Internet Security Source provides daily updates on Internet Threats, Viruses, Worms, Trojans, Spyware and Adware. Subscribe to our newsletter and receive daily updates on threats on the internet.

Adware.SearchNet

Friday, June 27 2008

Symantec Security Response

http://www.symantec.com/business/security_response/index.jsp

Adware.SearchNet

Updated: February 13, 2007 11:50:44 AM
Type: Adware
Risk Impact: High
File Names: Anfad.sysFAD.sysSNHpr.dllSearchNet.exeServeHost.datServeHost.exeServeUp.exeSrvNet32.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

SUMMARY

Behavior


Adware.SearchNet is a Browser Helper Object that replaces the default search page in Internet Explorer.

Symptoms


Your Symantec program detects Adware.SearchNet.

Transmission


Adware.SearchNet must be manually installed.

Protection

  • Initial Rapid Release version July 18, 2006
  • Latest Rapid Release version June 19, 2008 revision 053
  • Initial Daily Certified version July 18, 2006
  • Latest Daily Certified version June 20, 2008 revision 003
  • Initial Weekly Certified release date July 19, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

TECHNICAL DETAILS


When Adware.SearchNet is executed it performs the following actions:
  1. Creates the following files:

    • %Windir%\Downloaded Program Files\[RANDOM NAME].dll
    • %Windir%\Downloaded Program Files\[RANDOM NAME].dll
    • %System%\drivers\Anfad.sys
    • %System%\drivers\[RANDOM NAME].sys
    • %System%\drivers\FAD.sys
    • %System%\drivers\[RANDOM NAME].sys
    • %System%\ServeHost.dat
    • %System%\ServeHost.exe
    • %ProgramFiles%\SearchNet\SearchNet.exe
    • %ProgramFiles%\SearchNet\ServeUp.exe
    • %ProgramFiles%\SearchNet\SNHpr.dll
    • %ProgramFiles%\SearchNet\SrvNet32.dll
    • %ProgramFiles%\SearchNet\UnInstall.exe

      Notes:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
    HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}

  3. Creates the following registry subkeys so that it runs as a service:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log

  4. Adds the value

    "Enable Browser Extensions" = "yes"

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    HKEY_CURRENT_USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main
    HKEY_CURRENT_USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main
    HKEY_CURRENT_USER\S-1-5-18\Software\Microsoft\Internet Explorer\Main

  5. Adds the values:

    "CdnCtr" = ""
    "SearchNet_Up" = "%ProgramFiles%\SearchNet\ServeUp.exe"
    "[RANDOM NAME]" = "rundll32 "%Windir%\Downloaded Program Files\[RANDOM NAME].dll""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it runs every time Windows starts.

  6. Modifies the Internet Explorer default search page so that each search is redirected to the following domain:

    zhongsou.com

  7. Attempts to delete folders and registry keys associate with another Browser Helper Object.

  8. Uses kernel mode drivers to protect its files and registry keys from being tampered with, thus making removal more difficult.


REMOVAL



The following instructions pertain to all Symantec antivirus products that support security risk detection.
  1. Restart the computer using the Windows Recovery Console
  2. Update the definitions.
  3. Close all open Internet Explorer windows.
  4. Run a full system scan.
  5. Delete any values added to the registry.
  6. Reset the Internet Explorer search page.
For specific details on each of these steps, read the following instructions.

1. To restart the computer using the Windows Recovery Console
To remove this threat it is necessary to restart the computer and run the Windows Recovery Console. For full details on how to do this please read the Microsoft Knowledge Base article, How to install and use the Recovery Console in Windows XP.
  1. Insert the Windows XP CD-ROM into the CD-ROM drive.
  2. Restart the computer from the CD-ROM drive.
  3. Press R to start the Recovery Console when the "Welcome to Setup" screen appears.
  4. Select the installation that you want to access from the Recovery Console.
  5. Enter the administrator password and press Enter.
  6. Type cd system32
  7. Press Enter
  8. Type attrib -r servehost.exe
  9. Press Enter
  10. Type del servehost.exe
  11. Press Enter
  12. Type del servehost.dat
  13. Press Enter
  14. Type cd drivers
  15. Press Enter
  16. Type attrib -r fad.sys
  17. Press Enter
  18. Type del fad.sys
  19. Press Enter
  20. Type attrib -r anfad.sys
  21. Press Enter
  22. Type del anfad.sys
  23. Press Enter
  24. Type del [RANDOM NAME].sys
  25. Press Enter
  26. Type del [RANDOM NAME].sys
  27. Press Enter
  28. Type cd ..\..
  29. Press Enter
  30. Type cd downloaded program files
  31. Press Enter
  32. Type del [RANDOM NAME].dll
  33. Press Enter
  34. Type del [RANDOM NAME].dll
  35. Press Enter
  36. Type exit
  37. Press Enter. The computer will now restart automatically.


2. To update the definitions
To obtain the most recent definitions, start your Symantec program and run LiveUpdate.


3. To close all open Internet Explorer windows
Because this risk functions as a Microsoft Internet Explorer plug-in, it is necessary to close all open Internet Explorer windows to remove it. If you are reading this writeup in Internet Explorer, print this writeup using our printer-friendly option at the top of the page, or write down the following instructions, and then close all Internet Explorer windows.


4. To run the scan
  1. Start your Symantec antivirus program, and then run a full system scan.
  2. If any files are detected, and depending on which software version you are using, you may see one or more of the following options:

    Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.
    • Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

    • Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.

    • Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

      To actually delete the security risk:
      • Click its file name (under the Filename column).
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

    • Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
      • If you see a message, "Delete Failed" (or similar message), manually delete the file.
      • Click the file name of the risk that is under the Filename column.
      • In the Item Information box that displays, write down the full path and file name.
      • Then use Windows Explorer to locate and delete the file.

Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the risk may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

5. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit

    Then click OK.

    Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

  3. Navigate to the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the values:

    "CdnCtr" = ""
    "SearchNet_Up" = "%ProgramFiles%\SearchNet\ServeUp.exe"
    "[RANDOM NAME]" = "rundll32 "%Windir%\Downloaded Program Files\[RANDOM NAME].dll""

  5. Navigate to and delete the following subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
    HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log

  6. Exit the Registry Editor.

6. To reset the Internet Explorer search page
Follow the instructions for your version of Windows.

Windows 98/Me/2000
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. In the Search pane, click Customize.
  4. Click Reset.
  5. Click Autosearch Settings.
  6. Select a search site from the drop-down list, and then click OK.
  7. Click OK.

Windows XP
Because Windows XP is set by default to use animated characters in the search, how you do this can vary. Read all the instructions before you start.
  1. Start Microsoft Internet Explorer.
  2. Click the Search button on the toolbar.
  3. Do one of the following:
    • If the pane that opens looks similar to the following picture, click the word Customize and proceed to step h:




    • If the pane that opens has the words "Search Companion" at the top, and the center looks similar to the following picture, click the Change preferences link and proceed with step d.




  4. Click the Change Internet search behavior link.
  5. Under "Internet Search Behavior," click With Classic Internet Search.
  6. Click OK. Then close Internet Explorer. (Close the program for the change to take effect.)
  7. Start Internet Explorer. When the search pane opens, it should look similar to the following picture:





    Click the word Customize, and then proceed with the next step.

  8. In the Search pane, click Customize.
  9. Click Reset.
  10. Click Autosearch Settings.
  11. Select a search site from the drop-down list, and then click OK.
  12. Click OK.
  13. Do one of the following:
    • If you were using (or want to continue using) the "Classic Internet Search" panel, stop here (or proceed with the next section).
    • If you want to go back to the "Search Companion" search (it usually has an animated character at the button), proceed with step n.

  14. Click the word Customize again.
  15. In the "Customize Search Settings" window, click Use Search Companion > OK.
  16. Close Internet Explorer. The next time you open it, it will again use the Search Companion.



Read More:
Adware.SearchNet
Also See:
Adware.Roogoo
Adware.Rabio
Adware.Advertmen
Adware.DiscoveryLive
Adware.AdSupport