Recommended searchnet.exe (trojan-spy.agent.iw) cleanup method (updated)

Source: Internet
Author: User

Original post: searchnet.exe (trojan-spy.agent.iw) cleanup method (updated)
Recently some users reported that a file called searchnet.exe was detected but could not be removed (Kaspersky names it trojan-spy.agent.iw). The program is located in the C:\Program Files\searchnet folder, which contains the files searchnet.exe, ServerHost.exe, serveup.exe and srvnet32.dll (in some variants searchnet.exe sits directly under C:\Program Files). There is also a servehost.exe file in C:\WINDOWS\system32, and it registers itself as a system service named Remote Log. It modifies system settings so that the user cannot show all files in the folder. These files cannot be deleted with KILLBOX.
The cleanup method is actually very simple: click Start, open Run, enter "c:\program files\searchnet\uninstall.exe" (including the double quotation marks) and press ENTER.
The following content was updated on November 12/25:
I could not install and test it earlier because I had no sample. Today I finally found an article. It turns out that this nasty program is called the zhongsuo address bar, and the uninstaller it provides is fake, meant to confuse users!!
The user Deadwoods of the Youth Forum analyzed it in detail. As the images in the original post have expired, I have edited the content slightly and reposted it:
Today Kaspersky reported that a Trojan had been found (January 1, December 19).
Neither Kingsoft antivirus nor Rising antivirus can recognize this Trojan horse.
The following is a feature analysis of the Trojan on a machine with Rising antivirus installed.
This Trojan has the following features: self-hiding, self-protection, self-recovery, network access, background upgrades, monitoring of user operations, and it cannot be completely deleted.
1. Hidden files
The Trojan hides the SearchNet folder under Program Files and its driver files under Drivers.
The SearchNet folder is not found in Windows Explorer.
Use IceSword to find the SearchNet folder.
The driver files are not found in Windows Explorer.
Use IceSword to find the three driver files: FAD.sys, Anfad.sys, hProcess.sys
2. Hidden processes
The Trojan hides two processes: SearchNet.exe and ServeHost.exe.
The searchnet.exe and ServeHost.exe processes are not found in Task Manager.
Use IceSword to find the searchnet.exe and ServeHost.exe processes
(IceSword automatically displays them in red)
Use IceSword to view the kernel modules (the Trojan's underlying driver is found there)
3. Hidden registry entries
The Trojan hides all the registry entries related to it:
Regedit cannot show the Trojan's startup key.
Use IceSword to view the SearchNet_Up startup item and the FAD.sys, Anfad.sys and hProcess.sys driver entries.
4. Monitoring of user operations
The Trojan installs WH_MSGFILTER, WH_KEYBOARD_LL and WH_MOUSE hooks, which monitor every action of the user.
Use IceSword to check the global hooks installed by the SearchNet process.
5. Self-protection and self-repair
The Trojan uses the driver files FAD.sys, Anfad.sys and hProcess.sys to protect all of its files and registry entries; they cannot even be deleted with IceSword!
6. Network access and background upgrade
The Trojan quietly accesses the network and upgrades itself in the background to stay at the latest version, evading detection and removal by antivirus software.
7. Uninstall spoofing
The Trojan provides a fake uninstall method to fool the user.
After the user runs the fake uninstaller the Trojan provides, the uninstall entry disappears from the Control Panel. However, when you look with IceSword, its files and registry entries remain intact in their original places, and its driver is still protecting it from being discovered or deleted by the user. In other words, the user cannot delete this Trojan!
8. Prevention and control
1. Search
You can use the IceSword tool to check whether the FAD.sys, Anfad.sys and hProcess.sys drivers exist in the System32\Drivers folder to determine whether the machine is infected with the Trojan.
2. Be vigilant
The Trojan quietly implants itself on user machines through the following software: 1. Internet pig 2. Word search 3. Desktop Media. If you have any of these on your machine, be careful!
3. Deletion
Currently most antivirus software cannot detect or remove the Trojan. Because the Trojan is hidden and protected at the driver level, even the latest version of Kaspersky cannot find it while it is quietly working. It is only detected when it suspends its protection to upgrade itself; even then, the main file cannot be deleted.
Users with multiple operating systems can boot into another system, delete all the Trojan's files, and clear it completely.
Additional suggestions from agiha
If the system disk is not in FAT32 format, you can download the PE tool disc, burn it to a CD, set the machine to boot from the optical drive, and delete the searchnet files.
This disc is based on the "mountains and red leaves" PE disc, with the following repair tools added: McAfee scanner, F-Prot scanner, SPYBOT and Ad-Aware.
Start the network before use.
Link: http://www.gubei.net/odin/winpe1.rar
An alternative is the dwarf DOS toolbox (provided by xuanyuan 8300)
Link: http://www.gubei.net/odin/dos.rar
How to use the dwarf DOS toolbox:
Download (obviously)
Decompress (obviously)
Click to install (boss ......)
During installation you can customize how long the boot menu is shown. The default is 1; we recommend changing it to 4, because some monitors are slow to come on at startup and the boot menu may otherwise not be visible.
Next, set a password. We recommend one you are familiar with. Then click NEXT to finish.
After restarting you will see the XP boot menu, provided you have set enough time. Below the normal XP boot menu entry there is one more, "My dostoolbox". Select it.
After selecting it, a menu appears. Select Start from DOS and enter the password.
The system will prompt you to load drivers. Only the NTFS partition driver is needed here; the others are not. Then select Start.
While it starts, pay attention to the NTFS loading messages. Usually your original C drive becomes drive D, and so on.
Now you can delete the junk (LJ) files you don't want.
(This is written from memory and may not be entirely accurate. If something is wrong, please PM me.)
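As an added example (not code from the original post or from Deadwoods' analysis), the following Python script checks a Windows host for the indicators the analysis above names: the three driver files under System32\Drivers, the searchnet folder and servehost.exe, the two process names, and the SearchNet_Up startup value. The location of the startup value under the Run key and the use of tasklist to list processes are my assumptions; the names themselves are the ones the post gives.

```python
# Added example, not from the original post: checks a Windows host for the
# searchnet indicators the analysis names. Run key location is an assumption.
import os
import subprocess

DRIVER_DIR = "C:\\WINDOWS\\system32\\Drivers\\"
DRIVER_FILES = ["FAD.sys", "Anfad.sys", "hProcess.sys"]
FILES = ["C:\\Program Files\\searchnet", "C:\\WINDOWS\\system32\\servehost.exe"]
PROCESSES = {"searchnet.exe", "servehost.exe"}
RUN_VALUE = "SearchNet_Up"
RUN_KEY = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"   # assumed location


def check_indicators(existing_paths, running_processes, run_values):
    """Pure check: returns sorted findings for the indicators that are present.
    Matching is case-insensitive, as NTFS paths and registry names are."""
    present = {p.lower() for p in existing_paths}
    procs = {p.lower() for p in running_processes}
    values = {v.lower() for v in run_values}
    findings = []
    for drv in DRIVER_FILES:
        if (DRIVER_DIR + drv).lower() in present:
            findings.append("driver file present: " + DRIVER_DIR + drv)
    for f in FILES:
        if f.lower() in present:
            findings.append("file present: " + f)
    for proc in PROCESSES & procs:
        findings.append("process running: " + proc)
    if RUN_VALUE.lower() in values:
        findings.append("startup value present: " + RUN_VALUE)
    return sorted(findings)


def collect_live():
    """Gathers the three inputs from a live Windows host through normal APIs.
    The post's driver hides files, processes and keys from exactly these views,
    so an empty result is not proof of a clean host; a hit, however, is real."""
    import winreg  # Windows-only; imported here so the pure check runs anywhere
    paths = [p for p in FILES + [DRIVER_DIR + d for d in DRIVER_FILES] if os.path.exists(p)]
    out = subprocess.check_output(["tasklist", "/fo", "csv", "/nh"], text=True)
    procs = [ln.split('","')[0].strip('"') for ln in out.splitlines() if ln.strip()]
    values = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        with winreg.OpenKey(hive, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                values.append(winreg.EnumValue(key, i)[0])
    return paths, procs, values


if __name__ == "__main__":
    for line in check_indicators(*collect_live()) or ["no searchnet indicators found"]:
        print(line)
```

Because the rootkit driver filters the same API views this script uses, a clean result only means nothing is visible from inside the running system; the booted-from-another-OS check the post recommends remains the authoritative one.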
