Belgian dip

  1. #1
    Member
    Join Date
    Jan 2004
    Posts
    81

    Belgian dip

    Has anyone had this? I ran a search but didn't find anything. It's some sort of intrusive app that gives me popups and shuts the internet off all the time, I'm literally half expecting it to close down as I type this, it's really annoying.

    Anyway, here are my HijackThis logs, can anyone give me advice on what to shut down if they've dealt with this before? Google gives a few things but I haven't found the info to remove it yet, and I've run ad-aware, spybot, cw shredder and have hitware elite, spyware blaster and a sygate firewall.

    Logs :

    Logfile of HijackThis v1.97.7
    Scan saved at 20:48:51, on 16/04/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\CNXDSLTB.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\QLWOAS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.karoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Karoo
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CnxDslTaskBar] C:\WINDOWS\SYSTEM\CnxDslTb.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    "What is is not, what is not is - - if this is not yet clear to you, you're still far from the truth."

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    As a quick suggestion, start SpyBot in "advanced" mode then go into "tools" and look at BHOs and all the other bits. You may well find stuff that you don't need. If you delete it and need it, you will only be prompted for a re-install?

    Pretty safe IMHO

    Also run the "immunise" facility in SpyBot

    Cheers

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

    appears to be Booked Space adware.

    Here's Symantec's answer

    http://securityresponse.symantec.com...okedspace.html

    Good luck
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  4. #4
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Yes, have seen this recently on a home machine (not mine) and I read somewhere that the latest Adaware signatures will detect this.

    I analyzed the javascript that runs and sniffed the traffic when going to the site and it does appear to be ad/spyware.

    You'll want to watch for anyone going to the following sites:
    www.undergroundlair.net
    belgiumdip.com
    ugl.adtrak.net

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    <Homer> Belgian dip.... mmmmmm.... </Homer>

    <Homer> Doh! Why you little! </Homer>
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Member
    Join Date
    Jan 2004
    Posts
    81
    Thanks Whatthe and ric-o, I checked the Symantec site and deleted the keys from the registry, but then.............(spooky noise in the background)..............I was just about to finish on the PC and Sygate came up and said that the computer was trying to connect to Underground lair, so I still have something there. (before it was trying to connect to Belgian dip, arrgh just typing the name winds me up)

    I got something from lavasoft, but it was a small file that I put in the same folder as ad-aware and it hasn't done anything. Is there a way you have to add the latest signatures to ad-aware or do you just put it in the same folder?

    The good thing about these things is that they encourage you to learn about your registry etc, the bad thing is the waves of frustration as they re-appear like phantoms to haunt you.

    (takes deep breath)
    "What is is not, what is not is - - if this is not yet clear to you, you're still far from the truth."

  7. #7
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by Eonfire
    I got something from lavasoft, but it was a small file that I put in the same folder as ad-aware and it hasn't done anything. Is there a way you have to add the latest signatures to ad-aware or do you just put it in the same folder?
    I use the update feature of Adaware - it's the "Check for updates now" link right above the START button in v6.

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    ok this is an old post now but since groovicus brought it to my attention, I feel the need to point out a few other things I see in the log.

    this one doesn't need to be running, it's not bad but I'd disable via msconfig
    C:\WINDOWS\LOADQM.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    ---
    same goes for this.. but see here
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    there is a W32.Torun virus that can infect this but I think this is not the case here.
    ---
    these are a part of the pup virus
    C:\WINDOWS\SYSTEM\QLWOAS.EXE
    O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
    ---
    get rid of this
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

    this is part of Hitware Popup Killer Lite-- you can uninstall this app if you don't get popups.. or if you get the googletoolbar
    O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL

    whatthe already mentioned these
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    ---

    of course once the entries are fixed and you reboot, you should delete the bad files
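
The cross-referencing done by hand in the post above (a BHO with no file behind it, and a BHO DLL that a Run entry also loads through RunDLL32) can be scripted over a saved HijackThis log. This is an added example, not part of the original post; the function names, tags and heuristics are assumptions for illustration, and the sample lines are copied from the log in post #1.

```python
import re

# Subset of the O2/O4 lines from the HijackThis log posted in #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~2\SYPCMS.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [QLWOAS] C:\WINDOWS\SYSTEM\QLWOAS.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),", re.IGNORECASE)

def parse(log):
    """Split a HijackThis log into BHO (O2) and autostart (O4) records."""
    bhos, runs = [], []
    for line in (l.strip() for l in log.splitlines()):
        if m := BHO_RE.match(line):
            bhos.append(m.groupdict())
        elif m := RUN_RE.match(line):
            runs.append(m.groupdict())
    return bhos, runs

def triage(log):
    """Return (tag, detail) findings; these are review pointers, not verdicts."""
    bhos, runs = parse(log)
    # DLLs that an autostart entry loads through rundll32, keyed by upper-cased path.
    rundll_targets = {}
    for r in runs:
        if m := RUNDLL_RE.match(r["cmd"]):
            rundll_targets[m["dll"].strip().upper()] = r["value"]
    findings = []
    for b in bhos:
        path = b["path"].upper()
        if path == "(NO FILE)":       # registry entry left behind, DLL is gone
            findings.append(("orphan-bho", b["clsid"]))
        elif path in rundll_targets:  # same DLL registered as a BHO and in a Run key
            findings.append(("bho-plus-run", f'{b["clsid"]} / [{rundll_targets[path]}]'))
    return findings

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(tag, detail)
```

A "bho-plus-run" finding means the same DLL has two registry entries pointing at it, so both need to be fixed in the same pass.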

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Here's a great link for cleaning winpup (which is what causes belgiandip popups)

    http://www.wilderssecurity.com/showp...0&postcount=19

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    4

    Belgiandip??

    Has anyone got this? I think it is a spyware. I bought Spy Sweeper and it finds it but I can't get it to delete it. It just keeps coming back. Any help would be great. Thanks, Paul
