Nasty sp.dll

Emtronics

Thread Starter
Joined
Jan 20, 2000
Messages
2,984
There seems to be a nasty .dll file coming from somewhere on the internet that loads itself onto your computer without any warning. It then puts itself into the "run" entry in the registry and shows up in MSCONFIG as a startup item then proceeds to modify the registry changing the SEARCH function in IE5 and up. Below is SP.DLL as viewed in Notepad.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.jethomepage.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.jethomepage.com/ie/"
"Search Page"="http://www.jethomepage.com/ie/"
"Search Bar"="http://www.jethomepage.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.jethomepage.com/ie/"
"Default_Search_URL"="http://www.jethomepage.com/ie/"
"Search Bar"="http://www.jethomepage.com/ie/"
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"

I fully understand how to remove this .dll from MSCONFIG in the registry and how to move it out of the C:\Windows directory. What I am not sure of is if I should delete all the KEYS listed above or just change the name (jethomepage) to some site I would like (example: www.google.com). I don't want to disable the SEARCH button in IE's toolbar.

Also, anyone know where this is coming from? I think it arrives as a HTA script.
 

Emtronics

Thread Starter
Joined
Jan 20, 2000
Messages
2,984
Thanks Eddie for the links. I will remove this nasty little .dll and then remove it from the Startup in MSCONFIG. What a crappy thing to do via a popup ad.
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Tell me about it.

When I was trying to help remove it for someone, who is in one of those links at Lavasoft, she had no PC know-how. I kept saying "don't delete the sp.old yet", and all I got was I Deleted It. Arrggh, restore. Just being cautious.

You'll see what I mean.

eddie
 

Emtronics

Thread Starter
Joined
Jan 20, 2000
Messages
2,984
AH hell, I went into the registry and changed every instance of jethomepage to google and then I moved the .dll to another folder, renamed it old, then went to the "run" entry and removed it from there. Everything went well except that the 'search' button in the toolbar doesn't work. Guess I should have just removed the offending keys completely instead of re-inserting the 'google'. I hate deleting values in the registry.
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

Did you delete the entry in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Labeled

regedit -s c:\windows\sp.dll

eddie
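
The check described in this thread, as an added example that is not part of any poster's message: it flags Run-key commands that silently import a file with regedit, notes when that file is not named .reg, and parses the REGEDIT4 text to list the Internet Explorer values it would rewrite. The Run value names and the shortened file excerpt are constructed samples; only the command line and the registry lines come from the thread.

```python
import re

# Constructed sample of Run-key values (name -> command). The value names are
# assumptions; only the regedit command line is quoted from the thread.
RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "example_entry": r"regedit -s c:\windows\sp.dll",
}

# Constructed excerpt of the REGEDIT4 text posted at the top of the thread.
SP_DLL_TEXT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://www.jethomepage.com/ie/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.jethomepage.com/ie/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.jethomepage.com/ie/"
'''

SILENT_IMPORT = re.compile(r'^\s*"?regedit(?:\.exe)?"?\s+[/-]s\s+"?([^"]+?)"?\s*$', re.I)
KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def silent_imports(run_values):
    """Return (value name, file, disguised) for Run entries that run 'regedit -s <file>'."""
    hits = []
    for name, cmd in run_values.items():
        m = SILENT_IMPORT.match(cmd)
        if m:
            path = m.group(1)
            hits.append((name, path, not path.lower().endswith(".reg")))
    return hits

def parse_regedit4(text):
    """Parse REGEDIT4 text into (key, value name, data) tuples; string values only."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    key, out = None, []
    for ln in lines[1:]:
        k, v = KEY_LINE.match(ln), VALUE_LINE.match(ln)
        if k:
            key = k.group(1)
        elif v and key:
            out.append((key, v.group(1), v.group(2)))
    return out

def ie_search_writes(entries):
    """Keep only writes under an Internet Explorer key, where the search settings live."""
    return [e for e in entries if r"\microsoft\internet explorer" in e[0].lower()]
```
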
 

Emtronics

Thread Starter
Joined
Jan 20, 2000
Messages
2,984
Eddie, yes I deleted it under the RUN in the registry. I went in and deleted all the instances of it as it is listed in the sp.dll I posted above. Now, when I click the SEARCH button in the toolbar, the search box opens on the left, but I get a "Page can not be displayed..." instead of the default MSN. I want to get it back to the default setting, or for that matter, any setting.

I tried just typing in a word in the URL and hitting ENTER. The search worked and it opened the SEARCH box (on the left) to MSN. Maybe I had to use it once to set it back to the default??

All in all, I have NOT deleted the sp.dll, just moved and renamed it. And really, I don't see any real harm in it just that it directs your searches to 'jethomepage'. And I guess the downside is that that darn thing installed itself without asking and it starts up when Windows starts.
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
No, it does no real harm, but it's installed without you knowing or wanting to, like you said.

Apparently, Ad-aware may soon be able to remove it, but as it's not really spyware, who knows.

Glad it's working

eddie
 