Manual Removal Guide for BPSSpywareRemover



Friday
2008-11-28, 18:12
The following instructions have been created to help you to get rid of "BPSSpywareRemover" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
The program is installed through a downloaded .exe file. It produces false positives in order to scare the user into purchasing the full version. It also flags Spybot-S&D. It uses a stolen Spybot-S&D database and is therefore a copyright infringement.

Supposed Functionality:
Supposed to be anti-spyware software.

Removal Instructions:

Desktop:

Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Shortcuts named "BPS Spyware Remover.lnk" and pointing to "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover\SpyRem.exe".
Shortcuts named "BPS Remover.lnk" and pointing to "<$PROGRAMFILES>\BPS Remover\BPSRem.exe".

Start Menu:

Please remove the following items from your start menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu that appears.

Groups named "BulletProofSoft.com".

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "BPS Spyware Remover".
Entries named "BPS Spyware Remover" and pointing to "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "AdwraeCops by BulletProofSoft.com_is1".
Products that have a key or property named "BPS Spyware Remover_is1".
Products that are named "SpywareRemover".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$DESKTOP>\BPS Spyware Remover.lnk".
The file at "<$DESKTOP>\BPS Spyware & Adware Remover.lnk".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Box.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Core.dll".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DataBase.ini".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DB1.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DB2.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DB3.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DB4.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\DB5.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\English.inf".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\English.jpg".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Errors.txt".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Espanol.inf".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Espanol.jpg".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Francais.inf".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Francais.jpg".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\guard.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Help.chm".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\home.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\hosts".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Italiano.inf".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Italiano.jpg".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Mask.skn".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Purchase.bps".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Scan Session.txt".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Splash.spl".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\SpyRem.exe".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\update.cli".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\update.exe".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover\Core.dll".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover\SpyRem.exe".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover\unins000.exe".
The file at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover\update.exe".
The file at "<$COMMONPROGRAMS>\BulletProfSoft.com\BPS Remover\BPS Spyware-Adware Remover.lnk".
The file at "<$COMMONPROGRAMS>\BulletProfSoft.com\BPS Remover\Help.lnk".
The file at "<$COMMONPROGRAMS>\BulletProfSoft.com\BPS Remover\Uninstall.lnk".
The file at "<$PROGRAMFILES>\BPS Remover\Box.bps".
The file at "<$PROGRAMFILES>\BPS Remover\BPSRem.exe".
The file at "<$PROGRAMFILES>\BPS Remover\Core.dll".
The file at "<$PROGRAMFILES>\BPS Remover\DataBase.ini".
The file at "<$PROGRAMFILES>\BPS Remover\DB.fix".
The file at "<$PROGRAMFILES>\BPS Remover\Errors.txt".
The file at "<$PROGRAMFILES>\BPS Remover\EXCLUDEL.DAT".
The file at "<$PROGRAMFILES>\BPS Remover\exList.dat".
The file at "<$PROGRAMFILES>\BPS Remover\FixConf.exe".
The file at "<$PROGRAMFILES>\BPS Remover\guard.bps".
The file at "<$PROGRAMFILES>\BPS Remover\Help.chm".
The file at "<$PROGRAMFILES>\BPS Remover\home.bps".
The file at "<$PROGRAMFILES>\BPS Remover\hosts".
The file at "<$PROGRAMFILES>\BPS Remover\Ignorelst98".
The file at "<$PROGRAMFILES>\BPS Remover\Ignorelstxp".
The file at "<$PROGRAMFILES>\BPS Remover\Purchase.bps".
The file at "<$PROGRAMFILES>\BPS Remover\Scan Session.txt".
The file at "<$PROGRAMFILES>\BPS Remover\scanning.bps".
The file at "<$PROGRAMFILES>\BPS Remover\Splash.spl".
The file at "<$PROGRAMFILES>\BPS Remover\unins000.dat".
The file at "<$PROGRAMFILES>\BPS Remover\unins000.exe".
The file at "<$PROGRAMFILES>\BPS Remover\update.cli".
The file at "<$PROGRAMFILES>\BPS Remover\update.exe".

Make sure you set your file manager to display hidden and system files. If BPSSpywareRemover uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover".
The directory at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover\Patches".
The directory at "<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover".
The directory at "<$COMMONPROGRAMS>\BulletProfSoft.com".
The directory at "<$COMMONPROGRAMS>\BulletProfSoft.com\BPS Remover".
The directory at "<$PROGRAMFILES>\BPS Remover".
The directory at "<$PROGRAMFILES>\BulletProofSoft.com\SpywareRemover".
The directory at "<$WINDIR>\Desktop\Spyware Adware Remover".
The directory at "<$WINDIR>\Installer\{7BF99148-BD9D-4241-B6A9-6518CA0F736D}".

Make sure you set your file manager to display hidden and system files. If BPSSpywareRemover uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "BPS Security Console Toolbar" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "BPS Spyware Remover" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "{1A3EB014-CA94-441E-916A-5EEC0F1F8B7F}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6F207CDD-8D94-45D5-9FC7-5C7DB4FC4D66}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8983D0BB-85E4-41EE-99F1-BACFD98AB5CF}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C4E2C9DE-6708-475B-B462-47BF82EFF9A2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{C5AF178A-50F1-4DFC-ADAC-A8F4DA291698}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{FC7E0855-AF08-47CC-BA6D-04012F2024A1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{39AE7EEA-5F68-4677-A540-D21E9D83ADBC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{853CAAE4-51B7-45B4-9AD8-5BED5F859060}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{99583B07-8478-4587-B277-A69830F100D5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B575FCE6-61E6-46B9-A332-E5D53DA387C9}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{DB8FA9FA-4515-4866-815D-00F28BFDF751}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E29FA7FA-AB93-4D55-9443-0498A1DD9C13}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E858B4F9-DF5C-4A01-861C-D70097169ED5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{29E2D973-9427-4B50-8730-91EB90146EA5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C60D2164-9D83-4491-81C3-B2693D50BBEA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{C6A736C7-AEC9-41A3-8F1B-13A46EB05D7F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{AEA388AC-112C-4668-BB5F-F04C878B8E31}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{602E2CE0-53F7-11D2-A7F4-00A0C91110C3}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "Core.Backup", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Error", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Loading", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Monitor", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Remove", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Scan", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.ThreadControl", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.ThreadLaunch", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Core.Worker", plus associated values.
Delete the registry key "BPS Console Toolbar" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "BPS Remover" at "HKEY_CURRENT_USER\Software\".
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Backup", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Error", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Loading", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Remove", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Scan", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.ThreadControl", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.ThreadLaunch", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BPSCore.Worker", plus associated values.
Delete the registry key "{CCAF88BD-430E-4735-84DA-87B2BCA2420E}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{DE9BE0B6-6282-45C1-89E0-6DC449033B23}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7E0EA78D-E2BD-4DC4-8139-3C80FEA5388C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{B46BB0D4-73BC-426F-822D-06CF4D5D5AE9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{921064A0-DA49-40B6-B8CE-0E9F3C925E2D}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{F01F5B97-4493-47C7-881E-17C065B899EC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4222FB6A-87F1-4867-8639-3B07B79B2EA2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{509F840C-8FBE-4B39-8135-7AE4F77211BE}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{36B7E21C-6920-4357-9F20-2F4DEAA68B9B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{428155C1-9F82-42F2-BA2A-0D345AC1DBD0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{4CC02772-63BD-40E5-9B67-F1FA7B0FE86C}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5A4A2071-9CFC-4A4B-AF90-B0617EF6AFCF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{6739850A-55B9-44F5-B2DE-BFF77171E413}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{7BFDA862-F7A8-44BE-B1FF-CD0DDD081021}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{81DEFA06-8F0B-425B-8D21-0A4C2051434A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B1D363B7-4BA3-47C4-9DD8-B8AC959EFCE4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B596BD2B-770F-4416-90E2-58F2DB502D6B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FF077F61-3E89-4CB0-8644-7CFAC5356BA0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "Spyware / Adware Remover" at "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\".
References to the file "BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "BulletProofSoft.com\SpywareRemover\scr56en-Win98-me-nt4.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "BulletProofSoft.com\SpywareRemover\scripten-WIN2000.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "BulletProofSoft.com\SpywareRemover\Spyware.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.

If BPSSpywareRemover uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.
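
A read-only way to see which of the locations named in the removal steps above are actually present before deleting anything by hand, as an added PowerShell example that is not part of the original guide. The mapping of the <$...> placeholders to Windows folders, the two Run keys and the Uninstall parent path are assumptions; only a subset of the guide's paths is listed, and nothing is deleted.

```powershell
# Read-only audit: reports which artifacts named in the guide exist. Deletes nothing.
# Assumption: the guide's <$...> placeholders map to these Windows locations.
$roots = @{
    '<$PROGRAMFILES>'   = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    '<$DESKTOP>'        = @([Environment]::GetFolderPath('Desktop'))
    '<$COMMONPROGRAMS>' = @([Environment]::GetFolderPath('CommonPrograms'))
    '<$WINDIR>'         = @($env:windir)
}
# Paths copied from the guide (folders and shortcuts only; extend with single files as needed).
$paths = @(
    '<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware Remover',
    '<$PROGRAMFILES>\BulletProofSoft.com\BPS Spyware & Adware Remover',
    '<$PROGRAMFILES>\BulletProofSoft.com\SpywareRemover',
    '<$PROGRAMFILES>\BPS Remover',
    '<$COMMONPROGRAMS>\BulletProfSoft.com',
    '<$WINDIR>\Desktop\Spyware Adware Remover',
    '<$DESKTOP>\BPS Spyware Remover.lnk',
    '<$DESKTOP>\BPS Spyware & Adware Remover.lnk'
)
# Registry keys copied from the guide; the Uninstall parent path is an assumption.
$keys = @(
    'HKCU:\Software\BPS Spyware Remover',
    'HKCU:\Software\BPS Remover',
    'HKCU:\Software\BPS Security Console Toolbar',
    'HKCU:\Software\BPS Console Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BPS Spyware Remover_is1'
)
# Autorun locations to inspect (assumption: the standard per-user and per-machine Run keys).
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Expand-GuidePath([string]$Path) {
    # Yields one candidate per non-empty root, e.g. both Program Files trees on 64-bit Windows.
    foreach ($token in $roots.Keys) {
        if ($Path.StartsWith($token)) {
            $roots[$token] | Where-Object { $_ } | ForEach-Object { $_ + $Path.Substring($token.Length) }
        }
    }
}
$found = @(
    $paths | ForEach-Object { Expand-GuidePath $_ } |
        Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "PATH  $_" }
    $keys | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "KEY   $_" }
    foreach ($run in $runKeys) {
        $v = (Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue).'BPS Spyware Remover'
        if ($v) { "RUN   $run -> $v" }
    }
)
if ($found) { $found } else { 'No listed BPSSpywareRemover artifacts found.' }
```

On 64-bit Windows, 32-bit installers register under the WOW6432Node branch of HKLM\SOFTWARE, so add that variant of the Uninstall path if the product was installed there.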