Hey guys. I have this Trojan. I have found out some information about it and am posting it here in response to a dead thread elsewhere. I hope the original poster sees this and that it helps them if they haven't already been helped (the thread didn't really help the poster much... *bites tongue*). Anyway, I also have it, and if anybody has any information about it other than what I post, please post it.
Trend Micro's PC-cillin catches it. I'm pretty sure HouseCall does too (made by the same company, but it is free and runs via web browser). Norton AntiVirus doesn't.
I have found several sites on the Trojan. http://www.google.com/search?q=TROJ_WINPUP.B&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N
That's the address to search Google for the Trojan, and I found several responses worth reading there other than Trend Micro's page in about 10 different versions (mainly language/region differences). Now to why I am posting this:
I have found that it doesn't actually write over notepad.exe (which is all that would be needed to do what it's doing if you want to get down to it; it's very easy to do, just move something with the same name to its folder. I think it was TechTV that just did a report on hacking Notepad to add things to the drop-down menus). Instead, what it does is link whatever runs Notepad to something else. This is really ingenious in my opinion. If all you really want is to get the ability to use Start ---> Programs ---> Accessories ---> Notepad to work again, just change the properties of the shortcut there to Notepad to look like http://gonffen.f2o.org/images/fixnotepad.gif
To further fix this problem will be a slightly harder task. If you don't use Internet Explorer (which, if you do, I highly suggest switching to Mozilla Firefox http://www.mozilla.org/products/firefox/) and don't have anything else that points to Notepad in the way IE does, you will be fine this way, except it will run the *.exe's from the Trojan and leave the registry keys. If you do use IE, it will have the same effect, except it will continue to connect to the server and bring you pop-up ads, and whenever you try closing one of these ads, connect to the site and get a list of ads to show again.
It is my suspicion that to completely free Notepad from this menace you can just change something in the registry (Start ---> Run ---> type "regedit" --- note: do not edit the registry unless you know what you're doing first).
So far I have not found anything to prove this. And it's kind of pointless yet interesting at the same time. I personally wouldn't mind a look at the source of the Trojan.
When I find out more about removing this Trojan, more about it, etc., I will post it here.
-gonffen
P.S. This was written to go in the post that originally brought up this topic, so I am sorry if something is unclear... post and I will answer the question.

By reading more into this, I have found that I think I have a new variant of the Trojan.
However, I think I can still help those with previous versions. So far it appears to be gone. I have deleted pup.exe from C:\program files and notepad.exe from C:\windows\system32\
That notepad.exe is the one that is causing all the problems. Then you go over to Start ---> Programs ---> Accessories ---> notepad.exe, then right-click and hit Properties.
Once this window opens up, change the shortcut's link to the location of the REAL notepad.exe: C:\windows\notepad.exe
This appears to take care of it.
I would still remove all registry entries caused by this Trojan though. If anybody has any questions that I haven't answered in my search, I would be glad to help you, since this Trojan is such a pain.
-gonffen

I don't know if you have found a solution, but here is something I hope will help you. I was also afflicted by those little buggers. Also, please beware of spywarenuker.com and its distributors. They are in the practice of propagating viruses in order to make you think you need their software. They have a site called www.adaware.com that promotes software called ada-ware, but that is simply spywarenuker.exe masked. Do not fall for that trap. If you do, you will get flooded with pup.exe up to your elbows. Instead go to the actual Ad-aware 6 site: www.lavasoft.com.
Here is what you need to do: Ad-aware does not detect them, but use it anyway and get rid of anything called spyware, data miners, or adware on your computer. We'll eventually get to the registry, but let's first disable the sucker at the root. Buckle up, it's quite a ride!
1. Turn off "System Restore" because the virus will lodge itself in there when you try to delete it. Go to your Windows\system32 directory and list all the files by type. To do this, click on the Type heading at the top of the window. Once you've done that, examine every .exe file's properties, especially the ones that look like they were named at random. Click on the Version tab to see if it was created by a company called either "totempole", "werule" or "totally". Also check the original file name. It should say: pup.exe. If that's the case, delete the file. Write down the name so that you can find it in the registry later. Continue deleting them until there are no more occurrences.
2. (By any means avoid opening notepad.exe files.) This little critter rewrites the path of the notepad files and writes a new copy in the system32 folder, so every time you click on a .txt file it activates itself, connects to the net and downloads a new update to itself. Delete the copy of notepad.exe in the system32 folder. (Don't worry, there is a fresh copy in the Windows directory.)
3. Go to the C:\Program Files directory and delete a file called "pup.exe" (250 KB, roughly) and empty the Recycle Bin.
4. Go to C:\Documents and Settings\yourprofilename and select from the main menu Tools\Folder Options. In the View tab, check "Show hidden files and folders." Once you do that, you will be able to access your History, Temp and Temporary Internet Files folders. Delete all the files in the Temp folder. Delete all the files and cookies. Specifically, look for 2 files in the list: one is called "over.exe" (64 KB) and another .exe file of the same size; I believe it might have the same name as mine, which was "B1O1420.exe" (64 KB), that's "b one o one four two zero.exe"; the description for these files reads either "www.belgiandip.com" or "www.achtungachtung.com". It might be different in your system, I don't know. You can go by the size (64 KB). Delete them.
5. Once you have taken the previous measures, you can go to the registry and delete the entries (make sure you back up your registry; you wrote down the .exe filenames you deleted before) in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run". Go into the Windows directory and copy the notepad.exe program into the Windows\system32 directory. Your .txt files will work again, no risk of reactivating the virus.
6. Restart your computer and run Ad-Aware 6 again. You should be all set.
Repeat the steps and hunt the sucker down if necessary (shouldn't be). I told you it would take long! Take care and good luck. Hope this helps.
nlightend
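As an added example that is not part of the thread, the PowerShell script below automates the checks in steps 1 and 5 of the post above on a current Windows (PowerShell 3 or later assumed): it flags System32 executables whose version info carries the company names or original file name the post lists, then prints the Run entries and marks any that reference a flagged file. It only reports; the indicator values come from the post, and the extra HKCU Run key is my assumption.

```powershell
# Added example (not from the thread): read-only audit that automates steps 1 and 5
# of the post above: version-info check of every .exe in System32, then the Run keys
# with any entry that references a flagged file marked. Review before deleting anything.

$SuspectCompanies = @('totempole', 'werule', 'totally')   # company names from the post
$SuspectOrigName  = 'pup.exe'                              # original file name from the post
$System32         = Join-Path $env:SystemRoot 'System32'

function Get-SuspectExe {
    param([string]$Dir)
    Get-ChildItem -Path $Dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi       = $_.VersionInfo
            $company  = ([string]$vi.CompanyName).Trim()
            $origName = ([string]$vi.OriginalFilename).Trim()
            # -contains and -eq are case-insensitive in PowerShell by default
            if (($SuspectCompanies -contains $company) -or ($origName -eq $SuspectOrigName)) {
                [pscustomobject]@{
                    Name             = $_.Name
                    SizeKB           = [math]::Round($_.Length / 1KB)
                    CompanyName      = $company
                    OriginalFilename = $origName
                    LastWriteTime    = $_.LastWriteTime
                }
            }
        }
}

$findings = @(Get-SuspectExe -Dir $System32)
if ($findings.Count -gt 0) {
    Write-Host "Executables in $System32 matching the version-info indicators:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "No executables in $System32 matched the version-info indicators."
}

# Step 5: list the Run entries (HKLM as in the post, plus HKCU) without opening regedit.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "`n$key" -ForegroundColor Cyan
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $hit  = $findings | Where-Object { "$($p.Value)" -like "*$($_.Name)*" }
        $mark = if ($hit) { '   <-- references a flagged file' } else { '' }
        Write-Host ("  {0,-25} {1}{2}" -f $p.Name, $p.Value, $mark)
    }
}
```

Run it from an elevated PowerShell prompt so System32 and HKLM are fully readable; a flagged entry still deserves a look at the file itself before anything is removed.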

Yeah, I got rid of it. All I have left is removing the registry entries... I don't feel like going in right now though... I did it too many times over the weekend for things before this.
I found an easier way to restore Notepad though.
Just delete the one in system32 and change the address of the shortcut in the Start menu. It appears to have fixed everything for me.
I also deleted the randomly generated .exe that pup.exe made.
-gonffen
