Have an ad that keeps popping up. Starts with the title of 'Belgiandip.com' and then the screen changes and goes to an ad for suitcases.
I see some info about this worm but no way to remove it. Anybody have any ideas?

After literally days of searching and re-searching my computer for the source of this problem, I finally found the solution.
I had tried everything from pop-up blockers to spyware-catchers, and NOTHING works on this worm.
Here's what to do:
Do a search on your computer under C:\Windows for a file by the name of pup.exe. This file is the one responsible for replicating all the files that attach themselves to your task manager. Once you find that file, delete it. However, note the icon for the file; you'll see a lot of it soon.
Now, go into C:\Windows and open up the folder called System 32. I'm afraid this part is tedious, but you'll have to go through every one of the files in that folder and search for icons that resemble the one you found for pup.exe. Delete all those files, but jot down their names as you go.
Finally, open up C:\Windows again and open the folder called "Prefetch." You'll see a bunch of documents that look like notepad files (or perhaps other files on your computer). Go through the list you jotted down for all the worm files you deleted, and delete all files in this folder that contain those names. Make sure that, in all steps, you do not accidentally delete files that pertain to your computer's proper functioning. This could cause serious damage.
That ought to permanently take care of your problem. At least, it did on my computer. Interestingly, the file description for the mother-file for the worm is titled "we rule." I guess they weren't expecting to be beaten by a teenage girl. I hope I helped.

Update on my previous post:
Also search for the file "over.exe" which is apparently an alias for "pup.exe." You may have both or just one of these on your computer. Both or one should show up on a C:\Windows search.

After deleting the pup.exe I searched through the System 32 folder and could not find any icons that looked like pup.exe. And also I wasn't able to find the folder called "prefetch". And the belgian dip ad still shows up. What is going on?!!

Hoorj! Thanks Heidi! I think that got the little b---tard... however the only file that looked like pup.exe was tdosn.exe, and it wasn't in the prefetch folder. Anyway, thanks so much =)

DYINGALONE- It seems as though pup.exe has replicated itself. As far as I know, all replicated files should be in the folder System 32. However, if you're absolutely positive that there are no files with the worm icon in System 32, try this. Press ctrl+alt+delete so that task manager shows up. Go to the processes tab. Click on the heading "username", which should group all similar usernames together. Look for all files under your personal name. For example, aiejtl.exe would be under 'joebob' rather than SYSTEM. If your username is joebob, jot down all the names of the files under the IMAGE NAME heading, beside username 'joebob'. Now, go through and end the process of each file, one by one, making sure to open and close an internet explorer window after you delete each one to see if it worked. Say after you end process for file xpleterl.exe, you open an IE window, close it, and get no pop-up windows. You've found the culprit, and you'll know exactly what the filename was, since you wrote it down.
Do a full system search on your computer for the worm file you just found. It'll show up eventually, but DO NOT double-click on it. Every time you do, it replicates itself under a new name. Right click on the culprit file, and select 'open containing folder'. It'll take you straight to the file. Most likely, all the other files (if there are any other ones) will be in that same folder, so search for them. Delete all such files.
To clear a few things up, the worm files should all be in the folder "System 32", or perhaps in another folder in your case.
"Prefetch" is just a folder that contains the scripts for all the files you have in your task manager. If you can't find the folder "prefetch", it's okay. I don't actually have solid proof that the files in "prefetch" were doing the replicating. It was more of a precaution.

Thank you for saving my sanity, I did everything you said and I finally got rid of the little sod.
Just a note to say that in my processes list it appeared as: ppenda, ppromoni, sscds32m, musicd. Hope this helps someone else. Thanks again

I have the same problem, but I deleted the pup.exe and couldn't remember what the icon looks like. What should I do?
Sandy

gah
I found the pup.exe file and found a file in system32 that had the same icon as the pup.exe file, but when I try to delete it I get an error saying "cannot delete ayiptrd : Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use"
So far I've found 2 files with the same icon but every time I tried to delete them I got that error message >.< Any idea how to get rid of those?

You're very welcome to the people I managed to help. :)
s8ndyleung~ I'll try to give you a rough description, from my memory. It's a weird icon that I haven't really seen on any other type of file before. It's a white rectangle, slightly slanted, as if going into the screen (so it looks 3D-ish) and has a strip of turquoise at the very top. If you use internet explorer, it kind of looks like a miniature browser window with a turquoise header.
Andy~ I think DyingAlone had that same problem, and the only thing I could think of that was causing the problem was that the file was running. Restarting your computer ought to take care of the problem, but if it doesn't, here's the response I wrote, in case you don't feel like scrolling through the messages:
Open an internet explorer window and close it (it should trigger replication of the worm). Press ctrl+alt+delete so that task manager shows up. Go to the processes tab. Click on the heading "username", which should group all similar usernames together. Look for all files under your personal name. For example, aiejtl.exe would be under 'joebob' rather than SYSTEM. If your username is joebob, jot down all the names of the files under the IMAGE NAME heading, beside username 'joebob'. Now, go through and end the process of each file, one by one, making sure to open and close an internet explorer window after you delete each one to see if it worked. Say after you end process for file xpleterl.exe, you open an IE window, close it, and get no pop-up windows. You've found the culprit, and you'll know exactly what the filename was, since you wrote it down.
Do a full system search on your computer for the worm file you just found. It'll show up eventually, but DO NOT double-click on it. Every time you do, it replicates itself under a new name. Right click on the culprit file, and select 'open containing folder'. It'll take you straight to the file. Most likely, all the other files (if there are any other ones) will be in that same folder, so search for them. Now that you've ended the processes for the files, it should no longer give you an error message and you can delete them. Pup.exe should be deletable too.
However, make sure you try restarting first, and don't open an IE window until you've deleted all the files. It works most of the time and is a lot less tedious.

Heidi, you have described EXACTLY what the icon in the system32 folder looks like. Mine was renamed "pvkikk" or something like that after I tried to delete the original pup.exe. From responses in a few forums, it does appear that pup.exe randomly assigns itself a new name. It may also change icons, because at one point I had to delete something called install2.exe with a different icon, which looked like a small pyramid of kids' blocks, two on the bottom and one on top. There was also a newly created folder in C:\ called "thinstaller" which I had to delete.
Don't be surprised if, when you shut down following attempts to delete, you see something called "Second Thought Installation", which is apparently saving a newly-named version of pup.exe or over.exe before shutdown. I did a fast power off at the power bar, but that fails to stop the old pup.exe (or other name) from recurring when you start up again. May I suggest:
- temporarily turn off Restore System in System settings of Control Panel
- kill off suspected .exe files in Processes of Task Manager, as Heidi described
- use REGEDIT in Windows folder to delete script lines related to suspect .exe files in your Registry
- delete suspect .exe files and folders from c:\ and from Windows and Windows\system 32 folders
- shut down - if you see a window pop up during shutdown that appears to be doing a re-install, try a fast power off - may prevent a new version of pup.exe from being created
- re-start
- turn System Restore back on
I think I've gotten rid of most traces of pup.exe, although there is still a strange little text file in Windows named 0 (zero) containing 0 bytes which modifies itself just before shutdown, immediately after the BOOTSTAT file modifies itself. I wonder if anyone else has also seen this 0 file - not really sure where it fits into Windows operations or whether it's an intruder. In any event, its modifying before shutdown seems harmless and without effect on restarting the system.
I've become so vigilant and paranoid about pup.exe that I now have pasted shortcuts to REGEDIT and Task Manager on my desktop. I check them immediately on startup and whenever I go offline for new or suspect script of unknown processes. I haven't had to repeat the whole eradication cycle, so it's probably a good idea to stay watchful and nip anything in the bud that looks new or weird in Registry and Task Manager.
Thanks to all of you, and especially Heidi for your detailed descriptions of this nasty little bug.
Paul
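
Added example, not part of the original thread or any poster's words: a read-only PowerShell triage that automates the two checks described above, grouping running processes by the logged-on user and looking for Registry autostart lines that point at them. It assumes a Windows version with PowerShell 3 or later and checks only the two standard Run keys; the thread does not say which Registry entries this adware used.

```powershell
# Added example: read-only triage. Nothing is ended, deleted or changed.
# Assumption: only the two standard Run keys are checked for autostart entries.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Collect autostart commands (what relaunches a program at every logon).
$autostart = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
}

# 2. Walk processes owned by the logged-on user (the Task Manager "User Name" grouping).
$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    $path = $proc.ExecutablePath
    if (-not $path) { continue }                       # no readable image path
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    if (-not $owner -or $owner.User -ne $env:USERNAME) { continue }

    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    # Literal, case-insensitive match of the image path inside each Run command.
    $runs = @($autostart | Where-Object {
        $_.Command.IndexOf($path, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })

    [pscustomobject]@{
        ProcessId   = $proc.ProcessId
        Name        = $proc.Name
        Path        = $path
        Created     = if ($file) { $file.CreationTime } else { $null }
        Signature   = if ($sig) { $sig.Status } else { 'Unknown' }
        InWindows   = $path.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
        RunKeyEntry = ($runs | ForEach-Object { "$($_.Key)\$($_.Name)" }) -join '; '
    }
}

# 3. Unsigned images under the Windows folder first, then newest files first.
$report | Sort-Object @{ Expression = { $_.InWindows -and $_.Signature -ne 'Valid' }; Descending = $true },
                      @{ Expression = 'Created'; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

A row that is unsigned, sits under the Windows folder, was created recently and has a RunKeyEntry is a lead to investigate, not a verdict; legitimate programs can match some of these columns.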

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.