Spyware.Shopnav


Updated: February 13, 2007 11:37:54 AM
Type: Spyware
Version: Not available
Publisher: srng.net
Risk Impact: High
File Names: SearchHook.dll IEHelper.dll IEHelper02.dll SNHelper.dll srng.exe Svchost.exe ad_msi.exe ads
Systems Affected: Windows

Behavior


Spyware.Shopnav is a search-hijacker that is installed as a Browser Helper Object. It can update itself when you start Windows.

Certain address bar searches and unknown domain name searches will be redirected to the program's controlling servers.

Note: Definitions prior to April 20, 2005 may detect this security risk as Spyware.Shopnav.dl.

Symptoms


The files are detected as Spyware.Shopnav.

Transmission


This spyware is bundled with various programs, particularly certain versions of Grokster.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 13, 2018 revision 041
  • Initial Daily Certified version August 18, 2003
  • Latest Daily Certified version March 14, 2018 revision 001
  • Initial Weekly Certified release date August 18, 2003




When Spyware.Shopnav is installed, it does the following:

  1. Creates one of the following folders:

    • %Program Files%\Srng
    • %Program Files%\Kugoo

      Note: %Program Files% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates some of the following files:

    • %Windir%\adrsb.exe
    • %Windir%\waladhpr.exe
    • %Windir%\iun6002.exe
    • %Windir%\Svchost.exe
    • %Program Files%\Srng\Srng.exe
    • %Program Files%\Srng\SRNG.LOCK
    • %Program Files%\Srng\file.zip
    • %Program Files%\Srng\SNHelper.dll
    • %Program Files%\Srng\SrngUtil.exe
    • %Program Files%\ieshnv.ini
    • %Program Files%\ieshnv.bmp
    • %Program Files%\ieshnv.dat
    • %Program Files%\ieshnv.lng

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  3. Creates some of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SNHlprObj.SNHlprObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
    HKEY_LOCAL_MACHINE\Software\Srng
    HKEY_LOCAL_MACHINE\Software\Kugoo
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\shnv
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PCID
    HKEY_ALL_USERS\Software\Srng
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{14B3D246-6274-40B5-8D50-6C2ADE2AB29B}

  4. Adds the value:

    "PCID" = "random value"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

  5. Adds one of the values:

    "srng"
    "kugoo"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  6. Adds the values:

    "Use search Asst" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
    "Use Custom Search URL" = "0x00000000"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  7. Adds the values:

    "Search Page" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
    "Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  8. Adds the values:

    "Search Assistant" = "http:/ /pop.popuptoast.com/9899/search/search.html"
    "CustomizeSearch" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  9. Adds the values:

    "Search Assistant" = "http:/ /pop.popuptoast.com/9899/search/search.html"
    "CustomizeSearch" = ""

    to the registry subkey:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\Internet Explorer\Search

  10. Adds the values:

    "Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"
    "Search Page" = "http:/ /search.2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="

    to the registry subkey:

    HKEY_ALL_USERS\Microsoft\Internet Explorer\Main

  11. Adds the value:

    "DefaultSearchURL" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="

    to the registry subkey:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\SearchAssistant

  12. Adds the value:

    "provider" = "msn"

    to the registry subkey:

    HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\SearchURL

  13. Modifies the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft"

    in the registry subkey:

    HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\URLSearchHooks

  14. Sends the Windows account name and previous search settings to a predetermined server.

  15. May load and install arbitrary code from its server.


Removal


  1. Update the definitions.
  2. Unregister the .dll files so that they can be deleted.
  3. Restart the computer in Safe mode or VGA mode.
  4. Delete the installation folder C:\Program Files\Srng.
  5. Run a full system scan and delete any files detected as Spyware.Shopnav.
  6. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. Updating the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


2. Unregistering the .dll files
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type, or copy and paste, the following text:

    regsvr32 /u "C:\Program Files\Srng\SearchHook.dll"

    then click OK.


    Note: If you type the text (instead of copying and pasting it), make sure that you type it exactly as shown and that you include the quotes.

  3. After a few seconds, you should see one of the following messages:

    (Load Library Failed, [filename].dll was not registered)

    (Load Library Succeeded)

    In either case, click OK.

  4. Repeat steps 1 through 3, substituting the following commands in step 2:

    Regsvr32 /u "C:\Program Files\Srng\IEHelper.dll"

    Regsvr32 /u "C:\Program Files\Srng\IEHelper02.dll"

    Regsvr32 /u "C:\Program Files\Srng\SNHelper.dll"


3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • For Windows NT 4 users, restart the computer in VGA mode.


4. Deleting the installation folder
Using Windows Explorer, locate and delete the folder C:\Program Files\Srng or C:\Program Files\Kugoo.

5. Scanning for and deleting the files
  1. Start Norton AntiVirus and make sure that it is configured to scan all the files. For more information, read the document, "How to configure Norton AntiVirus to scan all files."
  2. Run a full system scan.
  3. If any files are detected as Spyware.Shopnav, click Delete.
  4. Using Windows Explorer, delete the following files (if they exist):
    • %Windir%\iun6002.exe
    • %Program Files%\ieshnv.ini
    • %Program Files%\ieshnv.bmp
    • %Program Files%\ieshnv.dat
    • %Program Files%\ieshnv.lng

6. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run.
  2. Type regedit

    Then click OK.

  3. Navigate to and delete the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SNHlprObj.SNHlprObj
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
    HKEY_LOCAL_MACHINE\Software\Srng
    HKEY_LOCAL_MACHINE\Software\Kugoo
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\shnv
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PCID
    HKEY_ALL_USERS\Software\Srng
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{14B3D246-6274-40B5-8D50-6C2ADE2AB29B}

  4. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the values:

    "srng"
    "kugoo"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    In the right pane, delete the values:

    "Use search Asst" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
    "Use Custom Search URL" = "0x00000000"

  6. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

    In the right pane, change the values:

    "Search Page" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
    "Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"

    to:

    "Search Page" = "http:/ /www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    "Search Bar" = "http:/ /search.msn.com/spbasic.htm"

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    In the right pane, change the values:

    "Search Assistant" = "http:/ /pop.popuptoast.com/9899/search/search.html"
    "CustomizeSearch" = ""

    to:

    "Search Assistant" = "http:/ /ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    "CustomizeSearch" = "http:/ /ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

  8. Navigate to the key:

    HKEY_ALL_USERS\Microsoft\Internet Explorer\Main

    In the right pane, change the values:

    "Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"
    "Search Page" = "http:/ /search.2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="

    to:

    "Search Bar" = "http:/ /search.msn.com/spbasic.htm"
    "Search Page" = "http:/ /www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

  9. Navigate to the key:

    HKEY_ALL_USERS\SOFTWARE\Microsoft\SearchAssistant

    In the right pane, change the value:

    "DefaultSearchURL" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="

    to:

    "DefaultSearchURL" = "http:/ /www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

  10. Navigate to the key:

    HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\SearchURL

    In the right hand pane, change the value:

    "provider" = "msn"

    to:

    "provider" = ""

  11. Navigate to the key:

    HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\URLSearchHooks

    In the right hand pane, change the value:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft"

    to:

    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = ""

  12. Exit the Registry Editor.
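
To confirm that the registry changes listed in the installation steps are gone after the removal steps above, the text of a registry export can be scanned for the same indicators. The following is an added example, not Symantec's tooling: the function names `parse_reg` and `find_shopnav` are hypothetical, the sample export is constructed, and only the CLSID, the Run value names, the vendor keys and the two search hosts named in this write-up are checked.

```python
import re

# Indicators copied from the write-up above; matching is case-insensitive.
BHO_CLSID = "{14b3d246-6274-40b5-8d50-6c2ade2ab29b}"
HIJACK_HOSTS = ("2020search.com", "popuptoast.com")
RUN_VALUES = {"srng", "kugoo"}
VENDOR_KEYS = ("\\software\\srng", "\\software\\kugoo")
SEARCH_VALUES = {"search page", "search bar", "search assistant",
                 "use search asst", "defaultsearchurl"}

def parse_reg(text):
    """Yield (key, name, data) per value in a .reg export; (key, None, None) per key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2).strip('"')

def find_shopnav(text):
    """Return sorted (reason, key, value_name) findings for the listed indicators."""
    hits = set()
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if BHO_CLSID in k:
                hits.add(("clsid", key, ""))
            elif k.endswith(VENDOR_KEYS):
                hits.add(("vendor-key", key, ""))
        elif k.endswith("\\currentversion\\run") and name.lower() in RUN_VALUES:
            hits.add(("run-value", key, name))
        elif name.lower() in SEARCH_VALUES and any(h in data.lower() for h in HIJACK_HOSTS):
            hits.add(("search-hijack", key, name))
    return sorted(hits)

# Constructed sample export (not captured from a real host): one leftover of each kind.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14B3D246-6274-40B5-8D50-6C2ADE2AB29B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srng"="C:\\Program Files\\Srng\\Srng.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"="http://2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
"Search Bar"="http://search.msn.com/spbasic.htm"
'''

if __name__ == "__main__":
    print(*find_shopnav(SAMPLE), sep="\n")
```

Version 5.00 exports written by the Registry Editor are UTF-16, so read a real export with `encoding="utf-16"` before passing its text to `find_shopnav`. An empty result means none of the listed indicators remain in the exported hive.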