[Original] Searchnet.exe (Trojan-Spy.Agent.iw) cleanup method (with update)
Recently some netizens on the forum reported that a file named Searchnet.exe on their computer is flagged by their antivirus but cannot be removed (Kaspersky names it Trojan-Spy.Agent.iw). The program lives in the C:\Program Files\searchnet folder, which contains files such as Searchnet.exe, ServerHost.exe, Serveup.exe and Srvnet32.dll (in some variants Searchnet.exe sits directly under C:\Program Files\). There is also a servehost.exe in C:\WINDOWS\System32, which registers itself as a system service for remote login. It modifies system settings so that the user cannot display all files in a folder. These files cannot be deleted even with KillBox.
The cleanup method is actually very simple: Start, Run, type "C:\Program Files\searchnet\uninstall.exe" (including the double quotes) and press Enter.
Update, 12/25:
Having had no sample all along, I could not install it and test why some netizens were unable to uninstall it. Today I finally found an article: it turns out the wretched program is called "search address", and the uninstall program it provides is a fake meant to fool users!!
Netizen Deadwoods of the Youth Forum posted a detailed analysis. Since the images in the original post are no longer available, I have lightly edited the text and reposted it here:
Kaspersky reported a Trojan horse today (December 19).
The latest versions of Kingsoft AntiVirus (Jinshan Duba) and Rising do not yet recognize this Trojan.
The following are the characteristics of the Trojan as observed on a machine with a genuine copy of Rising installed.
The Trojan has the following characteristics: self-concealment, self-protection, self-recovery, network access, background updates, monitoring of user operations, and it cannot be completely deleted.
I. Hidden files
The Trojan hides the Searchnet folder under Program Files and its driver files under Drivers.
The Searchnet folder is not found in Explorer.
The Searchnet folder can be found with IceSword.
No driver files are found in Explorer.
Three driver files are found with IceSword: Fad.sys, Anfad.sys, Hprocess.sys.
II. Hidden processes
The Trojan hides its own two processes: SearchNet.exe and ServeHost.exe.
The SearchNet.exe and ServeHost.exe processes are not found in Task Manager.
The SearchNet.exe and ServeHost.exe processes are discovered with IceSword.
(IceSword automatically displays them in red.)
Viewing the kernel modules with IceSword reveals the Trojan's underlying driver.
III. Hidden registry entries
The Trojan hides all registry entries associated with it:
The registry startup entries cannot be viewed with Regedit.
With IceSword one can see the Searchnet_up startup item and the Fad.sys, Anfad.sys and Hprocess.sys drivers.
IV. Monitoring user actions
The Trojan installs WH_MSGFILTER, WH_KEYBOARD_LL and WH_MOUSE hooks and monitors the user's every move.
With IceSword one can see the global hooks installed by the searchnet process.
V. Self-protection and self-healing
The Trojan uses the driver files Fad.sys, Anfad.sys and Hprocess.sys to protect all of its files and registry entries; they cannot be deleted even with IceSword!
VI. Network access and background updates
The Trojan can quietly access the network and update itself in the background to stay at its latest version and escape detection by antivirus software.
VII. Fake uninstall
The Trojan provides a fake uninstall method to deceive the user.
If the user follows the fake uninstall method it provides, the "search site" uninstall entry disappears from the Control Panel afterwards, but a look with IceSword shows that its files and registry entries are all kept intact in place, and its driver still protects them, so they are neither found nor deleted by the user. In other words, users cannot delete this Trojan!
VIII. Prevention and control
1. Detection
Use the IceSword tool to check whether the three driver files Fad.sys, Anfad.sys and Hprocess.sys exist in the System32\Drivers folder; that tells you whether you have this Trojan.
2. Vigilance
The Trojan is quietly implanted into users' machines through the following software: 1. Network Pig, 2. Word Search, 3. Desktop Media, etc. If you have any of these on your machine, be careful!
3. Deletion
At present most antivirus software cannot kill this Trojan. Because the Trojan implements its hiding and protection at driver level, the latest version of Kaspersky cannot find it while it works quietly; only when it suspends its protection to attempt an update is it detected, and even then its main files cannot be deleted.
Users with more than one operating system can boot into the other system and remove all of the Trojan's files, which removes the Trojan completely.
Additional suggestions from Agiha: if you are infected with searchnet and your system disk is not FAT32, you can download the PE tool disk, burn it to a CD, set the machine to boot from the CD drive, and then delete the searchnet files.
This CD is built on the basis of Mountains' PE CD, with an updatable McAfee scanner, the F-Prot scanner, and the Spybot and Ad-Aware repair tools added.
Start the network first before using it.
Download link: Http://www.gubei.net/odin/winpe1.rar
Alternative: the Dwarf DOS toolbox (provided by: Shaft 8300)
Download link: Http://www.gubei.net/odin/dos.rar
How to use Dwarf DOS:
Download it (obviously).
Unpack it (again, obviously).
Click to install (come on...).
During installation choose Custom; there you can set how long the boot menu waits. The default is 1 second; I recommend 4 seconds, because some ordinary monitors come up slowly at boot and you might otherwise never see the boot menu.
Then set a password; I advise using one you are familiar with. After that just click Next until the end.
When you reboot you will see the XP boot menu, provided you set enough time. Below the normal XP entry there is an extra entry, "My DOS toolbox"; choose that one.
A selection menu appears; choose "Start from DOS" and enter the password.
You are then prompted about loading drivers; we only need the NTFS partition driver, none of the others. Then select Start.
While it starts, pay attention to the NTFS loading information: usually your original C: drive becomes D:, and so on.
Now you can go in and delete the unwanted junk files.
(Written from memory, may not be entirely correct; if something is wrong, please PM me and let me know.)
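The indicator list in section VIII.1 (the three driver files, the Searchnet folder, the Searchnet_up startup item, the "cannot show all files" symptom) and Agiha's advice to work from a PE boot both boil down to one check that has to be run from outside the infected OS. The script below is an added example written for this page; it is not code from the original post, from Deadwoods, from Agiha, or from IceSword or any other tool named here. It assumes (my assumptions, not the post's) that the driver service keys are named after the driver files (fad, anfad, hprocess) and that the hidden-files symptom is the common trick of setting Explorer's SHOWALL\CheckedValue to 0; the script and parameter names are invented for the example.

```powershell
# Find-Searchnet.ps1: check a Windows installation for the Searchnet
# indicators listed in the post. Added example, not from the original post.
# Assumptions (mine): driver service keys are named fad / anfad / hprocess,
# and the "cannot show all files" symptom is SHOWALL\CheckedValue set to 0.
#
# From inside the (possibly infected) system:
#   .\Find-Searchnet.ps1
# From a PE or second Windows with the infected disk mounted as D:
#   .\Find-Searchnet.ps1 -SystemRoot 'D:\WINDOWS' -ProgramFiles 'D:\Program Files'
# Loading offline hives needs an elevated prompt.
param(
    [string]$SystemRoot   = $env:SystemRoot,
    [string]$ProgramFiles = $env:ProgramFiles
)

$drivers  = 'fad.sys', 'anfad.sys', 'hprocess.sys'
$findings = @()
$offline  = ($SystemRoot -ne $env:SystemRoot)

# 1. Files and folders the post names. Test-Path uses the normal Win32 file
#    API, so a running rootkit can make these checks lie; that is why the
#    offline mode exists.
$paths  = @(Join-Path $ProgramFiles 'searchnet')
$paths += Join-Path $ProgramFiles 'searchnet.exe'          # variant location
$paths += Join-Path $SystemRoot   'System32\servehost.exe'
foreach ($d in $drivers) { $paths += Join-Path $SystemRoot "System32\drivers\$d" }
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "present: $p" }
}

# 2. Registry: driver service keys, the Searchnet_up Run value and the
#    Explorer "show all files" setting. Offline, load the hives from the
#    mounted disk under temporary key names so the running OS cannot filter them.
if ($offline) {
    reg load HKLM\OffSYSTEM   (Join-Path $SystemRoot 'System32\config\SYSTEM')   | Out-Null
    reg load HKLM\OffSOFTWARE (Join-Path $SystemRoot 'System32\config\SOFTWARE') | Out-Null
    $sys = 'HKLM:\OffSYSTEM'; $soft = 'HKLM:\OffSOFTWARE'
    # An offline SYSTEM hive has no CurrentControlSet link; resolve it via Select\Current.
    $n   = (Get-ItemProperty -LiteralPath "$sys\Select").Current
    $ccs = '{0}\ControlSet{1:D3}' -f $sys, $n
} else {
    $sys = 'HKLM:\SYSTEM'; $soft = 'HKLM:\SOFTWARE'
    $ccs = "$sys\CurrentControlSet"
}
try {
    foreach ($d in $drivers) {
        $name = [IO.Path]::GetFileNameWithoutExtension($d)   # assumed service name
        $key  = "$ccs\Services\$name"
        if (Test-Path -LiteralPath $key) {
            $img = (Get-ItemProperty -LiteralPath $key).ImagePath
            $findings += "service key: $key (ImagePath=$img)"
        }
    }
    $runKey = "$soft\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Searchnet_up']) {
        $findings += "Run value Searchnet_up = $($run.Searchnet_up)"
    }
    $showall = "$soft\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
    $cv = (Get-ItemProperty -LiteralPath $showall -ErrorAction SilentlyContinue).CheckedValue
    if ($null -ne $cv -and $cv -ne 1) {
        $findings += "SHOWALL\CheckedValue is $cv (should be 1): 'Show hidden files' has been sabotaged"
    }
} finally {
    if ($offline) {
        reg unload HKLM\OffSYSTEM   | Out-Null
        reg unload HKLM\OffSOFTWARE | Out-Null
    }
}

if ($findings.Count -eq 0) {
    if ($offline) { 'No Searchnet indicators found on the offline disk.' }
    else { 'Nothing visible from inside this OS. Against a driver-level rootkit that proves little; re-check offline or with IceSword.' }
} else {
    $findings
}
```

The point of the offline mode is the one the post makes in sections I to III and VIII.3: while the drivers are loaded, Explorer, Task Manager, Regedit and any script that uses the same APIs will report a clean machine, so a negative result from inside the infected system is not evidence of anything. Run the check with the disk mounted under a PE or a second Windows, and if it fires, delete the files and service keys from there, which is the same operation the PE and Dwarf DOS instructions above perform by hand.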