How to remove AntiSpySpider and sockins32.dll (Removal Instructions)

  • May 13, 2008

AntiSpySpider is a rogue anti-spyware program that is advertised and installed through malware. Currently AntiSpy Spider is advertised through a Trojan named sockins32.dll, which is located in the C:\Windows\System32 folder. While this infection is running, it periodically opens advertisements in Internet Explorer stating that you have some security risk and that you should install AntiSpy Spider. It also hijacks your desktop to show a security warning and changes your Internet Explorer home page to contain a link stating that you are infected and should install AntiSpy Spider. Last, but not least, it randomly opens Internet Explorer pages to Russian sites.


This infection attempts to make itself difficult to uninstall by disabling the Windows regedit.exe program and the Windows Task Manager. As a result, you cannot edit your registry with RegEdit or use the Task Manager to kill processes that may be running. As part of this fix, I have created a small tool called regallow that will re-enable the use of RegEdit so that this infection can be properly removed.

If you choose to install AntiSpySpider, the program will automatically scan your computer and state that you are infected. It does not, however, tell you what you are infected with; supposedly the only way to find out is to first purchase a copy of the software.

This guide will walk you through removing the AntiSpy Spider program and associated malware.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.

These steps may appear to be long and daunting. They are, though, quite easy to do and consist of so many steps only because I have written them in an extremely detailed manner.

  1. Print out these instructions as we will need to close every window that is open later in the fix.

  2. Download FixASS.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser.

    FixASS.reg Download Link

    Confirm that the FixASS.reg file now resides on your desktop as we will need it later.

  3. Download regallow.exe from here and save it to your desktop:

    regallow.exe

    Confirm that the file regallow.exe now resides on your desktop, but do not double-click on the icon yet. We will use it in later steps.



  4. Click on the Start Menu button.

  5. Click on the Control Panel option.

  6. Double-click on the Add or Remove Programs icon.

  7. Find the entry for AntispySpider and double-click on it to uninstall the program. Follow the prompts to uninstall the program, but do not allow it to reboot the computer if it asks.

  8. When it has completed uninstalling you can close Add or Remove Programs and your Control Panel.

  9. Now, go to your desktop and double click on the regallow.exe program. When the program launches, click on the Enable Registry Tools button. When it says the tools are enabled, click on the OK button to exit the program.

  10. Double click on the FixASS.reg file that you downloaded earlier to your desktop. When it asks if you would like to merge the information, press the Yes button and then the OK button.

  11. Now you should reboot your computer so that the infection becomes deactivated.

  12. When the computer reboots, and you are back at the desktop, you should delete the following files and folders from your computer if they exist:

    c:\WINDOWS\homepage.html
    c:\WINDOWS\index.html
    c:\WINDOWS\promo1.html
    c:\WINDOWS\promo2.html
    c:\WINDOWS\promo3.html
    c:\WINDOWS\promo4.html
    c:\WINDOWS\promo5.html
    c:\WINDOWS\promo6.html
    c:\WINDOWS\promogif1.gif
    c:\WINDOWS\promogif2.gif
    c:\WINDOWS\promogif3.gif
    c:\WINDOWS\system32\adult.txt
    c:\WINDOWS\system32\finance.txt
    c:\WINDOWS\system32\lt.res
    c:\WINDOWS\system32\other.txt
    c:\WINDOWS\system32\pharma.txt
    c:\WINDOWS\system32\sft.res
    c:\WINDOWS\system32\sn.txt
    c:\WINDOWS\system32\sockins32.dll
    %UserProfile%\Desktop\AntispySpider.lnk
    %UserProfile%\Start Menu\Programs\AntispySpider\
    C:\Program Files\AntispySpider\

Your computer should now be free of the AntiSpy Spider infection.
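A read-only check to run after step 12, added here as an example and not part of the original guide or its tools: it reports which of the listed files and folders still exist and deletes nothing. It assumes Windows is installed in %SystemRoot% (the guide writes c:\WINDOWS) and that RegEdit and Task Manager were blocked through the standard DisableRegistryTools and DisableTaskMgr policy values; the guide does not say which mechanism the infection uses.

```powershell
# Added example: post-cleanup check for step 12. Reads only, changes nothing.
$win  = $env:SystemRoot        # assumption: the guide's c:\WINDOWS
$user = $env:UserProfile

# File and folder names below are taken from the list in step 12.
$paths  = @("$win\homepage.html", "$win\index.html")
$paths += 1..6 | ForEach-Object { "$win\promo$_.html" }
$paths += 1..3 | ForEach-Object { "$win\promogif$_.gif" }
$paths += 'adult.txt', 'finance.txt', 'lt.res', 'other.txt',
          'pharma.txt', 'sft.res', 'sn.txt', 'sockins32.dll' |
          ForEach-Object { "$win\system32\$_" }
$paths += "$user\Desktop\AntispySpider.lnk",
          "$user\Start Menu\Programs\AntispySpider",
          "$env:ProgramFiles\AntispySpider"

# Anything that still exists was missed during step 12.
$leftovers = $paths | Where-Object { Test-Path -LiteralPath $_ }

# Assumption: the tools were blocked via the standard per-user policy values.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$blocked = foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($item -and $item.$name -ne 0) { "$name = $($item.$name)" }
}

if ($leftovers) {
    'Still present:'
    $leftovers | ForEach-Object { "  $_" }
}
if ($blocked) {
    'Policy restrictions still set:'
    $blocked | ForEach-Object { "  $_" }
}
if (-not $leftovers -and -not $blocked) {
    'No leftovers from step 12 found.'
}
```

Run it under the affected user account, since %UserProfile% and the policy key are per-user.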

View Associated AntiSpySpider Files


File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.

View Associated AntiSpySpider Registry Information


This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide, please post them in our Am I infected? What do I do? forum and someone will help you.
