How to Remove Sockins32.dll and Antispy Spyder Rogue Program

Sockins32.dll has been identified as a variant of the malware Win32:Agent-TEV. HijackThis will report the file for this infection as missing even if sockins32.dll really is present. Sockins32.dll is also known to be an advertiser for Antispy Spyder and is bundled with the MBR rootkit.

Sockins32.dll uses the following registry key to start up automatically:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Under that key you will also find a value containing a CLSID. The matching entry under HKEY_CLASSES_ROOT\CLSID\ holds the name of the file to be loaded.

Antispy Spyder is actually a rogue anti-spyware program. This rogue anti-spyware program is installed and advertised through the malware sockins32.dll. You will find the sockins32 file in C:\Windows\System32.

When the infection is running, advertisements will open in Internet Explorer. The advertisements will tell you that your security is at risk and that you should install Antispy Spyder to remove the risk. If you do this, you will find your desktop hijacked. A security warning will also show up. You will be directed to a site instructing you to install Antispy Spyder. You may also find your pages in Internet Explorer opening Russian sites in a random fashion.

Installing and running Antispy Spyder will give you a warning that your computer is infected. However, there will be no details of what the infection is. If you want to know what infections are present, you will have to pay for a copy of the software.

This tactic is common among rogue anti-spyware programs. They scare the user into purchasing what they hope to be protection but which, in truth, is actually more malware.

Removing sockins32.dll and Antispy Spyder may prove to be difficult. The programs are designed to make uninstallation difficult. They do this by disabling the regedit.exe program and the Windows Task Manager.

Symptoms in a HijackThis log

The file may be missing in a HijackThis log even if sockins32.dll is actually present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
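
The entry types in the log above can be checked for mechanically. The Python below is an added example, not part of the original article or of HijackThis; the sample log is constructed from the lines above plus one benign entry, and the function names are hypothetical.

```python
import re

# Constructed sample: some of the log lines shown above plus one benign R1 entry.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.example.com/
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [AntispySpider] C:\Program Files\AntispySpider\antispyspider.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
"""

# "<section> - <body>", e.g. "O21 - SSODL: ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+)\s+-\s+(?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def classify(section, body):
    """Return the reasons an entry matches the symptoms listed on this page."""
    reasons = []
    low = body.lower()
    if section in ("R0", "R1") and re.search(r"=\s*file://", low):
        reasons.append("IE page setting points at a local file")
    if section in ("O2", "O21") and "sockins32.dll" in low:
        reasons.append("sockins32.dll registered as BHO/SSODL")
    if section in ("O2", "O21") and low.rstrip().endswith("(file missing)"):
        # The page notes the file can be reported missing while present.
        reasons.append("reported as file missing; verify on disk")
    if section == "O4" and "antispyspider" in low:
        reasons.append("AntispySpider autostart entry")
    if section == "O7" and re.search(r"disableregedit\s*=\s*1", low):
        reasons.append("registry editing disabled by policy")
    return reasons

def triage(log_text):
    """Return (section, clsid_or_None, reasons) for every flagged log entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, process list, blank lines
        reasons = classify(m["section"], m["body"])
        if reasons:
            clsid = CLSID.search(m["body"])
            findings.append((m["section"], clsid.group(0) if clsid else None, reasons))
    return findings

if __name__ == "__main__":
    for section, clsid, reasons in triage(SAMPLE_LOG):
        print(section, clsid or "-", "; ".join(reasons))
```

The CLSIDs returned for the O2 and O21 entries are the ones to look up under HKEY_CLASSES_ROOT\CLSID\ when confirming which file is loaded.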

How to Remove Sockins32.dll and Antispy Spyder

You will need two special tools, FixAss.reg and regallow, for this fix.

Print out or write down the instructions listed here. You will need to close every window while performing this fix.

  1. Download FixAss.reg and regallow to your Desktop.
  2. Confirm that both files are present. Do not double click on any of them yet.
  3. Click on Start.
  4. Go to Control Panel.
  5. Double click on Add/Remove Programs.
  6. Locate the entry for Antispy Spyder.
  7. Uninstall Antispy Spyder. Do not reboot if prompted.
  8. Close Add/Remove Programs and Control Panel after the Antispy Spyder program has finished uninstalling.
  9. Go to your Desktop and double click on regallow.
  10. The program will launch.
  11. Click on the Enable Registry Tools button.
  12. Click OK when the tools are enabled.
  13. Double click on the FixAss.reg file on your Desktop.
  14. You will be asked to merge the information.
  15. Click Yes and then OK.
  16. Reboot your computer. This will deactivate the infection.
  17. Locate and delete the following files:
    c:\WINDOWS\homepage.html
    c:\WINDOWS\index.html
    c:\WINDOWS\promo1.html
    c:\WINDOWS\promo2.html
    c:\WINDOWS\promo3.html
    c:\WINDOWS\promo4.html
    c:\WINDOWS\promo5.html
    c:\WINDOWS\promo6.html
    c:\WINDOWS\promogif1.gif
    c:\WINDOWS\promogif2.gif
    c:\WINDOWS\promogif3.gif
    c:\WINDOWS\system32\adult.txt
    c:\WINDOWS\system32\finance.txt
    c:\WINDOWS\system32\lt.res
    c:\WINDOWS\system32\other.txt
    c:\WINDOWS\system32\pharma.txt
    c:\WINDOWS\system32\sft.res
    c:\WINDOWS\system32\sn.txt
    c:\WINDOWS\system32\sockins32.dll
    %UserProfile%\Desktop\AntispySpider.lnk
    %UserProfile%\Start Menu\Programs\AntispySpider\
    C:\Program Files\AntispySpider\

Your system should now be free of the Antispy Spyder infection.

You should only use trusted and recommended anti-spyware programs like Spyware Cease. This will save you a lot of time and grief. You will also protect your system and your private information from harmful threats that may be posed by rogue programs.

Remember that a valid anti-spyware program will always give you details about the infections found. If an anti-spyware program does not give you any information at all about the infections, be wary.

Be sure not to download anything until you have confirmed that the website is safe. You may be downloading a virus or Trojan that may cause your computer serious harm.

Use an antivirus program like Anti-virus Plus to filter threats and keep you and your system safe.

The adage that an ounce of prevention is worth a pound of cure definitely applies in this situation.