B3D Killer - remove BDE/B3D scumware...

Quote:

=(i get error not a valid win 32 aplication error when i try to run it

I think you need the Visual Basic run-time. Search http://www.micrososft.com for the VB 6 SP5 run-time installer.

Oops - misspelled that above link.

But here's the direct link: http://www.microsoft.com/downloads/release.asp?ReleaseID=28337&LangID=20&LangDIR=en-us&OpSysID=9801&Search=Keywords&Value=Visual+Basic&Show=Alpha&Start=&Page=0

[Rxdoxx]

Thank you!!!!!
Ran the program, KaZaa still works.

Did a search and found a number of files remaining, mostly .gag files Deleted them also.

I have my system backed up on a second HD. *Didn't see it clean the registry that was still there. Copied it to the D drive and tried running it from there also, so looks like your great program hits the active registry.

Final thing I am looking for is a list of files. I'm hesitant to delete everything with BDE in it. Still finding msxbde40.dll , mspbde40.dll , KBDE.KBD , and NETCBDEC.INF .
NETCBDEC.INF was a hidden file. I unhid and went looking just in case they had tried to sneak something in that way.

(Javacool, if you remember me, you'll remember I tend to go overboard with these things), still some questions in my mind, but I am very happy and grateful for the program. Thank you again.

[javacool]

Quote:

Thank you!!!!!
Ran the program, KaZaa still works.

Did a search and found a number of files remaining, mostly .gag files Deleted them also.

Glad the program worked well for you.

Quote:

I have my system backed up on a second HD. *Didn't see it clean the registry that was still there. Copied it to the D drive and tried running it from there also, so looks like your great program hits the active registry.

That is correct, the program only affects the active registry.

Quote:

Final thing I am looking for is a list of files. I'm hesitant to delete everything with BDE in it. Still finding msxbde40.dll , mspbde40.dll , KBDE.KBD , and NETCBDEC.INF .
NETCBDEC.INF was a hidden file. I unhid and went looking just in case they had tried to sneak something in that way.

You shouldn't have to delete any other files if you ran my program - it gets rid of all the Brilliant Digital files installed - including those installed with the newest KaZaA (which has a newer version of Brilliant Digital).

WARNING: I generally wouldn't go around deleting everything with BDE in it - many are IMPORTANT system files. If you ran my program, you should be fine.
(This also applies to registry entries - there are many that include the string "BDE" that are important for windows, and then there are some that don't contain the string that are Brilliant Digital entries - my program should get rid of ALL the Brilliant registry entries too, so you won't have to manually search for any more.)

_{Note: if you really do want to check those files out to make sure they are legit, you can right click on the file, and select properties - that should tell you what company/software that file is from.}

Quote:

(Javacool, if you remember me, you'll remember I tend to go overboard with these things), still some questions in my mind, but I am very happy and grateful for the program. Thank you again.

I don't forget that easily. *

No problem with answering the questions, and you're quite welcome for the program.

If you have any other questions, don't hesitate to ask. *

[spy1]

javacool - I'd like to thank you for the program, too (yes, I came up clean everywhere).

You, Robin Keir ( http://keir.net/bde.html ) and AdAware are all to be highly commended for leaping all over that thing and beating it to death - for free! Pete

[GhostWerm]

Nice work javacool. Ive made a post on elitehackers.com: http://www.elitehackerz.com/ubb/ultimatebb.php?ubb=get_topic;f=8;t=000681 and mirrored your download as well as given a link to your download page. Keep finding those files and keys and updating the program...very cool indeed!

[Mr.Blaze]

bandwith problem
set up mass acounts at tripod with difrent e-maill adress

copy page at free servers upload to several tripods.


just paste the several urls of mirrors from tripods to free servers

but keep the tripods non asochiated wite freeservers

keep handy all your tripod acounts and pass words

never log in with rember me from now on.

mask ip

and always use internet sweeper to wipe out cookies ect after each visit to tripod and on to the next one.

im just guessing this is how its done=)

hey its for a good cause security =)why every one looking at me funny=)

* * * Javacool


* * * I am extending "thank you" from eight familes.

* * * today using your great lil program I cleaned their computers of <brilliant>.......the program worked wonderfully.........several of these computers were win95.......

* * *hip hip hooray....job well done....get-em Javacool!!

[GhostWerm]

If you need more mirros just let me know. I know how much of a pain it is to try to host files on a free servers. If you would like to use my link as a direct download mirror go ahead: *http://www.barrnun.com/bdkiller.exe

If you need anything else: domain name, webspace, mirrors, etc.. just send me an email and I will see what I can do to hook you up. Again, good job *

[Jooske]

Not sure which version i ran, as downloading 1.1.2 where it said "the newest version" it asked for username/password, so guess i had the 1.1 from ??
Coming up so clean, that i wondered if the program was even working . A little message would be helpfull i guess.
Never used Kazaa, could have been in another software... so good to be clean! *

[weh]

Nice work!

Perhaps you can answer a couple of questions...
In your study of this software were you able to determine how Brilliant software downloads and updates? Specifically, is the update function provided by KaZaa, or once Brilliant's software is present on a system does it function and update on its own? *(Does KaZaa have to be running for Brilliant to do its stuff?)

I am particularly interested in what you know about the ability of the software to re-infect a PC.

On an infected machine I was not able to detect any additional processes running in the task list - *so if KaZaa is not running can Brilliant still manipulate the machine?

[spy1]

Anyone who has been affected by 'Brilliant' should also check for (and delete if there) C:\WINDOWS\SYSTEM\bde3d_refk7.dll (or at the very least, un-register it). Pete

[javacool]

Quote:

Nice work!

Perhaps you can answer a couple of questions...
In your study of this software were you able to determine how Brilliant software downloads and updates? Specifically, is the update function provided by KaZaa, or once Brilliant's software is present on a system does it function and update on its own? *(Does KaZaa have to be running for Brilliant to do its stuff?)

I am particularly interested in what you know about the ability of the software to re-infect a PC.

On an infected machine I was not able to detect any additional processes running in the task list - *so if KaZaa is not running can Brilliant still manipulate the machine?

Actually, I do have a couple answers for those questions.

1) As far as I can tell, the updating only goes through the Zupdate program. It seems as though this program must run itself BEFORE most other things load (pretty suspicious) - which I believe is an attempt to circumvent outbound protecting software.

2) Kazaa does NOT have to be running for the Brilliant Digital software to function. Side note: Reports have indicated that the Kazaa software pings a strange outside IP address, and that this pinging stops once Brilliant is uninstalled...

3) As for your other question - the only components known as of yet are the B3D player and associated download components. The download components are, of course, the most dangerous, as they will allow the download of the "distributed computing" application part at a later date. As of now, no reports have come in of this new part being pushed out or activated, but supposedly, it soon will.

Hope this was somewhat useful to you, and I will post more later if I get a chance.

Hey as for bandw I have a few dedicated servers on my hands I can mir the file for you.

It can be on
www.visualdysfunction.com
www.obtainroot.com
www.gladewater.net
www.fekt.org
www.fektnetworks.com
etc..

and yes it is great thank you for helping us all with that great program

[spy1]

Javacool - I notice from this posting that the latest AA reflist update concerns a new version of Brilliant.

http://www.lavasoft.de/cgi-bin/forum...t=ST;f=20;t=16

Are you going to update your program, too? Pete

[Mike_Healan]

It looks like BDE is planning to update it's crap every week now. I believe Urizen intends to match them with a new reflist each time.

[javacool]

Quote:

Javacool - I notice from this posting that the latest AA reflist update concerns a new version of Brilliant.

http://www.lavasoft.de/cgi-bin/forum...t=ST;f=20;t=16

Are you going to update your program, too? Pete

As soon as I obtain more information on this new version (and to make sure its not a version my program already covers) I will update B3D Killer's detection database. I have not yet found a new version of BDE online, however - but I will download the BDE Player from Brilliant Digital's website again today, and the same with Kazaa, to make sure it doesn't install anything new. (If I can confirm it does, you can be sure an update will be put out.) *

[javacool]

Quote:

It looks like BDE is planning to update it's crap every week now. I believe Urizen intends to match them with a new reflist each time.

As I will, as soon as I can get my hands on the newest version of their "scum"...

[Paul Wilders]

Nice going, javacool!

Quote:

As I will, as soon as I can get my hands on the newest version of their "scum"...

Seems like you will have to update on a weekly basis as well...

regards.

paul

[javacool]

Quote:

Nice going, javacool!




Seems like you will have to update on a weekly basis as well...

regards.

paul

That seems to be the case.

In my investigation, which I just completed, I have found traces of a new version of BDE in the KaZaA 1.6 download (which, although the version number of KaZaA has not changed, installs different and/or more files/folders/registry keys).

A B3D Killer update is on its way...

[javacool]

B3D Killer v1.6 is now out.

See http://www.security-pro.co.uk/yabb/Y...num=1018913387.

Or go directly to http://www.wilderssecurity.com/B3DKiller.html to get it.


Additions in v1.6:
-Added new files, folders, and registry entries installed with the latest version of BDE to the detection database.

[Checkout]

Just an aside - my ZA logs show an attack from a service called "KAZAA" this morning. *Coincidence?

Quote:

That seems to be the case.

In my investigation, which I just completed, I have found traces of a new version of BDE in the KaZaA 1.6 download (which, although the version number of KaZaA has not changed, installs different and/or more files/folders/registry keys).

A B3D Killer update is on its way...

Hi! I have used bde-killer 1.1.2 on my PC and then installed kazaa lite a few days ago (I´m running Windows XP professional... maybe u want know it). Now i´ve found: in Wininit.ini "/system32/bdeinstal2" -it´s a link to a non existing file- and, in system32, this files from Brilliant: bde3d_ref2.dll, bdeinsta25.dll, bdeload.dll, BDESac10.dll and BDERastDx6_30002.dll. My lastest version of kazaa was 1.5.1. Hope this will be helpfull for you. Any question e-mail me el_tercer_hombre@hotmail.com. Sorry for my bad english. Bye.

Hi,

Didn't completely remove all traces. *The folder "C:\WINDOWS\BDE" and it's subdirectories "b3dlogo", "Cache", "movies", "mskin", & "Update" cannot be removed on this Win XP (NTFS) machine. *They are "access denied" and considered to be "critical system files".

Already tried to remove via "Add/Remove Programs" prior to B3D Killer. *Ad-Aware can't remove these directories, either. *Booting into safe mode doesn't work.

What do you think?

David

[javacool]

Quote:

Hi,

Didn't completely remove all traces. *The folder "C:\WINDOWS\BDE" and it's subdirectories "b3dlogo", "Cache", "movies", "mskin", & "Update" cannot be removed on this Win XP (NTFS) machine. *They are "access denied" and considered to be "critical system files".

Already tried to remove via "Add/Remove Programs" prior to B3D Killer. *Ad-Aware can't remove these directories, either. *Booting into safe mode doesn't work.

What do you think?

David

This is VERY strange...

It could be a new version/variant of BDE - or just something weird with how it installed itself on your system.

I'll have to look into this - if more people are having this occurance, and I can replicate it...Brilliant Digital has DEFINITELY made its software a trojan (if it can't be removed by simple deletion or uninstall - you can delete even WINDOWS folders/files, so this could be VERY malicious behavior).

-javacool