help? possible IE6 hijack

Guest

hi, everyone :) i'm lee... my friend's IE6 (probably) got hijacked and we
can't figure out what to do anymore.

anyway, here's what he told me to post about the problem...

first of all, when he tries to access any website, he gets redirected to:

res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm

then, this particular program gets loaded to his cpu's memory: CSRSSU.Exe

when you try to terminate it, it does for a few seconds then runs again...

he also noted that during the time that the hijack probably took place,
there was a program called SWPLO.exe that wanted to access the internet.

now, when he wants to access any website, say hotmail, instead of
http://hotmail.com, the URL gets appended as such ->
http://ehttp.cc/?hotmail.com and the browser will tell you that there's a
"possible virus threat" message on the main window (yeah, we know that
harhar) afterwards, the browser wants to access another site,
"www.e-finder.cc/hp/.." (from what he can read from the status bar)

he uses a firewall and he has norton running but it still got through...
we've tried virus scans, adaware, and spybot to name a few but so far,
nothing's worked... i really hope you guys can help coz he's on the verge of
reformatting his pc again and hopefully it won't get stuck in the registry
^^;

any help will be appreciated thanks! :)

lee
 
Jan Il

Hi Lee :)

To get rid of the hijacker, do the following:

res://C:\WINDOWS\<random name>.dll/sp.html#<random number>
CWShredder: Free
http://www.majorgeeks.com/download4086.html
http://www.hsremove.com/

Then follow up with these steps to make sure that his system is fully clean.
Even if you have already run some programs, run them again according to the
instructions in the information below to thoroughly clean your system. Some
variants of malware can replicate themselves and return repeatedly if not
cleaned properly. It is best to read through all the information before you
start to know beforehand what you need to do and how. Follow all
instructions to the letter as much as possible.

WARNING>>>> Backup all documents and files before removing any spyware!!

Dealing with Unwanted Spyware and Parasites:
http://mvps.org/winhelp2002/unwanted.htm
What You Should Know About Spyware
http://www.microsoft.com/athome/security/spyware/devioussoftware.mspx
What you can do about spyware and other unwanted software
http://www.microsoft.com/athome/security/spyware/spywarewhat.mspx
Most importantly, be sure to run CWShredder here
http://www.majorgeeks.com/download3019.html
Also this program searches for hidden .dlls that recreate the malware.
About Buster:
http://www.majorgeeks.com/download4289.html
Then visit these two sites to test for parasites and help basic cleaning:
On-Line Check
http://aumha.org/a/noads.htm
and
Quick-Fix Protocol.
http://aumha.org/a/quickfix.php
Basically, throw everything here at your "infection".

Also very important, be sure to use the HijackThis. Please DO NOT post your
log to this
newsgroup, but to the HiJackThis Support Forums below:
http://www.hijackthis.de/forum/forumdisplay.php?f=10&guestlanguageid=4
the Aumha HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any
necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please
follow all posting instructions carefully to avoid having your log deleted
or ignored.)

CAUTION!!!!! Before you try to remove spyware using any of the programs
below, download a copy of LSPFIX from any of the following sites:
http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html
(if your OS is Win2k or XP) The process of removing certain malware may kill
your internet connection. If this should occur, this program, LSPFIX, will
enable you to regain your connection.

You should also get a copy of WINSOCKXPFIX available at:
http://www.spychecker.com/program/winsockxpfix.html
and
WinsockXP Fix- WinXP
http://www.spychecker.com/program/winsockxpfix.html
with instructions, at
http://www.iup.edu/house/resnet/winfix.shtm
also... From LavaSoft- all versions of Windows-
http://digital-solutions.co.uk/lavasoft/whndnfix.zip
(NOTE: It is reported that in XP SP2, the command netsh winsock reset
will fix this problem without the need for these programs.)
or Winsock Fix Utility
http://www.dfwonline.net/files/WinsockFix.zip

NOTE: If you can not download these programs from the Internet, if your PC
has CD read capabilities, go to another computer with CD-ROM burning
capabilities. Create a folder on the hard drive of the other computer called
HOLD, download the programs to that folder, then burn that folder to a CD.
Copy the HOLD folder to your HD and then install the programs from there
and run them. After you have IE access again, update all programs where
possible to get the latest definitions and run them again in Safe Mode to be
sure there are no lingering items on the system.

Hope this helps

Jan :)
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
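
The address rewriting described in the first post (http://ehttp.cc/? placed in front of the typed hostname) is consistent with altered URL prefix values, which IE prepends to addresses typed without a scheme. The following read-only PowerShell check is an added example, not part of either post; it assumes the standard `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL` keys, and the function name and the rule "anything beyond a bare scheme is suspicious" are this example's own.

```powershell
# Read-only: lists the prefixes IE puts in front of addresses typed without a
# scheme and flags any value that is more than a bare scheme such as "http://".
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\URL'
$bareScheme = '^[a-z][a-z0-9+.-]*://$'

function Get-UrlPrefixReport {
    # hotmail.com is the sample address from the post
    param([string]$SampleHost = 'hotmail.com')

    foreach ($sub in 'DefaultPrefix', 'Prefixes') {
        $path = Join-Path $base $sub
        if (-not (Test-Path $path)) {
            Write-Warning "$path is missing"
            continue
        }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            $label = if ($name -eq '') { '(Default)' } else { $name }
            # Prefixes\<name> applies to addresses that start with <name>
            # (for example "www."); DefaultPrefix applies to everything else.
            $typed = if ($sub -eq 'Prefixes') { "$name.$SampleHost" } else { $SampleHost }
            [pscustomobject]@{
                Key        = $sub
                Name       = $label
                Prefix     = $value
                Suspicious = ($value -notmatch $bareScheme)
                Typed      = $typed
                Requested  = $value + $typed   # what the browser would go to
            }
        }
    }
}

$report = @(Get-UrlPrefixReport)
$report | Format-Table -AutoSize
$bad = @($report | Where-Object { $_.Suspicious })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) URL prefix value(s) contain more than a scheme."
}
```

On a clean system every `Prefix` is a bare scheme; a value that embeds a hostname would reproduce the rewritten addresses from the first post.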
 
