belgiandip.com
Showing all messages in thread #1071705702 Windows XP Annoyances Discussion Forum
The following are all of the messages in this thread (121 in all), shown in chronological order.
belgiandip.com
Wednesday, December 17, 2003 at 4:01 pm Posted by BT
(3 messages posted)
I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
is started or shut down. Can't seem to control it through my firewall or popup stopper.
Does anyone know how to kill it?
|
re: belgiandip.com
Wednesday, December 17, 2003 at 4:17 pm Posted by MBUSA
(51 messages posted)
Well, I don't really know why pop up stopper isn't blocking a pop up for you. Did you
tell the pop up stopper to block any popups from that site? I have found that the
new Yahoo! Companion has an excellent Pop-up stopper and can be configured to fit
your needs. Google has one also and is just as good as Yahoo!
Yahoo! Companion, Google Toolbar
|
re: belgiandip.com
Wednesday, December 17, 2003 at 4:18 pm Posted by MBUSA
(51 messages posted)
Sorry, bad link to Yahoo!
Yahoo! Companion
Google Toolbar (http://toolbar.google.com)
|
re: belgiandip.com
Wednesday, December 17, 2003 at 4:25 pm Posted by L Esl
(879 messages posted)
BT ...
You didn't say so I have to ask ...
do you run an up-to-date anti-virus program?
do you operate from behind firewall protection?
do you run PREVENTATIVE scumware blocking programs such as SpywareGuard and/or SpywareBlaster?
do you check your system periodically for scumware with such programs as AdAware
and/or Spybot Search & Destroy?
If the answers to any of these is NO, you might want to consider the following:
You may want to go to www.wildersecurity.net
and download, install, and run browser hijack blaster.
It would also be a good time to re-assess your general security for on-line activity.
If you do not currently have these, you might consider getting them (in addition
to the browser hijack blaster):
download, install, and invoke a good FREE software firewall: Zone Alarm; (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=pdb_za1)
download, install, UPDATE, and run: AdAware (http://www.lavasoft.de/) , Spybot Search
& Destroy (http://www.safer-networking.org/)
download, install, UPDATE, and run: SpywareGuard (http://www.wilderssecurity.net/spywareguard.html),
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
download, install and run: browser hijack blaster (http://www.wilderssecurity.com/bhblaster.html)
download, install Google toolbar & activate the pop-up blocker. (http://www.toolbar.google.com/)
The approach I would use for all of this is to first turn off system restore so that
these programs can search your WHOLE system then ...
1) download all the items;
2) disconnect from the internet connection; closing ALL open programs, including
any anti-virus you may have or firewalls that may be active;
3) install each of the items;
4) activate the firewall;
5) reconnect to the internet;
6) update each item you installed (not necessary for the toolbar);
7) run
a) either of the two bot cleaners (AdAware or Spybot S&D) and choose to clean any
scum found;
b) the other of the two bot cleaners and choose to clean any scum found;
c) the browser hijack blaster and clean the scum found with that;
d) invoke the two "defenders" against scumware even getting into your system, Spyware
Blaster and Spyware Guard.
Anytime you're on-line is a good time to have all this arsenal active!
Hope this is helpful to you.
L
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
|
re: belgiandip.com
Wednesday, December 17, 2003 at 4:30 pm Posted by werner
(7087 messages posted)
Checked Google and all it came up with was
BAHAMAS 24.244.185.70
I would instruct my Firewall to block this particular Address.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
|
re: belgiandip.com
Wednesday, December 17, 2003 at 8:18 pm Posted by BT
(3 messages posted)
I am running McAfee Firewall and Virus program, Browser HiJack Blaster, AdAware 6,
and the Google popup stopper. None of them have been able to kill it. When doing
a Google search for belgiandip.com, my own IP address comes up on the screen. I've
added belgiandip.com to McAfee banned addresses, but still getting the pop up. McAfee
tells me I'm trying to view a banned site, but would prefer to get no pop up at all.
The popup is advertising. Mostly for smileys related to Yahoo. When going to the
directed site from the popup page, it sends me to download.funwebproducts.com.
On doing a Google of funwebproducts, I got a reference for Sophos (http://www.sophos.com/virusinfo/analyses/trojadclickn.html).
I'm not sure if I've been hit by a trojan, but if so, McAfee hasn't picked it up.
Will keep working on it. Thanks all for feedback.
On Wednesday, December 17, 2003 at 4:17 pm, Mark wrote:
>Well, I don't really know why pop up stopper isn't blocking a pop up for you. Did you
>tell the pop up stopper to block any popups from that site? I have found that the
>new Yahoo! Companion has an excellent Pop-up stopper and can be configured to fit
>your needs. Google has one also and is just as good as Yahoo!
>
>Yahoo! Companion, Google Toolbar
|
re: belgiandip.com
Thursday, December 18, 2003 at 9:52 am Posted by Jazz
(2029 messages posted)
Try this link: -
http://www.panicware.com/product_psfree.html
Good luck
-=JAZZ=-
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
|
re: belgiandip.com
Thursday, December 18, 2003 at 12:24 pm Posted by werner
(7087 messages posted)
Can you find and kill the Process in Task Manager? When
you sweep with Antispyware or Antivirus program, is your
System Restore disabled? Checked in Services?
On Wednesday, December 17, 2003 at 4:30 pm, werner wrote:
>Checked Google and all it came up with was
>BAHAMAS 24.244.185.70
>I would instruct my Firewall to block this particular Address.
|
re: belgiandip.com
Thursday, December 18, 2003 at 2:52 pm Posted by werner
(7087 messages posted)
Just a Thought! Is your WINDOWS MESSENGER SERVICE
disabled? I MEAN WINDOWS not MSN.
On Wednesday, December 17, 2003 at 8:18 pm, BT wrote:
>I am running McAfee Firewall and Virus program, Browser HiJack Blaster, AdAware 6,
>and the Google popup stopper. None of them have been able to kill it. When doing
>a Google search for belgiandip.com, my own IP address comes up on the screen. I've
>added belgiandip.com to McAfee banned addresses, but still getting the pop up. McAfee
>tells me I'm trying to view a banned site, but would prefer to get no pop up at all.
>
>The popup is advertising. Mostly for smileys related to Yahoo. When going to the
>directed site from the popup page, it sends me to download.funwebproducts.com.
|
re: belgiandip.com
Friday, December 19, 2003 at 3:27 pm Posted by BT
(3 messages posted)
I think I got it! Windows\System32\reduic.exe.
The file wasn't even visible on the Windows Task Manager. Was able to
find it using Security Task Manager (http://www.webattack.com/get/securitytask.html).
Will keep my fingers crossed! Thanks for help
BT
On Wednesday, December 17, 2003 at 8:18 pm, BT wrote:
>I am running McAfee Firewall and Virus program, Browser HiJack Blaster, AdAware 6,
>and the Google popup stopper. None of them have been able to kill it. When doing
>a Google search for belgiandip.com, my own IP address comes up on the screen. I've
>added belgiandip.com to McAfee banned addresses, but still getting the pop up. McAfee
>tells me I'm trying to view a banned site, but would prefer to get no pop up at all.
>
>The popup is advertising. Mostly for smileys related to Yahoo. When going to the
>directed site from the popup page, it sends me to download.funwebproducts.com.
|
re: belgiandip.com
Sunday, February 8, 2004 at 7:26 am Posted by Johannes Drescher
(1 messages posted)
I ran a "whois" on belgiandip.com:
Whoisproxy: $Revision: 1.5 $ (c)2001 ActiveISP
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BELGIANDIP.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS1.DATAPIPE.NET
Name Server: NS2.DATAPIPE.NET
Status: ACTIVE
Updated Date: 05-sep-2003
Creation Date: 21-aug-2003
Expiration Date: 21-aug-2004
>>> Last update of whois database: Sun, 8 Feb 2004 07:04:01 EST <<<
Registrant:
BruggeNet
71 Lakeview Drive
Suite 398
Gibbsboro, NJ 08026
US
Domain name: BELGIANDIP.COM
Administrative Contact:
Van der Smoot, Auric avsmoot@bruggenet.net
71 Lakeview Drive
Suite 398
Gibbsboro, NJ 08026
US
+1.7029670216
Technical Contact:
Van der Smoot, Auric avsmoot@bruggenet.net
71 Lakeview Drive
Suite 398
Gibbsboro, NJ 08026
US
+1.7029670216
Registration Service Provider:
NatNames.com -- $15 Domain Names!, support@natnames.com
770.471.9075
http://natnames.com
This company may be contacted for domain login/passwords,
DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 06-Oct-2003.
Record expires on 21-Aug-2004.
Record created on 21-Aug-2003.
Domain servers in listed order:
NS1.DATAPIPE.NET 64.27.65.13
NS2.DATAPIPE.NET 64.27.64.76
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
|
re: belgiandip.com
Monday, March 1, 2004 at 12:23 am Posted by Cyber Spyder
(6 messages posted)
I believe I have found an answer to your POPup problem.
I too was getting the belgiandip popups after going to certain web pages, gotradio.com
was one of them where I was bombarded with popups, browser hijackers, and my cd-rom
drives all popped open. After doing some research I traced all problems back to passthison.com
where they openly admit doing these types of things to convince people to buy spyware
removal tools from their advertisers. Long story short, I spoke to Val Starr, president
of gotradio.com and she had the advertisers removed along with their popup attack
banners. Well they somehow did it again and now I started getting the belgiandip.com
crap. Here is what I noticed:
A program called pup.exe in the c:\program files dir was creating a file called over.exe
which in turn was causing popups. After deleting the files I thought I had the problem
solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
to reboot, did, upon opening task manager again I noticed this little S.O.B. running
dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
by some idiots called werule. The original filename is pup.exe... created by the
dbcji32o.exe file. So I hope this helps you and everyone else out because none of
the spyware tools I tried could find this one.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
|
re: belgiandip.com
Wednesday, March 3, 2004 at 11:06 am Posted by Mike
(2 messages posted)
Adaware Plus with popups turned off appears to stop it. I never identified the exe
file that was doing it though. Was driving me bonkers.
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe I have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where I was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research I traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now I started getting the belgiandip.com
>crap. Here is what I noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files I thought I had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again I noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file. So I hope this helps you and everyone else out because none of
>the spyware tools I tried could find this one.
|
re: belgiandip.com
Friday, March 5, 2004 at 5:42 pm Posted by dubyadee
(1 messages posted)
Thank you for your response as I am having the same problem. Unfortunately, I'm
not sure how to interpret your message into a solution. Could you be more specific?
Thanks.
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe I have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where I was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research I traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now I started getting the belgiandip.com
>crap. Here is what I noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files I thought I had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again I noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file. So I hope this helps you and everyone else out because none of
>the spyware tools I tried could find this one.
|
re: belgiandip.com
Friday, March 5, 2004 at 8:55 pm Posted by Cyber Spyder
(6 messages posted)
Sorry,
To be more specific, look at your task manager at all running tasks, and find the
file/files dbcji32o.exe OR over.exe OR pup.exe and END TASK if they are running.
The root file (the file that generates pup.exe and over.exe) is dbcji32o.exe which
should be in your windows\system32 folder. If not, do a search for that file and
delete it. Be sure you delete PUP.EXE and/or OVER.EXE also. Then use your run command
to run msconfig and go to the startup tab and uncheck the box next to that file you
just deleted. It's also a good idea to open regedit and delete the key that loaded
the file to begin with (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Don't use
regedit unless you're sure you know what you're doing, as this could prove to be
problematic to say the least if you delete the wrong key.
Also, these guys might have made files with different names so the dbcji32o.exe might
not be the same file name on your system. Just look for a file running in task manager
that is probably similar to this one. If you have any doubts, find whatever file
you think is causing the problem and then locate it on your hard drive. Right click
on it and check properties and if the file indicates that its original name was
PUP.EXE or if it was created by totempole or werule, it's probably the one you need
to delete.
On Friday, March 5, 2004 at 5:42 pm, dubyadee wrote:
>Thank you for your response as I am having the same problem. Unfortunately, I'm
>not sure how to interpret your message into a solution. Could you be more specific?
>Thanks.
|
re: belgiandip.com
Friday, March 5, 2004 at 8:57 pm Posted by Quoc Nguyen
(1 messages posted)
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>I'm getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Can't seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
To kill it I suggest:
you open your process monitor, kill elephont.exe,
run a search, delete all references to it,
then run the regedit and find all references to elephont.exe | delete;
you will also find as Cyber Spyder did dbcji32o.exe, delete also
then you gotta delete the 2 references just like Cyber in C:\Program Files\
That has done it for me
Hope it helps!
|
re: belgiandip.com
Saturday, March 6, 2004 at 9:12 pm Posted by ray
(3 messages posted)
I searched for dbcji32o.exe but came up with nothing. I found pup.exe and open.exe
and deleted them but I'm still having the problem. Can anyone offer any more help?
|
re: belgiandip.com
Saturday, March 6, 2004 at 11:28 pm Posted by Cyber Spyder
(6 messages posted)
Most likely you have a different file name that's creating the PUP.EXE files. With
me, the dbcji32o.exe file would run at bootup, then once I ran internet explorer
it would create pup.exe and then dbcji32o.exe would hide itself so that you would
only see the pup.exe running. You have to boot your pc and immediately run task
manager before opening any files and look for a running task that you don't recognize.
If you're unsure of deleting a strange file, go to that file wherever it may be on
your hard drive (most likely in the windows\system32\ folder) then right click on
that file and check properties. Look at the info on each line in its profile. If
you see the names totempole, pup.exe, over.exe, or werule in there, that's the file
to delete. The pup.exe, over.exe, and open.exe files are all red herrings created
by the elusive file that hides itself after bootup.
On Saturday, March 6, 2004 at 9:12 pm, ray wrote:
>I searched for dbcji32o.exe but came up with nothing. I found pup.exe and open.exe
>and deleted them but I'm still having the problem. Can anyone offer any more help?
|
re: belgiandip.com
Sunday, March 7, 2004 at 2:42 pm Posted by ray
(3 messages posted)
Firstly, thank you for your help, but due to my lack of computer skills I need a little
more. I rebooted and found the programs Ibengd and oftpubs, neither of which I recognized.
The first sparked my interest due to its strange title, but when I searched for it,
my computer came up with nothing. I searched for the other and again nothing. I made
sure that the search was searching all of my computer and it was. I rebooted again
with the plan to right click it and find its properties as someone before me said
you could, but the programs did not come up. Instead I got a whole new slew of strange
programs. Including a program called werule. I right clicked and nothing happened.
I guess my windows program is too old. I searched for werule and to no surprise came
up empty. What should I do?
Again, thanks
|
re: belgiandip.com
Sunday, March 7, 2004 at 2:46 pm Posted by Erika
(3 messages posted)
Hi everyone-
I found this forum while trying to get this freekin' "belgiandip" popup thing off
of my computer. Thank God for this forum!!!
My DH accidentally clicked on a popup last Thurs and it's been with us ever since.
I did manage to get rid of it though - I downloaded the aforementioned Security Task
Manager, which was able to find the original program (the normal Win 98 Task Manager
wouldn't show this thing).
Security Task Manager found an application called OYJ.exe in my system folder. The
company name associated w/ it was Totempole/werule. The weird thing was that the
modification date on this program was something like 2/13/04, & not the date that
all of this happened (3/4/04). I had been manually going through everything trying
to find a program that had totempole associated w/ it, but of course I was using
the modification date to help me sort all that out. No wonder I kept blowing past
it.
So, I hope this can help someone with this crap! BTW - Security Task Manager (a
limited free trial download) still lists OYJ.exe after a reboot, but it is greyed
out & is tagged as being "not active". There is no sign of this program in any file,
so I don't understand why it's still being listed, & of course I'm concerned that
something is still lurking. But for now the popups & sluggish performance are gone.
On Saturday, March 6, 2004 at 11:28 pm, Cyber Spyder wrote:
>Most likely you have a different file name that's creating the PUP.EXE files. With
>me, the dbcji32o.exe file would run at bootup, then once I ran internet explorer
>it would create pup.exe and then dbcji32o.exe would hide itself so that you would
>only see the pup.exe running. You have to boot your pc and immediately run task
>manager before opening any files and look for a running task that you don't recognize.
>If you're unsure of deleting a strange file, go to that file wherever it may be on
>your hard drive (most likely in the windows\system32\ folder) then right click on
>that file and check properties. Look at the info on each line in its profile. If
>you see the names totempole, pup.exe, over.exe, or werule in there, that's the file
>to delete. The pup.exe, over.exe, and open.exe files are all red herrings created
>by the elusive file that hides itself after bootup.
|
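The check described in the posts above (ignore the file name and the modification date, and read the file's version properties instead), written out as an added example that is not part of the original thread. It scans raw bytes for the UTF-16LE version strings that Windows shows on the Properties tab and matches them against the names the posters reported; the function names and the sample bytes are constructed for illustration, and the string scan is a heuristic, not a full PE resource parser.

```python
import os
import re
from dataclasses import dataclass

# Names the posters reported seeing in the file properties (from the thread).
INDICATORS = ("totempole", "werule", "pup.exe", "over.exe")

# Version-resource fields shown on the Windows file Properties tab.
VERSION_KEYS = ("CompanyName", "OriginalFilename", "InternalName",
                "FileDescription", "ProductName")


def version_strings(data: bytes) -> dict:
    """Heuristically pull version-resource strings out of raw file bytes.

    In a PE version resource each entry is a UTF-16LE key, a NUL terminator
    plus alignment padding, then the UTF-16LE value. This scans for that
    layout instead of walking the resource directory.
    """
    found = {}
    for key in VERSION_KEYS:
        pattern = (re.escape(key.encode("utf-16-le"))
                   + rb"(?:\x00\x00)+"            # terminator + padding
                   + rb"((?:[\x20-\x7e]\x00)+)")  # printable UTF-16LE value
        match = re.search(pattern, data)
        if match:
            found[key] = match.group(1).decode("utf-16-le")
    return found


@dataclass
class Finding:
    path: str
    field: str
    value: str
    indicator: str


def triage(files: dict) -> list:
    """Return a Finding for every version string that contains an indicator.

    `files` maps a path to that file's raw bytes. File names and timestamps
    are deliberately not consulted: in the thread the name differs on every
    machine and the modification date predates the infection.
    """
    findings = []
    for path, data in files.items():
        for field, value in version_strings(data).items():
            for indicator in INDICATORS:
                if indicator in value.lower():
                    findings.append(Finding(path, field, value, indicator))
    return findings


def load_executables(root: str) -> dict:
    """Read every .exe under `root` into memory, skipping unreadable files."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".exe"):
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as handle:
                        files[full] = handle.read()
                except OSError:
                    continue  # locked or protected file: keep sweeping
    return files


def _entry(key: str, value: str) -> bytes:
    """Build one constructed version-string entry (sample data only)."""
    raw = key.encode("utf-16-le") + b"\x00\x00"
    raw += b"\x00\x00" * (len(raw) % 4 // 2)  # pad key to a 32-bit boundary
    return raw + value.encode("utf-16-le") + b"\x00\x00"


# Constructed sample data, not real binaries. The first entry mimics the
# properties the posters describe; the second is a benign control.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\oyj.exe":
        b"MZ\x90\x00" + _entry("CompanyName", "werule")
        + _entry("InternalName", "totempole")
        + _entry("OriginalFilename", "PUP.EXE"),
    r"C:\WINDOWS\system32\notepad.exe":
        b"MZ\x90\x00" + _entry("CompanyName", "Microsoft Corporation")
        + _entry("OriginalFilename", "NOTEPAD.EXE"),
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES):
        print(f"{hit.path}: {hit.field}={hit.value!r} matches {hit.indicator!r}")
```

On a live system, `triage(load_executables(r"C:\WINDOWS\system32"))` runs the same match over real files; a hit is a lead to inspect by hand before deleting anything.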
re: belgiandip.com
Monday, March 8, 2004 at 1:30 am Posted by Cyber Spyder
(6 messages posted)
Make sure when you search for the files in question that you choose to show ALL files,
especially hidden files and folders. The programs are most likely in the C:\windows\system32\
folder or you might check c:\program files. Also, if you can't find the file,
don't rely on the windows search tool to locate it, use file explorer to find the
file manually by going to the two main folders I mentioned above. If you're seeing
the program in task manager, you can't right click on it that way. You have to end
task then find the files on your hard drive, then right click on them and check properties.
On Sunday, March 7, 2004 at 2:42 pm, ray wrote:
>Firstly, thank you for your help, but due to my lack of computer skills I need a little
>more. I rebooted and found the programs Ibengd and oftpubs, neither of which I recognized.
>The first sparked my interest due to its strange title, but when I searched for it,
>my computer came up with nothing. I searched for the other and again nothing. I made
>sure that the search was searching all of my computer and it was. I rebooted again
>with the plan to right click it and find its properties as someone before me said
>you could, but the programs did not come up. Instead I got a whole new slew of strange
>programs. Including a program called werule. I right clicked and nothing happened.
>I guess my windows program is too old. I searched for werule and to no surprise came
>up empty. What should I do?
>
>Again, thanks
|
re: belgiandip.com
Monday, March 8, 2004 at 9:09 am Posted by Erika
(3 messages posted)
I did what Cyber Spyder suggested - looking for the file manually. However, I was
looking for a file w/ a modification date of 3/4 (the day this happened). When I
finally found the file, the date on it was something like 2/12, or 2/13. I would
suggest downloading the Security Task Manager (a free trial download that goes fast)
at http://www.neuber.com/ and use it right after a reboot. My normal windows task
manager wouldn't show this program, but the STM did. HTH!
On Monday, March 8, 2004 at 1:30 am, Cyber Spyder wrote:
>Make sure when you search for the files in question that you choose to show ALL files,
>especially hidden files and folders. The programs are most likely in the C:\windows\system32\
>folder or you might check c:\program files. Also, if you can't find the file,
>don't rely on the windows search tool to locate it, use file explorer to find the
>file manually by going to the two main folders I mentioned above. If you're seeing
>the program in task manager, you can't right click on it that way. You have to end
>task then find the files on your hard drive, then right click on them and check properties.
>
http://www.neuber.com/
|
re: belgiandip.com
Monday, March 8, 2004 at 9:24 am Posted by Mike
(2 messages posted)
My thanks to Erica, I have downloaded Sucurity Task Manager. It was easy to use and
soon found the file MDE actually ecupd.exe. So quarantined it and so far the problem
has stopped.
Thanks again Erica!
On Sunday, March 7, 2004 at 2:46 pm, Erika wrote:
>
>Hi everyone-
>I found this forum while trying to get this freekin' "belgiandip" popup thing off
>of my computer. Thank God for this forum!!!
>
>My DH accidentally clicked on a popup last Thurs and its been with us ever since.
>
>I did manage to get rid of it though - I downloaded the aforementioned Security
Task
>Manager, which was able to find the original program (the normal Win 98 Task Manager
>wouldn't show this thing).
>
>Security Task Manager found an application called OYJ.exe in my system folder.
The
>company name associated w/ it was Totempole/werule. The weird thing was that the
>modification date on this program was something like 2/13/04, & not the date that
>all of this happened (3/4/04). I had been manually going through everything trying
>to find a program that had totempole associated w/ it, but of course I was using
>the modification date to help me sort all that out. No wonder I kept blowing past
>it.
>
>So, I hope this can help someone with this crap! BTW - Security Task Manager (a
>limited free trial download) still lists OYJ.exe after a reboot, but it is greyed
>out & is tagged as being "not active". There is no sign of this program in any
file,
>so I don't understand why its still being listed, & of course I'm concerned that
>something is still lurking. But for now the popups & sluggish performance are gone.
>
>
>
>
>n Saturday, March 6, 2004 at 11:28 pm, Cyber Spyder wrote:
>>
>>
>>Most likely you have a different file name that's creating the PUP.EXE files. With
>>me, the dbcji32o.exe file would run at bootup, then once i ran internet explorer
>>it would create pup.exe and then dbcji32o.exe would hide itself so that you would
>>only see the pup.exe running. You have to boot your pc and immediately run task
>>manager before opening any files and look for a running task that you don't recognize.
>>If you're unsure of deleting a strange file, go to that file wherever it may be on
>>your hard drive (most likely in the windows\system32\ folder) then right click on
>>that file and check properties. Look at the info on each line in its profile. If
>>you see the names totempole, pup.exe, over.exe, or werule in there, that's the file
>>to delete. The pup.exe, over.exe, and open.exe files are all red herrings created
>>by the elusive file that hides itself after bootup.
>>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 8, 2004 at 3:46 pm Posted by attorney bo schimers
(1 messages posted)
I deleted a file called vshelln.exe. Zone Alarm kept asking me to allow werule to
access the internet. werule was also attempting to access vshelln.exe installed by
a company called totempole. Hopefully this gets rid of it.
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 8, 2004 at 7:18 pm Posted by Cyber Spyder
(6 messages posted)
I have a question erika...
You responded twice to my posts, and both times you mentioned this security task
manager, then when i look at the posts in here somehow the URL for neuber software
shows up at the bottom of my post that was quoted in your reply. How did the link
for neuber software get into the quoted text of my original post since i never put
it there to begin with? I know that can't happen unless someone does it manually.
If you're going to use my quoted text in your replies DO NOT add links to my messages
that were not there to begin with! You seem very set on getting people to DL this
software, what's in it for you? Please scroll down and have a look at the bottom
of your quoted text......
On Monday, March 8, 2004 at 9:09 am, Erika wrote:
>
>I did what Cyber Spyder suggested - looking for the file manually. However, I was
>looking for a file w/ a modification date of 3/4 (the day this happened). When I
>finally found the file, the date on it was something like 2/12, or 2/13. I would
>suggest downloading the Security Task Manager (a free trial download that goes fast)
>at http://www.neuber.com/ and use it right after a reboot. My normal windows task
>manager wouldn't show this program, the STM did. HTH!
>
>
>
> DON'T USE NEUBER SOFTWARE!!!!!!!!!!!!
Don't modify people's quoted text!
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 8, 2004 at 7:45 pm Posted by Erika
(3 messages posted)
Hi Cyber Spyder-
Sorry - wasn't trying to offend or stir up a turd. Here's what happened: I posted
that note that pissed you off & accidentally hit the "quicklink" button. That created
a little popup box. I then realized that the link that I had put in MY note wasn't
acting as an active hyperlink, which I find annoying & I can only assume that others
find annoying also. So, I figured that I needed to insert the link into MY post
using this tool. I went into my message, cut out the link for neuber (sp?) & pasted
it into the "quicklink" box & hit "insert." Nothing happened, as far as I could
see. So I went back to my message & typed the url back in like I had it before,
& hit "continue", figuring that this quicklink box did something different entirely
& was beyond my comprehension. I guess my big mistake was to not scroll down to
the bottom of the preview page to see if a link got stuck in. I mean, why the hell
would I want to put a link into your post, or moreover, why would I feel I needed
to go looking for one that got stuck in when I never saw anything happen?
And no, I have no affiliation w/ neuber or whatever they are selling. I got the
link for that company from an earlier post in this thread. Their software solved
the problem that my crappy little task manager couldn't, and it did it for free &
downloaded pretty fast on my shitty little modem. Now calm down.
On Monday, March 8, 2004 at 7:18 pm, Cyber Spyder wrote:
>
>I have a question erika...
>
>You responded twice to my posts, and both times you mentioned this security task
>manager, then when i look at the posts in here somehow the URL for neuber software
>shows up at the bottom of my post that was quoted in your reply. How did the link
>for neuber software get into the quoted text of my original post since i never put
>it there to begin with? I know that can't happen unless someone does it manually.
> If you're going to use my quoted text in your replies DO NOT add links to my messages
>that were not there to begin with! You seem very set on getting people to DL this
>software, what's in it for you? Please scroll down and have a look at the bottom
>of your quoted text......
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 8, 2004 at 7:57 pm Posted by ray
(3 messages posted)
Thank you for your help Cyber Spyder. You have earned great prestige. You help me,
while countless others do nothing other than try and make me worse off. Some cocky
delinquents spent time and effort to make programs to annoy and irritate others time
after time for their own small money gain or none at all. Yet here you are doing
the exact opposite. You continuously help me even though I pathetically need help time
after time again. So here I am again asking for a little more help. I found 4 files.
(sxml14m SJINT35m SENCODEm and Dig) I deleted the first three. Then when I tried
to delete the fourth (DIG) a pop up said the file is being used by windows. Could
you yet again come to my rescue and tell me how to solve this yet again.
Thank you.
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 8, 2004 at 11:17 pm Posted by Cyber Spyder
(6 messages posted)
You're welcome Ray,
Anything i can do to help. I know what you mean about the idiots out there, you ask
a question and they jump all over you. Anyway, the file you're referring to DIG....
is that DIG.EXE, because if it is, that is a file used by windows to query DNS entries.
http://pigtail.net/LRP/dig/
Here is a link that will explain what DIG is. If this file you're asking about is
indeed the windows file, you shouldn't delete it. Actually, i would try to find out
why this file is running on your system. As far as any other files that you want
to delete, be sure that you know the file in question is safe to delete. You don't
want to accidentally delete something that was part of a critical system process.
On Monday, March 8, 2004 at 7:57 pm, ray wrote:
>
>Thank you for your help Cyber Spyder. You have earned great prestige. You help me,
>while countless others do nothing other than try and make me worse off. Some cocky
>delinquents spent time and effort to make programs to annoy and irritate others time
>after time for their own small money gain or none at all. Yet here you are doing
>the exact opposite. You continuously help me even though I pathetically need help time
>after time again. So here I am again asking for a little more help. I found 4 files.
>(sxml14m SJINT35m SENCODEm and Dig) I deleted the first three. Then when I tried
>to delete the fourth (DIG) a pop up said the file is being used by windows. Could
>you yet again come to my rescue and tell me how to solve this yet again.
>
>Thank you.
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, March 9, 2004 at 4:21 am Posted by Nancy
(2 messages posted)
I conquered the b##tard.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, March 9, 2004 at 4:34 am Posted by Nancy
(2 messages posted)
G'Day Ray
I'm not an expert but I conquered this annoying crap. First you must close all windows
you have open, then you must go to your desktop and right click the 'my computer
icon', this will bring up a menu, choose explore and left click on it. A window
will open allowing you to see all files on your computer. Go to the main hard drive
on left side of the screen (usually c drive) and click the little + symbol then scroll
down and click the + next to the windows folder and then finally scroll down and
click on the system folder thus displaying all the files in the c:\windows\system
folder. You sound like you have already seen the pathetic little icon they use for
their file names, the wishy washy little box with the wishy washy little blue top
that's on an angle. Start at the top and scroll down through this long list of files
and search for that pathetic little icon. Have a pen and paper ready to jot down
only at this time the names of these files as it will not let you (as you know) delete
them at this time. Some of the names that I found were bamev.exe, porders.exe, p_852c.exe,
pup.exe, over.exe, liconfgc.exe. Once you have scrolled the whole list and wrote
down every little sucker with that pathetic little icon then go back and double check!
because if you miss just one it will mutate into more suckers!!
Ok once you have your list restart your computer in safe mode (to do this on mine
I had to shut down, turn it back on and then continue to press F5 and F8 rapidly
until the computer beeped! but you may have an easier and friendlier way to do this)
Once in safe mode click on the start button and choose run from the menu. In the
box type msconfig and click ok. A window will appear. Click on the startup tab,
this will display a list of all the .exe programs the computer would run at a normal
startup but because you started in safe mode it has not loaded them this time. Click
on the tick next to the names of every one of those b##stard file names you have
on your list that you created making sure the box becomes unticked. Check to make
sure that there aren't any more in the list. {If a file looks suspicious to you
especially if its location is just c:\windows\system then double check the properties
of the file. To do this go to the start button and click on it and choose search:file
or folders, type in the name of the file in the search for field and click search
now. When the computer finds this file it is displayed in the right hand side of
the screen. Right click on the file and choose properties from the list, this will
bring up a window. At the top of this window there will be a general tab and a version
tab, click on the version tab. Click on the wording 'company name' in the white
box at the bottom left of the screen, if it says totempole or werule then you know
it is one of those pathetic bas#tards.} Ok back to the first screen (msconfig) you
were working on, click the button down the right at the bottom that says 'cleanup'.
Then just leave that open for the moment.
Go back to your desktop and right click on the my computer icon again and again choose
explore from the menu just like you did before shutting down your computer. Go back
into the c:\windows\system folder to once again display the list of files there.
This time when you find those pathetic b##stards highlight them (DO NOT CLICK ON
THEM WHATEVER YOU DO!!!!!) just highlight them by hovering the mouse over them one
at a time and then hit delete on your keyboard. A window will open asking you are
you sure you want to delete the file, check that it is the right file on your list
and choose yes. After you have gone through the list 3 times to be sure you got
all the suckers go to your recycle bin and take out the garbage!!
Ok now you can close this window you have been working in and you can go back to
the system configuration window from before. You can now click on the ok button.
It will then ask you to reboot your computer, click ok. If you have deleted every one
of those little ba#tards this annoying crap should be off your computer now and you
can once again enjoy your internet. I highly recommend installing firewall software,
you can obtain these for free off the net.
I hope I have explained this so that you can understand, it took me 3 nights to work
out how to beat this bastar#, I am just a mother of two but I conquered it and so
can you!
Cheers
Nancy
On Monday, March 8, 2004 at 7:57 pm, ray wrote:
>
>Thank you for your help Cyber Spyder. You have earned great prestige. You help me,
>while countless others do nothing other than try and make me worse off. Some cocky
>delinquents spent time and effort to make programs to annoy and irritate others time
>after time for their own small money gain or none at all. Yet here you are doing
>the exact opposite. You continuously help me even though I pathetically need help time
>after time again. So here I am again asking for a little more help. I found 4 files.
>(sxml14m SJINT35m SENCODEm and Dig) I deleted the first three. Then when I tried
>to delete the fourth (DIG) a pop up said the file is being used by windows. Could
>you yet again come to my rescue and tell me how to solve this yet again.
>
>Thank you.
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Tuesday, March 9, 2004 at 9:46 pm Posted by Anonymous
(15 messages posted)
Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
and delete another pup.exe from there. If you cannot find that it may be renamed
as something else so anything that has a file size of 64k is potentially it. Go
by its weird visual basic icon, or check its properties; company is totempole or
werule. Then go into system32 and find files from the same company and size and
delete them. If it says you can't, hold control alt delete and end that program task.
Then you can delete it easily. After that search in your registry for "over.exe"
or "pup.exe" and especially the file you just deleted in system32. Remove those
entries and you are done! No need to scan your computer and waste time like I did.
No need to thank me :D Good Luck
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, March 10, 2004 at 8:29 am Posted by VelociRapture
(1 messages posted)
Well, in addition to removing all the mentioned below, I kept seeing this magehlpi.exe
popping up in services. Found it in system32 folder. Made a backup copy of it (just
in case) and deleted the original, made a txt with the same name and a descriptive
msg inside (like... "bl*w me") then renamed it from .txt to .exe, hence a dummy file.
Rebooted, something is definitely trying to start it up, haven't figured out how to
kill that yet, but so far, since i've done this, no more annoying popups for me.
Hope this helps, please post and let us know.
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com fixed
Wednesday, March 10, 2004 at 6:06 pm Posted by chaff_salvo
(1 messages posted)
I found the Pup.exe also, but didn't find anything else matching the descriptions
given. I finally used XP's restore function and restored to a point the day before
the problem started. Be advised you may lose anything you've done or installed since
the restore point. Here's what you do.
run the file called msinfo32.exe (Use Search to find it)
select tools
select system restore
Follow the instructions and select a point before the problem's first occurrence.
The system will reboot and be configured based on your selected point. You may have
to reinstall any programs/drivers that you installed after that point.
I know its not as elegant as finding the cause, but it works. Some of us may not
have time to go on an easter Egg hunt, especially since everyone's description of
the egg is different.
Good luck
On Saturday, March 6, 2004 at 9:12 pm, ray wrote:
>
>I searched for dbcji32o.exe but came up with nothing i found pup.exe and open.exe
>and deleted them but I'm still having the problem. Can anyone offer any more hel
>
>?
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, March 14, 2004 at 6:47 pm Posted by andrea mauer
(1 messages posted)
I found a way! Finally after doing everything everybody said with no luck, I saw
that ad-aware had updated with this in mind (They called it werule, the source).
I updated today and ran ad-aware and it caught them in the registry!!!!! (winzip32,
winpup32, etc. ) It is gone.
On Tuesday, March 9, 2004 at 4:21 am, Nancy wrote:
>
>I conquered the b##tard.
>
>
>
>
>On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 15, 2004 at 8:15 am Posted by Vinny
(3 messages posted)
I have tried everything, the files listed don't appear on my computer and the ad-aware
update didn't fix it either. Any other ideas????
On Sunday, March 14, 2004 at 6:47 pm, andrea mauer wrote:
>
>I found a way! Finally after doing everything everybody said with no luck, I saw
>that ad-aware had updated with this in mind (They called it werule, the source).
>I updated today and ran ad-aware and it caught them in the registry!!!!! (winzip32,
>winpup32, etc. ) It is gone.
>
>
>On Tuesday, March 9, 2004 at 4:21 am, Nancy wrote:
>>
>>I conquered the b##tard.
>>
>>
>>
>>
>>On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>>>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>>>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>>>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 15, 2004 at 11:17 am Posted by Tim
(3 messages posted)
Vinny -
Relax! This actually isn't very hard. I got this stupid thing on my computer during
the 10 minutes between completing my upgrade to XP and getting all the security patches
and firewall re-installed. Guess that will teach me to allow my computer online
for even a minute without security in place!
Anyway, the post from anonymous on the 9th does give everything (apparently from
what I can tell) you need to defeat this thing. Let me make a couple of suggestions
if you're still having trouble...
I assume you have searched your computer and deleted every occurrence of pup.exe
and over.exe. Of course, after this you still get the problem because the actual
program causing it is something that was created by these with a random name. This
might help track it down.
- Double click on My Computer and then your hard drive (C:, I'll assume) and navigate
to the c:\Windows\system32 directory.
- Once there, go to the View pull down and change the view type to "Details".
- Next, go to View again and select "Choose Details..."
- Now, scroll through the list and check the "Company" option and click OK.
- Now sort the display by size by clicking on the Size column header.
- Scroll through the list of files until you find files with a size of 64 KB.
- Beside one (or more) of these, you will find "totempole" listed in the Company
column.
- BINGO! Now write the file name down.
- Bring up task manager and kill the process running with the name you just found.
- Delete the file you found.
- Bring up regedit and search the registry and delete all keys with pup.exe, over.exe,
and the file(s) you found with "totempole" listed as the company.
- You should be free of the thing now! (of course, up above, you could also sort
by company instead of size, but I think the size sort works better since most files
have the company entry blank, but either will work).
Good Luck!
[Reply or follow-up to this message]
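The manual hunt described in the posts above (Company column, roughly 64 KB size, then the startup entries), as a read-only PowerShell sketch for a current Windows system. This is an added example, not code from any poster; the function names are hypothetical, and the company strings and file names are the ones reported in this thread, unverified.

```powershell
# Added example (read-only): find executables by version-resource company name,
# then check whether anything starts them at logon. Nothing is deleted.
# Indicator values below are the ones reported in this thread, unverified.
$CompanyPattern = 'totempole|werule'
$KnownNames     = 'pup.exe', 'over.exe', 'open.exe'

function Get-SuspectExecutable {
    param([string[]]$Directory, [string]$Pattern)
    foreach ($dir in $Directory) {
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files; top level only, where the posters found them.
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info = $_.VersionInfo
                if ([string]$info.CompanyName -match $Pattern) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        # Posters reported about 64 KB; compare by eye, names are random.
                        SizeKB       = [math]::Round($_.Length / 1KB)
                        Company      = $info.CompanyName
                        OriginalName = $info.OriginalFilename
                        # Reference only: one poster found the timestamp predated
                        # the infection, so do not filter on it.
                        LastWrite    = $_.LastWriteTime
                        Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

function Get-RunKeyEntry {
    # The per-machine and per-user Run/RunOnce keys that launch programs at logon.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = [string]$item.GetValue($name)
            }
        }
    }
}

$dirs = $env:windir,
        (Join-Path $env:windir 'System'),
        (Join-Path $env:windir 'System32'),
        $env:ProgramFiles
$suspects = @(Get-SuspectExecutable -Directory $dirs -Pattern $CompanyPattern)

# Names to look for in autoruns: the reported ones plus whatever the scan found.
$names = @($KnownNames) + @($suspects | ForEach-Object { Split-Path -Path $_.Path -Leaf }) |
    Sort-Object -Unique

$autoruns = @(Get-RunKeyEntry | Where-Object {
    $command = $_.Command
    @($names | Where-Object {
        $command.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }).Count -gt 0
})

# Running processes whose image is one of the matched files.
$suspectPaths = @($suspects | ForEach-Object { $_.Path })
$running = @(Get-Process | Where-Object { $_.Path -and ($suspectPaths -contains $_.Path) })

Write-Output 'Files whose CompanyName matches:'
$suspects | Format-Table Path, SizeKB, Company, OriginalName, LastWrite -AutoSize
Write-Output 'Run-key entries referencing those names:'
$autoruns | Format-Table Key, Name, Command -AutoSize
Write-Output 'Running processes backed by those files:'
$running  | Format-Table Id, ProcessName, Path -AutoSize
```

An empty result does not clear a machine: as later posts in the thread show, some copies carried other names and not every poster found a matching company string.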
|
re: belgiandip.com
Monday, March 15, 2004 at 12:38 pm Posted by Vinny
(3 messages posted)
The reason this has been so frustrating for me is that none of those files appear
on my computer. I have tried searching for them and looking for them manually.
I also sorted all the programs by size looking for a 64k program with no results.
I also took your advice, added company to the options and also searched by company
still with no results. Any other suggestions would be greatly appreciated, thanks.
On Monday, March 15, 2004 at 11:17 am, Tim wrote:
>Vinny -
>
>Relax! This actually isn't very hard. I got this stupid thing on my computer during
>the 10 minutes between completing my upgrade to XP and getting all the security patches
>and firewall re-installed. Guess that will teach me to allow my computer online
>for even a minute without security in place!
>
>Anyway, the post from anonymous on the 9th does give everything (apparently from
>what I can tell) you need to defeat this thing. Let me make a couple of suggestions
>if you're still having trouble...
>
>I assume you have searched your computer and deleted every occurrence of pup.exe
>and over.exe. Of course, after this you still get the problem because the actual
>program causing it is something that was created by these with a random name. This
>might help track it down.
>
>- Double click on My Computer and then your hard drive (C:, I'll assume) and navigate
>to the c:\Windows\system32 directory.
>
>- Once there, go to the View pull down and change the view type to "Details".
>
>- Next, go to View again and select "Choose Details..."
>
>- Now, scroll through the list and check the "Company" option and click OK.
>
>- Now sort the display by size by clicking on the Size column header.
>
>- Scroll through the list of files until you find files with a size of 64 KB.
>
>- Beside one (or more) of these, you will find "totempole" listed in the Company
>column.
>
>- BINGO! Now write the file name down.
>
>- Bring up task manager and kill the process running with the name you just found.
>
>- Delete the file you found.
>
>- Bring up regedit and search the registry and delete all keys with pup.exe, over.exe,
>and the file(s) you found with "totempole" listed as the company.
>
>- You should be free of the thing now! (of course, up above, you could also sort
>by company instead of size, but I think the size sort works better since most files
>have the company entry blank, but either will work).
>
>Good Luck!
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 15, 2004 at 1:04 pm Posted by Tim
(3 messages posted)
Hmmm... You certainly have a perplexing infestation then. It doesn't make any sense
that you don't have a file on your machine like we would expect. I'm a bit at a
loss, but I'll try a couple more suggestions. First, I did see someone say that
the latest version, dated yesterday, of Ad-aware will get this. If so, you can get
it for free at www.lavasoftusa.com. Also, you might want to download and run Hijack
This. It won't fix this problem itself, but it might help clean up junk that came
along at the same time. I found that when I got this thing, my computer had been
directed to a site called achtungachtung (not typing it as a url, for obvious reasons)
that downloads a trojan onto your computer. Also, I got directed to something like
default-network-homepage or similar that brought up lots of junk too. I have no
idea how my computer got sent to those places in the first place but I suspect it
had something to do with the Windows messenger service before I could disable it.
Anyway, my point is you need to check to see if there is more to clean up than just
the belgiandip problem. This takes virus scanning and registry clean up to fix everything.
OK, back to your problem at hand.
This may be a bit drudgerous and it is a bit risky (not overly so), but what I personally
would do is try to find the program in the task manager that is causing this...
Bring up the task manager and go to the Processes tab. Go down the list of every
process that is running (you can obviously ignore things like SYSTEM, SYSTEM IDLE
PROCESS, and svchost.exe and anything else that you are absolutely 100% sure is
part of Windows and supposed to be there, but if in doubt, include it in what I'm
about to suggest). For each listed process, open a search window and search for
the .exe file on your machine. For example, if you wanted to check it anyway, you'd
search for svchost.exe (obviously it will take a little while for your machine to
search for each file, that's the drudgery part). Once you find each file, right
click (DON'T double-click) and select Properties. Check out the description field
contents and then click the version tab and make sure that the company listed is
Microsoft, or someone you know you should be running software from like Symantec,
Real Networks, etc. depending on what all you have on your machine. I bet you'll
eventually find something that looks suspicious and I even expect you'll find "totempole"
in the company field. Anyway, once you find something suspicious, you can try killing
the process and see if your problem goes away. Of course, this is the risky part,
if you have chosen badly, you could crash your machine, but this is probably not
a high risk, even if you do. Of course, make sure you write that process name down
before you kill it so you can then search for it again and delete it and clean your
registry as we discussed before. Maybe someone else will have a simpler solution,
but that's the best I can come up with at this point. Good Luck!
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 15, 2004 at 1:44 pm Posted by Vinny
(3 messages posted)
I think I FINALLY fixed it. Using security task manager I found a program running
called roctexep.exe that looked funny to me. I quarantined it and have opened and
closed I.E. many many times with no pop-ups. Then I re-booted a few times and did
the same just to see if it would re-materialize from another program I may have missed,
so far, so good (knock on wood) thanks again for all of your help.
On Monday, March 15, 2004 at 1:04 pm, Tim wrote:
>Hmmm... You certainly have a perplexing infestation then. It doesn't make any sense
>that you don't have a file on your machine like we would expect. I'm a bit at a
>loss, but I'll try a couple more suggestions. First, I did see someone say that
>the latest version, dated yesterday, of Ad-aware will get this. If so, you can get
>it for free at www.lavasoftusa.com. Also, you might want to download and run Hijack
>This. It won't fix this problem itself, but it might help clean up junk that came
>along at the same time. I found that when I got this thing, my computer had been
>directed to a site called achtungachtung (not typing it as a url, for obvious reasons)
>that downloads a trojan onto your computer. Also, I got directed to something like
>default-network-homepage or similar that brought up lots of junk too. I have no
>idea how my computer got sent to those places in the first place but I suspect it
>had something to do with the Windows messenger service before I could disable it.
>Anyway, my point is you need to check to see if there is more to clean up than just
>the belgiandip problem. This takes virus scanning and registry clean up to fix everything.
>OK, back to your problem at hand.
>
>This may be a bit drudgerous and it is a bit risky (not overly so), but what I personally
>would do is try to find the program in the task manager that is causing this...
>Bring up the task manager and go to the Processes tab. Go down the list of every
>process that is running (you can obviously ignore things like SYSTEM, SYSTEM IDLE
>PROCESS, and svchost.exe and anything else that you are absolutely 100% sure is
>part of Windows and supposed to be there, but if in doubt, include it in what I'm
>about to suggest). For each listed process, open a search window and search for
>the .exe file on your machine. For example, if you wanted to check it anyway, you'd
>search for svchost.exe (obviously it will take a little while for your machine to
>search for each file, that's the drudgery part). Once you find each file, right
>click (DON'T double-click) and select Properties. Check out the description field
>contents and then click the version tab and make sure that the company listed is
>Microsoft, or someone you know you should be running software from like Symantec,
>Real Networks, etc. depending on what all you have on your machine. I bet you'll
>eventually find something that looks suspicious and I even expect you'll find "totempole"
>in the company field. Anyway, once you find something suspicious, you can try killing
>the process and see if your problem goes away. Of course, this is the risky part,
>if you have chosen badly, you could crash your machine, but this is probably not
>a high risk, even if you do. Of course, make sure you write that process name down
>before you kill it so you can then search for it again and delete it and clean your
>registry as we discussed before. Maybe someone else will have a simpler solution,
>but that's the best I can come up with at this point. Good Luck!
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, March 21, 2004 at 3:00 pm Posted by Jay
(1 messages posted)
I just got rid of it today with the help of the guys at lurkhere.com. The files that
caused trouble were: PUP.EXE, GSH400J.EXE and FWD.EXE. I ran McAfee updated 6.0 and
got them. McAfee could not remove FWD.EXE so I did the manual removal going to Windows/System.
These files were installed on Windows/System, not on Windows/System32. You all should
try to get the program "hijack this" it will scan your system activity and report
on everything you may need to id these type of viruses. Good luck to all.
On Monday, March 15, 2004 at 1:44 pm, Vinny wrote:
>I think I FINALLY fixed it. Using security task manager I found a program running
>called roctexep.exe that looked funny to me. I quarantined it and have opened and
>closed I.E. many many times with no pop-ups. Then I re-booted a few times and did
>the same just to see if would re-materialize from another program I may have missed,
>so far, so good (knock on wood) thanks again for all of your help.
>
>
>
>On Monday, March 15, 2004 at 1:04 pm, Tim wrote:
>>Hmmm... You certainly have a perplexing infestation then. It doesn't make any sense
>>that you don't have a file on your machine like we would expect. I'm a bit at a
>>loss, but I'll try a couple more suggestions. First, I did see someone say that
>>the latest version, dated yesterday, of Ad-aware will get this. If so, you can get
>>it for free at www.lavasoftusa.com. Also, you might want to download and run Hijack
>>This. It won't fix this problem itself, but it might help clean up junk that came
>>along at the same time. I found that when I got this thing, my computer had been
>>directed to a site called achtungachtung (not typing it as a url, for obvious reasons)
>>that downloads a trojan onto your computer. Also, I got directed to something like
>>default-network-homepage or similar that brought up lots of junk too. I have no
>>idea how my computer got sent to those places in the first place but I suspect it
>>had something to do with the Windows messenger service before I could disable it.
>> Anyway, my point is you need to check to see if there is more to clean up than just
>>the belgiandip problem. This takes virus scanning and registry clean up to fix everything.
>> OK, back to your problem at hand.
>>
>>This may be a bit drudgerous and it is a bit risky (not overly so), but what I personally
>>would do is try to find the program in the task manager that is causing this...
>>
>>Bring up the task manager and go to the Processes tab. Go down the list of every
>>process that is running (you can obviously ignore things like SYSTEM, SYSTEM IDLE
>>PROCESS, and svchost.exe and anything else that you are absolutely 100% sure is
>>part of Windows and supposed to be there, but if in doubt, include it in what I'm
>>about to suggest). For each listed process, open a search window and search for
>>the .exe file on your machine. For example, if you wanted to check it anyway, you'd
>>search for svchost.exe (obviously it will take a little while for your machine to
>>search for each file, that's the drudgery part). Once you find each file, right
>>click (DON'T double-click) and select Properties. Check out the description field
>>contents and then click the version tab and make sure that the company listed is
>>Microsoft, or someone you know you should be running software from like Symantec,
>>Real Networks, etc. depending on what all you have on your machine. I bet you'll
>>eventually find something that looks suspicious and I even expect you'll find "totempole"
>>in the company field. Anyway, once you find something suspicious, you can try killing
>>the process and see if your problem goes away. Of course, this is the risky part,
>>if you have chosen badly, you could crash your machine, but this is probably not
>>a high risk, even if you do. Of course, make sure you write that process name down
>>before you kill it so you can then search for it again and delete it and clean your
>>registry as we discussed before. Maybe someone else will have a simpler solution,
>>but that's the best I can come up with at this point. Good Luck!
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, March 21, 2004 at 8:38 pm Posted by THANKYOU!!!
(1 messages posted)
Thank you everyone! This belgiandip thing has been annoying me for a while. But,
just one more quick question. I was unable to find the registration information on
regedit. Is that a big deal or will I still no longer get the popup?
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 22, 2004 at 5:07 pm Posted by MrDroid
(1 messages posted)
I had this popup as well. Thanks for the info below; because of that I could run
my own searches for files and found some unmentioned (to my knowledge) files that
contain the word "werule" in their source.
These files are:
egSTR.exe
SABASER.exe
I also found 'pup.exe' but I couldn't find 'over.exe' or 'dbcji32o.exe'. Maybe this
is because I have Windows ME.
However, just deleting 'pup.exe', 'egSTR.exe' and 'SABASER.exe' fixed my belgiandip.com
problem
Note: It may tell you that SABASER.exe is in use when you try to delete it. Just
restart Windows and do not run the internet until you delete SABASER.exe
The problem should be fixed, especially if you previously ran SpySweep like I did,
and delete the SABASER registry entry (use "Hijack This" to find it)
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
>On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 29, 2004 at 5:50 pm Posted by iCQ
(1 messages posted)
Guys i experienced something odd... a week ago also i ran into such an infection:
Trj/Revop.F_Disinfected_C:\Program_Files\pup.exe
Trj/Revop.A_Disinfected_C:\Program_Files\over.exe
Trj/Revop.E_Disinfected_C:\do.exe
Now i find that the name is actually "belgian dip". That upsets me a little bit. Because
also since last week this belgium guy is trying to make contact/talk (email/icq chat).
Now u see i have quite a few sexy (kinki u might call it) photos on my pc which only
my honey supposed to see.
My question is, since i see that this pup.exe is actually called a trojan, i wonder
is it also a sort of remote control or access program which allows hackers access
on my system? And is there any proof of that?
Of course i directly deleted everything from my system after a backup.
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, March 29, 2004 at 6:42 pm Posted by Sleepy
(1 messages posted)
NOTE: I'm using Win98 SE.
Well, this has been some 24 hrs.
Not only did I have Lycos SideSearch and eZula installed without my consent, I also
came down with a trojan.exe and the belgiandip/illtemperedsomethingorother.com runaround.
There were over 170 ezula.exe(s) on my system. I'm not clear what all I did to remove
the belgiandip curse, except for ITEM 5, so I'll try to recall to the best of my
abilities, with apologies:
Only use this info as a guide. I can't recommend it, except for ITEM 5.
(1) Go to
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.Q
and look for this link: Trend Micro System Cleaner
follow the download instructions. The cleaner found the trojan files REVOP.EXE &
TRIPPXXA.EXE
(2) I regret that in my haste I did not note the exact location and name of the folder
before deleting it, but try looking in the Windows folder for something like a BXXS5
folder. You'll know it when you open it. It is full of files like BINGOPARLOR.xxx,
CASH.xxx, etc. I deleted this folder because I never visited a bingo site.
(3) Run REGEDIT and look for this folder:
HKEY_CURRENT_USER > SOFTWARE > MICROSOFT > WINDOWS > CURRENTVERSION > EXPLORER >
DOC FIND SPEC MRU
The first time I checked, the entries were as follows:
(DEFAULT) (value not set)
a "belgiandip"
b "PUP.EXE"
c ""
d "o.dll"
e "over.exe"
f "dbcji32o.exe"
g "reduic.exe"
h "pup.dll"
i "tucows"
j "o.bat"
MRUList "aicghdjfbe"
I deleted the entire KEY
(the folder DOC FIND SPEC MRU, and everything in it).
I then ran Internet Explorer. Belgiandip returned.
I again opened REGEDIT and checked for DOC FIND SPEC MRU
SAME FOLDER (this folder was REGENERATED):
(DEFAULT) (value not set)
a ""
b "XADSQ"
c "REVOP.EXE"
d "TRIPPXXA.EXE"
e "NETSKY Q"
f "Internet Explorer"
g "mm32i.exe"
h "illtemperedsomethingorother.com"
i "tio404n.exe"
j "BookedSpace.dll"
MRUList "dacbjihgfe"
The files listed and their order was different every time I checked it. The value
"NETSKY Q" was reinserted AFTER running Trend Cleaner. I again deleted this KEY (the
folder).
(4) I right-clicked Internet Explorer > Temp Internet Files Settings button (on the
General page) > the View Objects button. There were 4 files with classid numbers
for names and no creation date. Even though they were labeled "from Microsoft" the
lack of information was suspect. I deleted them.
(5) Run Find and look for the file bsx32.ini. Open it and check for entries of names
of files like those found in the (something like a BXXS5 folder).
I deleted it.
Again, my apologies. It's been a long day.
(6) Run Find and look for the file BXXS5.dll
I vanquished belgiandip/illtemperedsomethingorother.com by deleting it.
[Reply or follow-up to this message]
|
re: belgiandip.com
Friday, April 2, 2004 at 9:24 pm Posted by Jim
(1 messages posted)
Here is what the file is named as of this date, April 2, 2004: cpmont.exe. It is
a hidden file in the /system32 folder, and you must terminate, obviously, before
you can delete it. Thanks to CyberSpider. Good job.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, April 6, 2004 at 2:05 am Posted by Trippy
(1 messages posted)
Yes this worked! Simply search for filename PUP and delete it.
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Friday, April 9, 2004 at 7:41 am Posted by Korben
(1 messages posted)
Just to let you all know, I found this file sxml3am.exe running in my task manager.
Stopped it and deleted it, and this seems to have solved the problem. What a bitch
of a popup.
On Friday, March 5, 2004 at 8:55 pm, Cyber Spyder wrote:
>
>Sorry,
>
>To be more specific, look at your task manager at all running tasks, and find the
>file/files dbcji32o.exe OR over.exe OR pup.exe and END TASK if they are running.
>The root file (the file that generates pup.exe and over.exe) is dbcji32o.exe which
>should be in your windows\system32 folder. If not, do a search for that file and
>delete it. Be sure you delete PUP.EXE and or OVER.EXE also. Then use your run command
>to run msconfig and go to the startup tab and uncheck the box next to that file you
>just deleted. It's also a good idea to open regedit and delete the key that loaded
>the file to begin with (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Don't use
>regedit unless you're sure you know what you're doing, as this could prove to be
>problematic to say the least if you delete the wrong key.
>
>Also, these guys might have made files with different names so the dbcji32o.exe might
>not be the same file name on your system. Just look for a file running in task manager
>that is probably similar to this one. If you have any doubts, find whatever file
>you think is causing the problem and then locate it on your hard drive. Right click
>on it and check properties and if the file indicates that its original name was
>PUP.EXE or if it was created by totempole or werule, it's probably the one you need
>to delete.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Friday, April 9, 2004 at 11:32 am Posted by Kristiana
(1 messages posted)
This procedure worked for me. The file I found with the company "totempole" was
TPLUGINQ.EXE.
On Monday, March 15, 2004 at 11:17 am, Tim wrote:
>Vinny -
>
>Relax! This actually isn't very hard. I got this stupid thing on my computer during
>the 10 minutes between completing my upgrade to XP and getting all the security patches
>and firewall re-installed. Guess that will teach me to allow my computer online
>for even a minute without security in place!
>
>Anyway, the post from anonymous on the 9th does give everything (apparently from
>what I can tell) you need to defeat this thing. Let me make a couple of suggestions
>if you're still having trouble...
>
>I assume you have searched your computer and deleted every occurrence of pup.exe
>and over.exe. Of course, after this you still get the problem because the actual
>program causing it is something that was created by these with a random name. This
>might help track it down.
>
>- Double click on My Computer and then your hard drive (C:, I'll assume) and navigate
>to the c:\Windows\system32 directory.
>
>- Once there, go to the View pull down and change the view type to "Details".
>
>- Next, go to View again and select "Choose Details..."
>
>- Now, scroll through the list and check the "Company" option and click OK.
>
>- Now sort the display by size by clicking on the Size column header.
>
>- Scroll through the list of files until you find files with a size of 64 KB.
>
>- Beside one (or more) of these, you will find "totempole" listed in the Company
>column.
>
>- BINGO! Now write the file name down.
>
>- Bring up task manager and kill the process running with the name you just found.
>
>- Delete the file you found.
>
>- Bring up regedit and search the registry and delete all keys with pup.exe, over.exe,
>and the file(s) you found with "totempole" listed as the company.
>
>- You should be free of the thing now! (of course, up above, you could also sort
>by company instead of size, but I think the size sort works better since most files
>have the company entry blank, but either will work).
>
>Good Luck!
[Reply or follow-up to this message]
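The manual check described in the procedure above (look through the Windows folders for small executables, read the Company and original-name fields in Properties, then look at the startup entries) can be scripted. This is an added example, not part of any post in the thread: it assumes a Windows system with PowerShell 3.0 or later, uses only the indicator strings the posters reported (totem/totempole, werule, pup.exe, over.exe), treats both the HKLM and HKCU `Run` keys as an assumption since the posts do not name a hive, and only reports matches without deleting anything.

```powershell
# Added example (not from the thread). Read-only triage: lists candidates, deletes nothing.
# Indicator strings are the ones posters reported seeing in file Properties.
$Indicators = @('totem', 'werule', 'pup.exe', 'over.exe')

function Test-Indicator {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    $lower = $Text.ToLowerInvariant()
    foreach ($i in $Indicators) {
        if ($lower.Contains($i)) { return $true }
    }
    return $false
}

function Find-SuspectBinary {
    param(
        # Folders the posters found the files in (assumed defaults for this sketch).
        [string[]]$Path = @(
            (Join-Path $env:SystemRoot 'System32'),
            (Join-Path $env:SystemRoot 'System'),
            $env:SystemRoot,
            $env:ProgramFiles
        ),
        # Posters describe 64 KB files and searching "under 100kb".
        [long]$MaxSize = 100KB
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes hidden files; top level only, as in the posts.
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxSize } |
            ForEach-Object {
                $file = $_
                $vi = $file.VersionInfo   # version resource: the fields shown in Properties
                $fields = @($vi.CompanyName, $vi.OriginalFilename, $vi.InternalName,
                            $vi.ProductName, $vi.FileDescription)
                $matched = @($fields | Where-Object { Test-Indicator $_ })
                if ($matched.Count -gt 0) {
                    [pscustomobject]@{
                        Name             = $file.Name
                        SizeKB           = [math]::Round($file.Length / 1KB)
                        CompanyName      = $vi.CompanyName
                        OriginalFilename = $vi.OriginalFilename
                        FullName         = $file.FullName
                    }
                }
            }
    }
}

function Get-RunEntry {
    # The Run key named in the thread; checking both hives is an assumption.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $item = Get-Item -LiteralPath $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

# 1. Files whose version resource carries one of the reported strings.
$suspects = @(Find-SuspectBinary)
$suspects | Format-Table -AutoSize

# 2. Startup entries that launch one of those files or mention an indicator directly.
$names = @($suspects | ForEach-Object { $_.Name.ToLowerInvariant() })
Get-RunEntry | Where-Object {
    $cmd = $_.Command.ToLowerInvariant()
    (Test-Indicator $cmd) -or (@($names | Where-Object { $cmd.Contains($_) }).Count -gt 0)
} | Format-List
```

Because the posters report a different random file name on every machine, the match is on the version-resource strings rather than on file names; a variant that ships with an empty or altered version resource will not appear in this listing.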
|
re: belgiandip.com
Friday, April 9, 2004 at 8:10 pm Posted by S
(1 messages posted)
this is caused by a program called I_anets.exe that is hidden in c:\windows\system
32. If you are running WinXP, you can run msconfig and then startup to disable it.
I had this same stupid popup and once I had disabled it from the startup, I was
ok.
Hope this helps
On Thursday, December 18, 2003 at 9:52 am, Jazz wrote:
>
>
>Try this link: -
>
>http://www.panicware.com/product_psfree.html
>
>Good luck
>
>-=JAZZ=-
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Saturday, April 10, 2004 at 3:40 am Posted by Phoenix
(2 messages posted)
the file is also called asradr.exe -- still found in the C:/Windows/system32 folder
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Saturday, April 10, 2004 at 8:59 am Posted by David
(1 messages posted)
TO ALL who have this problem....i finally found it for myself....it is a 64 kilobyte
randomly named file in /system32 under the company totem pole, and all of them have
the same icon.....there were 48 on my system
[Reply or follow-up to this message]
|
re: belgiandip.com
Saturday, April 10, 2004 at 12:11 pm Posted by PossumJenkins
(1 messages posted)
This finally worked for me! Go to your file search function, search for all files
under 100kb only in your Windows/System32 folder, then go through and find all that
are under the 'totempole' company. If you cannot delete the file (mine was named
something ISBRD...), open your task manager and end the process of that file name,
then delete it!
I tried AdAware, SpyBlocker, and many others, and this was the only way to get this
off of my computer.
On Saturday, April 10, 2004 at 8:59 am, David wrote:
>TO ALL who have this problem....i finally found it for myself....it is a 64 kilobyte
>randomly named file in /system32 under the company totem pole, and all of them have
>the same icon.....there were 48 on my system
[Reply or follow-up to this message]
|
re: belgiandip.com
Saturday, April 10, 2004 at 1:26 pm Posted by Francis
(2 messages posted)
Can anyone help me???
I have had this problem also. I followed the directions but when i got to the Regedit
section I couldnt find any thing to delete. Whats the Deal? Im still getting these
damn popups and i have pestpatrol, which usually work but can find any thing.
any ideas???? thanks
[Reply or follow-up to this message]
|
re: belgiandip.com THIS WILL WORK!!!
Saturday, April 10, 2004 at 6:37 pm Posted by eric
(1 messages posted)
Ok, I could not get this stupid thing to go away. I figured it out, end the process
YDOCSM.EXE then go to windows/system32 and delete YDOCSM.EXE then run regedit and search
for YDOCSM.EXE, and delete it. That will work. I also send a scathing e-mail to a
spyware removal company that had an ad using this crappy adware.
[Reply or follow-up to this message]
|
re: belgiandip.com
Saturday, April 10, 2004 at 8:43 pm Posted by Charles
(2 messages posted)
In response to belgiandip.com;
I've been researching this subject for the past several hours at different sites
and no one has mentioned the file "thinstaller.exe" which appears to be the first part
of the attack. One response I read (maybe here) mentions that ZoneAlarm stops it
from connecting and in our case, yes it did ask for permission. Nortons did not react
(Antivirus or Internet Security) as this is not a virus in the true sense of the
word I guess. If you have ZoneAlarm and use it to check certain entries in its log,
you'll come to a page where they will scan your com with Pest Control and tell you
what spyware and adware is running - tracking cookies etc. Unfortunately on my main
con, this page will not display correctly -probably something to do with certain
settings I have re: activeX controls. Wish I knew more, but I thought I would add
what I found to existing threads re: thinstaller as nowhere else did I find an entry
concerning this aspect.
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 2:01 am Posted by monica
(1 messages posted)
I searched system 32 and couldn't find anything but then I searched windows looking
for totem in the company title - it was hqcpres a with a sort of envelope
symbol - aque and white- different to everything else and I tried to delete it but
it refused so I went to Task Manager and deleted it from there and it worked. It
was simple in the end.
I am not having problems now.
On Saturday, April 10, 2004 at 1:26 pm, Francis wrote:
>Can anyone help me???
>
>I have had this problem also. I followed the directions but when i got to the Regedit
>section I couldnt find any thing to delete. Whats the Deal? Im still getting these
>damn popups and i have pestpatrol, which usually work but can find any thing.
>
>any ideas???? thanks
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 6:28 pm Posted by will
(4 messages posted)
TITBDEFA.exe in Win 98SE system folder was my little SOB
On Saturday, March 6, 2004 at 11:28 pm, Cyber Spyder wrote:
>
>
>Most likely you have a different file name that's creating the PUP.EXE files. With
>me, the dbcji32o.exe file would run at bootup, then once i ran internet explorer
>it would create pup.exe and then dbcji32o.exe would hide itself so that you would
>only see the pup.exe running. You have to boot your pc and immediately run task
>manager before opening any files and look for a running task that you don't recognize.
>If you're unsure of deleting a strange file, go to that file wherever it may be on
>your hard drive (most likely in the windows\system32\ folder) then right click on
>that file and check properties. Look at the info on each line in its profile. If
>you see the names totempole, pup.exe, over.exe, or werule in there, that's the file
>to delete. The pup.exe, over.exe, and open.exe files are all red herrings created
>by the elusive file that hides itself after bootup.
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 6:36 pm Posted by will
(4 messages posted)
I had already found pup and all the rest and killed them off, but nothing would stop
it. Even some real files died in my quest to purge any exe with a stupid file name.
Thank you for these helpful tips.
TITBDEFA.exe in Win 98SE system folder was my little SOB
I couldn't delete it as windows said it was being used!!
Oh well back to DOS.
C:\windows\system>del titbdefa.exe
And now I am very happy
:-)
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 8:11 pm Posted by Derek
(1 messages posted)
Thanks! That did it for an XP Pro machine. It appears in multiple files with the
same icon as you said, which is the key to getting rid of it.
On Saturday, April 10, 2004 at 8:59 am, David wrote:
>TO ALL who have this problem....i finally found it for myself....it is a 64 kilobyte
>randomly named file in /system32 under the company totem pole, and all of them have
>the same icon.....there were 48 on my system
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 8:13 pm Posted by D Ho
(1 messages posted)
mine was called sassl.exe and i did what others mentioned (stopped in task mgr, and
found the file and deleted it)...
took me a while to find it, but if you look at your processes and see one youve never
seen before, google it and make sure it's not something you need running. once youve
found it check its properties and it should say totempole, pup, pup.exe, or something
like that.
[Reply or follow-up to this message]
|
re: belgiandip.com
Sunday, April 11, 2004 at 9:46 pm Posted by e
(1 messages posted)
good looking out, i couldn't figure out where it was til i saw what you posted, mines
was called 'luginp.exe'
On Saturday, April 10, 2004 at 8:59 am, David wrote:
>TO ALL who have this problem....i finally found it for myself....it is a 64 kilobyte
>randomly named file in /system32 under the company totem pole, and all of them have
>the same icon.....there were 48 on my system
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, April 12, 2004 at 3:47 pm Posted by Thomas
(1 messages posted)
I took the easy way. SpyBot didn't work, so I downloaded the latest update for Ad-Aware
and ran it. Surprise! No more Belgiandip pop-up and my Windows Media Player works
again.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com - New Name
Monday, April 12, 2004 at 9:43 pm Posted by Shaunabobauna
(1 messages posted)
Mine was called: smuir.exe
go figure.. what a pest.... I ended up looking at everything in my task manager to
find it. New computer too - so tons of stuff running that I am not familiar with
yet.
On Friday, March 5, 2004 at 8:55 pm, Cyber Spyder wrote:
>
>Sorry,
>
>To be more specific, look at your task manager at all running tasks, and find the
>file/files dbcji32o.exe OR over.exe OR pup.exe and END TASK if they are running.
>The root file (the file that generates pup.exe and over.exe) is dbcji32o.exe which
>should be in your windows\system32 folder. If not, do a search for that file and
>delete it. Be sure you delete PUP.EXE and or OVER.EXE also. Then use your run command
>to run msconfig and go to the startup tab and uncheck the box next to that file you
>just deleted. It's also a good idea to open regedit and delete the key that loaded
>the file to begin with (SOFTWARE\Microsoft\Windows\CurrentVersion\Run). Don't use
>regedit unless you're sure you know what you're doing, as this could prove to be
>problematic to say the least if you delete the wrong key.
>
>Also, these guys might have made files with different names so the dbcji32o.exe might
>not be the same file name on your system. Just look for a file running in task manager
>that is probably similar to this one. If you have any doubts, find whatever file
>you think is causing the problem and then locate it on your hard drive. Right click
>on it and check properties and if the file indicates that its original name was
>PUP.EXE or if it was created by totempole or werule, it's probably the one you need
>to delete.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Monday, April 12, 2004 at 11:40 pm Posted by Mathew
(1 messages posted)
I found another variant on my machine (13 April 2004) called apim.exe. Simply killed
the task in Task Manager, deleted the file from the Windows System directory and
deleted the registry entry which causes it to load at start up.
Hope this helps others out there who come across this problem.
On Monday, March 1, 2004 at 12:23 am, Cyber Spyder wrote:
>I believe i have found an answer to your POPup problem.
>
>I too was getting the belgiandip popups after going to certain web pages, gotradio.com
>was one of them where i was bombarded with popups, browser hijackers, and my cd-rom
>drives all popped open. After doing some research i traced all problems back to passthison.com
>where they openly admit doing these types of things to convince people to buy spyware
>removal tools from their advertisers. Long story short, I spoke to Val Starr, president
>of gotradio.com and she had the advertisers removed along with their popup attack
>banners. Well they somehow did it again and now i started getting the belgiandip.com
>crap. Here is what i noticed:
>
>A program called pup.exe in the c:\program files dir was creating a file called over.exe
>which in turn was causing popups. After deleting the files i thought i had the problem
>solved, WRONG.... Downloaded both spysweeper and adaware and neither one caught this
>nasty little bastard. Opened task manager and saw no unusual tasks running. Decided
>to reboot, did, upon opening task manager again i noticed this little S.O.B. running
>dbcji32o.exe which if right clicked on and properties checked was codenamed totempole
>by some idiots called werule. The original filename is pup.exe... created by the
>dbcji32o.exe file So i hope this helps you and everyone else out because none of
>the spyware tools i tried could find this one.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, April 13, 2004 at 4:24 am Posted by Iain Reid
(1 messages posted)
Many thanks for resolution. The primary executable changed to 'hellstyle.exe' on
my system, once I'd figured that out (Author as 'totem') and removed its executable,
the PUP.exe it had created (in c:\windows) and changed startup in registry to not
try starting it up it seems to have resolved issue. Pesky little varmint, me and
some friends would LOVE to spend some time with the author(s) in a soundproof room.
To re-use a phrase, would like to get 'Medieval' on their sad loser asses.
On Monday, March 8, 2004 at 1:30 am, Cyber Spyder wrote:
>
>Make sure when you search for the files in question that you chose to show ALL files,
>especially hidden files and folders. The programs are most likely in the C:\windows\system32\
> folder or you might check c:\program files. Also, if you can't find the file,
>don't rely on the windows search tool to locate it, use file explorer to find the
>file manually by going to the two main folders i mentioned above. If you're seeing
>the program in task manager, you can't right click on it that way. You have to end
>task then find the files on your hard drive, then right click on them and check properties.
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, April 13, 2004 at 12:37 pm Posted by Ray
(2 messages posted)
Another variant named: isjperfd.exe Hope this helps others.
On Tuesday, April 13, 2004 at 4:24 am, Iain Reid wrote:
>
>Many thanks for resolution. The primary executable changed to 'hellstyle.exe' on
>my system, once I'd figured that out (Author as 'totem') and removed its executable,
>the PUP.exe it had created (in c:\windows) and changed startup in registry to not
>try starting it up it seems to have resolved issue. Pesky little varmint, me and
>some friends would LOVE to spend some time with the author(s) in a soundproof room.
>To re-use a phrase, would like to get 'Medieval' on their sad loser asses.
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Tuesday, April 13, 2004 at 2:14 pm Posted by Ray
(2 messages posted)
Ok,
Here's a twist of the dagger. When I started with this whole mess, I had Google's
pop-up blocker. It didn't work so I tried a free copy of Stopzilla. Stopzilla killed
the windows every time BUT the free trial is only for 15 days.
After finding this forum, I did ALL the things recommended. I uninstalled Stopzilla
(thinking I didn't need it). That b@st@rd website then gave me two or three pop-ups
after the uninstall. I thought I was finished there, but get this...
The pop ups slowed down in frequency but I would still get one every tenth instance
or so. It got progressively annoying, so I decided to reload Stopzilla so I could
see where the pop-ups are coming from (and make sure that I did not have another
variant of belgiandip.) Funny thing is, ever since I reloaded Stopzilla, I have
not had one pop-up!
Why is it that Stopzilla was the only thing that stopped this AND why do they have
a rating from tucows.com (an alleged originator of this annoyance?) Ahhhh!!! any
help will be appreciated.
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, April 14, 2004 at 1:08 am Posted by Mike
(1 messages posted)
I just wanted to give you guys a big thanks for all the help, I finally got rid of
that damn popup. Also, if Tucows was behind this, I hope they not only go out of business
but are severely fined. Thanks again guys!
On Tuesday, April 13, 2004 at 2:14 pm, Ray wrote:
>Ok,
>
>Here's a twist of the dagger. When I started with this whole mess, I had Google's
>pop-up blocker. It didn't work so I tried a free copy of Stopzilla. Stopzilla killed
>the windows every time BUT the free trial is only for 15 days.
>
>After finding this forum, I did ALL the things recommended. I uninstalled Stopzilla
>(thinking I didn't need it). That b@st@rd website then gave me two or three pop-ups
>after the uninstall. I thought I was finished there, but get this...
>
>The pop ups slowed down in frequency but I would still get one every tenth instance
>or so. It got progressively annoying, so I decided to reload Stopzilla so I could
>see where the pop-ups are coming from (and make sure that I did not have another
>variant of belgiandip.) Funny thing is, ever since I reloaded Stopzilla, I have
>not had one pop-up!
>
>Why is it that Stopzilla was the only thing that stopped this AND why do they have
>a rating from tucows.com (an alleged originator of this annoyance?) Ahhhh!!! any
>help will be appreciated.
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, April 14, 2004 at 5:09 am Posted by ju
(2 messages posted)
Help! Does anyone here speak French? I keep getting these windows from
http://www.belgiandip.com opening up and I don't know what to do...
I tried to read your replies in English but I didn't understand anything, it's technical...
How do I get rid of it? Thanks in advance
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, April 14, 2004 at 5:43 am Posted by callix
(1 messages posted)
Install ad aware and update it.
It just fixed this problem on my PC. I'm relieved!!!!!!!!
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, April 14, 2004 at 6:25 am Posted by ju
(2 messages posted)
thanks callix! :-)
I don't know that thing, I'll try to find it. That said, I tried to understand
what Tim said a bit further up http://www.annoyances.org/exec/forum/winxp/1079378223
I deleted some things that were 64 KB and apparently it works, I haven't had any
more windows like that popping up...
On Wednesday, April 14, 2004 at 5:43 am, callix wrote:
>Install ad aware and update it.
>It just fixed this problem on my PC. I'm relieved!!!!!!!!
[Reply or follow-up to this message]
|
re: belgiandip.com
Thursday, April 15, 2004 at 12:58 pm Posted by kuLLy
(1 messages posted)
Thursday, April 15, 2004 -
I recently dealt with this so called totempole problem. The application was
a slippery fellow, but i was able to locate it as r41.qcxi.exe. However, finding it
turned out to be the easiest problem. I fought it for an hour trying to get it and
its partners expunged. To make it go away you must first end task the application,
which may or may not be easy for you. The application for me killed my task manager
so i had to manually go into the msconfig and locate the file via the startup tab.
After i killed that from starting up when booting, it made it simple to get rid of
the last bits. Then standard deleting, makes the rest gone. However, like spyder
wrote, it's a slippery application so, for best results on making problem go away,
i recommend trying to remember when problem started and look in your system32 files
for created dates on these such problems. Hope you get your problem fixed and if
already fixed, maybe this will help some other random victim.
On Saturday, March 6, 2004 at 11:28 pm, Cyber Spyder wrote:
>
>
>Most likely you have a different file name that's creating the PUP.EXE files. With
>me, the dbcji32o.exe file would run at bootup, then once i ran internet explorer
>it would create pup.exe and then dbcji32o.exe would hide itself so that you would
>only see the pup.exe running. You have to boot your pc and immediately run task
>manager before opening any files and look for a running task that you don't recognize.
>If you're unsure of deleting a strange file, go to that file wherever it may be on
>your hard drive (most likely in the windows\system32\ folder) then right click on
>that file and check properties. Look at the info on each line in its profile. If
>you see the names totempole, pup.exe, over.exe, or werule in there, that's the file
>to delete. The pup.exe, over.exe, and open.exe files are all red herrings created
>by the elusive file that hides itself after bootup.
>
[Reply or follow-up to this message]
|
re: belgiandip.com THIS WILL WORK!!!
Thursday, April 15, 2004 at 1:01 pm Posted by stephen nesbitt
(1 messages posted)
As far as I am aware this is who the bastards are!
Search results for: 83.218.5.65
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net
NetRange: 83.0.0.0 - 83.255.255.255
CIDR: 83.0.0.0/8
NetName: 83-RIPE
NetHandle: NET-83-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: SUNIC.SUNET.SE
NameServer: TINNIE.ARIN.NET
NameServer: NS3.NIC.FR
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
Comment:
RegDate: 2003-11-17
Updated: 2004-03-16
OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: search-ripe-ncc-not-arin@ripe.net
# ARIN WHOIS database, last updated 2004-04-14 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
On Saturday, April 10, 2004 at 6:37 pm, eric wrote:
>Ok, I could not get this stupid thing to go away. I figured it out, end the process
>YDOCSM.EXE then go to windows/system32 and delete YDOCSM.EXE then run regedit and search
>for YDOCSM.EXE, and delete it. That will work. I also sent a scathing e-mail to a
>spyware removal company that had an ad using this crappy adware.
[Reply or follow-up to this message]
|
re: belgiandip.com
Friday, April 16, 2004 at 8:36 am Posted by Terence
(5 messages posted)
I've tried almost everything here, and I did scans with many different programs.
I think they removed the files you guys mentioned. however, I'm still getting the
popups. I've tried everything!
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com - New Name
Friday, April 16, 2004 at 11:44 am Posted by Dennis
(1 messages posted)
Another possible name is B16K.exe
On Monday, April 12, 2004 at 9:43 pm, Shaunabobauna wrote:
>
>Mine was called: smuir.exe
>
>go figure.. what a pest.... I ended up looking at everything in my task manager to
>find it. New computer too - so tons of stuff running that I am not familiar with
>yet.
>
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com
Friday, April 16, 2004 at 2:41 pm Posted by Acrobaze
(1 messages posted)
Try this:
http://www.microsoft.com/windows/ie/using/howto/restrictedsites/stoppopups.asp
On Friday, April 16, 2004 at 8:36 am, Terence wrote:
>
>I've tried almost everything here, and I did scans with many different programs.
> I think they removed the files you guys mentioned. however, I'm still getting the
>popups. I've tried everything!
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com NEW INFO
Friday, April 16, 2004 at 6:18 pm Posted by Anonymous
(1 messages posted)
*PROBLEM* Belgiandip.com popup that launches intermittently when Explorer is started
or shut down. * SOLUTION* There were four files in Windows\ and Windows\System32
related to belgiandip.com. Close each file in Task Manager then deleted the file.
It worked! *SAVE TIME* Target files clearly authored by Totempole and 64 kb in size.
There are 2 new files. HUNT FILES USING START, THEN SEARCH FOR- pup.exe b821557k.exe
et1n.exe and etplwizn.exe REGEDIT. I lack extensive computer skills. However, I
tried to hunt it down using the regedit utility instructions posted here. I could
not find any file in there other than Explorer.exe. Also, deactivating scripting
only seems to work if you plan on visiting that website again. I don't know how
I got this virus, but I don't ever plan on visiting belgiandip.com. *ACTION* Everyone
reading this has wasted their time. I hope you all will continue complaining to the
main-stream companies advertising in those pop-ups and contact your local govt officials
(Attorney General's, FTC, and reps to Congress and State Legislature). Belgiandip.com
should be closed down immediately. I have heard of a successful lawsuit against a
spammer that sent unwanted faxes. This is the same deal. Belgiandip.com is stealing
our time and our machines. It's illegal.
[Reply or follow-up to this message]
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Saturday, April 17, 2004 at 7:40 am Posted by Jack
(1 messages posted)
I think i have a simple solution to your problem!
Go to windows>system32, let your pc search for all "exe" files. (also the hidden
files) When the search engine is ready, you select the list of files, on volume (Kb's).
You only have to be interested in files with 64kb. The files may have different names
but if you watch in "properties" you will see if it's a "totempole" or a "werule"
file.
First i was not able to delete the exe files because they were active at the moment.
This problem can be solved if you shut down your pc and restart it in "safe mode"
Now you just repeat the same things and you will see that it is possible to eliminate
the "exe" files.
If you want to be sure that all the files are eliminated, you also need to run a
search on "program files"!
Good luck
Jack
On Friday, April 16, 2004 at 2:41 pm, Acrobaze wrote:
>
>Try this:
>
>http://www.microsoft.com/windows/ie/using/howto/restrictedsites/stoppopups.asp
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Saturday, April 17, 2004 at 10:58 am Posted by Jerry
(1 messages posted)
Tried everything listed and still have the http://www.belgiandip.com/go.php?l=0021
popup.
Found other pieces to the puzzle.
"http://www.undergroundlair.net"
IP address: United States 24.13.30.60
Still working on it. Please post any additional info.
Thanks, JerryR52
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't hold control alt delete and end that program task.
> Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
> No need to thank me :D Good Luck
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, April 18, 2004 at 12:18 am Posted by skippy
(4 messages posted)
I just downloaded the Adware and it took care of the problem.
Make sure you update the software once you download it.
I also had to update my WMP to get it to work but it's back to normal now.
On Saturday, April 17, 2004 at 10:58 am, Jerry wrote:
>Tried everything listed and still have the http://www.belgiandip.com/go.php?l=0021
>popup.
>Found other pieces to the puzzle.
>"http://www.undergroundlair.net"
>IP address: United States 24.13.30.60
>Still working on it. Please post any additional info.
>Thanks, JerryR52
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, April 18, 2004 at 8:51 am Posted by Fluff
(1 messages posted)
A couple more possible names are "cfgnt51.exe," "gfxhespi.exe," and "NTUninstallQ308677$$.exe."
[Reply or follow-up to this message]
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Sunday, April 18, 2004 at 2:19 pm Posted by Konrad Adenauer
(1 messages posted)
This was the ultimate tip! I've removed some strange exes in system32 and now I can
surf in peace again... ;-) THX
[Reply or follow-up to this message]
|
re: belgiandip.com
Wednesday, April 21, 2004 at 1:06 pm Posted by ruben lima
(1 messages posted)
i solve my problem deleting real player, i have problem with my broadband internet
i have a popup i check the properties, give me a long file address with a weird name,
i put the name on search and i found the belgiandip.com on the file datacache on
real player i delete real player and i solve the problem with this ugly popup
[Reply or follow-up to this message]
|
re: belgiandip.com: Mutated / Migrated? ow32w.exe
Wednesday, April 21, 2004 at 5:34 pm Posted by u660699
(1 messages posted)
Hi, whilst I never went near belgiandip.com ....
I did manage to pick up something which sounds very similar to the problems described
in other posts here ...
details plus how I fixed follows ....
ow32w.exe Trojan from Totempole found on my XP machine - now removed (I hope).
Symptoms: Explore Notepad hijacked . Right clicking to open causes pop ups
Missed by SpyBot, Adaware, Trendmicro Antivirus :-(
Brownie points to Hotmail for spotting a virus when I had all the offending files
zipped up!
Internet access attempts stopped by Zonealarm.
Thanks to Spybot "Tools-System start up" for spotting ow32w.exe and B6Jhpjm.exe
ow32w was running as a process.
Killed it (plus any spawned processes) using Process Explorer from www.sysinternals.com
No registry changes required that I could spot - unless of course you know better....
Removing the following files fixed it.
\Local Settings\Temp
======================================================================
B6Jhpjm.exe 228 KB 16/04/2004 11:31:44 AM a
Total 1 file(s); Size: 233667 Byte(s)
\Program Files
================================================================
over.exe 3 KB 20/04/2004 11:22:34 PM a
pup.exe 245 KB 20/04/2004 11:22:34 PM a
Total 2 file(s); Size: 254901 Byte(s)
\Windows
==========================================================
bdl94126.exe 58 KB 01/03/2004 04:02:00 PM a
pup.exe 64 KB 26/02/2004 04:17:50 PM a
update12.js 1 KB 01/03/2004 11:50:40 PM a
Total 3 file(s); Size: 126314 Byte(s)
\Windows\prefetch
===================================================================
B6JHPJM.EXE-16AE5CE1.pf 21 KB 16/04/2004 11:31:54 AM a
BDL94126.EXE-195022B7.pf 24 KB 20/04/2004 11:23:00 PM a
OW32W.EXE-26648B26.pf 12 KB 20/04/2004 11:22:56 PM a
PUP.EXE-0402600B.pf 15 KB 20/04/2004 11:22:44 PM a
PUP.EXE-052747AD.pf 17 KB 20/04/2004 11:22:44 PM a
PUP.EXE-3934063A.pf 15 KB 20/04/2004 11:22:46 PM a
Total 6 file(s); Size: 110244 Byte(s)
\Windows\system32
===================================================================
O 1 KB 16/04/2004 11:32:16 AM a
O.BAT 1 KB 16/04/2004 11:32:16 AM a
ow32w.exe 64 KB 26/02/2004 04:17:50 PM a
Total 3 file(s); Size: 65880 Byte(s)
O.BAT contains the following:
==========================================================
if not exist C:\WINDOWSstatuslog ftp -s:o
if exist bs5-nt15v.exe bs5-nt15v.exe
if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
if exist silent.exe silent.exe
if exist CS4P028.exe CS4P028.exe
==========================================================
I didn't find cs4p028.exe or silent.exe on my machine but a couple of postings suggest
others have.
Other postings suggest that other files are also created.
I deleted a " Thinstaller client " that may also be associated with this
zonealarm also shows a file u070104.exe (unclear on timings but looks dodgy!)
ow32w.exe Properties Version Company information suggests that " Totempole " are
the "people" concerned.
WARNING
The Javascript file contains the url of a web site
WARNING >>> searchcentral.cc <<< DANGEROUS TROJAN SITE
PLEASE RESIST the temptation to browse the site.
I went in with IE6.0 (yes I know it is stupid and I have now installed the latest SP)
with the Security Settings on High and got several pop-ups plus at least 2 executables
(over.exe and pup.exe) installed....I'm not going back
Worrying aspect from my viewpoint is that:
a) I remain unclear how I picked this up
b) lost some faith in spybot and adaware
c) not convinced I have found everything
Any suggestions/thoughts welcomed.
Hopefully info provided is sufficient to help others / encourage some updates.
On Wednesday, December 17, 2003 at 4:01 pm, BT wrote:
>Im getting a popup from Belgiandip.com that launches intermittently when Explorer
>is started or shut down. Cant seem to control it through my firewall or popup stopper.
>Does anyone know how to kill it?
[Reply or follow-up to this message]
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Wednesday, April 21, 2004 at 5:47 pm Posted by John Naughton
(3 messages posted)
Hardryve from Federazione of Famiglia's&Naughtons Quadrant
This is still going on for me at the present time, I have found the pup.exe file
and deleted it so I presume, posted a hijack log on Coyote's forum, had Higham check
it and then deleted if I can remember at the moment something like xxioi.exe some
kind of adult $hit and a few others from his checking with others scrupulous intelligencia.
But to no avail I have read all the replies on this subject as well as checked myself
on whois both on RIPE as well the other one that was posted here.
Did as mentioned about searching all exe's 64kbs, hidden and system32, programs and
anything else I could think of. I have posted a copy of the hijack log on Lockergnome
and so on and so forth, If there is more info please reply as this bastard still
prevails as a terrorist on my PC, Thank you all for hearing my gripe.
Hardryve 4/21/04 9:00pm EST
Mr. John Naughton aka: Hardryve.
On Sunday, April 18, 2004 at 2:19 pm, Konrad Adenauer wrote:
>This was the ultimate tip! I've removed some strange exes in system32 and now I can
>surf in peace again... ;-) THX
[Reply or follow-up to this message]
|
re: belgiandip.com NEW INFO
Thursday, April 22, 2004 at 12:49 pm Posted by Jenni
(1 messages posted)
Once you find one file from these boneheads, you might want to try searching for all
files modified on the date that the original file was modified on. I just got rid
of 10 or so files all connected with totempole that way. Hope it works!!! Jenni
On Friday, April 16, 2004 at 6:18 pm, Anonymous wrote:
>*PROBLEM* Belgiandip.com popup that launches intermittently when Explorer is started
>or shut down. * SOLUTION* There were four files in Windows\ and Windows\System32
>related to belgiandip.com. Close each file in Task Manager then deleted the file.
>It worked! *SAVE TIME* Target files clearly authored by Totempole and 64 kb in size.
>There are 2 new files. HUNT FILES USING START, THEN SEARCH FOR- pup.exe b821557k.exe
> et1n.exe and etplwizn.exe REGEDIT. I lack extensive computer skills. However, I
>tried to hunt it down using the regedit utility instructions posted here. I could
>not find any file in there other than Explorer.exe. Also, deactivating scripting
>only seems to work if you plan on visiting that website again. I don't know how
>I got this virus, but I don't ever plan on visiting belgiandip.com. *ACTION* Everyone
>reading this has wasted their time. I hope you all will continue complaining to the
>main-stream companies advertising in those pop-ups and contact your local govt officials
>(Attorney General's, FTC, and reps to Congress and State Legislature). Belgiandip.com
>should be closed down immediately. I have heard of a successful lawsuit against a
>spammer that sent unwanted faxes. This is the same deal. Belgiandip.com is stealing
>our time and our machines. It's illegal.
[Reply or follow-up to this message]
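The manual hunt described in Jack's post (64 KB executables whose Properties name "totempole" or "werule") and in Jenni's follow-up (everything modified on the same day as a known file), sketched in Python as an added example that is not code from any poster. It only reports and never deletes; the raw byte search for the company string, the size slack and the sample tree are assumptions made for this illustration.

```python
import os
from datetime import date, datetime

COMPANY_MARKERS = ("totempole", "werule")   # names posters saw under Properties
SIZE_TARGET = 64 * 1024                     # the recurring "64 KB" size
SIZE_SLACK = 2 * 1024                       # assumption: tolerate Explorer rounding
MAX_READ = 16 * 1024 * 1024                 # assumption: skip very large files


def find_marker(data):
    """Return the marker present in data as ASCII or UTF-16LE text, else None."""
    lowered = data.lower()  # lowercases A-Z bytes only, so UTF-16LE text still matches
    for marker in COMPANY_MARKERS:
        if marker.encode("ascii") in lowered or marker.encode("utf-16-le") in lowered:
            return marker
    return None


def scan_executables(root):
    """Walk root and return one record per .exe whose bytes carry a company marker."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(folder, name)
            try:
                info = os.stat(path)
                if info.st_size > MAX_READ:
                    continue
                with open(path, "rb") as handle:
                    marker = find_marker(handle.read())
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if marker:
                hits.append({
                    "path": path,
                    "marker": marker,
                    "size_match": abs(info.st_size - SIZE_TARGET) <= SIZE_SLACK,
                    "modified": date.fromtimestamp(info.st_mtime),
                })
    # Size-matching hits first, then by path for stable output.
    return sorted(hits, key=lambda h: (not h["size_match"], h["path"]))


def same_day_files(root, hits):
    """List non-hit files modified on the same calendar day as any hit."""
    days = {h["modified"] for h in hits}
    known = {h["path"] for h in hits}
    related = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                modified = date.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue
            if path not in known and modified in days:
                related.append(path)
    return sorted(related)


def build_sample_tree(root):
    """Create a constructed sample tree (fake contents, not real malware)."""
    def put(rel, payload, size, when):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(payload.ljust(size, b"\0"))
        stamp = datetime(*when, 12, 0).timestamp()
        os.utime(path, (stamp, stamp))

    put("system32/ow32w.exe", "CompanyName\0Totempole".encode("utf-16-le"),
        65536, (2004, 2, 26))
    put("system32/benign.exe", b"MZ ordinary 64 KB program", 65536, (2003, 8, 1))
    put("Program Files/pup.exe", b"MZ WeRule", 250000, (2004, 4, 20))
    put("system32/dropped.dat", b"constructed neighbour", 512, (2004, 2, 26))
    put("system32/old.txt", b"unrelated", 100, (2001, 1, 1))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan_executables(tmp)
        for hit in found:
            print(hit["marker"], hit["size_match"], hit["modified"], hit["path"])
        for path in same_day_files(tmp, found):
            print("same day:", path)
```

Because it reads files rather than running them, the sweep can be pointed at a copy of the disk mounted on another machine, where the hidden process cannot lock its own executable.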
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Monday, April 26, 2004 at 8:29 am Posted by Rob Leslie
(1 messages posted)
Thank you Jack....! After hours of searching how to get rid of the problem ..Success!!
My son's PC is running Windows Me and had 2 files avacyptj.exe and mcfg32c.exe in
the c:\windows\system directory. Both 64K in size and both from totempole....they
are now history!......Thank you again!
On Saturday, April 17, 2004 at 7:40 am, Jack wrote:
>I think i have a simple solution to your problem!
>
>Go to windows>system32, let your pc search for all "exe" files. (also the hidden
>files) When the search engine is ready, you select the list of files, on volume (Kb's).
>
>You only have to be interested in files with 64kb. The files may have different names
>but if you watch in "properties" you will see if it's a "totempole" or a "werule"
>file.
>
>First i was not able to delete the exe files because they were active at the moment.
>This problem can be solved if you shut down your pc and restart it in
>"safe mode"
>
>Now you just repeat the same things and you will see that it is possible to eliminate
>the "exe" files.
>
>If you want to be sure that all the files are eliminated, you also need to run a
>search on "program files"!
>
>Good luck
>
>Jack
>
>
>
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com NEW INFO
Friday, April 30, 2004 at 6:10 pm Posted by Mark
(3 messages posted)
Even though I have Windows ME, I was just able to locate two .exe files, size 64kb
in windows/system. File names are P_1252C and OMPOBJC. Both files are authored by
totempole.
On Thursday, April 22, 2004 at 12:49 pm, Jenni wrote:
>Once you find one file from these boneheads, you might want to try searching for all
>files modified on the date that the original file was modified on. I just got rid
>of 10 or so files all connected with totempole that way. Hope it works!!! Jenni
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com NEW INFO
Friday, April 30, 2004 at 11:12 pm Posted by CLR
(4 messages posted)
Hello.
I'm CLR. I have been "infected" with pup.exe via BitTorrent. I have found out how
to remove it. I posted it in the Windows 2000 forum, where they discuss about pup.exe
also. It may be weird for me to post there when I'm an XP user, but go there and look
for my post of CLR. It will help you a lot, I promise.
[Reply or follow-up to this message]
|
belgiandip.com - programs by totempole
Saturday, May 1, 2004 at 4:00 pm Posted by Jay
(1 messages posted)
I did not find any of the files (pup.exe, werule.exe, etc) that others had. However,
based on the 64KB size info, I was able to locate the two files sr2cm.exe and ldap32w.exe
- both in windows/system32 folder. Both these files were by the company totempole.
As soon as I deleted them, my frustrations ended. No more belgiandip window. None
of the programs - NIS, PC Mag's CookieCop, SpyBot and others - could prevent the
very annoying pop-up.
On Friday, April 30, 2004 at 6:10 pm, Mark wrote:
>Even though I have Windows ME, I was just able to locate two .exe files, size 64kb
>in windows/system. File names are P_1252C and OMPOBJC. Both files are authored by
>totempole.
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com - programs by totempole
Saturday, May 1, 2004 at 8:36 pm Posted by John Naughton
(3 messages posted)
Hardryve from Federazione of Famiglia's&Naughtons Quadrant
I finally caught up with the pup in the registry thanks to Coyote's tech: Daemon
with the help of Pieter_Arntz, from Wilders Security Forums and deleted it in the
registry, the file morphed several times the only hint I could get even before the
above mentioned tech's and tech sites was from "Zone Alarm" this program out of all
the security software on the Internet was the only program that showed a log and
the location of the file on my PC, anyone who does not have this program on their
PC should immediately after reading this post go and get it for free, it is in my
opinion the best of the free software out there here is the link http://www.zonelabs.com/store/content/home.jsp,
thanks to everyone here as well as the before mentioned security forums for their
effective investigation and knowledge in breaking down the barriers of these vicious
cohorts, Hardryve [May 1, 2004]
Mr. John Naughton aka: Hardryve.
On Saturday, May 1, 2004 at 4:00 pm, Jay wrote:
>I did not find any of the files (pup.exe, werule.exe, etc) that others had. However,
>based on the 64KB size info, I was able to locate the two files sr2cm.exe and ldap32w.exe
>- both in windows/system32 folder. Both these files were by the company totempole.
> As soon as I deleted them, my frustrations ended. No more belgiandip window. None
>of the programs - NIS, PC Mag's CookieCop, SpyBot and others - could prevent the
>very annoying pop-up.
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com - Yet another person who needs help...
Sunday, May 2, 2004 at 11:44 am Posted by Bri
(1 messages posted)
**WARNING: This file is long...I'm having a lot of problems...**
Hi everyone. About 3 days ago, I got the belgiandip worm/virus/whatever-it-is on
my computer, and I don't know how to get rid of it. I think my problem is a little
different than most people's.
First off, I didn't go to any unusual websites. I went to the sites I usually go
to and I got the bug. (Makes me wonder if someone jacked Google for a day.) And I
get the "belgiandip.com/go.php?1=002" popup when I OPEN Explorer, not when I close
it. Also, I don't get the pop-up the first time I open IE, but I do get the pop-up
everyday (I open IE about 5-10 times a day). To make things even more specific, I
usually get the pop-up when I turn off my pop-up blocker (so IE won't be blocked
from opening) and then re-open IE.
I went to all the various forums online, and I'm glad to see I'm not the only one
with this problem. But it seems like I AM the only person when it comes to a few
areas: My "belgiandip" problem was caused by WeRule, not Totempole. The day I got
the bug, I saw these weird files in the Close Program box (via Ctrl-Alt-Del): 3i,
BDL94126, 0021-BDL94126. I also saw Winoldap and Mshta the same day I got hijacked,
but I'm pretty sure those were always on my computer and the "belgiandip" bug corrupted
them a little.
I ran Ad-Aware, and it didn't find anything. So I MANUALLY deleted these files (based
on what forums like this one said): pup.exe, 3i.dll, 3I.exe, BDL94126.exe, 0021-BDL94126,
0.bat, silent.exe, CS4P028.exe. I never saw files that started with the letter "o",
so "over.exe" is ruled out. I also deleted the following files because they were
created around the same time as the hijack, had the notorious "64kb" filesize,
and shared the same icon as "pup.exe":
*CFGWIZ32 (this is supposedly a trojan horse!!)
*ERWVDRVS
*fjbg12nl
*Hb
*MVCOREW
*RYPT32C
*TEM0409S
*TIDIAGA
*WUPDMGR
Lastly, I MANUALLY removed folders from "C:\Program Files" that looked like spyware.
Some of the folders have been on my computer for a while, but they might have triggered
the attack: topMoxie, NewDotNet, NewtonKnows, scbar, Sprynet, Surf Safari, Grokster,
TimeSink, and Shareaza (I couldn't uninstall Shareaza!! It kept freezing!)
Should I have not deleted these things manually? All of these files are still in
the Recycle Bin, so do I restore them or delete them altogether (maybe the worm
can still contact them in the trash)? And what the heck is a program called "MP_MMV.exe"
-- I can't delete it at all!
I know that Tucows.com is responsible for this -- but they are somewhat reputable;
they're a download site. Sites like CNET (or some other legit places I went to) linked
to them so I had to go to their site to download some legit programs. When I went
to tucows.com, could they have planted something time-activated on my computer and
it just decided to act up now????
Lastly, in the Add/Remove Programs area, what are "SMB OS" and "Search OS"? Are they
related to spyware? If so, can I delete them?
Please tell me how to get rid of this stupid "belgiandip" worm!!
-Bri
PS, Tucows (the creator of this) must DIE!!!!!
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Tuesday, May 4, 2004 at 12:45 pm Posted by Diane
(1 messages posted)
I LOVE YOU!! I love this site. I have been trying to get rid of this for 2 weeks.
Totally frustrated and fed up at this point, it was by a stroke of luck that I happened
onto your site (by typing belgiandip into google search engine).
Can't thank you enough,
Diane
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't hold control alt delete and end that program task.
> Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
> No need to thank me :D Good Luck
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, May 9, 2004 at 8:43 am Posted by Mike Duffy
(1 messages posted)
Thanks to ANONYMOUS re Belgiandip removal. Even a computer illiterate, a virtual
non-geek, was able to decipher what these instructions were saying. IT WORKED even
though there are some slight differences in the "mechanics" of my 2000XP program.
Question: Is there a clue on one's screen when the system is being hijacked? I suspect
it will happen again unless I take proper precautions. Any suggestions? THANKS again,
very much.
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, May 9, 2004 at 10:10 am Posted by joel
(1 messages posted)
I'm glad somebody got it off their computer. I have been spending a lot of time on
trying to get rid of this, I found file but can't delete, there is no program running,
so ctrl alt dlt does not help!, any tip would be greatly appreciated.
thanks Joel
On Tuesday, May 4, 2004 at 12:45 pm, Diane wrote:
>I LOVE YOU!! I love this site. I have been trying to get rid of this for 2 weeks.
>Totally frustrated and fed up at this point, it was by a stroke of luck that I happened
>onto your site (by typing belgiandip into google search engine).
>
>Can't thank you enough,
>Diane
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, May 9, 2004 at 4:28 pm Posted by Pat
(2 messages posted)
I found an online fix for this very issue at http://housecall.trendmicro.com. It
wasn't clear that it fixed the problem, but ever since I ran the free online virus
scan with the auto clean feature on it hasn't run, nor has it reoccurred. I actually
followed all the steps people have discussed here but for the deleting, and I cleaned
up the registry manually first (not recommended unless you know what you are doing),
but could not get rid of the actual .exe files (just couldn't figure out how I guess),
but then I read a tip about this scan doing the part of the fix I could not (deleting
the .exe files), ran it, and it worked! They are gone!
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION:pat
Sunday, May 9, 2004 at 10:59 pm Posted by Nathan Griffin
(4 messages posted)
Pat,
The Trendmicro software seems to have worked for me, too.
However, I have another mouse lurking in the background and I have not been able
to get rid of it. The Trendmicro software did not get rid of this one:
"www.no-beba-al-agua.com", which does the same thing as belgiandip, even calling
up some of the same ads. Maybe it's from the same source...
Any help to remove this would be greatly appreciated.
Thanks for reading....
Nathan
On Sunday, May 9, 2004 at 4:28 pm, Pat wrote:
>I found an online fix for this very issue at http://housecall.trendmicro.com.
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Monday, May 10, 2004 at 12:15 am Posted by Faulco
(1 messages posted)
The procedure below works very well. Note you should NOT attempt to change the names
of any of the 64K files mentioned or they will MULTIPLY! If Pop-Ups still occur after
all files have been deleted, you may need to eliminate files from your Windows Prefetch
folder.
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION:pat
Monday, May 10, 2004 at 7:25 am Posted by Pat
(2 messages posted)
Hey, I am no expert, I just got lucky with trendmicro. I did read where it was suggested
that if you can't delete because it is in use and you can't shut it off in task manager
and then delete that you should then try running in safemode and deleting. But heck,
my old system did not even appear to have a safe mode (Win 98, dos mode was my option,
did not need it though). Good luck.
On Sunday, May 9, 2004 at 10:59 pm, Nathan Griffin wrote:
>Pat,
>The Trendmicro software seems to have worked for me, too.
>However, I have another mouse lurking in the background and I have not been able
>to get rid of it. The Trendmicro software did not get rid of this one:
>"www.no-beba-al-agua.com", which does the same thing as belgiandip, even calling
>up some of the same ads. Maybe it's from the same source...
>Any help to remove this would be greatly appreciated.
>Thanks for reading....
>Nathan
>
>
>
>
[Reply or follow-up to this message]
|
i found a way to rid of it
Tuesday, May 11, 2004 at 5:10 pm Posted by jason
(1 messages posted)
Everyone, download ad-aware 6, it will get rid of everything. This is serious, it's a
fantastic program to get rid of adware.
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION:pat
Tuesday, May 11, 2004 at 7:18 pm Posted by Sara
(1 messages posted)
I am also having a problem with no-beba-el-agua.com after dealing with belgiandip.com
and can't seem to get rid of it. I also have popup windows that say adserve. Anyone
know how to get rid of these?
On Sunday, May 9, 2004 at 10:59 pm, Nathan Griffin wrote:
>Pat,
>The Trendmicro software seems to have worked for me, too.
>However, I have another mouse lurking in the background and I have not been able
>to get rid of it. The Trendmicro software did not get rid of this one:
>"www.no-beba-al-agua.com", which does the same thing as belgiandip, even calling
>up some of the same ads. Maybe it's from the same source...
>Any help to remove this would be greatly appreciated.
>Thanks for reading....
>Nathan
>
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION:pat
Friday, May 14, 2004 at 8:53 pm Posted by John Naughton
(3 messages posted)
Hardryve from Federazione of Famiglia's&Naughtons Quadrant
If you have ZoneAlarm go to the permission panel or control panel and you will see
what is incoming and outgoing on your system, I found the location of the trouble
I was recently having by looking there. And I had posted my hijackthis log on Coyote's
Forum and on Lockergnome. Plus I was using Spybot S&D, and Ad-aware, ran scans on
"Panda, Trendmicro", and a host of other software.
Everything helped but it wasn't until I looked at the permissions panel in ZoneAlarm
that not only showed them (werule, Thinstaller client) but where they were located
on my system. ZoneAlarm is free and most intelligent in my opinion, as the others
could not detect it. Try it and have a look, you are able to control incoming and
outgoing on it by permissions, just block them, and ZoneAlarm will halt all incoming
as well outgoing programs, that simple........Hardryve
Mr. John Naughton aka: Hardryve.
On Sunday, May 9, 2004 at 10:59 pm, Nathan Griffin wrote:
>Pat,
>The Trendmicro software seems to have worked for me, too.
>However, I have another mouse lurking in the background and I have not been able
>to get rid of it. The Trendmicro software did not get rid of this one:
>"www.no-beba-al-agua.com", which does the same thing as belgiandip, even calling
>up some of the same ads. Maybe it's from the same source...
>Any help to remove this would be greatly appreciated.
>Thanks for reading....
>Nathan
>
>
>
>
[Reply or follow-up to this message]
|
belgiandip.com :S!
Sunday, May 16, 2004 at 3:08 pm Posted by Fernando
(2 messages posted)
The popup is "belgian dip" and so far it evades pop-up
>blockers and spyware removal software.
>
>Delete pup.exe and over.exe in your
>program files directory.
>
>Then go into C:\Windows and delete another
>pup.exe from there. If you cannot find that it may be
>renamed as something else so anything that has a file size
>of 64k is potentially it. Go by its weird visual basic
>icon, or check its properties; company is totempol
>or werule.
>
>Then go into system32 and find files from the same
>company and size and delete them. If it says you can't, hold
>control alt delete and end that program task. Then you can
>delete it easily.
>
>After that search in your registry for
>"over.exe" or "pup.exe" and especially the
>file you just deleted in system32. Remove those entries and
>you are done! No need to scan your computer and waste time
>like I did. No need to thank me Good Luck
I've been having this problem for a couple of weeks now, and found this subject here
on this board over a week ago (as well as in a couple of other places). I've done
everything you described here.....and I am STILL having this pop-up window problem!
Not just with the belgiandip one, but having blank windows pop-up also. I got rid
of those pup and over files, but didn't find anything in my Windows Registry, nor
was there anything in my system32 directory.
I'm having the pop-up problem not only while browsing the web, but even when I am
OFFLINE, believe it or not! It seems to occur periodically when I open a new browser
window or when I close one out. I've also found some more detailed (and complex)
info on both the Symantec and McAfee websites. Also, I had to deal with this other
"adclicker" (as it turns out to be called) problem with something called alchem.exe.
I did find that and several corresponding files relating to it, and got rid of all
of them.
Please, please, PLEASE help me out here! This is driving me nuts, and I want to end
this once and for all!
I have Windows 98 but I have the same problem as yours, pls help me
[Reply or follow-up to this message]
|
re: belgiandip.com :S!
Tuesday, May 18, 2004 at 6:54 am Posted by Lindsay
(1 messages posted)
It seems that this virus hides under a few different filenames. The ones that got
rid of it for me when I deleted them were ogonl.exe and pcdlld.exe. You should look
at your startup settings and check the companies of all the programs in there. If
it's Totempole, definitely delete the exe.
On Sunday, May 16, 2004 at 3:08 pm, Fernando wrote:
>
>The popup is "belgian dip" and so far it evades pop-up
>>blockers and spyware removal software.
>>
>>Delete pup.exe and over.exe in your
>>program files directory.
>>
>>Then go into C:\Windows and delete another
>>pup.exe from there. If you cannot find that it may be
>>renamed as something else so anything that has a file size
>>of 64k is potentially it. Go by its weird visual basic
>>icon, or check its properties; company is totempol
>>or werule.
>>
>>Then go into system32 and find files from the same
>>company and size and delete them. If it says you can't, hold
>>control alt delete and end that program task. Then you can
>>delete it easily.
>>
>>After that search in your registry for
>>"over.exe" or "pup.exe" and especially the
>>file you just deleted in system32. Remove those entries and
>>you are done! No need to scan your computer and waste time
>>like I did. No need to thank me Good Luck
>I've been having this problem for a couple of weeks now, and found this subject here
>on this board over a week ago (as well as in a couple of other places). I've done
>everything you described here.....and I am STILL having this pop-up window problem!
>Not just with the belgiandip one, but having blank windows pop-up also. I got rid
>of those pup and over files, but didn't find anything in my Windows Registry, nor
>was there anything in my system32 directory.
>
>I'm having the pop-up problem not only while browsing the web, but even when I am
>OFFLINE, believe it or not! It seems to occur periodically when I open a new browser
>window or when I close one out. I've also found some more detailed (and complex)
>info on both the Symantec and McAfee websites. Also, I had to deal with this other
>"adclicker" (as it turns out to be called) problem with something called alchem.exe.
>I did find that and several corresponding files relating to it, and got rid of all
>of them.
>
>Please, please, PLEASE help me out here! This is driving me nuts, and I want to end
>this once and for all!
>
>I have Windows 98 but I have the same problem as yours, pls help me
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Sunday, May 23, 2004 at 11:12 pm Posted by archie
(1 messages posted)
How come I can't delete the file from system32...help me please...I'm going nuts
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
update on files to delete
Monday, May 24, 2004 at 11:57 am Posted by mero
(1 messages posted)
I first got belgiumdip popup every 5 browsers opened. And then the number multiplied
to 4, 5 and even more popups! When I would go to close the popup another would popup.
Initially, after once or twice, the popups would stop but it came to a point where
5 popups would open all at once and when I'd quickly close them, they would continually
open again and again and again and again...
I found this site and tried to get rid of this problem and it seems that this "virus"
is changing. Here's what I found.
As many people have written above, deleting exe files from c drive and from windows\system32
folder will stop the popups. The problem is that the name of exe files were different
from any of the names that have been listed in this thread so far. I only was able
to find pup.exe but that was it and I still had belgiumdip popups!
I tried to find files that had company name "totempole" and another name that was
listed in a post above and of course I couldn't find any.
I was finally able to find the right files by going to the windows\system32 folder
and sorting the files by size. There were a bunch and I mean like 7 or so files
with a distinct icon that were EXACTLY 64kb in size! They were also listed under
properties as being from a company named "Thunderdome" and NOT "totempole"! I knew
these were the files so I tried to delete them but couldn't because they were in
use.
So I opened up taskmanager but couldn't find corresponding running program with these
popup exe files in the windows\system32 folder.
So I went down the list of programs running and closed the non-system programs that
seemed ok to close. And then I tried to delete the 64kb exe files in windows\system32
folder and that solved the problem.
I wasn't able to check for other 64kb virus exe files in other parts of my c drive.
I tried to do a search but stupid search won't let me specify file size, only "atmost"
or "atleast" a certain size.
I guess I could go through the names of files I found and deleted in my windows\system32
folder and look for them on my c drive using search but my browser is working fine
now and I don't wanna bother.
CONCLUSION: Forget looking for specific file names or looking for company name because
they seem to change. Open up your windows\system32 folder and sort files by size
and look for 64kb sized files and delete them!
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Monday, May 24, 2004 at 3:36 pm Posted by VICTOR
(1 messages posted)
Belgian dip popups have taken over my computer and I need help. I have been following
this page and it's getting worse. Please Help!
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
re: belgiandip.com residual problem
Sunday, May 30, 2004 at 3:35 pm Posted by Mike Lowry
(1 messages posted)
I want to thank every one for the help with this really annoying pop up problem.
I had to use almost everyone's advice as it was all through my computer, but I still
have a problem that started when the virus started. When my Internet Explorer is
opened everything is fine but if I go to a web site that opens in another window
(like the search in this forum) another window comes up but it is just that, no address
on top or bottom and you just see the page underneath. The hourglass is on the cursor
but it doesn't do anything. Also if I go back to the original page and try again
Internet Explorer will shut down. Can anyone help with this?
On Sunday, April 18, 2004 at 12:18 am, skippy wrote:
>I just downloaded the Adware and it took care of the problem.
>
>Make sure you update the software once you download it.
>
>I also had to update my WMP to get it to work but it's back to normal now.
>
>
>
[Reply or follow-up to this message]
|
re: belgiandip.com residual problem
Wednesday, June 2, 2004 at 4:04 pm Posted by CrazyTalk
(2 messages posted)
I had the Belgian Dip trojan/worm/ whatever the crap it is on my computer and I think
I managed to get it off by following some of the above tips and such. I still have
a problem though, when I'm in Internet Explorer, starting it up, closing it down
or just surfing, a window pops up on the bottom browser bar at the bottom of the
screen. The window is not actually a window but just appears in the browser bar with
either the name: "--- --Microsoft Internet Explorer" or "~close~" (no quotes though)
I have tried to search for the first to no avail, but when I searched for "~close~"
on google or any search engine, the Internet Explorer window automatically closes!
FRUSTRATION!
On Sunday, May 30, 2004 at 3:35 pm, Mike Lowry wrote:
>I want to thank every one for the help with this really annoying pop up problem.
>I had to use almost everyone's advice as it was all through my computer, but I still
>have a problem that started when the virus started. When my Internet Explorer is
>opened everything is fine but if I go to a web site that opens in another window
>(like the search in this forum) another window comes up but it is just that, no address
>on top or bottom and you just see the page underneath. The hourglass is on the cursor
>but it doesn't do anything. Also if I go back to the original page and try again
>Internet Explorer will shut down. Can anyone help with this?
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Saturday, June 12, 2004 at 5:10 pm Posted by Jess
(1 messages posted)
Hi Guys,
I am committed to removing this confounded nuisance too, so I just thought I'd let
you know that my file was under "werule" and my Firewall picked it up, but the nuisance
file in windows 32 was nputi.exe. If we keep sharing the names they use it will help
others. I wish someone would deal with companies like this permanently!! Thanks again
for your help I would not have found it if you hadn't mentioned "werule".
On Tuesday, March 9, 2004 at 9:46 pm, Anonymous wrote:
>
>Delete pup.exe and over.exe in your program files directory. Then go into C:\Windows\
>and delete another pup.exe from there. If you cannot find that it may be renamed
>as something else so anything that has a file size of 64k is potentially it. Go
>by its weird visual basic icon, or check its properties; company is totempole or
>werule. Then go into system32 and find files from the same company and size and
>delete them. If it says you can't, hold control alt delete and end that program task.
>Then you can delete it easily. After that search in your registry for "over.exe"
>or "pup.exe" and especially the file you just deleted in system32. Remove those
>entries and you are done! No need to scan your computer and waste time like I did.
>No need to thank me :D Good Luck
[Reply or follow-up to this message]
|
re: belgiandip.com - programs by totempole
Monday, June 21, 2004 at 8:41 pm Posted by Akashan
(1 messages posted)
Is there any way to actually FIND this totempole dude? He is probably for hire....
On Saturday, May 1, 2004 at 4:00 pm, Jay wrote:
>I did not find any of the files (pup.exe, werule.exe, etc) that others had. However,
>based on the 64KB size info, I was able to locate the two files sr2cm.exe and ldap32w.exe
>- both in windows/system32 folder. Both these files were by the company totempole.
>As soon as I deleted them, my frustrations ended. No more belgiandip window. None
>of the programs - NIS, PC Mag's CookieCop, SpyBot and others - could prevent the
>very annoying pop-up.
[Reply or follow-up to this message]
|
re: belgiandip.com EASY SOLUTION
Friday, June 25, 2004 at 2:04 pm Posted by Muzlhed
(2 messages posted)
I tried for days to get rid of the UndergroundLair pop-up ads. They have changed
the name of the program from pup.exe and over.ext to, in my case, rico.exe and MRTL.exe.
I was finally successful in locating the files by searching for all recent .exe files
that are 64kb. One file will be in the windows directory, the other in windows/system32.
The hosting company for undergroundlair.net is Datapipe.net. You can call them or
use their live chat support and they will give you removal instructions for this
trojan.
The company responsible is called Invisible Inc. Advertising at 702-697-0216. Their
web page is invinc.com. They don't pick up the phone for obvious reasons.
Call DataPipe toll free at 877-773-3306 - they're open 24 hours.
[Reply or follow-up to this message]
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Thursday, July 1, 2004 at 9:11 am Posted by Stuart
(1 messages posted)
This was very helpful. On my machine with this problem, the files were named "rico.exe"
and "lbc.exe". Deleting these files appears to have solved the problem with Belgiandip
pop ups. Spy Sweeper claimed to remove the adware, but it just came right back on
reboot until I deleted these files manually. However, Spy Sweeper did help me identify
the source of the problem, whereas AdAware and SpyBot could not. Check in both c:\windows
and c:\windows\system32. By the way, they were attributed to "Thunderdome", not
"werule" or "totempole".
On Saturday, April 17, 2004 at 7:40 am, Jack wrote:
>I think I have a simple solution to your problem!
>
>Go to windows>system32, let your pc search for all "exe" files. (also the hidden
>files) When the search engine is ready, you select the list of files, on volume (Kb's).
>
>You only have to be interested in files with 64kb. The files may have different names
>but if you watch in "properties" you will see if it's a "totempole" or a "werule"
>file.
>
>First I was not able to delete the exe files because they were active at the moment.
>This problem can be solved if you shut down your pc and restart it in
>"safe mode"
>
>Now you just repeat the same things and you will see that it is possible to eliminate
>the "exe" files.
>
>If you want to be sure that all the files are eliminated, you also need to run a
>search on "program files"!
>
>Good luck
>
>Jack
[Reply or follow-up to this message]
|
More Information
Friday, July 2, 2004 at 7:56 am Posted by Harry May
(1 messages posted)
I also found some interesting files and once I deleted
them, I no longer get the pop up messages.
In C:\WINNT\SYSTEM32, I found some files that you
had to change the attributes in order to see them.
The first thing I did was to boot to the command
prompt in SAFE MODE. Next, I changed to the
C:\WINNT\SYSTEM32 directory. I used the DIR /AH
command to see the files that are hidden. There were
about 20 files that were hidden but there were about
8 of them that had weird names. I also noticed they
all had the same timestamp on them. They also were
the same size (233,511 bytes). You have to change
the attributes on these files using the ATTRIB -H -S
command to take the hidden and system attributes
off before you can delete them.
The next thing was to go into the REGEDIT command
so I could look at the HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
area. I found another file that had a weird name like
JwqUeC.EXE. I deleted this line.
After rebooting, I no longer get the pop ups.
Hope this helps anyone!
[Reply or follow-up to this message]
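The size-based hunt described in the posts above (executables of about 64 KB whose names and company strings keep changing, hidden files that share one size, and the HKLM Run entry) can be done in one read-only pass. This PowerShell script is an added example, not something posted in the thread; the directory list, the 64 KB size window and the three-file cluster threshold are assumptions.

```powershell
# Added triage example, not from the thread. Read-only: it lists candidates, deletes nothing.
# Assumptions: the directory list, the size window and the 3-file cluster threshold.
$dirs = @($env:windir, (Join-Path $env:windir 'System32'), $env:ProgramFiles)

# Company strings posters reported seeing in the file properties.
$companyPattern = 'totempole|werule|thunderdome'

# Explorer rounds sizes up, so a file shown as "64 KB" is in (63 KB, 64 KB] bytes.
$minLen = 63KB
$maxLen = 64KB
# Exact byte size one poster reported for the hidden files.
$exactSizes = @(233511)

# -Force includes hidden and system files (what DIR /AH shows at the command prompt).
$exes = foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
}

# Executables in one directory that share an identical byte size with two or more others.
$clusters = @{}
$exes | Group-Object DirectoryName, Length | Where-Object { $_.Count -ge 3 } |
    ForEach-Object { foreach ($f in $_.Group) { $clusters[$f.FullName] = $_.Count } }

$suspects = foreach ($f in $exes) {
    $company = $f.VersionInfo.CompanyName
    $reasons = @()
    if ($f.Length -gt $minLen -and $f.Length -le $maxLen) { $reasons += 'shown as 64 KB' }
    if ($exactSizes -contains $f.Length)                  { $reasons += 'size reported in thread' }
    if ($company -match $companyPattern)                  { $reasons += 'company string' }
    if ($clusters.ContainsKey($f.FullName)) {
        $reasons += "same size as $($clusters[$f.FullName] - 1) other files here"
    }
    if ($reasons.Count -eq 0) { continue }

    [pscustomobject]@{
        Path     = $f.FullName
        Name     = $f.Name
        Length   = $f.Length
        Modified = $f.LastWriteTime
        Hidden   = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
        Company  = $company
        Reasons  = $reasons -join '; '
    }
}

# Cross-check the Run key named in the post: which values launch a listed file?
$runPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey  = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
$runHits = if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        $cmd = [string]$runKey.GetValue($valueName)
        foreach ($s in $suspects) {
            if ($cmd.IndexOf($s.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ RunValue = $valueName; Command = $cmd; File = $s.Path }
            }
        }
    }
}

$suspects | Sort-Object Path |
    Format-Table Path, Length, Modified, Hidden, Company, Reasons -AutoSize -Wrap
'Run entries that launch a listed file:'
$runHits | Format-Table -AutoSize -Wrap
```

A match on size alone is only a lead, since legitimate Windows executables can fall in the same size window; the company string, the hidden attribute and a matching Run entry are what narrow the list.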
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Saturday, July 3, 2004 at 5:23 am Posted by olivier
(1 messages posted)
Yes, it's a little Frenchy! Thanks for all your solutions, I killed this bad thing too,
and keep courage against Bush, who is the only American person that the French don't
like. Sorry for the orthography! Bye
On Wednesday, April 21, 2004 at 5:47 pm, John Naughton wrote:
>
>This is still going on for me at the present time, I have found the pup.exe file
>and deleted it so I presume, posted a hijack log on Coyote's forum, had Higham check
>it and then deleted if I can remember at the moment something like xxioi.exe some
>kind of adult $hit and a few others from his checking with others scrupulous intelligencia.
>
>But to no avail I have read all the replies on this subject as well as checked myself
>on whois both on RIPE as well the other one that was posted here.
>
>Did as mentioned about searching all exe's 64kbs, hidden and system32, programs and
>anything else I could think of. I have posted a copy of the hijack log on Lockergnome
>and so on and so forth, If there is more info please reply as this bastard still
>prevails as a terrorist on my PC, Thank you all for hearing my gripe.
>Hardryve 4/21/04 9:00pm EST
>
>Mr. John Naughton aka: Hardryve.
[Reply or follow-up to this message]
|
re: belgiandip.com residual problem
Tuesday, July 13, 2004 at 6:51 am Posted by Mandy
(1 messages posted)
I had the wonderful belgian dip also. I've downloaded Spybot S&D and it didn't catch
it but when I downloaded and ran Adware it came up with WINPUP which I had seen mentioned
in other forums regarding Belgian Dip. I removed everything it found and I haven't
had a problem since. I also downloaded Spy Blaster and CW Shredder. So maybe the
combination of the four? Either way it's gone and it's great!
On Wednesday, June 2, 2004 at 4:04 pm, CrazyTalk wrote:
>I had the Belgian Dip trojan/worm/ whatever the crap it is on my computer and I think
>I managed to get it off by following some of the above tips and such. I still have
>a problem though, when I'm in Internet Explorer, starting it up, closing it down
>or just surfing, a window pops up on the bottom browser bar at the bottom of the
>screen. The window is not actually a window but just appears in the browser bar with
>either the name: "--- --Microsoft Internet Explorer" or "~close~" (no quotes though)
>I have tried to search for the first to no avail, but when I searched for "~close~"
>on google or any search engine, the Internet Explorer window automatically closes!
>FRUSTRATION!
[Reply or follow-up to this message]
|
re: belgiandip.com residual problem
Wednesday, September 8, 2004 at 10:45 pm Posted by Charles
(2 messages posted)
It has been three months since Belgiandip reared its ugly head on this forum; five
months since it wormed its way onto our computers here at the house, and thankfully
nearly two months since I finally got rid of it.
Because of it, I have downloaded many great programs. Because of it, I have become
active in security forums, and have learned a great deal.
Since the arrival of Belgiandip, Microsoft was forced to take warnings about its
OS' security flaws a bit more seriously, and although initial reviews of SP2 are
very mixed and cautionary, one would presume, Microsoft is still working hard to
fix the problem and in some cases, fix the fixes!
A few excellent programs became stronger - Ad-Aware, Spybot, to name a few; new programs
were written - a2 (a Squared) http://www.emsisoft.com/en/software/free/
I can't help but wonder what the damage$ this 64kb piece of code will be responsible
for!
[Reply or follow-up to this message]
|
re: belgiandip.com A SIMPLE SOLUTION!!!
Wednesday, September 22, 2004 at 9:51 am Posted by David Barbee
(1 messages posted)
Worked for me: An on-line virus scan detected five trojan horse files on my harddrive.
Deleting these files also deleted the Belgian Dip problem.
The files were alchem.exe, polmx.exe, polmx3.exe, wupdt.exe, and tpjhcc.exe.
Which one, or ones, were responsible I do not know, I just know after deleting these
five files, the Belgian Dip problem went with them. Good luck.
On Thursday, July 1, 2004 at 9:11 am, Stuart wrote:
>This was very helpful. On my machine with this problem, the files were named "rico.exe"
>and "lbc.exe". Deleting these files appears to have solved the problem with Belgiandip
>pop ups. Spy Sweeper claimed to remove the adware, but it just came right back on
>reboot until I deleted these files manually. However, Spy Sweeper did help me identify
>the source of the problem, whereas AdAware and SpyBot could not. Check in both c:\windows
>and c:\windows\system32. By the way, they were attributed to "Thunderdome", not
>"werule" or "totempole".
[Reply or follow-up to this message]
|
re: belgiandip.com: Mutated / Migrated? ow32w.exe
Saturday, November 13, 2004 at 8:42 pm Posted by ccam
(1 messages posted)
Well, I just deleted no less than 69 different versions of this #@&%* bug, all as
suggested above, 64kb in size with thunderdome or totempole listed in the company
field. And as advised, I did have to End Process for many in Task Manager. Wish
I could attach a listing, but follow those instructions and see if it works for you.
On Wednesday, April 21, 2004 at 5:34 pm, u660699 wrote:
>Hi, whilst I never went near belgiandip.com ....
>I did manage to pick up something which sounds very similar to the problems described
>in other posts here ...
>details plus how I fixed follows ....
>
>ow32w.exe Trojan from Totempole found on my XP machine - now removed (I hope).
>
>Symptoms: Explore Notepad hijacked . Right clicking to open causes pop ups
>
>Missed by SpyBot, Adaware, Trendmicro Antivirus :-(
>Brownie points to Hotmail for spotting a virus when I had all the offending files
>zipped up!
>Internet access attempts stopped by Zonealarm.
>
>Thanks to Spybot "Tools-System start up" for spotting ow32w.exe and B6Jhpjm.exe
>
>ow32w was running as a process.
>Killed it (plus any spawned processes) using Process Explorer from www.sysinternals.com
>
>No registry changes required that I could spot - unless of course you know better....
>
>Removing the following files fixed it.
>
>\Local Settings\Temp
> ======================================================================
> B6Jhpjm.exe 228 KB 16/04/2004 11:31:44 AM a
> Total 1 file(s); Size: 233667 Byte(s)
>
>\Program Files
> ================================================================
> over.exe 3 KB 20/04/2004 11:22:34 PM a
> pup.exe 245 KB 20/04/2004 11:22:34 PM a
> Total 2 file(s); Size: 254901 Byte(s)
>
>\Windows
> ==========================================================
> bdl94126.exe 58 KB 01/03/2004 04:02:00 PM a
> pup.exe 64 KB 26/02/2004 04:17:50 PM a
> update12.js 1 KB 01/03/2004 11:50:40 PM a
> Total 3 file(s); Size: 126314 Byte(s)
>
>\Windows\prefetch
> ===================================================================
> B6JHPJM.EXE-16AE5CE1.pf 21 KB 16/04/2004 11:31:54 AM a
> BDL94126.EXE-195022B7.pf 24 KB 20/04/2004 11:23:00 PM a
> OW32W.EXE-26648B26.pf 12 KB 20/04/2004 11:22:56 PM a
> PUP.EXE-0402600B.pf 15 KB 20/04/2004 11:22:44 PM a
> PUP.EXE-052747AD.pf 17 KB 20/04/2004 11:22:44 PM a
> PUP.EXE-3934063A.pf 15 KB 20/04/2004 11:22:46 PM a
> Total 6 file(s); Size: 110244 Byte(s)
>
>\Windows\system32
> ===================================================================
> O 1 KB 16/04/2004 11:32:16 AM a
> O.BAT 1 KB 16/04/2004 11:32:16 AM a
> ow32w.exe 64 KB 26/02/2004 04:17:50 PM a
> Total 3 file(s); Size: 65880 Byte(s)
>
>O.BAT contains the following:
>==========================================================
>if not exist C:\WINDOWSstatuslog ftp -s:o
>if exist bs5-nt15v.exe bs5-nt15v.exe
>if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
>if exist silent.exe silent.exe
>if exist CS4P028.exe CS4P028.exe
>==========================================================
>
>I didn't find cs4p028.exe or silent.exe on my machine but a couple of postings suggest
>others have.
>Other postings suggest that other files are also created.
>I deleted a " Thinstaller client " that may also be associated with this
>zonealarm also shows a file u070104.exe (unclear on timings but looks dodgy!)
>
>ow32w.exe Properties Version Company information suggests that " Totempole " are
>the "people" concerned.
>
>WARNING
>The Javascript file contains the url of a web site
>WARNING >>> searchcentral.cc <<< DANGEROUS TROJAN SITE
>PLEASE RESIST the temptation to browse the site.
>I went in with IE6.0 (yes I know it is stupid and I have now installed the latest
>SP)
>with the Security Settings on High and got several pop-ups plus at least 2 executables
>(over.exe and pup.exe) installed....I'm not going back
>
>
>Worrying aspect from my viewpoint is that:
>a) I remain unclear how I picked this up
>b) lost some faith in spybot and adaware
>c) not convinced I have found everything
>Any suggestions/thoughts welcomed.
>
>Hopefully info provided is sufficient to help others / encourage some updates.
>
>
>
[Reply or follow-up to this message]
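Added example, not part of the original thread: XP names each prefetch trace after the executable plus a hash of the path it was run from, so the \Windows\prefetch entries in the listing quoted above can be cross-checked against the copies found on disk. The file names are copied from that listing; the function name `unexplained_runs` is hypothetical.

```python
import re
from collections import defaultdict

# (directory, file) pairs copied from the listing in the quoted post.
ON_DISK = [
    (r"\Local Settings\Temp", "B6Jhpjm.exe"),
    (r"\Program Files", "over.exe"),
    (r"\Program Files", "pup.exe"),
    (r"\Windows", "bdl94126.exe"),
    (r"\Windows", "pup.exe"),
    (r"\Windows\system32", "ow32w.exe"),
]
# \Windows\prefetch entries copied from the same listing.
PREFETCH = [
    "B6JHPJM.EXE-16AE5CE1.pf",
    "BDL94126.EXE-195022B7.pf",
    "OW32W.EXE-26648B26.pf",
    "PUP.EXE-0402600B.pf",
    "PUP.EXE-052747AD.pf",
    "PUP.EXE-3934063A.pf",
]

# Prefetch trace name: <EXE NAME>-<8 hex digit path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def unexplained_runs(on_disk, prefetch):
    """Return {EXE: (distinct prefetch hashes, copies listed on disk)} for
    executables that ran from more paths than the disk listing accounts for."""
    copies = defaultdict(set)
    for directory, name in on_disk:
        copies[name.upper()].add(directory.upper())
    hashes = defaultdict(set)
    for entry in prefetch:
        m = PF_NAME.match(entry)
        if m is None:
            continue  # not a prefetch trace file name
        hashes[m.group("exe").upper()].add(m.group("hash").upper())
    return {
        exe: (len(h), len(copies[exe]))
        for exe, h in hashes.items()
        if len(h) > len(copies[exe])
    }

if __name__ == "__main__":
    for exe, (ran, found) in unexplained_runs(ON_DISK, PREFETCH).items():
        print(f"{exe}: {ran} prefetch path hashes, {found} copies listed on disk")
```

On the quoted listing this flags PUP.EXE: three path hashes but only two copies listed, so at least one run came from a location the listing does not show.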
|
re: McAfee Popups on desktop when booting
Wednesday, March 30, 2005 at 11:28 am Posted by Hazel B. Senn
(1 messages posted)
McAfee user for years. Paid regularly. (Now getting free from AOL) Been getting TWO
desktop reminder (POPUPS) of expiration date for years when booting.
Slows loading time. Is very annoying to "cancel" before beginning work. Tried everything
known to man to delete. What can you do? What can I do? I can switch to Nortons
if you don't eliminate this pesky problem immediately. BooksMe2@aol.com, Hazel B.
Senn, P.O. Box 252, Cowpens, SC 29330
>
>
[Reply or follow-up to this message]
|
re: McAfee Popups on desktop when booting
Wednesday, March 30, 2005 at 12:09 pm Posted by Falcon
(13489 messages posted)
Dump it and go with one of the free AV scanners: AVG and Avast are two good ones.

[Reply or follow-up to this message]