1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Nasty sp.dll

Discussion in 'Earlier Versions of Windows' started by Emtronics, Dec 2, 2001.

Thread Status:
Not open for further replies.
Advertisement
  1. Emtronics

    Emtronics Thread Starter

    Joined:
    Jan 20, 2000
    Messages:
    2,984
    There seems to be a nasty .dll file coming from somewhere on the internet that loads itself onto your computer without any warning. It then puts itself into the "run" entry in the registry and shows up in MSCONFIG as a startup item then proceeds to modify the registry changing the SEARCH function in IE5 and up. Below is SP.DLL as viewed in Notepad.

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
    "SearchURL"="http://www.jethomepage.com/ie/"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Default_Search_URL"="http://www.jethomepage.com/ie/"
    "Search Page"="http://www.jethomepage.com/ie/"
    "Search Bar"="http://www.jethomepage.com/ie/"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
    "SearchURL"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
    "Search Page"="http://www.jethomepage.com/ie/"
    "Default_Search_URL"="http://www.jethomepage.com/ie/"
    "Search Bar"="http://www.jethomepage.com/ie/"
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
    "SearchAssistant"="http://www.jethomepage.com/ie/"

    I fully understand how to remove this .dll from MSCONFIG in the registry and how to move it out of the C:\Windows directory. What I am not sure of is if I should delete all the KEYS listed above or just changed the name (jethomepage) to some site I would like. (example: www.google.com) I don't want to disable the SEARCH button in IE's toolbar.

    Also, anyone know where this is coming from? I think it arrives as a HTA script.
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,151
  3. Emtronics

    Emtronics Thread Starter

    Joined:
    Jan 20, 2000
    Messages:
    2,984
    Thanks Eddie for the links. I will remove this nasty little .dll and then remove it from the Startup in MSCONFIG. What a crappy thing to do via a popup ad.
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    Tell me about it.

    When I was trying to help remove it for someone, who is in one of those links at Lavasoft, she had no PC knowhow. I kept saying " don't delete the sp.old yet", and all I got was I Deleted It. Arrggh, restore. Just being cautious.

    You'll see what I mean.

    eddie
     
  5. Emtronics

    Emtronics Thread Starter

    Joined:
    Jan 20, 2000
    Messages:
    2,984
    AH hell, I went into the registry and changed every instance of jethomepage to google and then I moved the .dll to another folder, renamed it old, then went to the "run" entry and removed it from there. Everything went well except that the 'search' button in the toolbar doesn't work. Guess I should have just removed the offending keys completely instead of re-inserting the 'google'. I hate deleting values in the registry.
     
  6. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    Hiya

    Did you delete the entry in

    HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Labeled

    regedit -s c:\windows\sp.dll

    eddie
     
  7. Emtronics

    Emtronics Thread Starter

    Joined:
    Jan 20, 2000
    Messages:
    2,984
    Eddie, yes I deleted it under the RUN in the registry. I went in and deleted all the instances of it as it is listed in the sp.dll I posted above. Now, when I click the SEARCH button in the toolbar, the search box opens on the left, but I get a "Page can not be displayed..." instead of the default MSN. I want to get it back to the default setting, or for that matter, any setting.

    I tried just typing in a word in the URL and hitting ENTER. The search worked and it opened the SEARCH box (on the left) to MSN. Maybe I had to use it once to set it back to the deafult.??

    All in all, I have NOT deleted the sp.dll, just moved and renamed it. And really, I don't see any real harm in it just that it directs your searches to 'jethomepage'. And I guess the downside is that that darn thing installed itself without asking and it starts up when Windows starts.
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    36,151
    No, it does no real harm, but its installed without you knowing or wanting to, like you said.

    Apparently, AddAware may soon be able to remove it, but as its not really spyware, who knows.

    Glad its working

    eddie
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/60485

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice