Re: Need help in removing nasty Adaware (BHO) from my Win XP
- From: "Jan Il" <abuse@xxxxxxxxxxxxx>
- Date: Sat, 30 Apr 2005 09:44:52 -0400
Hi M. B. :-)
This is somewhat of a stubborn one, so in addition to updating and running your AV, download, install and run the programs below in Safe Mode with Hidden Files enabled. This will remove the nasty you have and any others it may have let in the back door. Some malware can replicate itself repeatedly if not removed properly, so even if you have already run some programs, run them again according to the information below. Make sure that you follow all instructions very carefully:
First, Clear the TIF's and empty the recycle bin: http://www.mvps.org/winhelp2002/delcache.htm
Also…empty your Recycle bin.
Then do the following:
WARNING>>>> Backup all documents and files before removing any spyware!!
How to properly scan for scumware (read first, if possible) http://aumha.org/forum/viewtopic.php?t=5878
Download and install BHODemon from http://www.definitivesolutions.com/bhodemon.htm Your problem may be caused by a bad BHO.
Most importantly, download, install and run CWShredder here http://www.majorgeeks.com/download3019.html and About Buster, which searches for hidden .dlls that recreate the malware. http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check http://aumha.org/a/noads.htm
and Quick-Fix Protocol http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".
Then download, install and immediately update these three programs before running:
AdAware SE - Update immediately after installing http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
SpyBot S&D - Update immediately after installing http://www.majorgeeks.com/download2471.html
Microsoft Windows Antispyware Program (Beta) http://www.microsoft.com/athome/security/spyware/software/default.mspx
Also download, install and run CWShredder: http://www.majorgeeks.com/downloadget.php?id=3019&file=11&evp=9e0433de9f8fd8e137fd6b3ff02edc90
Next, do an Online scan here (if possible) - http://www.pandasoftware.com/activescan/com/activescan_principal.htm Make sure that you choose "fix" or "clean".
Download PocketKillbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily
Download, install, and run HiJackThis - it is one of the most important tools to help clean your system of scumware. Follow the instructions carefully:
How to download and install HiJackThis: (it does not need to be updated) http://www.bleepingcomputer.com/forums/topict309.html
Please DO NOT post your log to this newsgroup. It is important that you go to one of the HiJackThis Support Forums below and allow the experts there to analyze it for you. AumHa HiJackThis Forum http://forum.aumha.org/viewforum.php?f=30 or Bleeping Computer Forum http://www.bleepingcomputer.com/forums/forum22.html to allow the experts there to evaluate your log and advise you of any necessary steps to clean your system. (Note: You will have to Register before posting on these Forums. Please follow all posting instructions carefully to avoid having your log deleted or ignored.)
Also, please post a link to the forum where you post your HJT log back to this thread so that we can follow your progress there.
CAUTION!!!!! Before you try to remove spyware using any of the programs below, download a copy of LSPFIX from any of the following sites: http://www.cexx.org/lspfix.htm http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or XP) The process of removing certain malware may kill your internet connection. If this should occur, this program, LSPFIX, will enable you to regain your connection.
You should also get a copy of WINSOCKXPFIX available at: http://www.spychecker.com/program/winsockxpfix.html
and WinsockXP Fix - WinXP http://www.spychecker.com/program/winsockxpfix.html with instructions, at http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft - all versions of Windows - http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset will fix this problem without the need for these programs.)
or Winsock Fix Utility http://www.dfwonline.net/files/WinsockFix.zip
How to Restart in Safe Mode http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
How to Show Hidden Files http://snipurl.com/6rl8
Hope this helps :-)
Jan :)
MS MVP - IE/OE
Smiles are meant to be shared, that's why they're so contagious.
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post: http://www.dts-l.org/goodpost.htm
> I have a nasty Ad-aware "BHO" ware sitting in my system with the filename of REQ.DAT (in my C:\windows\system32 directory). Thankfully the program "BHODemon" allows me to disable this pest at boot-up, but I can't figure out how can I manually delete it completely from my system!
I have tried Ad-Aware Pro, Spybot Search and Destroy and Norton's Antivirus 2005. Only Norton flags it, and when I follow the instructions to "reboot in Safe mode, scan again and then choose to delete it", for some reason, Norton can't even find it!
Anyone have any further ideas?
Here is what Symantec folks write about this REQ.DAT:
http://securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html
and here is a link to BHO Demon (it's free!) for those who need help:
http://www.definitivesolutions.com/bhodemon.htm
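Added example, not part of the original posts: a read-only PowerShell inventory of the registered Browser Helper Objects and the file each one loads, so that an entry backed by something other than a .dll (such as the REQ.DAT described above) or by an unsigned or missing file stands out. It assumes a Windows version with PowerShell (XP did not ship with it) and the standard machine-wide BHO registry locations; the function name `Get-BhoInventory` is made up for this example.

```powershell
# Added example: list registered BHOs and the module behind each one.
# Read-only: nothing is disabled, deleted or changed.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # 32-bit BHOs on 64-bit Windows resolve their CLSID under WOW6432Node.
        $clsidBase = if ($root -like '*WOW6432Node*') {
            'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
        } else {
            'HKLM:\SOFTWARE\Classes\CLSID'
        }

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $clsid  = $key.PSChildName
            $server = "$clsidBase\$clsid\InprocServer32"
            $path   = $null
            if (Test-Path -LiteralPath $server) {
                # The unnamed (Default) value is the module the browser loads.
                $path = (Get-Item -LiteralPath $server).GetValue('')
            }

            $exists = $false
            $sig    = 'n/a'
            if ($path) {
                $path   = "$path".Trim('"')
                $exists = Test-Path -LiteralPath $path -PathType Leaf
                if ($exists) {
                    $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
                }
            }

            [pscustomobject]@{
                CLSID        = $clsid
                Module       = $path
                Exists       = $exists
                Signature    = $sig
                # A BHO is normally a .dll; any other extension deserves a look.
                OddExtension = [bool]($path -and [IO.Path]::GetExtension($path) -ne '.dll')
            }
        }
    }
}

Get-BhoInventory | Sort-Object OddExtension -Descending | Format-Table -AutoSize
```

Rows with `OddExtension` set, `Exists` false, or a `Signature` other than `Valid` are the ones to check first; a module that is registered but reported as missing may be hidden from normal file listings.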