[Original] () Removal method (updated)
Recently, some netizens reported that a file detected as "Software" (Kaspersky's name for it) was flagged but could not be removed. The program is located in the C:\Program Files\Searchnet folder, which contains files such as (some variants are under C:\Program Files\). It also places files in C:\WINDOWS\System32 and adds them to the system services as Remote Log. It modifies the system settings so that the user cannot display all files in a folder, and so on. These files cannot be deleted using KILLBOX.
The removal method is actually very simple: click Start, enter "c:\program files\searchnet\" in the Run box (including the double quotes) and press Enter.
The following content was added in the 12/25 update:
Because there are still no samples, I have not been able to install it and test why some netizens cannot uninstall it. I finally found an article today. It turned out that this bastard program is called Zhongsou Address. The uninstaller it provides is fake, to confuse users!
A netizen, Deadwoods of the Youth Forum, analyzed it in detail. Since the images in the original post have expired, I have edited the content slightly and reposted it here:
Kaspersky reported discovering *s today (December 19).
The latest versions of Kingsoft Antivirus and Rising Antivirus software cannot recognize this *.
The following is a feature analysis of the * horse on a machine with a genuine copy of Rising installed.
This * has the following characteristics: self-hiding, self-protection, self-recovery, network access, background upgrade, monitoring user operations, and cannot be completely deleted.
1. Hide files
This * hides the SearchNet folder under Program Files and the driver files under Drivers.
No SearchNet folder was found in Explorer
Use IceSword to discover SearchNet folders
No driver files were found in Explorer
Use IceSword to discover three driver files:
2. Hidden process
The * hides its own two processes: and
No process found and process found in Task Manager
Discover and process with IceSword
(IceSword automatically displays it in red)
Use IceSword to view the kernel module (discover the underlying driver of the *)
3. Hide the registry
This * hides all registry entries related to it:
Its registry startup key cannot be viewed with Regedit
Use IceSword to view the SearchNet_Up startup items and driver items
4. Monitor user operations
This * installs WH_MSGFILTER, WH_KEYBOARD_LL and WH_MOUSE hooks to monitor the user's every move.
Use IceSword to view the global hooks installed by SearchNet process
5. Self-protection and self-healing
This * uses driver files to protect all of its files and registry entries, which cannot be deleted even with IceSword!
6. Network access and background upgrade
The * quietly accesses the network and upgrades itself in the background, keeping itself at the latest version and avoiding detection by antivirus software.
7. Uninstall fraud
The * provides a fake uninstall method to deceive users.
When the user follows the fake uninstall method it provides, the "search addressing" uninstall entry no longer appears in Control Panel afterwards. However, viewing with IceSword shows that its files and registry entries are still in place, and its driver is still protecting it from being discovered or deleted by the user. In other words, users cannot delete this *!
8. Virus prevention and control
1. Search
Use the IceSword tool to check whether these three driver files exist in the System32\Drivers folder to determine whether you have been infected with this *.
2. Beware
The * is quietly implanted into the user's machine through the following software: 1. Internet Pig 2. Word search 3. Desktop media, etc. If you have any of this software on your machine, be careful!
3. Delete
At present, most antivirus software cannot detect and remove the *. Since the * is hidden and protected at the driver level, the latest version of Kaspersky cannot discover it while it is working quietly. Kaspersky only discovers it when it suspends its protection function and attempts to upgrade, and even then cannot delete its main files.
Users with multiple operating systems can delete all files of this * by booting into another system, which completely removes the *.
Additional suggestions from agiha
If you are infected with searchnet and the system disk is not in FAT32 format, you can download this PE tool disc, burn it to a CD, set the machine to boot from the CD-ROM drive, and delete the searchnet files.
This disc is a PE disc based on the Deep Mountain Red Leaf one, with added repair tools such as the McAfee scanner, F-Prot scanner, SPYBOT and AD-aware, which can be updated.
Start the network before use.
Download link: /odin/
An alternative is the Dwarf DOS tool (provided by: Xuanyuan 8300).
Download link: /odin/
How to use Dwarf DOS:
Download (nonsense)
Unzip (again)
Click to install (Boss...)
When installing, choose the custom option to set how long the boot menu stays on screen. The default is 1 second, and it is recommended to change it to 4 seconds, because some ordinary monitors are slow to display when they are turned on, so the boot menu may not be visible.
Then set a password, and it is recommended to use a password you are familiar with. Then click NEXT all the way to the end.
After restarting, you will see the XP boot menu, provided that you have set enough time. There is an extra "My DOS Toolbox" entry below the normal XP boot menu entry; just select this one.
After selecting, a selection menu will appear. Please select Start from DOS and enter your password.
Then you will be prompted to load drivers. Here only the NTFS partition driver is needed; the other drivers are not. Then select Start.
When starting, pay attention to the loading information of NTFS. Generally speaking, your original C drive will become D drive, and so on.
Now you can go in and delete those unwanted junk files.
(Written from memory, so it may not be correct. If there are any errors, please PM me!)
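The analysis above finds the hidden folder and drivers by comparing what Explorer shows with what IceSword shows, and the removal advice relies on booting another system where the original C drive appears as D. The same cross-view comparison can be done on two saved directory listings, as in this added example (not part of the original post). It assumes both listings are `dir /s /b /a` style output, and the file names in the sample data are constructed placeholders because the page does not give the real ones.

```python
from pathlib import PureWindowsPath

# Locations named in the article. The file names inside them are elided on
# the page, so the sample data below uses constructed placeholder names.
WATCHED = ("program files\\searchnet", "windows\\system32\\drivers")

def parse_listing(text, drive):
    """Parse `dir /s /b /a` style output into drive-relative, lower-cased paths."""
    paths = set()
    for line in text.splitlines():
        p = PureWindowsPath(line.strip())
        if p.drive.lower() != drive.lower():
            continue  # blank lines, other volumes (e.g. the boot CD itself)
        paths.add("\\".join(p.parts[1:]).lower())
    return paths

def hidden_entries(live_text, offline_text, live_drive="C:", offline_drive="D:"):
    """Paths present in the offline view but missing from the live view."""
    live = parse_listing(live_text, live_drive)
    offline = parse_listing(offline_text, offline_drive)
    return sorted(offline - live)

def triage(hidden):
    """Split hidden paths into (under a watched location, everything else)."""
    def watched(path):
        return any(path == w or path.startswith(w + "\\") for w in WATCHED)
    return [p for p in hidden if watched(p)], [p for p in hidden if not watched(p)]

# Constructed sample listings (not taken from a real infection).
LIVE = r"""
C:\Program Files\Common Files
C:\WINDOWS\system32\drivers\disk.sys
C:\WINDOWS\system32\drivers\ntfs.sys
"""
OFFLINE = r"""
D:\Program Files\Common Files
D:\Program Files\SearchNet
D:\Program Files\SearchNet\placeholder-app.exe
D:\WINDOWS\system32\drivers\disk.sys
D:\WINDOWS\System32\Drivers\placeholder-drv.sys
D:\WINDOWS\system32\drivers\ntfs.sys
D:\temp\new.txt
X:\tools\readme.txt
"""

if __name__ == "__main__":
    suspect, other = triage(hidden_entries(LIVE, OFFLINE))
    print("hidden in watched locations:", *suspect, sep="\n  ")
    print("other differences (review manually):", *other, sep="\n  ")
```

Entries outside the watched locations are reported separately because files created between the two snapshots also show up as differences.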