My HijackThis log detected this and nvctrl.exe. I also found mscornet.exe in an HKLM>Software>Microsoft>Windows>Current Version>policies>explorer>run key along with these two.

All three removed from the registry, but after searching I found you also have to go into safe mode and type in commands to bring up Windows\System32 and use DEL MSSEARCHNET.EXE to remove it. They also said you should go to Windows\Prefetch and use DIR MSSEARCHNET.EXE to find anything related and DEL to remove it.

I went to the WINDOWS Prefetch folder deleted it, and replaced it with another empty Prefetch folder, as I do from time to time. I just need to get the right command lines to remove these others in safe mode.

Please excuse my ignorance, but I rarely can get command prompts to work. The instructions are often not detailed enough for me.

I cannot get the command prompt to recognize C:\WINDOWS|System32, or Windows\System32. QWhat is the exact command line I need to use?

Here’s the lof file:
http://www.hijackthis.de/logfiles/495c735f4df5b6d966cb0d41275cb8c0.html

Hi and welcome ,
Im not an expert on dos cmd`s but i can give you a link to some recent history on dealing with this infection
http://forum.avast.com/index.php?topic=17172.msg146420#msg146420
hope this helps good luck

It did indeed help Inspector Cloussau! being DOS dumb to the point of turing blue and numb, I decided to use noadfear’s smitRem.exe tip, which is a marvel for the command prompt challenged.

It works in safe mode without having to use command lines, all you do is extract the contents of the file, click on the bat, and watch it work after hittng any key several times to run through the explainations of the tool.

Best to run more than just the recommended Ewido Security Suite afterward though. It can leave bits in your registry under HKLM>SOFTYWARE>Microsoft>Windows>CurrentVersion>policies>explorer>run.