The Mudcat Café TM
https://mudcat.org/thread.cfm?threadid=77527
18 messages

Tech: WARNING: Lyricsdomain installs trojans

20 Jan 05 - 05:11 AM (#1383001)
Subject: Tech: WARNING: Lyrics domain installs trojans
From: MudGuard

Before you read on:
DO NOT VISIT THAT SITE!
It will install a trojan on your computer.
This will happen even if you use a secure browser like Firefox, not only with Internet Explorer.

As Mudcat is about Lyrics, I just want to warn you - yesterday I was looking for some lyrics (by google, as it was not the type of lyrics found on Mudcat) and clicked on the first hit (using firefox).
Within half a second, Internet Explorer popped up ...
Despite immediately cutting off the internet connection, the damage was done - I had a trojan on board ...

I just finished cleaning my system (took me ~6 hours).

DO NOT VISIT THAT SITE!

The domain is www. DONTGOTHERE! lyricsdomain DONTGOTHERE! .com

DO NOT VISIT THAT SITE!

I intentionally did not make a blueclicky for it - and I took measures against simple copy/paste...
(might look funny in very old browsers, but I don't care ...)


20 Jan 05 - 05:26 AM (#1383006)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Joe Offer

Yeah, it's gotten to the point that I don't visit lyrics sites unless I know and trust them (several are listed toward the top of the FAQ). I don't know of any that have installed trojans, but I've come across many that have attempted to install spyware or other unwelcome software on my computer, or flood me with popups and porn. If you do a Google search for lyrics, you may want to view the lyrics from the "Cached" link from Google, instead of going to the site.
-Joe Offer-


20 Jan 05 - 07:48 AM (#1383067)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: GUEST,Paul Burke

If you install a firewall e.g. Zone Alarm, and configure it to ask you for permission before IE can access the web, you will get a chance to stop it before any damage is done.

Also run SpyBot (the spyware detector, not the virus!) regularly to clean up anything that has got through. As well as your antivirus program of course.


20 Jan 05 - 07:59 AM (#1383079)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: JennyO

Thanks for the warning Joe. Fortunately it appears I have never visited it.


20 Jan 05 - 09:00 AM (#1383126)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: The Fooles Troupe

MudGuard - I find it difficult to believe that it got thru shields (so would like to know what shields you were running) - of course if you have none installed, well, some of us have been rabbiting on a bit about that....


20 Jan 05 - 12:30 PM (#1383307)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Don Firth

I have ZoneAlarm, AdAware, and Norton Antivirus on my computer, and when I visited a lyrics site, Bullseye, an adware program (tracks where I go and flips up pop-up ads) still got through, and I can't get rid of it. I even went in and tried to delete it from the registry, but it's still there. When I try a straight delete of the .exe file (bargains.exe), an error message pops up saying that I'm not authorized to delete it. Neither AdAware nor SpyHunter can remove it. I delete the data files it accumulates, which cripples it, but I have to do this a couple times a day!

. . . kill the bastards!!!

Don Firth


20 Jan 05 - 12:39 PM (#1383318)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Cluin

Don, search for a little program called CWShredder and download and run that. I had a similar bug here and it took running that utility a couple of times to completely remove it (used along with Spybot S&D and AdAware as well). Now I run it regularly to be sure.


20 Jan 05 - 12:43 PM (#1383324)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: JohnInKansas

Symantec Security Response: Adware Bargain.Buddy

This crud is usually embedded in another "program" that you download and install. There's always the possibility that your version came with something unusual, but as the "bargains.exe" file normally is distributed, the Symantec instructions should enable you to clean it up.

John


20 Jan 05 - 01:11 PM (#1383358)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Don Firth

Been there, done that. I tried the Symantec removal instructions (several times) and it's still there. Which is to say, I removed it from the registry, but a search for "bargains.exe" still turns it up, and "Bullseye" pop-ups keep appearing. As I mentioned, I delete the data files that accompany it and it goes limp for awhile, but somehow it manages to reconstitute itself.

Don Firth


20 Jan 05 - 01:17 PM (#1383367)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: MudGuard

Don, from my experience yesterday, it does not help to remove stuff in normal mode.
Run the machine in Safe mode and then run
AdAware, SpyBot, Virus checker and control the registry.
And manually delete the bad .exe files.

Btw, analysis of the problem by an expert revealed that a firewall would have been of absolutely no help at all - all the stuff came in through HTTP - started by a Java Applet (but in the page there are also other mechanisms like ActiveX and so on to get that stuff into the machine).


20 Jan 05 - 02:11 PM (#1383437)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: JohnInKansas

WinXP in particular has an automatic "System Restore." If this is turned on, a backup of your registry, including the infection, is likely to be copied back after you run the Norton procedure, as soon as you reboot. If you turn off System Restore, all old copies of the registry will be immediately deleted, so it can't come back on you.

Start - Settings - Control Panel, scroll down and double click on System, select the System Restore tab and put a check mark in the "Turn Off System Restore on all drives" box. (Turn it back on after you get clean.)

If you're worried about needing a "go-back," make a manual copy from regedit. Start - Run, type regedit, hit enter, choose File-Export, and put a copy of the registry somewhere else (where System Restore can't find it). If you need it, double-clicking on the .reg file will put everything back.

Since this malware normally comes as part of some other program you download and install (often without knowing it) you may need to think back about what you may have allowed to be downloaded, and look for it in Add/Remove programs. If it was part of a program, that program will probably quit working if you remove the malware, so you might as well just uninstall the program.

Most anti-crud programs are safe, and if one you trust finds something you should let the program remove (or disable) it.

Some malware of this sort comes with an uninstall, if you can find it. The problem with this one is that the uninstall may have the name of the program it was embedded in.

You should ALWAYS try Control Panel Add/Remove Programs before trying to manually remove pieces, since you're much more likely to get everything that way.

Manually deleting individual files is a last resort, since that may "break" the uninstall scripts. Sometimes the "last desperate act" that works is to go back and get "reinfected," so that Control Panel's Add/Remove Programs can rebuild the script and will be able to do a real uninstall. That's the normal procedure for Kazaa's spyware components.

John
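MudGuard's advice (Safe Mode, then scanners and a look at the registry) and John's (back up the registry outside System Restore's reach, then prefer Add/Remove Programs over deleting files by hand) both come down to the same triage: find out what is set to restart at boot or when IE launches, keep a copy of those keys, and know which restore points could re-import the infection. The PowerShell below is an added example, not something posted in this thread or shipped by any of the tools named in it; it assumes an elevated prompt, a backup folder of C:\RegBackup, and a watch-list built from the "bargains.exe" / "Bargain Buddy" names mentioned above. It only reads and exports; it deletes nothing.

```powershell
# Added example (not from the thread): triage of the autorun and Browser Helper
# Object registry locations that adware such as "bargains.exe" uses to restart
# at every boot or IE launch. Run from an elevated PowerShell prompt.
# The watch-list and backup path are assumptions for illustration.

$Watchlist = @('bargains.exe', 'bargain', 'buddy')   # names seen in this thread
$BackupDir = 'C:\RegBackup'                          # assumed; outside System Restore's scope
$PsNoise   = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Back up the keys we are about to inspect, as John does with regedit's File > Export,
#    so there is a "go-back" that System Restore will not overwrite or replay.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg export 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' "$BackupDir\HKLM-Run-$Stamp.reg" /y | Out-Null
reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "$BackupDir\HKCU-Run-$Stamp.reg" /y | Out-Null

# 2. Enumerate the Run / RunOnce values and flag any command line that names a
#    watch-listed executable (case-insensitive match).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Findings = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in $Props.PSObject.Properties) {
        if ($Prop.Name -in $PsNoise) { continue }
        $Cmd = [string]$Prop.Value
        $Hit = $Watchlist | Where-Object { $Cmd -match [regex]::Escape($_) }
        [pscustomobject]@{ Location = $Key; Name = $Prop.Name; Command = $Cmd; Suspicious = [bool]$Hit }
    }
}

# 3. Enumerate Browser Helper Objects (the DLLs Internet Explorer loads on start-up;
#    BHODemon, mentioned later in the thread, watches the same key) and resolve each
#    CLSID to the DLL it points at.
$BhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$Bhos = if (Test-Path $BhoKey) {
    Get-ChildItem -Path $BhoKey | ForEach-Object {
        $Clsid  = $_.PSChildName
        $Server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
        $Dll    = if (Test-Path $Server) { (Get-ItemProperty -Path $Server).'(default)' } else { '<unresolved>' }
        $Hit    = $Watchlist | Where-Object { $Dll -match [regex]::Escape($_) }
        [pscustomobject]@{ CLSID = $Clsid; Dll = $Dll; Suspicious = [bool]$Hit }
    }
}

# 4. Report. Anything flagged should first be looked up in Control Panel > Add/Remove
#    Programs; deleting the file by hand is the last resort, for the reason John gives.
$Findings | Format-Table -AutoSize
$Bhos     | Format-Table -AutoSize

# 5. Restore points are where a cleaned registry can be silently re-imported on reboot.
#    List them; the thread's advice corresponds to Disable-ComputerRestore -Drive 'C:\'
#    during clean-up and Enable-ComputerRestore -Drive 'C:\' once the machine is clean.
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
```

Run it once in normal mode to see what is registered, then again after a Safe Mode clean-up and a reboot: an entry that reappears in the second run with System Restore still enabled is the symptom John describes, and the .reg exports in C:\RegBackup show exactly which values changed between the two passes.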


20 Jan 05 - 09:38 PM (#1383834)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: GUEST,.gargoyle

John in Kansas - excellent point - re: System Restore in XP

I was called upon to find/restore lost files on a machine that had been upgraded to XP.

Hell broke loose when the "System Restore" released a version of SasserWorm that was "trapped" in deleted e-mail.

Sincerely,
Gargoyle


20 Jan 05 - 11:52 PM (#1383922)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Cluin

Maybe you keep reinfecting your computer from the same source, Don? You've probably thought of that, though.


21 Jan 05 - 12:29 AM (#1383940)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: GUEST

http://pcworld.com/downloads/file_description/0,fid,23611,00.asp

BHO demon

another useful anti malware tool


01 Feb 05 - 07:01 PM (#1396225)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: saulgoldie

I was recovering my wife's machine last night. McAfee didn't find anything, but *buddy.* and *bargain.* kept coming up. I tried to delete them from the registry, but obviously did not find all instances. I finally opened up AdAware, updated to the current definition, and it found 200+ instances of bad stuff, mostly related to those two. AdAware had not been run on her machine since 140 days ago when the "bad things" definitions were much different.

My wife had been using IE, and sometimes had "engaged" various pop-up warnings about computer vulnerability. She has also visited some bargain sites. I have advised her to a) use Netscape (or maybe Firefox); b) NEVER answer ANY pop-ups except to click on the "X" to close them; c) to be VERY careful about which sites she visits, and d) to run AdAware every week, or perhaps even after visiting any questionable site. (She likes travel bargains.)

Her computer is fine, now, and I think she will be more wary. I hope that other 'Catters are, as well, perhaps by learning from my example and the others presented here.

BTW, some of these spyware/trojans/malwares hi-jack people's machines and use them to send out spam. Didjoo know?


01 Feb 05 - 08:27 PM (#1396332)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: Mary in Kentucky

I got overrun last month and spent a month cleaning up. The folks at spywareinfo.com (forum) were extremely helpful. They have numerous programs to diagnose where the bad stuff is. And yes, it was deep in the system, Adaware and SpyBot can't delete it. I had to delete over 100 .dll files.

I suspect I got overwhelmed in December when I clicked on a cutesy Christmas card that probably had ActiveX stuff. Once one creep got in, I think it stood at the hole and waved to all the other creeps, "Come on in guys!"

That obnoxious Bargain Buddy is what started me seriously cleaning up. That and the fact that surfing was so slow; I was almost immobilized. (I thought I had Cool Web Search, thus tried CWShredder, but that wasn't the problem. These creeps disguise themselves as all kinds of things. They are also aggressively sabotaging the sites which help fight them. I was hijacked unmercifully.)

I learned that the malware creeps got more aggressive in November. Also, the large virus protection programs don't strive to get rid of adware.

I now have Firefox - love it. (plus Adaware, Spybot, a good virus checker, and a firewall...will get two more and Eudora when I have time to.)


02 Feb 05 - 03:09 PM (#1396909)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: saulgoldie

...and she installed something called ErrorGuard. A web search turns up a lot of conflicting commentary on it, which tells me that it is quite questionable. I would dissuade anyone from using it, if the opportunity comes up. It sounds like a bad thingie. I have told her not to use it, and I will likely uninstall it.

Everyone, keep on your toes. No laws can ever fully protect you from everything, even if they were carefully crafted and thoroughly enforced. Ultimately, it is up to each and every computer user.


03 Feb 05 - 12:37 AM (#1397477)
Subject: RE: Tech: WARNING: Lyricsdomain installs trojans
From: The Fooles Troupe

Highly recommended is MailWasher - I use the unsupported freebie.

It allows you to set up rules etc, and sort thru the incoming pile - looking at the subject lines and senders and see if you are correctly there as a proper recipient or just in the 'BCC List' - even peeking at part of the text without damaging your machine.

You then delete the crap - and take FAR less time to do your mail download - especially since many viral loads need about 30 Kb to carry the infection - you can even tell if there are the typical sorts of attachments that nasties come with, especially in Multifart MIME message attachments.