Install a program called RegLite (http://www.resplende...oad/reglite.exe).
Run the program (its a simple registry editor) and browse over to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Double-click or right-click on the key called AppInit_DLLs and a window will popup, there will be a file name in the box titled "value" in this window. Write this down, it should be c:\windows\system32\*****.dll where **** is any random name.
Next, you will need to reboot to window recovery console (aka DOS). To do this, you have two options. You can simply boot from your window CD (insert the cd and reboot, then wait and when the big blue screen comes up choose the second option by pressing R) or insert the windows cd and install the console so you can have it forever by inserting the cd and typing "e:\i386\winnt32.exe /cmdcons". Its much easier to just boot from cdrom however.
Now you should be in dos, browse your way over to C:\windows\system32\ folder, for those of you not familiar with DOS use cd.. to go up a directory and cd ___ where ___ is the name of the directory you want to go to. So if your windows install drive is C then type cd C:\Windows\System32 and it should go there. Most likely, the recovery console will load dos already in C:\Windows. In this case just type cd system32.
Now you need to type attrib -r ****.dll where **** is the name you wrote down before. This will take off the read-only property of the .dll, next, rename the .dll to anything you want. I will call it nasty.dll, to do this type ren ****.dll nasty.dll (where **** is the name from above).
Now type exit and the computer will reboot as usual into windows, you can now put away the windows cd, you won't need it.
Once in windows, launch the RegLite program and browse over to the same key we did before, right-click or double-click it, and delete the filename in the value box, click apply and the size box should now say 1 (or 0). Now click ok and exit reglite.
Now we need to run HijackThis and remove the R1's that are causing the problem (if you removed them earlier then don't worry). The R1's should be something like "R1 - HKCU\Software\Microsoft\Internet Explorer\Main, Search something = and then a nasty .dll filename with a /sp.html after it. Write down the name of this .dll. Now go ahead and remove all the R1's and any BHO's with that DLL name in it.
Now, exit HijackThis, and open my computer/windows explorer, browse to C:\windows\system32 and delete the nasty.dll or whatever you renamed the ****.dll file earlier. Also, if its still there, delete the .dll file you found with HijackThis. Now, make sure to empty your recycle bin and you are done!!!
This spyware is one that is particularly annoying and I hope this guide helps anybody infected with it, it has been torturing me for over a week until I found this cure. If you keep removing it with HijackThis and a few hours/days later it comes back, then you need to use this guide to fully remove it.
I also read somewhere else that this spyware is associated with palsol.com, likesurfing.com and vn.msie.cc. If you can besure to boycott these horrible companies, they do not deserve any business if they plan to attract customers using this spyware.
Edited by dxiw, 10 June 2004 - 09:24 PM.