How can I remove REQ.DAT file from my WinXP?

M. B.

I have a nasty Ad-aware "BHO" ware sitting in my system with the filename of
REQ.DAT (in my C:\windows\system32 directory). Thankfully the program
"BHODemon" allows me to disable this pest at boot-up, but I can't figure out
how can I manually delete it completely from my system!

I have tried Ad-Aware Pro, Spybot Search and Destroy and Norton's Antivirus
2005. Only Norton flags it, and when I follow the instructions to "reboot
in Safe mode, scan again and then choose to delete it", for some reason,
Norton can't even find it!

Anyone have any further ideas?

Here is what Symantec folks write about this REQ.DAT:

http://securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html

and here is a link to BHO Demon (it's free!) for those who need help:

http://www.definitivesolutions.com/bhodemon.htm
 
M. B.

Hi Mark,

Well, I tried to find that "Key" but I don't have that one listed under the
Browser Helper Objects.

I only have:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C044AAD-7955-4cbd-8175-501A165C4E5D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}

Could it be then one of these?

Thanks,
Michael
 
Mark L. Ferguson

You can chase those GUID numbers around at hkey_classes_root/CLSID/, but exporting a reg file to save them, then removing them might
be easier.
 
M. B.

Well folks, thanks everyone for your help and suggestions but I have yet
still to successfully remove this damn "Spyware". But I do have some
more information!

I have for sure identified the "offending" file as:

\WINDOWS\SYSTEM32\REQ.DAT

And the REGISTRY entry is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C044AAD-7955-4cbd-8175-501A165C4E5D}

If I try to MANUALLY delete the file, I get "Access Denied" and when I
delete the registry key, it just pops right back after exiting REGEDIT.

Please remember, I have tried running the below suggested utilities with
System Restore On & Off, and also in Normal and in Safe Mode.
Unfortunately, no luck!

-----------------------------------------------------------------

CWShredder - it finds this as "VX2.Look2Me", tells me it has been removed
but when I reboot, it's still there.

AdAware SE Pro - doesn't find it.

Spybot Search and Destroy - doesn't find it.

Microsoft's Antispyware beta - doesn't find it.

Norton Antivirus 2005 - it finds it. Tells me to run it again in Safe Mode
to remove it. When I re-run Norton in Safe Mode, it doesn't even flag or
find it.

HiJack This - it finds it, and when I choose to Fix It, it supposedly does
but when I re-run Scan, it's again back there.

BHODemon - it finds it and thankfully I have been able to DISABLE it with
this program. Here is the data that it reports on it:

BHODemon 2.0.0.22 Report File:
Desc: * Investigating *
ReportsCount: 6
Clsid: {1C044AAD-7955-4cbd-8175-501A165C4E5D}
DLL Path: C:\WINDOWS\System32\req.dat
Last Load Time: 4/30/2005 6:02:51 PM
Blocked Load Attempts: 1,003
Modified Date: Monday, April 11, 2005 20:11:53
Created Date: Monday, April 11, 2005 20:11:53
Load Attempts: 1,166
Enabled?: No
Size (bytes): 22,016
EnabledCount: 4
MD5 Checksum: d7bcebc6ca7dca7326eebb92818d410d
Status: Investigating

------------------------------------------------------------

So, if anyone has any other suggestions or ideas how to completely remove
it, PLEASE let me know. In my 20+ years around computers, I have never
seen such a nasty and vicious worm.
 
Mark L. Ferguson

With SP2, IE has a Tools menu item for "Manage Add-Ons" that should allow disabling it.
 
M. B.

Mark,

You are right, I am seeing this "req.dat" under Manage Add-ons under the
Disabled list. But there is no option to DELETE it, is there?

Thanks again!
Michael
 
Ricky

Here's a post I found that may help..

Download pocket killbox from
http://www.thespykiller.co.uk/files/killbox.exe & put it on the
desktop where you can find it easily
Now run killbox and paste this line into the box, select delete on
reboot then press the red X button, say yes to the prompt and let it
reboot

C:\WINDOWS\system32\req.dat

then when it reboots run HJT & make sure these entries have gone

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dat
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat"



| Mark,
|
| You are right, I am seeing this "req.dat" under Manage Add-ons under
the
| Disabled list. But there is no option to DELETE it, is there?
|
| Thanks again!
| Michael
|
| | > With SP2, IE has a Tools menu item for "Manage Add-Ons" that
should allow
| > disabling it.
| >
| > --
| >
| > Mark L. Ferguson
| > FAQ for MS Antispyware version 1.0.509
| > http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm
| > marfers notes for windows xp
| > http://www.geocities.com/marfer_mvp/chatNotes.htm
| > .
| > | >> Well folks, thanks everyone for your help and suggestions but I
have yet
| >> still to successfully remove this damn "Spyware". But I do
have some
| >> more information!
| >>
| >>
| >>
| >> I have for sure indentified the "offending" file as:
| >>
| >> \WINDOWS\SYSTEM32\REQ.DAT
| >>
| >>
| >>
| >> And the REGISTRY entry is:
| >>
| >>
| >>
| >>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
| >> Helper Objects\{1C044AAD-7955-4cbd-8175-501A165C4E5D}
| >>
| >>
| >>
| >> If I try to MANUALLY delete the file, I get "Access Denied" and
when I
| >> delete the registry key, it just pops right back after exiting
REGEDIT.
| >>
| >>
| >>
| >> Please remember, I have tried running the below suggested
utilities with
| >> System Restore On & Off, and also in Normal and in Safe Mode.
| >> Unfortunately, no luck!
| >>
| >>
| >>
| >> -----------------------------------------------------------------
| >>
| >> CWShredder - it finds this as "VX2.Look2Me", tells me it has been
removed
| >> but when I reboot, it's still there.
| >>
| >>
| >>
| >> AdAware SE Pro - doesn't find it.
| >>
| >>
| >>
| >> Spybot Search and Destroy - doesn't find it.
| >>
| >>
| >>
| >> Microsoft's Antispyware beta - doesn't find it.
| >>
| >>
| >>
| >> Norton Antivirus 2005 - it find's it. Tells me to run it again
in Safe
| >> Mode to remove it. When I re-run Norton in Safe Mode, it
doens't even
| >> flag or find it.
| >>
| >>
| >>
| >> HiJack This - it finds it, and when I choose to Fix It, it
supposedly
| >> does but when I re-run Scan, it's again back there.
| >>
| >>
| >>
| >> BHODemo - it finds it and thankfully I have been able to DISABLE
it with
| >> this program. Here is the data that it reports on it:
| >>
| >>
| >>
| >> BHODemon 2.0.0.22 Report File:
| >> Desc: * Investigating *
| >> ReportsCount: 6
| >> Clsid: {1C044AAD-7955-4cbd-8175-501A165C4E5D}
| >> DLL Path: C:\WINDOWS\System32\req.dat
| >> Last Load Time: 4/30/2005 6:02:51 PM
| >> Blocked Load Attempts: 1,003
| >> Modified Date: Monday, April 11, 2005 20:11:53
| >> Created Date: Monday, April 11, 2005 20:11:53
| >> Load Attempts: 1,166
| >> Enabled?: No
| >> Size (bytes): 22,016
| >> EnabledCount: 4
| >> MD5 Checksum: d7bcebc6ca7dca7326eebb92818d410d
| >> Status: Investigating
| >>
| >> ------------------------------------------------------------
| >>
| >>
| >>
| >> So, if anyone has any other suggestions or ideas how to
completely remove
| >> it, PLEASE let me know. In my 20+ years around computers, I
have never
| >> seen such a nasty and vicious worm.
| >>
| >>
| >
| >
|
|
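The verification step in the post above (re-running HijackThis and checking that the O2 and O20 entries are gone) can be scripted over a saved log. This is an added example, not part of the original thread: the two req.dat lines are the ones quoted in the post, while the two "example" lines, the heuristics and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Two entries quoted in the thread plus two constructed benign-looking lines
# (the "Example" names, paths and the all-zero GUID are made up).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\WINDOWS\system32\req.dat
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

def parse_entries(log_text):
    """Return one dict per O2 (BHO) or O20 (Winlogon Notify) log line."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip().rstrip('"')  # tolerate a stray quote from copy/paste
        for kind, rx in (("O2", BHO_RE), ("O20", NOTIFY_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, **m.groupdict()})
    return entries

def triage(entries):
    """Map lower-cased module path -> sorted reasons the entry deserves a look."""
    kinds_by_path = defaultdict(set)
    for e in entries:
        kinds_by_path[e["path"].lower()].add(e["kind"])
    findings = defaultdict(set)
    for e in entries:
        path = e["path"].lower()
        if not path.endswith(".dll"):
            findings[path].add("loaded as a module but not named .dll")
        if e["kind"] == "O2" and e["name"] == "(no name)":
            findings[path].add("BHO has no registered name")
        if kinds_by_path[path] == {"O2", "O20"}:
            findings[path].add("same file registered as BHO and Winlogon Notify")
    return {p: sorted(r) for p, r in findings.items()}

if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

An empty result from `triage` on a log taken after the reboot corresponds to the "entries have gone" check in the post.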
 
M. B.

Ricky!

THANK YOU! It worked like a charm!

I have now re-booted a few times (even with System Restore on), and it's
really completely gone. I even ran HiJackThis and CWShredder and they say
that my system is now clean!

THANK YOU again!

- Michael
 
Ricky

You're welcome..I'm glad it helped. :)
