Manual Removal Guide for BDE Projector



Friday
2008-11-29, 23:59
The following instructions have been created to help you to get rid of "BDE Projector" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
networked

Description:
According to News.com (http://news.com.com/2100-1023-873181.html), the BDE Software contains technology that would allow Brilliant Digital to turn every computer with BDE installed into a node of a Brilliant-controlled network. Thus Brilliant could use your computer for distributed computing without your knowledge.
Supposed Functionality:
Plays 3D online files, stealth P2P network
Links (be careful!):

Website: http://www.brilliantdigital.com/
Product: http://www.brilliantdigital.com/content.asp?ID=437
Privacy: http://www.brilliantdigital.com/content.asp?ID=531
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "b3dUpdate".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "bdeplayer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$SYSDIR>\bdedata2.dll".
The file at "<$SYSDIR>\bdeload.dll".
The file at "<$SYSDIR>\bdeinsta2.dll".
The file at "<$SYSDIR>\bdeinstall.exe".
The file at "<$SYSDIR>\bdesecureinstall.cab".
The file at "<$SYSDIR>\bdesecureinstall.exe".
The file at "<$SYSDIR>\bdeverify.dll".
The file at "<$SYSDIR>\bdeverify.exe".
The file at "<$SYSDIR>\bdeinsta25.dll".
The file at "<$SYSDIR>\bdedownloader.dll".
The file at "<$SYSDIR>\bdefdi.dll".
The file at "<$SYSDIR>\bdeinsta3.dll".
The file at "<$SYSDIR>\bdeinstallman3.exe".
The file at "<$SYSDIR>\BDEInstallProgress3.dll".
The file at "<$WINDIR>\Downloaded Program Files\bdeinstallman.inf".
Make sure you set your file manager to display hidden and system files. If BDE Projector uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$WINDIR>\Temp\Brilliant".
The directory at "<$WINDIR>\Temp\BDECache".
The directory at "<$WINDIR>\BDE".
The directory at "<$WINDIR>\bdeuninstall".
Make sure you set your file manager to display hidden and system files. If BDE Projector uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

Delete the registry key "b3ds_auto_file" at "HKEY_CLASSES_ROOT\".
Delete the registry key "b3d_auto_file" at "HKEY_CLASSES_ROOT\".
Delete the registry key "b3dini_auto_file" at "HKEY_CLASSES_ROOT\".
Delete the registry key "Brilliant Digital Entertainment" at "HKEY_CLASSES_ROOT\Software\".
Delete the registry key "Brilliant Digital Entertainment" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key ".b3d" at "HKEY_CLASSES_ROOT\".
Delete the registry key ".b3dini" at "HKEY_CLASSES_ROOT\".
Delete the registry key ".b3ds" at "HKEY_CLASSES_ROOT\".
Delete the registry key "BDEsecureinstall.exe" at "HKEY_CLASSES_ROOT\Applications\".
Delete the registry key "BDEViewer.exe" at "HKEY_CLASSES_ROOT\Applications\".
Delete the registry key "{7DAB5F7A-8C49-4538-A1C2-78D81FDF3F9B}" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "installman.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "ZUpdate" at "HKEY_LOCAL_MACHINE\Software\".
A key in HKEY_CLASSES_ROOT\ named "BDEPLAYER.BDEPlayerCtrl", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BDESmartInstaller.BDESmartInstaller", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BDESmartInstaller25.BDESmartInstaller25", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BDEInstallMan3.BDEInstallMan3", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "BDESmartInstaller3.BDESmartInstaller3", plus associated values.
A key with a likely random name in HKEY_CLASSES_ROOT\CLSID\ that has "BDEPlayer Control" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\CLSID\ that has "BDESmartInstaller25 Class" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\CLSID\ that has "BDESmartInstaller Class" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\Typelibs\ that has "bdeplay 1.0 Type Library" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\Typelibs\ that has "BDEInstallerComponent 1.0 Type Library" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\Interfaces\ that has "IBDESmartInstaller" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\Interfaces\ that has "_IATLPlayerEvents" as its default value data.
A key with a likely random name in HKEY_CLASSES_ROOT\Interfaces\ that has "IATLPlayer" as its default value data.
Delete the registry key "{8721F16D-CBF8-4CE5-B924-18D64E12E77E}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\".
References to the file "bdedownloader.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "bdefdi.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "bdeinsta2.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "bdeinsta3.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "bdeinstallman3.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "BDEInstallProgress3.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\.
References to the file "bdedownloader.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "bdeinsta2.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "bdeinsta3.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "bdeinstallman3.exe" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
References to the file "BDEInstallProgress3.dll" at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls\.
Delete the registry key "{5AAA506A-CEB1-441A-9F05-43FAE6B8A495}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8721F16D-CBF8-4CE5-B924-18D64E12E77E}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{817B054A-DE21-44E2-B2D5-B7BDD3F26A42}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{BAF2D92F-B610-4BA1-86D0-464D26DDCA69}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F2AC7A7B-DFFE-4036-8561-54C88EFE544A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5FBF618A-82CC-4E96-BC3D-C91C48E94B3E}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{74CDA0EC-917B-4330-9702-6D4796D2D5EF}" at "HKEY_CLASSES_ROOT\TypeLib\".
If BDE Projector uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as available.
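
A read-only check for the files, folders, autorun entry and "likely random name" registry keys listed in this guide, as an added example that is not part of the original post or of Spybot-S&D. It assumes <$SYSDIR> and <$WINDIR> mean the system and Windows directories and that the "b3dUpdate" autorun sits in a standard Run key (the guide names no location); Find-KeyByDefaultValue is a hypothetical helper defined here.

```powershell
# Read-only audit for BDE Projector traces named in the guide; deletes nothing.
# Assumptions: <$SYSDIR> = system directory, <$WINDIR> = %windir%, and the
# "b3dUpdate" autorun lives in a standard Run key.
$winDir  = $env:windir
# On 64-bit Windows, files dropped by 32-bit installers land in SysWOW64.
$sysDirs = @([Environment]::SystemDirectory, "$winDir\SysWOW64")

$sysFiles = 'bdedata2.dll','bdeload.dll','bdeinsta2.dll','bdeinstall.exe',
            'bdesecureinstall.cab','bdesecureinstall.exe','bdeverify.dll',
            'bdeverify.exe','bdeinsta25.dll','bdedownloader.dll','bdefdi.dll',
            'bdeinsta3.dll','bdeinstallman3.exe','BDEInstallProgress3.dll'
$paths  = foreach ($d in $sysDirs) { foreach ($f in $sysFiles) { Join-Path $d $f } }
$paths += "$winDir\Downloaded Program Files\bdeinstallman.inf",
          "$winDir\Temp\Brilliant", "$winDir\Temp\BDECache",
          "$winDir\BDE", "$winDir\bdeuninstall"

function Find-KeyByDefaultValue {
    # Returns keys under $Root (and, with -Deep, their direct subkeys) whose
    # default value equals one of $Names.
    param([string]$Root, [string[]]$Names, [switch]$Deep)
    $keys = @(Get-ChildItem -LiteralPath "Registry::$Root" -ErrorAction SilentlyContinue)
    if ($keys.Count -eq 0) { return }
    if ($Deep) { $keys += @($keys | Get-ChildItem -ErrorAction SilentlyContinue) }
    $keys | Where-Object { $Names -contains $_.GetValue('') } |
        ForEach-Object { $_.Name }
}

$hits = @()
# Test-Path also reports hidden and system items.
$hits += @($paths | Where-Object { Test-Path -LiteralPath $_ })

foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item -LiteralPath $run -ErrorAction SilentlyContinue
    if ($key -and $null -ne $key.GetValue('b3dUpdate')) { $hits += "$run -> b3dUpdate" }
}

# Key names CLSID, TypeLib and Interface follow the guide's explicit GUID entries.
$hits += @(Find-KeyByDefaultValue 'HKEY_CLASSES_ROOT\CLSID' `
    'BDEPlayer Control','BDESmartInstaller Class','BDESmartInstaller25 Class')
# Type library names usually sit on the version subkey, hence -Deep.
$hits += @(Find-KeyByDefaultValue 'HKEY_CLASSES_ROOT\TypeLib' `
    'bdeplay 1.0 Type Library','BDEInstallerComponent 1.0 Type Library' -Deep)
$hits += @(Find-KeyByDefaultValue 'HKEY_CLASSES_ROOT\Interface' `
    'IBDESmartInstaller','_IATLPlayerEvents','IATLPlayer')

if ($hits) { $hits | ForEach-Object { "FOUND: $_" } }
else       { 'No listed BDE Projector traces found.' }
```

A name match alone does not prove a file or key belongs to BDE Projector, so review each reported path before deleting it by hand.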