5 replies to this topic

Poll: Were you able to remove the spyware with this guide? (4 member(s) have cast votes)

  1. Yes. (2 votes [50.00%])
  2. No. (2 votes [50.00%])
  3. I am just reading, I do not have this spyware to remove. (0 votes [0.00%])

#1 dxiw



  • Full Member
  • 12 posts

Posted 10 June 2004 - 09:22 PM

If your home page is changed to about:blank and it loads some sort of a search webpage with a bunch of links, you probably are hijacked by this nasty spyware. The older variants could simply be removed by removing the R1's from HijackThis; however, if you have done this and it keeps coming back, here is how to remove it permanently:

Install a program called RegLite (http://www.resplende...oad/reglite.exe).

Run the program (it's a simple registry editor) and browse over to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Double-click or right-click on the key called AppInit_DLLs and a window will pop up; there will be a file name in the box titled "value" in this window. Write this down, it should be c:\windows\system32\*****.dll where **** is any random name.

Next, you will need to reboot to Windows Recovery Console (aka DOS). To do this, you have two options. You can simply boot from your Windows CD (insert the CD and reboot, then wait and when the big blue screen comes up choose the second option by pressing R) or insert the Windows CD and install the console so you can have it forever by inserting the CD and typing "e:\i386\winnt32.exe /cmdcons". It's much easier to just boot from CD-ROM, however.

Now you should be in dos, browse your way over to C:\windows\system32\ folder, for those of you not familiar with DOS use cd.. to go up a directory and cd ___ where ___ is the name of the directory you want to go to. So if your windows install drive is C then type cd C:\Windows\System32 and it should go there. Most likely, the recovery console will load dos already in C:\Windows. In this case just type cd system32.

Now you need to type attrib -r ****.dll where **** is the name you wrote down before. This will take off the read-only property of the .dll, next, rename the .dll to anything you want. I will call it nasty.dll, to do this type ren ****.dll nasty.dll (where **** is the name from above).

Now type exit and the computer will reboot as usual into windows, you can now put away the windows cd, you won't need it.

Once in windows, launch the RegLite program and browse over to the same key we did before, right-click or double-click it, and delete the filename in the value box, click apply and the size box should now say 1 (or 0). Now click ok and exit reglite.

Now we need to run HijackThis and remove the R1's that are causing the problem (if you removed them earlier then don't worry). The R1's should be something like "R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search something =" and then a nasty .dll filename with a /sp.html after it. Write down the name of this .dll. Now go ahead and remove all the R1's and any BHO's with that DLL name in it.

Now, exit HijackThis, and open My Computer/Windows Explorer, browse to C:\windows\system32 and delete the nasty.dll or whatever you renamed the ****.dll file earlier. Also, if it's still there, delete the .dll file you found with HijackThis. Now, make sure to empty your recycle bin and you are done!!!


This spyware is one that is particularly annoying and I hope this guide helps anybody infected with it, it has been torturing me for over a week until I found this cure. If you keep removing it with HijackThis and a few hours/days later it comes back, then you need to use this guide to fully remove it.

I also read somewhere else that this spyware is associated with palsol.com, likesurfing.com and vn.msie.cc. If you can, be sure to boycott these horrible companies; they do not deserve any business if they plan to attract customers using this spyware.

-David W

Edited by dxiw, 10 June 2004 - 09:24 PM.
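The correlation step of the guide above (the AppInit_DLLs value written down from the registry, the R1 entries ending in /sp.html, and the BHOs that load the same DLL), as an added example that is not part of the original post. The function name `triage` is hypothetical, the sample log lines, DLL names and CLSIDs are constructed, and the BHO line layout assumed is HijackThis's `O2 - BHO: name - {CLSID} - path` form.

```python
import re
from pathlib import PureWindowsPath

# A DLL name immediately followed by /sp.html, as in the hijacked R1 values.
SP_PAGE = re.compile(r"([^\\/:\s=]+\.dll)/sp\.html", re.I)

def dll_name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path.strip()).name.lower()

def triage(appinit_value, log_lines):
    """Correlate the AppInit_DLLs value with R1 and BHO lines of a HijackThis log."""
    # AppInit_DLLs holds a space- or comma-separated list of DLLs.
    suspects = {dll_name(p) for p in re.split(r"[ ,]+", appinit_value.strip()) if p}
    lines = [l.strip() for l in log_lines]
    fix_r1 = []
    for line in lines:
        m = SP_PAGE.search(line) if line.startswith("R1 - ") else None
        if m:
            fix_r1.append(line)
            suspects.add(m.group(1).lower())  # the R1 DLL may differ from the AppInit one
    # BHO lines end with " - <path to DLL>"; flag those loading a suspect DLL.
    fix_bho = [l for l in lines if l.startswith("O2 - BHO:")
               and dll_name(l.rsplit(" - ", 1)[-1]) in suspects]
    return {"dlls": sorted(suspects), "fix_r1": fix_r1, "fix_bho": fix_bho}

# Constructed sample data (DLL names, CLSIDs and URLs are made up).
SAMPLE_APPINIT = r"C:\WINDOWS\System32\kzqrt.dll"
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\qwmvx.dll/sp.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\qwmvx.dll/sp.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/",
    r"O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\System32\qwmvx.dll",
    r"O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
]

if __name__ == "__main__":
    report = triage(SAMPLE_APPINIT, SAMPLE_LOG)
    print("DLLs to rename/delete:", ", ".join(report["dlls"]))
    for entry in report["fix_r1"] + report["fix_bho"]:
        print("Fix in HijackThis:", entry)
```
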

#2 dxiw



  • Full Member
  • 12 posts

Posted 10 June 2004 - 10:08 PM


#3 dxiw



  • Full Member
  • 12 posts

Posted 11 June 2004 - 10:50 AM

bump.. does anyone else not want to remove this spyware?

#4 pomp


    Forum Deity

  • Helper
  • 1,163 posts

Posted 11 June 2004 - 11:05 AM


Dllfix.exe is what is being used now. It's a magic program, and much easier to use than doing all those steps above and using reglite.


#5 dxiw



  • Full Member
  • 12 posts

Posted 14 June 2004 - 12:38 AM

dllfix didn't work for me..

#6 jwbirdsong


    Slasher O' spyware

  • Retired Staff
  • 2,045 posts

Posted 14 June 2004 - 12:57 AM

Nor will reglite work in all cases...

When there IS a CURE-ALL for the rapidly changing/ever evolving about:blank you can be sure it will be used here to its full extent.

Things you need (all FREE)
Anti-Virus (Only One of these)
AVG, Avast
Firewall (Only One here too)
Kerio (Direct Download), Zone Alarm
Misc. (Use all 3 together)
IE Spyads, SpywareBlaster, Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want (Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Spybot S&D
MS MVP Hosts file
