Need help in removing nasty Adaware (BHO) from my Win XP

M. B.

I have a nasty Ad-aware "BHO" ware sitting in my system with the filename of
REQ.DAT (in my C:\windows\system32 directory). Thankfully the program
"BHODemon" allows me to disable this pest at boot-up, but I can't figure out
how I can manually delete it completely from my system!

I have tried Ad-Aware Pro, Spybot Search and Destroy and Norton's Antivirus
2005. Only Norton flags it, and when I follow the instructions to "reboot
in Safe mode, scan again and then choose to delete it", for some reason,
Norton can't even find it!

Anyone have any further ideas?

Here is what the Symantec folks write about this REQ.DAT:

http://securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html

and here is a link to BHO Demon (it's free!) for those who need help:

http://www.definitivesolutions.com/bhodemon.htm
Jan Il

Hi M. B. :)

This is somewhat of a stubborn one, so in addition to updating and running
your AV, download, install and run the programs below in Safe Mode with
Hidden Files enabled. This will remove the nasty you have and any others
it may have let in the back door. Some malware can replicate itself
repeatedly if not removed properly, so even if you have already run some
programs, run them again according to the information below. Make sure that
you follow all instructions very carefully:

First, Clear the TIF's and empty the recycle bin:
http://www.mvps.org/winhelp2002/delcache.htm

Also, empty your Recycle Bin.

Then do the following:

WARNING>>>> Backup all documents and files before removing any spyware!!

How to properly scan for scumware (read first, if possible)
http://aumha.org/forum/viewtopic.php?t=5878

Download and install BHODemon from
http://www.definitivesolutions.com/bhodemon.htm
Your problem may be caused by a bad BHO.

Most importantly, download install and run CWShredder here
http://www.majorgeeks.com/download3019.html
and About Buster, which searches for hidden .dlls that recreate the malware.
http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check
http://aumha.org/a/noads.htm
and
Quick-Fix Protocol.
http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".

Then download, install and immediately update these three programs before
running:
AdAware SE - Update immediately after installing
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
SpyBot S&D - Update immediately after installing
http://www.majorgeeks.com/download2471.html
Microsoft Windows Antispyware Program (Beta)
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Also download, install and run CWShredder:
http://www.majorgeeks.com/downloadget.php?id=3019&file=11&evp=9e0433de9f8fd8e137fd6b3ff02edc90

Next, do an Online scan here (if possible) -
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure that you choose "fix" or "clean".

Download PocketKillbox from
http://www.thespykiller.co.uk/files/killbox.exe
and put it on the desktop where you can find it easily

Download, install, and run HiJackThis - it is one of the most important
tools to help clean your system of scumware. Follow the instructions
carefully:

How to download and install HiJackThis: (it does not need to be updated)
http://www.bleepingcomputer.com/forums/topict309.html

Please DO NOT post your log to this newsgroup. It is important that you go
to one of the HiJackThis Support Forums below and allow the experts there
to analyze it for you.
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please
follow all posting instructions carefully to avoid having your log deleted
or ignored.)

Also, please post a link to the forum where you post your HJT log back to
this thread so that we can follow your progress there.

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

You should also get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

How to Restart in Safe Mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

How to Show Hidden Files
http://snipurl.com/6rl8

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm

M. B.

Well folks, thanks everyone for your help and suggestions but I have yet
still to successfully remove this damn "Spyware". But I do have some
more information!

I have for sure identified the "offending" file as:

\WINDOWS\SYSTEM32\REQ.DAT

And the REGISTRY entry is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C044AAD-7955-4cbd-8175-501A165C4E5D}

If I try to MANUALLY delete the file, I get "Access Denied" and when I
delete the registry key, it just pops right back after exiting REGEDIT.

Please remember, I have tried running the below suggested utilities with
System Restore On & Off, and also in Normal and in Safe Mode.
Unfortunately, no luck!

-----------------------------------------------------------------

CWShredder - it finds this as "VX2.Look2Me", tells me it has been removed
but when I reboot, it's still there.

AdAware SE Pro - doesn't find it.

Spybot Search and Destroy - doesn't find it.

Microsoft's Antispyware beta - doesn't find it.

Norton Antivirus 2005 - it finds it. Tells me to run it again in Safe Mode
to remove it. When I re-run Norton in Safe Mode, it doesn't even flag or
find it.

HiJack This - it finds it, and when I choose to Fix It, it supposedly does
but when I re-run Scan, it's again back there.

BHODemon - it finds it and thankfully I have been able to DISABLE it with
this program. Here is the data that it reports on it:

BHODemon 2.0.0.22 Report File:
Desc: * Investigating *
ReportsCount: 6
Clsid: {1C044AAD-7955-4cbd-8175-501A165C4E5D}
DLL Path: C:\WINDOWS\System32\req.dat
Last Load Time: 4/30/2005 6:02:51 PM
Blocked Load Attempts: 1,003
Modified Date: Monday, April 11, 2005 20:11:53
Created Date: Monday, April 11, 2005 20:11:53
Load Attempts: 1,166
Enabled?: No
Size (bytes): 22,016
EnabledCount: 4
MD5 Checksum: d7bcebc6ca7dca7326eebb92818d410d
Status: Investigating

------------------------------------------------------------

So, if anyone has any other suggestions or ideas how to completely remove
it, PLEASE let me know. In my 20+ years around computers, I have never
seen such a nasty and vicious worm.
Jan Il

Hi M. B. :)
> Well folks, thanks everyone for your help and suggestions but I have yet
> still to successfully remove this damn "Spyware". But I do have some
> more information!
>
> HiJack This - it finds it, and when I choose to Fix It, it supposedly does
> but when I re-run Scan, it's again back there.

Which forum did you post your HiJackThis scan log in? What did the experts
there tell you about removing it?

You may have a variant of Coolwebsearch, a hijacker/malware that replicates
itself repeatedly if not removed properly. If you have followed all the
instructions on cleaning your system we have provided, and it is still
returning, then you will need expert help to get rid of it. If you have not
yet posted your HiJackThis log, then I strongly urge you to do so at this
forum and tell them that I sent you. Explain the spyware and all that you have
done thus far.

AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30

Please be patient, they are always very busy, but, they are usually fairly
prompt in getting to you. They are excellent with removing stubborn
scumware.

Be sure to post the link to your post at the forum so that we can follow
your progress there. I will follow there as well. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.
Ricky

Here's a post I copied and pasted... maybe something in it will help.

Download pocket killbox from
http://www.thespykiller.co.uk/files/killbox.exe & put it on the
desktop where you can find it easily.
Now run killbox and paste these lines into the box, select delete on
reboot, then press the red X button, say yes to the prompt and let it
reboot:

C:\WINDOWS\system32\req.dat

Then when it reboots run HJT & make sure these entries have gone:

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} -
C:\WINDOWS\system32\req.dat
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat

I did as suggested, ran HJT and it said the req.dat file was missing
and then HJT deleted it. Let's hope that's an end of it.

M. B.

Problem has been solved! Here is what one needs to do:

Download pocket killbox from
http://www.thespykiller.co.uk/files/killbox.exe & put it on the
desktop where you can find it easily.
Now run killbox and paste these lines into the box, select delete on
reboot, then press the red X button, say yes to the prompt and let it
reboot:

C:\WINDOWS\system32\req.dat

Then when it reboots run HJT & make sure these entries have gone:

O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} -
C:\WINDOWS\system32\req.dat
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat

I hope this helps others...
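The two HiJackThis entries above point at the same module: the O2 line is the Browser Helper Object, and the O20 line is a Winlogon Notify package that loads the same file at logon, which is why fixing the O2 line alone never held. The script below is an added example for this thread, not code from HiJackThis, BHODemon or any other tool named here. It parses O2 and O20 lines from a HiJackThis-style log, reports every module registered under more than one persistence location, and separately flags modules under system32 whose extension is not .dll (a COM helper registered from a .dat file is worth a second look). SAMPLE_LOG is constructed for the example; its req.dat lines mirror the ones posted in the thread, the other lines are invented filler.

```python
"""Correlate HiJackThis O2 (BHO) and O20 (Winlogon Notify) log entries.

Added example for the thread, not part of any tool discussed in it.
Run it directly to print a report for the constructed SAMPLE_LOG, or
feed parse_entries() the text of a real HiJackThis log.
"""
import re
from collections import defaultdict

# "O2 - BHO: <name> - {<CLSID>} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$"
)
# "O20 - Winlogon Notify: <name> - <path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)\s*$")

# Constructed sample log. The req.dat lines mirror the thread; the rest is
# filler invented to show that unrelated entries are ignored or not flagged.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1C044AAD-7955-4cbd-8175-501A165C4E5D} - C:\\WINDOWS\\system32\\req.dat
O2 - BHO: Example Toolbar Helper - {AAAAAAAA-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: req - C:\\WINDOWS\\system32\\req.dat
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


def parse_entries(log_text):
    """Return a list of (kind, name, path) for O2/O20 lines; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        # Logs pasted into forum posts often carry a stray trailing quote.
        line = line.strip().rstrip('"')
        m = O2_RE.match(line)
        if m:
            entries.append(("O2", m.group("name"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(("O20", m.group("name").strip(), m.group("path")))
    return entries


def find_dual_persistence(entries):
    """Map lower-cased path -> sorted kinds, for paths seen under more than one kind."""
    by_path = defaultdict(set)
    for kind, _name, path in entries:
        by_path[path.lower()].add(kind)
    return {p: sorted(kinds) for p, kinds in by_path.items() if len(kinds) > 1}


def suspicious_extension(entries):
    """Paths under a system32 directory whose extension is not .dll."""
    found = set()
    for _kind, _name, path in entries:
        low = path.lower()
        if "\\system32\\" in low and not low.endswith(".dll"):
            found.add(path)
    return sorted(found)


if __name__ == "__main__":
    found_entries = parse_entries(SAMPLE_LOG)
    print("Parsed %d O2/O20 entries" % len(found_entries))
    for path, kinds in find_dual_persistence(found_entries).items():
        print("Registered under %s: %s" % ("+".join(kinds), path))
    for path in suspicious_extension(found_entries):
        print("Non-DLL module in system32: %s" % path)
```

On the sample the report names req.dat twice: once as a module registered under both O2 and O20, and once as a non-DLL file living in system32. In a real clean-up that is the list to check after the reboot, the same way the post says to re-run HJT and confirm both lines are gone.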