re: belgiandip.com
Monday, March 29, 2004 at 6:42 pm Windows XP Annoyances Discussion Forum
Posted by Sleepy
(1 messages posted)
NOTE: I'm using Win98 SE.
Well, this has been some 24 hrs.
Not only did I have Lycos SideSearch and eZula installed without my consent, I also
came down with a trojan.exe and the belgiandip/illtemperedsomethingorother.com runaround.
There were over 170 ezula.exe(s) on my system. I'm not clear what all I did to remove
the belgiandip curse, except for ITEM 5, so I'll try to recall to the best of my
abilities, with apologies:
Only use this info as a guide. I can't recommend it, except for ITEM 5.
(1) Go to
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.Q
and look for this link: Trend Micro System Cleaner.
Follow the download instructions. The cleaner found the trojan files REVOP.EXE &
TRIPPXXA.EXE.
(2) I regret that in my haste I did not note the exact location and name of the folder
before deleting it, but try looking in the Windows folder for something like a BXXS5
folder. You'll know it when you open it. It is full of files like BINGOPARLOR.xxx,
CASH.xxx, etc. I deleted this folder because I never visited a bingo site.
(3) Run REGEDIT and look for this folder:
HKEY_CURRENT_USER > SOFTWARE > MICROSOFT > WINDOWS > CURRENTVERSION > EXPLORER >
DOC FIND SPEC MRU
The first time I checked, the entries were as follows:
(DEFAULT) (value not set)
a "belgiandip"
b "PUP.EXE"
c ""
d "o.dll"
e "over.exe"
f "dbcji32o.exe"
g "reduic.exe"
h "pup.dll"
i "tucows"
j "o.bat"
MRUList "aicghdjfbe"
I deleted the entire KEY
(the folder DOC FIND SPEC MRU, and everything in it).
I then ran Internet Explorer. Belgiandip returned.
I again opened REGEDIT and checked for DOC FIND SPEC MRU
SAME FOLDER (this folder was REGENERATED):
(DEFAULT) (value not set)
a ""
b "XADSQ"
c "REVOP.EXE"
d "TRIPPXXA.EXE"
e "NETSKY Q"
f "Internet Explorer"
g "mm32i.exe"
h "illtemperedsomethingorother.com"
i "tio404n.exe"
j "BookedSpace.dll"
MRUList "dacbjihgfe"
The files listed and their order were different every time I checked it. The value
"NETSKY Q" was reinserted AFTER running Trend Cleaner. I again deleted this KEY (the
folder).
(4) I right-clicked Internet Explorer > Temp Internet Files Settings button (on the
General page) > the View Objects button. There were 4 files with classid numbers
for names and no creation date. Even though they were labeled "from Microsoft" the
lack of information was suspect. I deleted them.
(5) Run Find and look for the file bsx32.ini. Open it and check for entries of names
of files like those found in the (something like a BXXS5 folder).
I deleted it.
Again, my apologies. It's been a long day.
(6) Run Find and look for the file BXXS5.dll
I vanquished belgiandip/illtemperedsomethingorother.com by deleting it.
- Written in response to:
- re: belgiandip.com (Johannes Drescher: Sunday, February 8, 2004 at 7:26 am)
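Added example (not part of Sleepy's post): Explorer MRU keys such as DOC FIND SPEC MRU, where Windows keeps recent Find search terms, use the MRUList string to name their values from most recently to least recently used. The Python below reads the two listings quoted in the post, retyped here as sample input, puts each in that order and reports which entries are new in the second; the function names are this example's own.

```python
import re
# Sample input: the two DOC FIND SPEC MRU listings from the post, retyped.
FIRST = '''a "belgiandip"
b "PUP.EXE"
c ""
d "o.dll"
e "over.exe"
f "dbcji32o.exe"
g "reduic.exe"
h "pup.dll"
i "tucows"
j "o.bat"
MRUList "aicghdjfbe"'''
SECOND = '''a ""
b "XADSQ"
c "REVOP.EXE"
d "TRIPPXXA.EXE"
e "NETSKY Q"
f "Internet Explorer"
g "mm32i.exe"
h "illtemperedsomethingorother.com"
i "tio404n.exe"
j "BookedSpace.dll"
MRUList "dacbjihgfe"'''
LINE = re.compile(r'^\s*(\w+)\s+"(.*)"\s*$')  # name "data"

def parse_listing(text):
    """Split a pasted REGEDIT listing into (values, mrulist)."""
    values, mrulist = {}, ""
    for m in filter(None, map(LINE.match, text.splitlines())):
        name, data = m.groups()
        if name.lower() == "mrulist":
            mrulist = data
        else:
            values[name] = data
    return values, mrulist

def mru_order(text):
    """Entries most recent first; a letter with no value yields None."""
    values, mrulist = parse_listing(text)
    return [(c, values.get(c)) for c in mrulist]

def new_terms(old_text, new_text):
    """Non-empty entries of the later listing that the earlier one lacked."""
    seen = {v.lower() for v in parse_listing(old_text)[0].values()}
    return [v for _, v in mru_order(new_text) if v and v.lower() not in seen]

if __name__ == "__main__":
    print(mru_order(FIRST), new_terms(FIRST, SECOND), sep="\n")
```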