Hijacked Error Page Assistant-SRNG05

Craif Cleveland, Ohio ("round on the ends, high in the middle")
edited June 2004 in Spyware & Virus Removal
:rant: Help!!! Need new ideas on getting rid of a web page re-direction problem whenever an invalid address is entered. When this happens, the web page will begin to be redirected to:
http://srng05.srng.net/apps/epa/epa?cid=shnv9887&s=www.att.n
("www.att.n" represents the bad web address)

Then, 2 seconds later, it will end at this page
http://search2.shopnav.com/apps/epa/epa?cid=shnv9887&s=www.att.n

I have followed all of the instructions for removing SRNG05 spyware. I don't have a subdirectory "SNRG" off of my "program files" directory. I don't have any entries in my "run" entries in my registry. I have removed all references to both main web addresses (as above) in my registry. Even after doing this, it reappears.

I am no lightweight with resolving stuff like this, but this problem is eluding me. I am slightly annoyed now and beating my head against the wall :banghead: . So, who's up for the challenge?

Also, I have used the following detection methods:
bazookasetup.exe
CWShredder.exe
remover.exe
spybotsd12.exe
xcleaner_free.exe
spywareguardsetupmin.exe
NAV 2004
RemoveSHOPNAV.exe (<---yea, this is a joke)

Comments

  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Have you given this a shot?
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    Absolutely. This was my starting point, as always. My computer has none of the files listed in this Symantec bulletin. This is why I'm pulling my hair out!!!!
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Want to give HiJackThis a try?

    I found the PestPatrol removal instructions. They might be better than Symantec's.
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    I have done all of the PestPatrol instructions; however, most of them are redundant of Symantec's instructions. None of the files referred to for removal exist on my computer in the locations that they specify. No luck!

    Where is HiJack?
    Mr. Kwitko wrote:
    Want to give HiJackThis a try?

    I found the PestPatrol removal instructions. They might be better than Symantec's.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Add the following to your hosts file:

    127.0.0.1 srng05.srng.net
    127.0.0.1 search2.shopnav.com

    Reset your home page to whatever you had before, then follow these instructions from PestPatrol on clearing a hijack.
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    What do you mean by "add the following to your host..."

    I already did the PestPatrol hijack clearing thingy. No luck. :banghead:
    Mr. Kwitko wrote:
    Add the following to your hosts file:

    127.0.0.1 srng05.srng.net
    127.0.0.1 search2.shopnav.com

    Reset your home page to whatever you had before, then follow these instructions from PestPatrol on clearing a hijack.
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    If you're using Windows2K/NT/XP, go to your Windows folder (Windows or WinNT), navigate to system32\drivers\etc and open the hosts file with a text editor. Add those two lines in and save.

    If you're using Win9x, hosts is located in c:\Windows.

    If the file isn't already there, create it with a text editor. It does not have an extension.

    Restart your browser. The hosts file is used by DNS as a way for users to specify IP addresses for certain sites. It can be used for legitimate purposes or by scumware to redirect search sites, like pointing Google to www.wearethea**holesthathijackedyourbrowser.com. By directing sites to localhost (127.0.0.1), you're never actually connecting to them.
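
An added example, not part of the original thread: a small Python audit of a hosts file that separates the loopback "sinkhole" entries suggested above from entries that redirect a name to some other address. The sample file and the 192.0.2.10 redirect line are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two sinkhole lines from the post, plus one
# constructed redirect (192.0.2.10 is a documentation-only address).
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1 localhost
127.0.0.1 srng05.srng.net
127.0.0.1 search2.shopnav.com
192.0.2.10 www.google.com google.com  # constructed redirect
not-an-ip broken.example
"""

def audit_hosts(text):
    """Return (line_no, kind, address, names) for every non-localhost entry.

    kind is 'sinkhole' (loopback or 0.0.0.0), 'redirect' (any other
    address, worth a manual look) or 'malformed' (first field not an IP).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "malformed", fields[0], fields[1:]))
            continue
        names = [n.lower() for n in fields[1:] if n.lower() != "localhost"]
        if not names:
            continue                          # plain localhost line
        sink = addr.is_loopback or addr.is_unspecified
        findings.append((lineno, "sinkhole" if sink else "redirect",
                         str(addr), names))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

To check a real machine, pass the contents of the hosts file from the locations given above to `audit_hosts`.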
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    Okay. Gotcha... It successfully stops it from loading that page, but I'm still being hijacked.
  • Dexter Vancouver, BC Canada
    edited May 2004
    Please download Hijack This from our security downloads section. Run a scan, and save a text copy of the log. Post it here for us to review.

    Dexter...
  • Craif Cleveland, Ohio ("round on the ends, high in the middle")
    edited May 2004
    Here 'tis. I notice the typical entries for the "search" hijackers. It has been deleted before, only to reappear.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:53:42 AM, on 5/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\GMW\gmw6.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Program Files\Norton AntiVirus\OPScan.exe
    C:\Downloads\Spyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08311416925441216
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08311416925441216
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.att.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: SpywareGuard.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {3BFF8629-4839-11D7-89C9-001083024791} (Project1.Pic1) - http://auditor.cuyahoga.oh.us/auditor/repi/sketch/Sketch.ocx
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D957860-F106-49A1-8CC9-5E476C118491}: NameServer = 66.73.20.40 206.141.193.55
  • edited June 2004
    Sir,

    Were you able to fix this problem?
    I'm having exactly the same problem!!
    Please let me know if you've found a fix

    Mark
  • Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited June 2004
    There are still a few baddies in there:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat...311416925441216
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat...311416925441216
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.att.net/
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
    GSim Hijacker
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
    Peper orphaned toolbar BHO.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
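
An added example, not part of the original thread and not HijackThis's own logic: a Python triage pass over HijackThis log lines that picks out the kinds of entries flagged in the reply above (search URLs on unfamiliar hosts, an unnamed BHO loaded from the Windows directory, entries whose file is missing, IE policy restrictions). The heuristics and the `trusted_hosts` parameter are assumptions for illustration; the sample lines are copied from the log posted in this thread.

```python
import re
from urllib.parse import urlsplit

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
WINDOWS_ROOT_FILE = re.compile(r"c:\\windows\\[^\\]+", re.I)

# Lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08311416925441216
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

def triage(log, trusted_hosts):
    """Return (code, reason, detail) tuples for entries worth a manual look."""
    hits = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue                      # headers, process list, blanks
        code, rest = m.groups()
        if code in ("R0", "R1") and " = " in rest:
            # IE start/search settings: check the URL's host against the
            # reviewer's own list of expected sites (an assumption here).
            host = urlsplit(rest.split(" = ", 1)[1]).hostname
            if host and host not in trusted_hosts:
                hits.append((code, "untrusted URL host", host))
        elif code in ("O2", "O3"):
            path = rest.rsplit(" - ", 1)[-1]
            if path.endswith("(file missing)"):
                hits.append((code, "target file missing", path))
            elif "(no name)" in rest and WINDOWS_ROOT_FILE.fullmatch(path):
                hits.append((code, "unnamed BHO in Windows root", path))
        elif code == "O6":
            hits.append((code, "IE policy restrictions set", rest))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, trusted_hosts={"www.att.net"}):
        print(hit)
```

Every hit is a prompt for manual review, not a verdict: the Adobe BHO in the sample is also "(no name)" but is left alone because it loads from its own Program Files folder.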