 




How to remove AntiSpySpider and sockins32.dll (Removal Instructions)

Posted by Grinler on May 13, 2008 @ 07:20 PM · Views: 12,540

 

What this program does:

AntiSpySpider is a rogue anti-spyware program that is advertised and installed via the use of malware. Currently AntiSpy Spider is advertised through a Trojan named sockins32.dll, which is located in the C:\Windows\System32 folder. When this infection is running it will periodically open advertisements in Internet Explorer stating that you have some security risk and that you should install AntiSpy Spider. This infection will also hijack your desktop to show a security warning and change your Internet Explorer home page to contain a link stating you are infected and should install AntiSpy Spider. Last, but not least, this infection will also randomly open Internet Explorer pages to Russian sites.

 


 

This infection attempts to make it difficult to uninstall by disabling the Windows regedit.exe program and the Windows Task Manager. This makes it so you can't edit your registry with RegEdit or kill processes that may be running with the Task Manager. As part of this fix, I have created a small tool called regallow that will re-enable the use of RegEdit so that this infection can be properly removed.

If you choose to install AntiSpySpider, the program will automatically scan your computer and state that you are infected. It does not, though, tell you what you are infected with and the only way to supposedly find out is to first purchase a copy of the software.

This guide will walk you through removing the AntiSpy Spider program and associated malware.

 

Threat Classification:

 

Advanced information:

View AntiSpySpider files.
View AntiSpySpider Registry Information.

 

Entries for this program found in the Add or Remove Programs control panel:

AntispySpider

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
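
An added example (not part of the original guide, and not code from HijackThis): a read-only check that scans a saved HijackThis log for the entries listed above, useful both before the fix and to confirm afterwards that none remain. The function name triage, the sample log and its ExampleTray line are constructed for illustration.

```python
import re

# Indicators copied from the HijackThis symptoms listed in this guide.
CLSIDS = {"{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}",
          "{66186F05-BBBB-4A39-864F-72D84615C679}"}
HIJACK_URL = "file://c:/windows/homepage.html"
# HijackThis entry shape: "<section> - <body>", e.g. "O2 - BHO: ..."
LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def triage(log_text):
    """Return (section, reason, line) for each log line matching the guide's indicators."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # log header, process list, blank lines
        section, body = m.group(1), m.group(2)
        low = body.lower()
        if section in ("R0", "R1") and low.endswith("= " + HIJACK_URL):
            reason = "IE page points at local homepage.html"
        elif any(c.upper() in CLSIDS for c in CLSID_RE.findall(body)):
            reason = "CLSID listed in this guide"
        elif "sockins32.dll" in low:
            reason = "references sockins32.dll"
        elif section == "O4" and "antispyspider" in low:
            reason = "AntispySpider autostart entry"
        elif section == "O7" and "disableregedit=1" in low.replace(" ", ""):
            reason = "RegEdit disabled by policy"
        else:
            continue
        hits.append((section, reason, raw.strip()))
    return hits

# Constructed sample log: entries from the guide mixed with unrelated lines.
SAMPLE = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186f05-bbbb-4a39-864f-72d84615c679} - sockins32.dll
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE):
        print(f"[{section}] {reason}: {line}")
```

An empty result on a log taken after the reboot in the removal steps means none of the listed entries are still registered.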

 

Guide Updates:

05/13/08 - Initial guide creation.

 


Manual Removal Instructions for AntiSpy Spider:

 

These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner.

  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download FixASS.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

    FixASS.reg Download Link

    Confirm that the FixASS.reg file now resides on your desktop as we will need it later.

  3. Download regallow.exe from here and save it to your desktop:

    regallow.exe

    Confirm that the file regallow.exe now resides on your desktop, but do not double-click on the icon yet. We will use it in later steps.



  4. Click on the Start Menu button.

  5. Click on the Control Panel option.

  6. Double-click on the Add or Remove Programs icon.

  7. Find the entry for AntispySpider and double-click on it to uninstall the program. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

  8. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

  9. Now, go to your desktop and double-click on the regallow.exe program. When the program launches, click on the Enable Registry Tools button. When it says the tools are enabled, click on the OK button to exit the program.

  10. Double-click on the FixASS.reg file that you downloaded earlier to your desktop. When it asks if you would like to merge the information, press the Yes button and then the OK button.

  11. Now you should reboot your computer so that the infection becomes deactivated.

  12. When the computer reboots, and you are back at the desktop, you should delete the following files and folders from your computer if they exist:

    c:\WINDOWS\homepage.html
    c:\WINDOWS\index.html
    c:\WINDOWS\promo1.html
    c:\WINDOWS\promo2.html
    c:\WINDOWS\promo3.html
    c:\WINDOWS\promo4.html
    c:\WINDOWS\promo5.html
    c:\WINDOWS\promo6.html
    c:\WINDOWS\promogif1.gif
    c:\WINDOWS\promogif2.gif
    c:\WINDOWS\promogif3.gif
    c:\WINDOWS\system32\adult.txt
    c:\WINDOWS\system32\finance.txt
    c:\WINDOWS\system32\lt.res
    c:\WINDOWS\system32\other.txt
    c:\WINDOWS\system32\pharma.txt
    c:\WINDOWS\system32\sft.res
    c:\WINDOWS\system32\sn.txt
    c:\WINDOWS\system32\sockins32.dll
    %UserProfile%\Desktop\AntispySpider.lnk
    %UserProfile%\Start Menu\Programs\AntispySpider\
    C:\Program Files\AntispySpider\

Your computer should now be free of the AntiSpy Spider infection.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

 


 

Associated AntiSpySpider Files:

c:\WINDOWS\homepage.html
c:\WINDOWS\index.html
c:\WINDOWS\promo1.html
c:\WINDOWS\promo2.html
c:\WINDOWS\promo3.html
c:\WINDOWS\promo4.html
c:\WINDOWS\promo5.html
c:\WINDOWS\promo6.html
c:\WINDOWS\promogif1.gif
c:\WINDOWS\promogif2.gif
c:\WINDOWS\promogif3.gif
c:\WINDOWS\system32\adult.txt
c:\WINDOWS\system32\finance.txt
c:\WINDOWS\system32\lt.res
c:\WINDOWS\system32\other.txt
c:\WINDOWS\system32\pharma.txt
c:\WINDOWS\system32\sft.res
c:\WINDOWS\system32\sn.txt
c:\WINDOWS\system32\sockins32.dll
%UserProfile%\Start Menu\Programs\AntispySpider
%UserProfile%\Desktop\AntispySpider.lnk
%UserProfile%\Start Menu\Programs\AntispySpider\AntispySpider.lnk
c:\Program Files\AntispySpider
c:\Program Files\AntispySpider\AntispySpider.exe

 

Associated AntiSpySpider Windows Registry Information:

HKEY_LOCAL_MACHINE\SOFTWARE\TSoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "WebProxy"
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\86844691B1D37104FADB325A1FF489CB
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\86844691B1D37104FADB325A1FF489CB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AntispySpider"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "Babylon Client"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "ccApp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "HotKeysCmds"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "KernelFaultCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "LearnWords Launcher"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "PCSuiteTrayApplication"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "Persistence"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "QuickTime Task"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "vptray"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{19644868-3D1B-4017-AFBD-23A5F14F98BC}

 


 

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

 

 





© 2003-2009 All Rights Reserved Bleeping Computer LLC.