Spyware.2020search

Updated: February 13, 2007 11:39:10 AM
Type: Spyware
Version: 1.1.1.0
Publisher: Visicom Media
Risk Impact: High
File Names: 2020setup.exe Svchost.exe 2020Search.dll 2020search2.dll Srng.exe
Systems Affected: Windows

Behavior


Spyware.2020search is a search hijacker that is installed as a Browser Helper Object Toolbar in Microsoft Internet Explorer. Certain address bar searches and unknown domain name searches will be redirected to the program's controlling servers.

During installation, the spyware requests several files and sends the computer's IP address and operating system version to a server. It comes bundled with, and installs, Spyware.Shopnav.

Symptoms


The files are detected as Spyware.2020search.

Transmission


This spyware is bundled with various programs.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version January 29, 2018 revision 022
  • Initial Daily Certified version September 03, 2004
  • Latest Daily Certified version January 30, 2018 revision 002
  • Initial Weekly Certified release date September 08, 2004

When Spyware.2020search is executed, it performs the following actions:

  1. Replaces Internet Explorer's Search pane with a search page at pop.popuptoast.com/9908/search/search.html.

  2. Installs a new Internet Explorer toolbar.

  3. Downloads Svchost.exe from www.2020search.com/9908/install.

  4. When Internet Explorer is opened, downloads the file 2020search2tb0200.cfg from www.2020search.com/9908/toolbar.

  5. Creates the following files:

    • %ProgramFiles%\Srng\Srng.exe (this is the bundled Spyware.Shopnav).
    • %Windir%\svchost.exe (A component of Spyware.Shopnav that checks for new versions of Spyware.Shopnav, and downloads and updates newer versions when available. This is detected as Spyware.Shopnav).
    • %Windir%\2020search2.dll (the 2020search toolbar itself detected as Spyware.2020search).

      Notes:
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  6. Creates the folder:

    %ProgramFiles%\Dynamic Toolbar

  7. Adds the value:

    "Srng"="C:\Program Files\Srng\Srng.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the main Spyware.Shopnav executable runs when you start Windows.

  8. Registers the file 2020search2.dll so that it is integrated into Internet Explorer.

  9. Creates some of the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}
    HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}
    HKEY_CLASSES_ROOT\CLSID\{FC3A74E5-F281-4F10-AE1E-733078684F3C}
    HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
    HKEY_CLASSES_ROOT\Interface\{02CB16D1-4CA7-47FF-8546-C5E925DF33D6}
    HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
    HKEY_CLASSES_ROOT\TypeLib\{E306B3C1-3C68-4EFA-9EBC-0B99C6A918C2}
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem.1
    HKEY_CLASSES_ROOT\Pugi.PugiObj
    HKEY_CLASSES_ROOT\Pugi.PugiObj.1
    HKEY_CLASSES_ROOT\Downloader.Downloader
    HKEY_CLASSES_ROOT\Downloader.Downloader.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020Search2020Search
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search
    HKEY_CURRENT_USER\Software\2020Search

  10. Adds the value:

    "[default]" = "{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

The following instructions pertain to all Symantec antivirus products that support Security Risk detection.

  1. Update the definitions.
  2. Run a full system scan.
  3. Delete the value that was added to the registry.
  4. Uninstall the 2020search toolbar.
  5. Unregister the DLL.
  6. Restore the original settings for Internet Explorer.
  7. Delete the related files and folders.
For specific details on each of these steps, read the following instructions.

1. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

2. To run the scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected as Spyware.Shopnav or Spyware.2020search, you may see one or more of the following options, depending on which software version you are using:

    Note: This applies only to versions of Norton AntiVirus that support Security Risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports Security Risk detection, and Security Risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    • Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it for removal.

    • Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the risk that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

        If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer.


3. To delete the value from the registry

Important:
Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Srng" = "C:\Program Files\Srng\Srng.exe"

  5. Navigate to the subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

  6. In the right pane, delete the value:

    "[default]" = "{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}"

  7. Navigate to and delete the following keys:

    HKEY_CLASSES_ROOT\CLSID\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}
    HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}
    HKEY_CLASSES_ROOT\CLSID\{FC3A74E5-F281-4F10-AE1E-733078684F3C}
    HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
    HKEY_CLASSES_ROOT\Interface\{02CB16D1-4CA7-47FF-8546-C5E925DF33D6}
    HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
    HKEY_CLASSES_ROOT\TypeLib\{E306B3C1-3C68-4EFA-9EBC-0B99C6A918C2}
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem.1
    HKEY_CLASSES_ROOT\Pugi.PugiObj
    HKEY_CLASSES_ROOT\Pugi.PugiObj.1
    HKEY_CLASSES_ROOT\Downloader.Downloader
    HKEY_CLASSES_ROOT\Downloader.Downloader.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020Search2020Search
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search
    HKEY_CURRENT_USER\Software\2020Search

  8. Exit the Registry Editor.


4. To uninstall the 2020search toolbar
  1. Start Microsoft Internet Explorer.
  2. On the 2020search toolbar, click the Menu button and select Uninstall from the drop-down menu.


5. To unregister the DLL
  1. Click Start > Run.
  2. Type, or copy and paste, the following text:

    regsvr32 /u "%Windir%\2020search2.dll"

    then click OK.

  3. If a dialog box confirming this action appears, click OK.


6. To restore the original settings for Internet Explorer
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  4. In the right pane, modify the value:

    "Start Page" to "http://www.msn.com"

  5. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  6. In the right pane, modify the value:

    "SearchAssistant" to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"

  7. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  8. In the right pane, modify the value:

    "CustomizeSearch" to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"

  9. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  10. In the right pane, modify the value:

    "Search Bar" to ""

  11. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

  12. In the right pane, modify the value:

    "Search Page" to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

  13. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main

  14. In the right pane, modify the value:

    "Search Page" to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

  15. Exit the Registry Editor.


7. To delete the related files and folders
  1. Navigate to %ProgramFiles%.
  2. Delete the folders "Dynamic Toolbar" and "Srng" and all the files contained within those folders.
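
To confirm after the removal steps above that nothing listed in this write-up remains, the following read-only PowerShell check reports every file, folder, registry key and registry value from the lists on this page that is still present. It is an added example, not part of the original Symantec instructions; the function name Get-2020SearchArtifact is made up for illustration, and all paths, value names and GUIDs are copied from the page.

```powershell
# Read-only check: changes nothing. Indicators are copied from this page; the function name is hypothetical.
function Get-2020SearchArtifact {
    $clsid = '{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}'
    $found = @()
    # Files and folders. A genuine svchost.exe lives in System32, not directly in %Windir%.
    $paths = 'Srng\Srng.exe', 'Dynamic Toolbar', 'Srng' |
        ForEach-Object { Join-Path $env:ProgramFiles $_ }
    $paths += 'svchost.exe', '2020search2.dll' | ForEach-Object { Join-Path $env:windir $_ }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $found += "path:  $p" }
    }
    # Registry keys created by the toolbar.
    $keys = @(
        "HKEY_CLASSES_ROOT\CLSID\$clsid"
        'HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}'
        'HKEY_CLASSES_ROOT\CLSID\{FC3A74E5-F281-4F10-AE1E-733078684F3C}'
        'HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}'
        'HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}'
        'HKEY_CLASSES_ROOT\Interface\{02CB16D1-4CA7-47FF-8546-C5E925DF33D6}'
        'HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}'
        'HKEY_CLASSES_ROOT\TypeLib\{E306B3C1-3C68-4EFA-9EBC-0B99C6A918C2}'
        'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020Search2020Search'
        'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search'
        'HKEY_CURRENT_USER\Software\2020Search'
    )
    $keys += 'GoRSDN.ContextItem', 'Pugi.PugiObj', 'Downloader.Downloader' |
        ForEach-Object { "HKEY_CLASSES_ROOT\$_"; "HKEY_CLASSES_ROOT\$_.1" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath "Registry::$k") { $found += "key:   $k" }
    }
    # Run value that starts Srng.exe when Windows starts.
    $run = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $rk = Get-Item -LiteralPath "Registry::$run" -ErrorAction SilentlyContinue
    if ($rk -and $null -ne $rk.GetValue('Srng')) { $found += "value: $run\Srng" }

    # Toolbar registration: match the CLSID as a value name or as value data.
    foreach ($t in 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                   'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser') {
        $tk = Get-Item -LiteralPath "Registry::$t" -ErrorAction SilentlyContinue
        if (-not $tk) { continue }
        foreach ($n in $tk.GetValueNames()) {
            if ($n -eq $clsid -or "$($tk.GetValue($n))" -eq $clsid) { $found += "value: $t [$n]" }
        }
    }
    $found
}
Get-2020SearchArtifact | ForEach-Object { Write-Output "STILL PRESENT  $_" }
```

No output means none of the listed artifacts were found. On 64-bit Windows a 64-bit PowerShell session reads the 64-bit registry view, so entries a 32-bit installer wrote under WOW6432Node are not covered by these paths.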