABLED)
command: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe -nopopup
   file: C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
   size: 422984
    MD5: 3b2d0ab3d2dbc4cbbd6b9cd9be59a799<<<<<

"Wm. Scott Miller" <Scott.Miller@spamkillerwvinsurance.gov> wrote in message
news:%23KnT1ijjFHA.576@tk2msftngp13.phx.gbl...
> mgm:
>
> If I were you, I'd learn how to remove spyware, adware, viruses, etc.
> manually, because not every one is going to be caught by every tool out
> there. Of course try to find a tool to remove it for you, but when that
> fails, there is only manual, especially if you want it off instead of
> waiting for a def update. After all, there is always a lag time between
> the release of a spyware/adware/virus/worm/etc and the tool's ability to
> remove it. Use Ad-Aware, Spybot S&D, etc, but also make sure you know
> what is running on that machine and what might not belong. Blind trust
> in those companies to find everything out there is a HUGE mistake.
>
> To do this manually, you can use several tools. Most of them I've gotten
> from www.sysinternals.com (not associated, just like their tools). Here
> is a list of the ones I use:
>
> 1. Process Manager -- Task Manager replacement that shows a lot more
> information (like what is running inside those svchost.exe's)
> 2. SigCheck -- Check to see what files in your Windows and
> Windows/System32 etc directories have no signatures or unverifiable
> signatures (WARNING: Some Microsoft files still do not have sigs, so use
> the tool to highlight possible hoax programs, but make sure you don't go
> deleting everything it finds)
> 3. AutoRuns -- You have probably used MSConfig. This is much more
> advanced and useful for finding that program and where it is starting from.
> 4. PortMon -- What ports on your machine are listening for connections
> and what programs they belong to.
>
> If you cannot find the program with these, then you have bigger
> problems.....
>
> Scott
>
> "mgm" <mgmombo@hotmail.com> wrote in message
> news:%235IxkrYjFHA.3336@tk2msftngp13.phx.gbl...
> > A couple of months ago I installed Norton Anti-Virus. Now whenever I
> > run Ad-Aware, BulletProof Spy detector places shortcuts in a new folder
> > on my desktop.
> >
> > Is anyone here familiar with BulletProof? Is this part of a Norton
> > suite? Do I have to be concerned about the security of my XP pro box?
> >
> >
>
>
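To make the event-log check mgm describes repeatable, here is an added Python example (not from the post, nor from Spybot, Ad-Aware or any other tool named in the thread) that parses copied Event Viewer text for MsiInstaller 1004 "detection failed" entries, groups them by product code and minute of day to surface a daily trigger like the 4:15 AM one, and lists the registry keys to inspect for that product code. The sample entries are constructed from the post's own event; the 7/19 and 7/20 dates are assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three daily Application-log entries in the layout Event
# Viewer uses when an event is copied out. GUIDs and path are from the post.
_TEMPLATE = """Event Source: MsiInstaller
Event ID: 1004
Date: {date}
Time: {time}
Description:
Detection of product '{{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}}', feature
'SpywareRemover', component '{{23332A7D-C96D-4A86-830C-71CBE466BA78}}' failed.
The resource 'C:\\Program Files\\BulletProofSoft.com\\SpywareRemover\\LSPFix.exe' does not exist.
"""
SAMPLE_EVENTS = "\n".join(_TEMPLATE.format(date=d, time=t) for d, t in [  # 7/19, 7/20 assumed
    ("7/19/2005", "4:15:03 AM"), ("7/20/2005", "4:15:01 AM"), ("7/21/2005", "4:15:02 AM")])

DETECT_RE = re.compile(r"Detection of product '(\{[0-9A-F-]+\})',\s+feature\s+'([^']+)',"
                       r"\s+component\s+'(\{[0-9A-F-]+\})'\s+failed\.\s+The resource\s+"
                       r"'([^']+)'\s+does not exist")

def parse_events(text):
    """Split copied Event Viewer text into records; keep MsiInstaller 1004 hits."""
    hits = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, _, desc = block.partition("Description:\n")
        fields = dict(line.split(": ", 1) for line in head.splitlines() if ": " in line)
        if (fields.get("Event Source"), fields.get("Event ID")) != ("MsiInstaller", "1004") \
                or not (m := DETECT_RE.search(desc)):
            continue
        when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p")
        hits.append({"when": when, "product": m[1], "feature": m[2],
                     "component": m[3], "resource": m[4]})
    return hits

def recurring(hits, min_days=2):
    """Product codes failing at the same minute on different days: the daily
    pattern the poster used to spot the 4:15 AM trigger."""
    days = defaultdict(set)
    for h in hits:
        days[(h["product"], h["when"].strftime("%H:%M"))].add(h["when"].date())
    return {key: len(dates) for key, dates in days.items() if len(dates) >= min_days}

def registry_keys(product_code):
    """Keys to inspect for an MSI product code: the ARPCache key the event names
    and the Add/Remove Programs Uninstall entry."""
    base = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    return [base + "\\App Management\\ARPCache\\" + product_code,
            base + "\\Uninstall\\" + product_code]
```

Paste the text of real copied events in place of SAMPLE_EVENTS; a product code that shows up in recurring() at one fixed minute every day is the one to look up with registry_keys() and in AutoRuns, as Scott suggests.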


