Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

Adware.SearchNet

Updated: July 19, 2006
Risk Impact: High
Systems Affected: Windows

Behavior

Adware.SearchNet is adware that modifies the Internet Explorer default search page.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version July 25, 2017 revision 006
  • Initial Daily Certified version July 18, 2006
  • Latest Daily Certified version July 25, 2017 revision 018
  • Initial Weekly Certified release date July 19, 2006

When the risk is first installed, it creates the following files (%Windir%\Downloaded Program Files is the folder in which Internet Explorer stores downloaded ActiveX controls; %System% is the System32 folder):
%Windir%\Downloaded Program Files\[RANDOM NAME].dll
%Windir%\Downloaded Program Files\[RANDOM NAME].dll
%System%\drivers\Anfad.sys
%System%\drivers\[RANDOM NAME].sys
%System%\drivers\FAD.sys
%System%\drivers\[RANDOM NAME].sys
%System%\ServeHost.dat
%System%\ServeHost.exe
%ProgramFiles%\SearchNet\SearchNet.exe
%ProgramFiles%\SearchNet\ServeUp.exe
%ProgramFiles%\SearchNet\SNHpr.dll
%ProgramFiles%\SearchNet\SrvNet32.dll
%ProgramFiles%\SearchNet\UnInstall.exe

Next, the risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}

Two of these keys deserve a closer look during cleanup. A Debugger value under Image File Execution Options\cdnup.exe makes Windows start that program in place of cdnup.exe whenever cdnup.exe is launched, which is a standard way to block or hijack one specific executable; the page does not record the value written. The entries under Safer\CodeIdentifiers\0\Hashes are Software Restriction Policy hash rules at the Disallowed level (0), i.e. rules that block particular binaries by hash. Which binaries they target is not given here, so read each rule's FriendlyName and ItemData values to learn what was being blocked before deleting the rules.

Then the risk creates the following registry subkeys so that its components run as services. Anfad and FAD correspond to the Anfad.sys and FAD.sys drivers listed above, and the LEGACY_* entries under Enum\Root are what Windows records when such non-Plug-and-Play drivers are started:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]

Next the risk creates the following registry entries, which turn on Internet Explorer's "Enable third-party browser extensions" option (the switch that allows Browser Helper Objects to load) for the current user, the default profile and the LocalSystem, LocalService and NetworkService accounts:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"

Then, the risk creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"CdnCtr" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SearchNet_Up" = "%ProgramFiles%\SearchNet\ServeUp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = rundll32 "%Windir%\Downloaded Program Files\[RANDOM NAME].dll"

Adware.SearchNet installs a Browser Helper Object (registered under the two CLSIDs listed above) that replaces the default search page in Internet Explorer, so that each search is redirected to the following domain:
zhongsou.com
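The file, registry and search-page indicators above can be checked on a live host with the following triage function. It is an added example, not Symantec's code or part of this write-up, and it is read-only. It assumes an elevated PowerShell session; the Internet Explorer value names 'Search Page' and 'Default_Search_URL' and the IFEO value name 'Debugger' are my assumptions, since the page lists only the keys. Artefacts the page gives as [RANDOM NAME] cannot be matched literally: the rundll32 Run value is caught by pattern, the random-named drivers and DLLs are not.

```powershell
# Added triage example (not Symantec's code). Read-only; run elevated.
# Assumed value names: IE 'Search Page'/'Default_Search_URL', IFEO 'Debugger'.
function Find-SearchNetIndicators {
    [CmdletBinding()]
    param()
    $hits = New-Object 'System.Collections.Generic.List[string]'
    $sys  = Join-Path $env:SystemRoot 'System32'

    # 1. Fixed-name files from the listing above
    $files = @(
        "$sys\drivers\Anfad.sys", "$sys\drivers\FAD.sys",
        "$sys\ServeHost.dat", "$sys\ServeHost.exe",
        "$env:ProgramFiles\SearchNet\SearchNet.exe", "$env:ProgramFiles\SearchNet\ServeUp.exe",
        "$env:ProgramFiles\SearchNet\SNHpr.dll", "$env:ProgramFiles\SearchNet\SrvNet32.dll",
        "$env:ProgramFiles\SearchNet\UnInstall.exe"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits.Add("file: $f") }
    }

    # 2. Fixed-name registry keys: app key, COM/BHO registrations, uninstall entry,
    #    IFEO key, SRP hash rules, services and the legacy driver enum entries
    $bho = '{2A0176FE-008B-4706-90F5-BBA532A49731}', '{3CE496D1-1746-41CD-9489-3C0B93DF10E2}'
    $srp = @(
        '{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}', '{515bafd0-86a0-4b2a-9dfe-4440bf60c355}',
        '{5c20c0e0-9a22-424f-92c8-6f408563ce98}', '{93506e82-31e9-47b4-901e-2d04d6aa3b86}',
        '{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}', '{c8a82950-abe8-4b7d-a5de-19c249a9cfac}',
        '{cf3780c4-33ba-44bd-981f-e37940887d8b}'
    )
    $keys = @(
        'HKLM:\SOFTWARE\SearchNet',
        'HKLM:\SOFTWARE\Classes\IEHpr.InterCept',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Anfad',
        'HKLM:\SYSTEM\CurrentControlSet\Services\FAD',
        'HKLM:\SYSTEM\CurrentControlSet\Services\Remote Log',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD'
    )
    $keys += $bho | ForEach-Object { "HKLM:\SOFTWARE\Classes\CLSID\$_" }
    $keys += $bho | ForEach-Object { "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$_" }
    $keys += $bho | ForEach-Object { "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$_" }
    $keys += $srp | ForEach-Object { "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\$_" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits.Add("regkey: $k") }
    }

    # 3. Run values: the two fixed names, plus any rundll32 loader that points into
    #    Downloaded Program Files (the random-named entry). Properties whose name
    #    starts with PS are the registry provider's metadata, not stored values.
    $run = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $named  = $p.Name -in 'CdnCtr', 'SearchNet_Up'
            $loader = "$($p.Value)" -match '(?i)rundll32.*Downloaded Program Files\\[^\\"]+\.dll'
            if ($named -or $loader) { $hits.Add("run: $($p.Name) = $($p.Value)") }
        }
    }

    # 4. IFEO: a Debugger value makes Windows launch that program instead of cdnup.exe
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe'
    $dbg  = (Get-ItemProperty -LiteralPath $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $hits.Add("ifeo: cdnup.exe Debugger = $dbg") }

    # 5. IE search settings redirected to zhongsou.com (current user and .DEFAULT)
    foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_USERS\.DEFAULT') {
        $main = Get-ItemProperty -LiteralPath "Registry::$hive\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        if (-not $main) { continue }
        foreach ($v in 'Search Page', 'Default_Search_URL') {
            if ("$($main.$v)" -match '(?i)zhongsou\.com') { $hits.Add("iesearch: $hive $v = $($main.$v)") }
        }
    }
    # 'Enable Browser Extensions' = yes is the IE default for ordinary users, so it
    # only stands out under the service-account hives the page lists
    foreach ($sid in 'S-1-5-18', 'S-1-5-19', 'S-1-5-20') {
        $m = Get-ItemProperty -LiteralPath "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
        if ($m -and $m.PSObject.Properties['Enable Browser Extensions']) {
            $hits.Add("ieext: HKU\$sid has 'Enable Browser Extensions' set (unusual for a service account)")
        }
    }
    return $hits
}

$found = @(Find-SearchNetIndicators)
if ($found.Count) { $found } else { 'No Adware.SearchNet indicators found.' }
```

A single hit on a fixed-name file, service or BHO CLSID is strong evidence; the Run, IFEO and search-page checks are there to show how the components fit together and to catch the random-named loader. Because the drivers protect the files and keys while Windows is running (see the removal note below), treat this as a detection step only and do not try to delete from the live session.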

The risk uses kernel-mode drivers to protect its files and registry keys from deletion while Windows is running, so removing it requires restarting the machine into the Recovery Console (or another environment in which those drivers are not loaded) and deleting the files and keys from there. The threat also tries to delete folders and registry keys belonging to the CnsMin Browser Helper Object.
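The following function shows the offline removal the paragraph above calls for, done from Windows RE or a second Windows installation where PowerShell is available, with the infected system volume mounted at a drive letter. It is an added example, not Symantec's code or removal tool. Assumptions: the volume letter (default D:), the hive location $Volume\Windows\System32\config, and a 32-bit "Program Files" path. It covers only the fixed-name artefacts on this page; random-named drivers and DLLs, the LEGACY_* enum keys and the per-user entries (Ext\Stats and "Enable Browser Extensions", which live in each profile's NTUSER.DAT) are left for manual review. Run it with -WhatIf first.

```powershell
# Added example (not Symantec's code): neutralise the fixed-name Adware.SearchNet
# artefacts from an environment in which its drivers are NOT running, with the
# infected volume mounted at $Volume. Hive path is assumed; supports -WhatIf.
function Remove-SearchNetOffline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Volume = 'D:')

    $cfg = "$Volume\Windows\System32\config"
    foreach ($h in 'SYSTEM', 'SOFTWARE') {
        if (-not (Test-Path -LiteralPath "$cfg\$h")) { throw "Hive $h not found under $cfg" }
    }
    # Mount the offline hives under temporary names so the registry provider can edit them
    & reg.exe load HKLM\OffSys  "$cfg\SYSTEM"   | Out-Null
    & reg.exe load HKLM\OffSoft "$cfg\SOFTWARE" | Out-Null
    try {
        # Edit the control set the offline system will actually boot with
        $cur = (Get-ItemProperty -LiteralPath 'HKLM:\OffSys\Select').Current
        $cs  = 'HKLM:\OffSys\ControlSet{0:D3}' -f $cur

        # 1. Disable the driver and service entries (Start = 4) rather than deleting
        #    them, so a stale reference cannot break the next boot
        foreach ($svc in 'Anfad', 'FAD', 'Remote Log') {
            $k = "$cs\Services\$svc"
            if (Test-Path -LiteralPath $k) {
                Set-ItemProperty -LiteralPath $k -Name Start -Value 4 -Type DWord
            }
        }
        # The random-named drivers cannot be matched by name; with -Verbose, list every
        # kernel-driver service (Type 1) whose image is in drivers\ for comparison
        # against a clean machine of the same build
        Get-ChildItem -LiteralPath "$cs\Services" | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            if ($p.Type -eq 1 -and "$($p.ImagePath)" -match '(?i)drivers\\[^\\]+\.sys$') {
                Write-Verbose ('kernel driver {0} -> {1}' -f $_.PSChildName, $p.ImagePath)
            }
        }

        # 2. Startup values, COM/BHO registrations, IFEO key, SRP hash rules, app keys
        $runKey = 'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Run'
        foreach ($v in 'CdnCtr', 'SearchNet_Up') {
            Remove-ItemProperty -LiteralPath $runKey -Name $v -ErrorAction SilentlyContinue
        }
        $bho = '{2A0176FE-008B-4706-90F5-BBA532A49731}', '{3CE496D1-1746-41CD-9489-3C0B93DF10E2}'
        $srp = @(
            '{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}', '{515bafd0-86a0-4b2a-9dfe-4440bf60c355}',
            '{5c20c0e0-9a22-424f-92c8-6f408563ce98}', '{93506e82-31e9-47b4-901e-2d04d6aa3b86}',
            '{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}', '{c8a82950-abe8-4b7d-a5de-19c249a9cfac}',
            '{cf3780c4-33ba-44bd-981f-e37940887d8b}'
        )
        $keys = @(
            'HKLM:\OffSoft\SearchNet',
            'HKLM:\OffSoft\Classes\IEHpr.InterCept',
            'HKLM:\OffSoft\Classes\IEHpr.InterCept.1',
            'HKLM:\OffSoft\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}',
            'HKLM:\OffSoft\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}',
            'HKLM:\OffSoft\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}',
            'HKLM:\OffSoft\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}',
            'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ',
            'HKLM:\OffSoft\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe'
        )
        $keys += $bho | ForEach-Object { "HKLM:\OffSoft\Classes\CLSID\$_" }
        $keys += $bho | ForEach-Object { "HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$_" }
        $keys += $srp | ForEach-Object { "HKLM:\OffSoft\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\$_" }
        foreach ($k in $keys) {
            if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse }
        }
    } finally {
        # Drop the provider's handles first, or reg.exe unload fails with "access denied"
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload HKLM\OffSoft | Out-Null
        & reg.exe unload HKLM\OffSys  | Out-Null
    }

    # 3. Files: with the drivers not loaded, nothing protects them from deletion
    $files = @(
        "$Volume\Windows\System32\drivers\Anfad.sys", "$Volume\Windows\System32\drivers\FAD.sys",
        "$Volume\Windows\System32\ServeHost.dat",     "$Volume\Windows\System32\ServeHost.exe",
        "$Volume\Program Files\SearchNet"
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}
```

Usage: `Remove-SearchNetOffline -Volume 'D:' -WhatIf -Verbose` shows every key, value and file that would be touched and prints the kernel-driver inventory; rerun without -WhatIf to apply. The services are disabled instead of deleted so that a half-finished cleanup cannot leave the offline system unbootable, and the hives are unloaded in a finally block so a failure midway does not leave them mounted.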