Belgian dip


Eonfire
April 16th, 2004, 09:57 PM
Has anyone had this? I ran a search but didn't find anything. It's some sort of intrusive app that gives me popups and shuts the internet off all the time; I'm literally half expecting it to close down as I type this. It's really annoying.

Anyway, here's my HijackThis log. Can anyone give me advice on what to shut down if they've dealt with this before? Google gives a few things but I haven't found the info to remove it yet, and I've run Ad-Aware, Spybot, CWShredder and have Hitware Elite, SpywareBlaster and a Sygate firewall.

Logs :

Logfile of HijackThis v1.97.7
Scan saved at 20:48:51, on 16/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QLWOAS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

nihil
April 16th, 2004, 10:05 PM
As a quick suggestion, start SpyBot in "advanced" mode then go into "tools" and look at BHOs and all the other bits. You may well find stuff that you don't need. If you delete it and need it, you will only be prompted for a re-install?

Pretty safe IMHO

Also run the "immunise" facility in SpyBot

Cheers

whatthe
April 16th, 2004, 10:42 PM
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

appears to be Booked Space adware.

Here's Symantec's answer

http://securityresponse.symantec.com/avcenter/venc/data/adware.bookedspace.html

Good luck :)

ric-o
April 16th, 2004, 11:48 PM
Yes, have seen this recently on a home machine (not mine) and I read somewhere that the latest Adaware signatures will detect this.

I analyzed the JavaScript that runs and sniffed the traffic when going to the site and it does appear to be ad/spyware.

You'll want to watch for anyone going to the following sites:
www.undergroundlair.net
belgiumdip.com
ugl.adtrak.net
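
A defender watching for the hosts ric-o lists can run them against a web-proxy or DNS log. The script below is an added example, not code from the post; it assumes a simplified "timestamp client_ip url" proxy-log line (the sample lines are constructed) and matches each request's host against the watchlist either as the exact name or as a subdomain of it, so www.undergroundlair.net matches undergroundlair.net, while notbelgiumdip.com does not match belgiumdip.com and images.adtrak.net does not match ugl.adtrak.net.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts named in the thread as associated with the Belgian dip adware.
WATCHLIST = ("undergroundlair.net", "belgiumdip.com", "ugl.adtrak.net")

# Constructed sample lines; assumed format is "timestamp client_ip url", one request per line.
SAMPLE_LOG = """
2004-04-16T20:48:51 192.168.1.10 http://www.google.com/
2004-04-16T20:49:03 192.168.1.10 http://www.undergroundlair.net/ads/popup.js
2004-04-16T20:49:05 192.168.1.10 http://belgiumdip.com/cgi-bin/start.cgi?x=1
2004-04-16T20:50:11 192.168.1.22 http://ugl.adtrak.net/track.gif
2004-04-16T20:50:12 192.168.1.22 http://notbelgiumdip.com/
2004-04-16T20:50:30 192.168.1.22 http://images.adtrak.net/banner.gif
this line is malformed and is skipped
"""


def host_matches(host, watched):
    """True when host is the watched name itself or a subdomain of it (label boundary required)."""
    host = host.lower().rstrip(".")
    return host == watched or host.endswith("." + watched)


def find_hits(lines, watchlist=WATCHLIST):
    """Return (client, host, watched_name) for every request whose host is on the watchlist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # header, blank or malformed line
        _timestamp, client, url = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        for watched in watchlist:
            if host_matches(host, watched):
                hits.append((client, host, watched))
                break
    return hits


def clients_to_check(hits):
    """Group matched hosts by client so each affected machine can be cleaned."""
    by_client = defaultdict(set)
    for client, host, _watched in hits:
        by_client[client].add(host)
    return {client: sorted(hosts) for client, hosts in by_client.items()}


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG.splitlines())
    for client, hosts in clients_to_check(hits).items():
        print(f"{client}: {', '.join(hosts)}")
```

Matching on a label boundary rather than a plain substring is the point: a substring check would flag notbelgiumdip.com and miss nothing, but it would also flag every host that merely contains the string, and a bare suffix check on adtrak.net would sweep in unrelated ad-network traffic that the post did not name.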

phishphreek
April 16th, 2004, 11:52 PM
<Homer> Belgian dip.... mmmmmm.... </Homer>

<Homer> Doh! Why you little! </Homer>

Eonfire
April 17th, 2004, 01:47 AM
Thanks whatthe and ric-o, I checked the Symantec site and deleted the keys from the registry, but then... (spooky noise in the background)... I was just about to finish on the PC and Sygate came up and said that the computer was trying to connect to Underground Lair, so I still have something there. (Before it was trying to connect to Belgian dip; arrgh, just typing the name winds me up.)

I got something from Lavasoft, but it was a small file that I put in the same folder as Ad-Aware and it hasn't done anything. Is there a way you have to add the latest signatures to Ad-Aware or do you just put it in the same folder?

The good thing about these things is that they encourage you to learn about your registry etc, the bad thing is the waves of frustration as they re-appear like phantoms to haunt you.

(takes deep breath)

ric-o
April 17th, 2004, 05:41 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=256808#post737372) by Eonfire
I got something from Lavasoft, but it was a small file that I put in the same folder as Ad-Aware and it hasn't done anything. Is there a way you have to add the latest signatures to Ad-Aware or do you just put it in the same folder?
I use the update feature of Ad-Aware - it's the "Check for updates now" link right above the START button in v6.

sumdumguy
May 11th, 2004, 09:19 PM
OK, this is an old post now, but since groovicus brought it to my attention, I feel the need to point out a few other things I see in the log.

This one doesn't need to be running; it's not bad, but I'd disable it via msconfig:
C:\WINDOWS\LOADQM.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
---
Same goes for this, but see here (http://methylblue.com/windows/wmiexe.php):
C:\WINDOWS\SYSTEM\WMIEXE.EXE
There is a W32.Torun virus (http://securityresponse.symantec.com/avcenter/venc/data/w32.torun.html) that can infect this, but I think this is not the case here.
---
These are a part of the pup virus (http://www.helpscreen.com.au/index.php?msgid=921867023&cid=7):
C:\WINDOWS\SYSTEM\QLWOAS.EXE
O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
---
Get rid of this:
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

This is part of Hitware Popup Killer Lite; you can uninstall this app if you don't get popups, or if you get the Google toolbar:
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL

whatthe already mentioned these:
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
---

Of course, once the entries are fixed and you reboot, you should delete the bad files.

meeeeeee
May 12th, 2004, 02:09 PM
Here's a great link for cleaning winpup (which is what causes belgiandip popups)

http://www.wilderssecurity.com/showpost.php?p=151240&postcount=19

hunter1
May 19th, 2004, 04:39 AM
Has anyone got this? I think it is spyware. I bought Spy Sweeper and it finds it but I can't get it to delete it. It just keeps coming back. Any help would be great. Thanks, Paul

groovicus
May 19th, 2004, 04:53 AM
http://www.antionline.com/showthread.php?s=&threadid=256808&highlight=belgiandip

http://www.antionline.com/showthread.php?s=&threadid=257415&highlight=belgiandip

Welcome to AO.:)

hunter1
May 19th, 2004, 05:12 AM
Hey, thanks. I found the adware forum on this board and I think I may have some luck. That is great; I could even understand this post I found. Thanks, Paul

hunter1
May 21st, 2004, 09:20 PM
Downloaded HijackThis and ran it on my computer, and ran it on my son's infected computer and deleted everything that was not listed in mine. Worked great, Paul
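
Two ways of reading the log appear in this thread: sumdumguy's per-entry triage (the BHO with no file behind it, the BXXS5 and QLWOAS components, the HKLM start page pointing somewhere the user never chose) and hunter1's comparison of the infected machine's log against a clean one. The script below is an added example, not code from the thread or from HijackThis, and does both over a constructed excerpt of the log posted at the top of the thread. It assumes the HijackThis 1.97 line format (`R0 - ...`, `O2 - BHO: ...`, `O4 - HKLM\..\Run: [name] command`); the trusted home-page hosts (google.com, www.karoo.co.uk) are an assumption taken from the user's own R0/R1 lines, and the clean-machine log is constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt of the infected machine's log (line format as in HijackThis 1.97.x).
INFECTED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# Constructed log of a clean machine (hunter1's baseline), assumed to run the same core software.
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")

# Filenames this thread identifies as adware components (Booked Space / WinPUP).
KNOWN_BAD = ("bxxs5.dll", "qlwoas")
# Assumption: the host the user chose (google.com) and the ISP default (Karoo) are legitimate.
TRUSTED_HOMEPAGES = {"google.com", "www.karoo.co.uk"}


@dataclass
class Entry:
    kind: str   # HijackThis section: R0, R1, O2, O3, O4, O16 ...
    rest: str   # everything after "<kind> - "
    raw: str    # the original line, stripped


def parse_log(text):
    """Return the R*/O* entries of a HijackThis log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("rest"), line.strip()))
    return entries


def triage(entries, trusted=TRUSTED_HOMEPAGES):
    """Per-entry checks mirroring the thread's analysis; returns (raw line, reason) pairs."""
    findings = []
    for e in entries:
        low = e.raw.lower()
        if e.kind == "O2" and "(no file)" in low:
            findings.append((e.raw, "orphaned BHO: CLSID registered but its DLL is missing"))
        elif any(bad in low for bad in KNOWN_BAD):
            findings.append((e.raw, "file identified in the thread as an adware component"))
        elif e.kind in ("R0", "R1") and "=" in e.rest:
            # Start Page / Default_Page_URL values are URLs; Window Title and empty values are not.
            host = urlsplit(e.rest.split("=", 1)[1].strip()).hostname
            if host and host not in trusted:
                findings.append((e.raw, f"browser page setting points at untrusted host {host}"))
    return findings


def normalize(entry):
    """Collapse case and whitespace so the same entry on two machines compares equal."""
    return " ".join(entry.raw.split()).lower()


def not_in_baseline(infected, clean):
    """hunter1's approach: entries on the infected machine that the clean machine lacks."""
    baseline = {normalize(e) for e in clean}
    return [e for e in infected if normalize(e) not in baseline]


if __name__ == "__main__":
    entries = parse_log(INFECTED_LOG)
    for raw, reason in triage(entries):
        print(f"FLAG  {reason}\n      {raw}")
    for e in not_in_baseline(entries, parse_log(CLEAN_LOG)):
        print(f"DIFF  {e.raw}")
```

On the sample, the triage flags five of the nine entries. The baseline diff returns six, because it also surfaces the Hitware BHO (SYPCMS.DLL) that sumdumguy identified as a legitimate popup killer: an entry absent from a clean machine is a candidate for review, not a verdict, since the two machines may simply run different software.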

Negative
May 21st, 2004, 10:24 PM
*Threads merged... silly Belgians*

Cemetric
May 21st, 2004, 10:37 PM
*Threads merged... silly Belgians*

Hey hey, now watch it ... some "Belgians" mean well ;) :D