Using LSP-Fix to remove Spyware & Hijackers

Table of Contents

• Introduction
• Type of Software that use an LSP
• How to use LSP-Fix
• Conclusion

Introduction

LSP-Fix is a utility designed to remove and repair problems associated with a a type of software called a Layered Service Provider, or LSP. LSPs are designed to integrate directly into your TCP/IP layer, the protocol you use to communicate on the Internet, in order to manipulate data that is sent across it. The LSPs are installed in such a way that each LSP in the TCP/IP handler are chained together. If one of these LSPs is removed incorrectly, that chain could become broken, possibly removing your ability to connect to the Internet or a network.

LSP-Fix was designed to fix problems such as these. With LSP-Fix you can remove LSPs that are malicious in nature or do not belong, and have them removed in such a way that the chain of LSPs are not broken and your network connectivity will continue to work properly. This software will also fix breaks in the chain that may have already occurred due to deletions of certain files or buggy installation routines

This program deserves a word of warning though. You should not be using this program unless you have been directed to do so by someone who is extremely knowledgeable in these matters. Removing the wrong LSPs from your computer by mistake can make your computer unstable and possibly unable to communicate over a network, including the Internet.

Types of Software that use an LSP

Many different types of software use LSPs and they are all applications that use the a network or the Internet. Unfortunately, some of these applications do not have your interests at heart and use LSPs to redirect your traffic to where they want or to collect statistics about how you use the Internet. LSPs that are used by these types of software, called Spyware or Browser Hijackers, can be removed using LSP-Fix as well.

Below is a sample of valid applications that use LSPs:

Sygate Firewall
Mcafee Personal Firewall
E-Safe

Below is a sample of malicious applications that use LSPs:

Webhancer
New.net
NewDotNet

Unfortunately many of the above known malicious programs are installed without your consent or even knowledge, but by using LSP-Fix and with the proper guidance you can remove these programs.

How to use LSP-Fix

Step 1: Download and run LSP-Fix

Download LSP-Fix and save it into its own directory. You can download LSP-Fix from the following location:

LSP-Fix Download Location

Once the file is downloaded navigate to where you saved the file and double-click on it to start the application. You will then be presented with a screen similar to Figure 1 below.

Figure 1. Start Screen for LSP-Fix

Now that the application is started you will see a screen with two sections labeled Keep and Remove. The Keep section is for LSPs that we will not be removing and Remove section is for the LSPs that will be removed.

There are two buttons between these two sections labeled >> and <<. The >> will move the highlighted LSP from the Keep section into the Remove section. If you would like to move a highlighted LSP from the Remove section back into the Keep section, you would use the << button. It is important to note that these buttons will not become useable unless you put a checkmark in the checkbox labeled "I know what I'm doing" designated by the red box in Figure 1 above.

If you just want to fix a broken chain, and the problem DLL has already been removed for some other reasons, you can just click the Finish button, designated by the green box in Figure 1. LSP-Fix will automatically fix the LSP chain and hopefully restore connectivity back to the network. If you are attempting to remove a specific DLL from the chain, then you should proceed to Step 2.

Step 2: Remove the LSP

In this tutorial we want to remove the webhdll.dll that is installed by a known Spyware program called Webhancer. For your individual situation the file you will be removing may be a different name.

To remove webhdll.dll we would put a checkmark in the checkbox labeled "I know what I'm doing" in order to activate the move (<< & >>) buttons, and then click once on the webhdll.dll file to select it as shown in Figure 2 below

.

Figure 2. Selecting the LSP we are about to move

Once you have the checkbox checked and the LSP you would like to move selected. You will press on the >> button, designated by the blue box in Figure 2 above, to move the LSP into the Remove section. Once you do this, you should see a screen like Figure 3 below.

Figure 3. LSP moved to the Remove section

Now that the LSP has been moved to the Remove section, you can finish the remove process by clicking on the Finish button designated by the blue box in the figure above. When you click on the Finish button the LSP will be removed from your computer in the correct manner so that the LSP chain does not break.

When LSP-Fix is done removing the LSP you will see a summary box similar to Figure 4 below:

Figure 4. LSP removal Summary

At this point the LSP has been removed and you can press OK to shutdown LSP-Fix.

Conclusion

Using LSP-Fix can enable you to remove unwanted LSPs from your computer. Regardless of how these programs were installed on your computer with the proper advice and the use of this tool, you can keep your computer operating correctly.

As always if you have any comments, questions or suggestions about this tutorial please do not hesitate to tell us in the computer help forums.

--
Lawrence Abrams
Bleeping Computer Windows Internet Security Series
BleepingComputer.com: Computer Support & Tutorials for the beginning computer user.