
·
Registered
Joined
·
6,563 Posts
Discussion Starter · #1 ·
Hello,

I've just run Spybot and found BDE Projector key present on my computer. Spybot removed the key.

On running Regedit and searching for BDE, I came across this key

HKEY_USERS\S-1-5-21-2025429265-1060284298-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BDEADF00-C265-11d0-BCED-00A0C90AB50F}

Is it a legitimate one for some other application, or is it the BDE projector key?

Thanks for any advice you may be able to give.

Bye,
Penny. :)
 

·
Registered
Joined
·
46 Posts
This is a free thing offered to view/listen to rich media and stands for Brilliant Digital (www.brilliantdigital.com) and is spyware. To get rid of it, start by uninstalling in the Control Panel. If you've had this program installed for a while, you need to get rid of everything BDE + b3d in the registry and in common files such as Documents and Settings, and kill in the Task Manager all bde and programfilesdir+\altnet\download manager\adm.exe. Restart your PC and this should solve the problem. Questions? Feel free to email me directly.
 

·
Registered
Joined
·
6,563 Posts
Discussion Starter · #3 ·
Hello ironmaixden,

Thank you very much for your reply. I will make sure I wipe the nasty thing off my computer. I will certainly email you if I run across problems.

Best wishes,
Bye,
Penny. :)
 

·
Registered
Joined
·
9,396 Posts
Hi Pen............if you want to post a HijackThis log we can see what loaded BDE and if anything else needs removing.
;)
 

·
Registered
Joined
·
4,699 Posts
The original date on this when I copied it to a MS Word file was 04/03/2002 so there may be a few more reg entries these days....not sure. But even if BDE has added more, this should give you a "good running start" on getting it removed. BDE is installed as part of several P2P downloading programs, so if you use P2P be aware that removing BDE may prevent the program from working.

Do a file search for bde*.* in your Windows system directory. Search and destroy the following:
c:\Windows\BDE (the folder and everything in it)
c:\Windows\Temp\Brilliant (the folder and everything in it)
c:\Windows\SYSTEM\bdedata2.dll
c:\Windows\SYSTEM\bdedownloader.dll
c:\Windows\SYSTEM\bdefdi.dll
c:\Windows\SYSTEM\bdeinsta2.dll
c:\Windows\SYSTEM\bdeinstall.exe
c:\Windows\SYSTEM\bdesecureinstall.cab
c:\Windows\SYSTEM\bdesecureinstall.exe
c:\Windows\SYSTEM\bdeverify.dll
c:\Windows\SYSTEM\bdeverify.exe

Now fire up Regedit and delete the following trails:
HKEY_CLASSES_ROOT\.b3ds
HKEY_CLASSES_ROOT\b3ds_auto_file
HKEY_CLASSES_ROOT\BDESmartInstaller.BDESmartInstaller
HKEY_CLASSES_ROOT\BDESmartInstaller.BDESmartInstaller.1
HKEY_CLASSES_ROOT\CLSID\{67925165-C4B6-11D2-B9C6-0000E84F59A6}
HKEY_CLASSES_ROOT\TypeLib\{82FC7881-AACC-11D2-B9C6-0000E842E40A}
HKEY_LOCAL_MACHINE\Software\Brilliant Digital Entertainment
HKEY_LOCAL_MACHINE\Software\Zupdate
Additionally, the B3D Projector configures itself to update silently at system startup. To remove this (yes, not even this is removed at uninstall), delete the b3dUpdate value at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

http://www.geocities.com/Pentagon/Quarters/5077/new/cleankazaa.html

Add this to your hosts file:
127.0.0.1 www.brilliantdigital.com
127.0.0.1 desktop.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
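
A read-only audit for the leftovers listed in the post above, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later, takes the Windows folder from `$env:SystemRoot`, checks both `System` and `System32`, and assumes the NT-family hosts file location; the file names, registry keys, Run value and host names are the ones given in the post.

```powershell
# Added example: read-only audit for the BDE leftovers named in the post above.
# Nothing is deleted; review the report before removing anything by hand.
$root = $env:SystemRoot   # assumption: C:\Windows or, on Windows 2000, C:\WINNT

# File names from the post. Both System and System32 are checked (assumption),
# since the post's SYSTEM folder corresponds to System32 on NT-based Windows.
$names = 'bdedata2.dll','bdedownloader.dll','bdefdi.dll','bdeinsta2.dll',
         'bdeinstall.exe','bdesecureinstall.cab','bdesecureinstall.exe',
         'bdeverify.dll','bdeverify.exe'
$paths = @("$root\BDE", "$root\Temp\Brilliant")
foreach ($dir in 'System','System32') {
    foreach ($n in $names) { $paths += "$root\$dir\$n" }
}

# Registry keys from the post, reached through the Registry:: provider prefix.
$keys = 'HKEY_CLASSES_ROOT\.b3ds',
        'HKEY_CLASSES_ROOT\b3ds_auto_file',
        'HKEY_CLASSES_ROOT\BDESmartInstaller.BDESmartInstaller',
        'HKEY_CLASSES_ROOT\BDESmartInstaller.BDESmartInstaller.1',
        'HKEY_CLASSES_ROOT\CLSID\{67925165-C4B6-11D2-B9C6-0000E84F59A6}',
        'HKEY_CLASSES_ROOT\TypeLib\{82FC7881-AACC-11D2-B9C6-0000E842E40A}',
        'HKEY_LOCAL_MACHINE\Software\Brilliant Digital Entertainment',
        'HKEY_LOCAL_MACHINE\Software\Zupdate'

$report = @()
foreach ($p in $paths) {
    $report += [pscustomobject]@{ Kind = 'File'; Item = $p; Present = (Test-Path -LiteralPath $p) }
}
foreach ($k in $keys) {
    $report += [pscustomobject]@{ Kind = 'RegKey'; Item = $k; Present = (Test-Path -LiteralPath "Registry::$k") }
}

# b3dUpdate is a value under the Run key, not a key, so read the key's properties.
$runKey = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -LiteralPath "Registry::$runKey" -ErrorAction SilentlyContinue
$hasUpdater = ($null -ne $run) -and ($null -ne $run.b3dUpdate)
$report += [pscustomobject]@{ Kind = 'RunValue'; Item = "$runKey\b3dUpdate"; Present = $hasUpdater }

# Hosts entries from the post: report which names are already pointed at 127.0.0.1.
$hostsFile = "$root\System32\drivers\etc\hosts"   # assumption: NT-family location
$hostsText = if (Test-Path -LiteralPath $hostsFile) { Get-Content -LiteralPath $hostsFile } else { @() }
foreach ($h in 'www.brilliantdigital.com','desktop.kazaa.com','shop.kazaa.com','www.bonzi.com') {
    $pattern = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($h) + '(\s|$)'
    $report += [pscustomobject]@{ Kind = 'HostsBlock'; Item = $h; Present = [bool]($hostsText -match $pattern) }
}

$report | Sort-Object Kind, Item | Format-Table -AutoSize
```

For the File, RegKey and RunValue rows, `Present = True` marks a leftover still on the machine; for HostsBlock rows it means the block entry is already in place.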
 

·
Registered
Joined
·
6,563 Posts
Discussion Starter · #6 ·
Hello Steve,

I will do that, thank you for telling me about it. Will download Hijack and get working on it.

Bye,
Penny.

Hello Nitehawk,

Thank you very much for the extras. I'll post a Hijack This Log and see if there are any entries left. I see this nasty is listed in my Spybot log as being dealt with. But you never know. I don't use a separate downloader.

Bye,
Penny.

 

·
Registered
Joined
·
6,563 Posts
Discussion Starter · #7 ·
Hello Steve,

Here's the log. I use Mozilla but I see that the Log has been taken by IE.

Logfile of HijackThis v1.97.7
Scan saved at 19:09:52, on 05/04/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Desktop Architect\datray.exe
C:\Program Files\DigiGuide\client01.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://antwrp.gsfc.nasa.gov/apod/astropix.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Architect] "C:\Program Files\Desktop Architect\datray.exe" -S
O4 - Startup: DigiGuide.lnk = C:\Program Files\DigiGuide\client.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software/instantsupport/tool/files/MotivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0001-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_05) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks,
Penny.
 

·
Registered
Joined
·
6,563 Posts
Discussion Starter · #9 ·
Hello Winchester,

Sorry, I don't even know what the item is. I don't use IE very often, being a Mozilla user. Is there something I should change or delete regarding this entry?

Thanks,
Bye,
Penny.
 

·
Registered
Joined
·
2,438 Posts
O6 items indicate Internet Explorer restrictions. It is usually recommended to fix items such as this, unless the user has used a security program to lock their browser settings.

I'm not sure about Mozilla and whether HJT shows something similar for that browser ... wait until a Mozilla user stops by.
 