Vulnerability Development mailing list archives

LimeWire Trojan removal.


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Tue, 1 Jan 2002 21:48:23 -0000

Here goes:
To clean up LimeWire 2.0.2 you need to:
+ kill any running adp.exe and bargins.exe processes.
+ Remove the \program files\adp\ directory
+ Remove the \program files\Bargain Buddy\ directory
+ Remove the entry for adp.exe and bargins.exe from HK_LOCAL_MACHINE..run.
+ Remove HK_LOCAL_MACHINE\SOFTWARE\Microsoft\adp\ (the cheek!)
+ Install & run Lavasoft Ad-Aware 5.62 (it doesn't seem to spot "Ad Popper")
+ Check any personal firewall logs for oddities.
+ Run LimeWire - javaw
+ Check any personal firewall logs for oddities.

Dom (no relation to ad-aware, btw)
NB. It looks like Ad Popper calls:
http://adp.ikena.com/update.asp?partner=%s&type=software
which returns the text:
version=7378 url=http://adp.ikena.com:80/file/bbi7378.exe size=153957
artifact=bbi7378.exe
Which appears to be "Bargain Buddy", at least today it is.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Dom De Vitto                               Secure Technologies Ltd
  mailto:dom () devitto com                       Mob. +44 7855 805 271
  http://www.devitto.com                       Fax. +44 8700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Jonas M Luster [mailto:jluster () d-fensive com]
Sent: 31 December 2001 20:48
To: vuln-dev () securityfocus com
Subject: Re: Clicktilluwin DLDER Trojan


Quoting Michael Watson (mmwatson () peoplepc com):

Something weird is going on. Maybe the LimeWire and Kazaa people got hacked
and someone is having a little fun, or maybe they are intentionally doing
this for some reason. Isn't there some kind of legal way for this to be

They get paid for it. Smuggling ad-ware or spyware into seemingly free
applications is, well, common behavior.

http://www.lavasoftusa.com/index.html can help.
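
An added example, not part of the original thread: a Python example for the "check any personal firewall logs" steps above. It parses the update reply quoted in the post and flags log lines that name the update host; the log layout, the partner value and the bbi9999.exe entry are constructed for illustration.

```python
from urllib.parse import urlsplit

# Reply text as quoted in the post: whitespace-separated key=value pairs.
UPDATE_REPLY = ("version=7378 url=http://adp.ikena.com:80/file/bbi7378.exe "
                "size=153957\nartifact=bbi7378.exe")

# Constructed log lines in a made-up "time action process detail" layout.
SAMPLE_LOG = [
    "2002-01-01 21:40:02 ALLOW javaw.exe TCP 192.0.2.10:6346",
    "2002-01-01 21:40:05 ALLOW adp.exe GET http://adp.ikena.com/update.asp?partner=EXAMPLE&type=software",
    "2002-01-01 21:40:07 ALLOW adp.exe GET http://adp.ikena.com:80/file/bbi7378.exe",
    "2002-01-01 21:41:11 ALLOW iexplore.exe GET http://www.example.com/",
    "2002-01-09 08:15:30 ALLOW adp.exe GET http://adp.ikena.com:80/file/bbi9999.exe",
]

def parse_update_reply(text):
    """Return the reply's key=value pairs as a dict; other tokens are ignored."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key.lower()] = value
    return fields

def indicators_from_reply(fields):
    """Derive the download host and file name to search logs for."""
    host = urlsplit(fields.get("url", "")).hostname or ""
    return {"host": host.lower(), "artifact": fields.get("artifact", "").lower()}

def flag_log_lines(lines, ioc):
    """Return (line_number, reason) for every line that names the host."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        if not ioc["host"] or ioc["host"] not in lowered:
            continue
        if "/update.asp" in lowered:
            reason = "update check"
        elif ioc["artifact"] and ioc["artifact"] in lowered:
            reason = "known payload download"
        else:
            # The served file can change, so the host alone is still a hit.
            reason = "other request to update host"
        hits.append((number, reason))
    return hits

if __name__ == "__main__":
    ioc = indicators_from_reply(parse_update_reply(UPDATE_REPLY))
    for number, reason in flag_log_lines(SAMPLE_LOG, ioc):
        print(f"line {number}: {reason}")
```

Matching on the host rather than the file name keeps the check useful after the served file changes, which the post's "at least today it is" suggests it does.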





