# Solved: belgiandip



## Roe727 (Mar 9, 2004)

When I close out my IE I get several pop-ups....one says at the top...belgiandip.com....WHAT IS THIS?? and HOW DO I GET RID OF IT??


----------



## mobo (Feb 23, 2003)

Please get Spybot S&D to clear out any spyware.
http://www.safer-networking.org/index.php?page=mirrors

Install the program and open it.

Before doing any scanning, click Online and Search for Updates.
Put a check mark at and install all updates.
Click Check for Problems and when the scan is finished have Spybot fix all it finds marked in red.

Then after reboot:
Download 'Hijack This!'. http://www.tomcoyote.org/hjt/ or from http://www.majorgeeks.com/downloadg...a8baee6434cfc13
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "scan" button will change into a "save log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.


----------



## Roe727 (Mar 9, 2004)

Ok, this is the situation. I have run Ad-aware and Spybot Search and Destroy. The Belgiandip file is hiding somewhere because it is not in my add/remove programs etc. I also get an e-bay pop-up when I close out of IE. It is driving me crazy because every time I close out of IE, I get anywhere from 1-3 pop-ups, even if I use a pop-up killer. My question is: where would I find the file for the belgiandip program and the file for the e-bay program, so that I can directly delete them??? I am posting a log as you requested, but as you will see, they are not there. HELP.....thank you...

Logfile of HijackThis v1.97.5
Scan saved at 7:33:17 AM, on 3/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\OXMSDECV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\MY DOCUMENTS\ROE'S DOCS\HIGHJACK THIS\HIJACKTHIS.EXE
C:\MY DOCUMENTS\ROE'S DOCS\HIGHJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [OXMSDECV] C:\WINDOWS\SYSTEM\OXMSDECV.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.1817939815
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab


----------



## mobo (Feb 23, 2003)

Click http://www.kaspersky.com/remoteviruschk.html then "browse" and submit the following
C:\WINDOWS\SYSTEM\OXMSDECV.exe
then wait for its results and post back..


----------



## Roe727 (Mar 9, 2004)

I think maybe you found my problem.....or I hope....This is what came up:
oxmsdecv.exe Infected: TrojamDownloader.Win32.VB.ca

What do I do now?


----------



## mobo (Feb 23, 2003)

Rescan with hijack and put a check next to O4 - HKLM\..\Run: [OXMSDECV] C:\WINDOWS\SYSTEM\OXMSDECV.exe

Then reboot into safe mode and delete:
C:\WINDOWS\SYSTEM\OXMSDECV.exe


----------
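One way to triage the O4 autostart lines of a HijackThis log like the one posted above, as an added example that is not part of the original thread: it parses the O4 entries and lists those whose value name is not on an analyst-maintained allowlist. The `REVIEWED` set and the function names are assumptions made for illustration; the log lines are excerpted from the log in this thread.

```python
import ntpath
import re

# Excerpt from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [OXMSDECV] C:\WINDOWS\SYSTEM\OXMSDECV.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
"""

# Hypothetical allowlist (assumption): entry names an analyst has already reviewed.
REVIEWED = {"scanregistry", "systemtray", "quicktime task", "schedulingagent",
            "cleansweep smart sweep-internet sweep.lnk"}

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Registry autostart:  <key>: [<value name>] <command line>
REG_RUN = re.compile(r"^(?P<where>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Startup folder:      Startup: <shortcut> = <target>
STARTUP = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Program part of a command line: quoted path, or unquoted up to the extension.
IMAGE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|com|bat|scr)))(?:\s|$)', re.I)

def image_name(command):
    """Return the lower-cased file name of the program a command line starts."""
    m = IMAGE.match(command)
    path = (m.group(1) or m.group(2)) if m else command.split()[0]
    return ntpath.basename(path).lower()

def parse_autostarts(log):
    """Extract every O4 (autostart) entry from a HijackThis log."""
    entries = []
    for raw in log.splitlines():
        line = ENTRY.match(raw.strip())
        if not line or line["code"] != "O4":
            continue
        e = REG_RUN.match(line["body"]) or STARTUP.match(line["body"])
        if e:
            entries.append({"where": e["where"], "name": e["name"],
                            "command": e["cmd"], "image": image_name(e["cmd"])})
    return entries

def needs_review(entries, reviewed=REVIEWED):
    """Return autostart entries whose name is not on the reviewed allowlist."""
    return [e for e in entries if e["name"].lower() not in reviewed]
```

An entry returned by `needs_review` is only a candidate for a closer look, for example by submitting the file to a scanner as was done in this thread.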



## mobo (Feb 23, 2003)

Safe mode http://www.computerhope.com/issues/chsafe.htm


----------



## Roe727 (Mar 9, 2004)

I did as you said and I went into IE and out several times without any pop-ups, so hopefully that was the problem. THANK YOU SO MUCH for your help. I have been trying for about a week to figure this out with you guys and I really appreciate all the back and forth to help me. You guys are great and I will make a donation to your cause. Can I ask you one more question though? How can I know if there are other files infected, as my Norton did not pick up on this problem to begin with??


----------



## mobo (Feb 23, 2003)

Do a full system scan http://housecall.trendmicro.com/ and you should get a clear picture..


----------



## Roe727 (Mar 9, 2004)

Ok...I ran Trend Housecall and this is what I got....
TROJ REVOP.A NON-CLEANABLE.....C:\WINDOWS\SYSTEM\TIICDXX
TROJ REVOP.A NON-CLEANABLE.....C:\WINDOWS\PUP.EXE
TROJ REVOP.A NON-CLEANABLE.....C:\RECYCLED\DC3.EXE

AND 26 FILES LABELED
TROJ REVOP.A NON-CLEANABLE.....C:\RECYCLED\NPROTECT\0000....


What should I do now?


----------



## mobo (Feb 23, 2003)

Reboot into safe mode and delete 
C:\WINDOWS\SYSTEM\TIICDXX
C:\WINDOWS\PUP.EXE
C:\RECYCLED\DC3.EXE

Then empty the Norton recycle bin.

P.S. Sorry for the delay but an Ice storm is in the area and power was out for about 3 hours.


----------



## Roe727 (Mar 9, 2004)

Ok well I went to safe mode and deleted the C:\windows\pup.exe file and the C:\windows\system\TIICDXX file...couldn't find the C:\recycled\dc3.exe file. NOW I HAVE A MAJOR PROBLEM......I WENT TO REBOOT AND MY CPU SOUNDS LIKE IT IS REBOOTING, BUT MY MONITOR IS BLANK. IT SOUNDS LIKE IT IS RUNNING, BUT THE MONITOR IS BLANK AND IT IS JUST CLICKING.....WHAT DO I DO NOW...IS THERE ANY WAY TO FIX IT...

PLEASE HELP. I'M TYPING THIS FROM MY SON'S LAPTOP.

GET BACK TO ME ASAP
THANKS


----------



## mobo (Feb 23, 2003)

Do you have a bootdisk? If so, reboot from it and when you arrive at the A> prompt type scanreg /restore. Then choose a date from the registry (usually the oldest is best) to restore the PC to.


----------



## Roe727 (Mar 9, 2004)

I put a boot disc in and nothing is showing up on the monitor. The monitor is clicking which is weird. 
I'm wondering if my monitor went and it just happened to be now. I am going to get ahold of another monitor and see when I hook it up what happens. Never a dull moment. 
Do you think deleting either of those files could make this happen....just give me your opinion.....??? I appreciate it.


----------



## mobo (Feb 23, 2003)

If the monitor is clicking then I would think yes the monitor went to rest. I had a couple in the shop the same way with a constant clicking and no video output.


----------



## Roe727 (Mar 9, 2004)

Thank you...I'll let you know how I make out.


----------



## mobo (Feb 23, 2003)

Please do..You should be very pleased with the end result which should be a very well running system.


----------



## Roe727 (Mar 9, 2004)

Well....it was my monitor. What about that other file that I couldn't find....the C:\recycled\DC3.exe? What do I do about that? And the next thing I'm going to do is rerun the Trend Housecall and make sure it comes up clean. In fact, I'm going to run Spybot, Ad-aware, Norton AND the Trend Housecall and see what if anything comes up.


----------



## mobo (Feb 23, 2003)

Start / search / DC3.exe


----------



## Roe727 (Mar 9, 2004)

OK....I re-ran Trend Housecall...came up clean, ran Spybot, came up clean, ran Norton, came up clean....ran Ad-aware and came up with 42 files found...about 1/2 were cookies and the other half were winpup32. I went into regedit and deleted the winpup32 file. Is there anything else I should do at this point and what is your opinion on how often I should run these programs?? I do have Spyblaster on my computer.....is there anything else I can do to keep my computer clean??

One more thing...I never found the DC3.exe file, but when I ran Trend Housecall, which is where it originally came up, it didn't come up. Mystery to me!!

Your opinions??


----------



## mobo (Feb 23, 2003)

I run those every couple of days or so in addition to spyware blaster and spybot's immunize feature..


----------



## NiteHawk (Mar 9, 2003)

The DC3.exe file was found in the recycle bin, so if you emptied both the recycle bin and Norton protected files, you should be fine. :up:


----------



## Roe727 (Mar 9, 2004)

Thank you for all of your help with all of this. I am going to attempt to keep my computer clean and hopefully not have any more major problems. LOL Wishful thinking.
Thanks again, you have a great site here and I will donate to your cause.


----------



## mobo (Feb 23, 2003)

Good luck with everything Roe


----------



## Roe727 (Mar 9, 2004)

THANKS Mobo!!!


----------



## mobo (Feb 23, 2003)

You're welcome


----------



## Roe727 (Mar 9, 2004)

That was quick and a little freaky......lol....


----------



## mobo (Feb 23, 2003)

He he


----------



## Roe727 (Mar 9, 2004)

LMAO....


----------




## Roe727 (Mar 9, 2004)

Mobo....you won't believe this....After everything I've done to this thing...I just closed out of my IE and I had a pop-up for Precision Time...It is still HIDING somewhere on my computer, as it is not in my add/remove or my MSConfig. Any other suggestions as to where I can look?

And the saga continues........lol


----------



## iliketoast (Mar 27, 2004)

Ok..I got your fix. I too had the annoying Belgiandip pop-ups. After trying just about everything for two weeks to get rid of it, I stumbled on the fix. Searching a multitude of forums, I finally found a successful fix! I'm kicking myself..it was so simple.

Download Adaware. After you install it, download the LATEST update and run. It will find two malware programs called "winpup". Ensure you delete them! 

Did it and it worked like a champ!


----------

