bug program file that is not removeable!

[Ouroboros]

A good firewall should close and/or stealth NetBIOS 139...then the only problem left is sanitizing your comp...if you run a Windows OS, it may take some work, but just research it...it's logged in the registry. Try a program called RegVac found on www.cnet.com, the software scan should recognize it as a suspect program, and ask you to delete its associations with everything...do that.

Ouroboros

[Aryoche]

Most likely the reason ZoneAlarm didn't catch the open port BladeRunner was using is that it had already established it's connection prior to the install of the firewall. AFAIK, the firewall should have been installed and configured -prior- to the actual online connectivity. Then the blocking should have worked.

Just out of curiousity, what type of connection are we talking about here? DSL? Cable? *shudder* Dial-up? If it's DSL/Cable, I would not only suggest one of the many firewalls out there, but also a router using NAT via DHCP in / DHCP out. It's not fool proof, and will not substitute for an actual firewall, but it -is- an added layer of protection.

If I can find it, I have some detailed instructions on removal of BladeRunner that may be of assistance. If I can find them, I'll post them.

Joining in a little late,
-Aryoche

[xmaddness]

Here are some links I found that may be usefull..

http://www.bsoft.swinternet.co.uk/tr...ade_runner.htm

http://www.dark-e.com/archive/trojans/blade/index.shtml

I hope that helps.

[hagbard]

Howdy yall, the only reason I am on this fourm is because of this thread. A win98 customer called MS support (Me) last night because he was getting an error with kill pokemon at boot "execption e-socket in module killpokemon.exe" this had broken IE and outlook express.
I did some searching on the internet on killpokemon.exe and edventually after trying a few search engines came up with this thread.

Ratman2 gave me the info I needed I did a search for the bladerunner trogan on www.norton.com and removed the system-tray entry form the run key however the trogan just recreated it.

What edventually solved the issue for us was to boot to MS-DOS and then delete killpokemon.exe (it was in a kazaa folder) then power off the computer to clear the memory then boot into windows and remove the system-tray entry from the run key in the reg. This was a new improved version of the bladerunner trogan. I stayed 2 hours over the end of my shift removeing it just because I love fighting viruses and now trogans and winning

FYI and thanks Ratman2

[Seeker_319]

I ran in to a few of these things before and somtimes the thing can be well hidden. One thing to try is use regedit and see if you can spot anything thats loading that shouldnt be or does not need to be under hkey local machine/software/microsoft/windows/current version/run and anything else with run ie..runonce...runservicesonce here you might find what is loading. I would also run sysedit and take a look at the autoexec.bat and config.sys files then look at the load= line in the win.ini
I would be surprised if the was a link in the startup folder but its worth a look.

another route is to use a prog to give you a list of all proccesses running you could try sysinternals.com there is a prog there called process explorer also I run a windowed netstat prog to monitor connections using tcpview.exe from the same site. with these two you should be able to track down the "pirate bastard file"

Hope this adds to the information you asked for!