virus in mssearchnet.exe

Two programs here, mssearchnet.exe and mscornet.exe, both located in windows\system32.

They cause multiple popups of sex site advertising.

If you delete the mssearchnet.exe process it immediately reappears.

Virus scan kept reporting a virus but after deleting the virus it reappeared.

Ran the scan at boot option, deleted some identified viruses, these two programs were still there.

Downloaded the virus clean program from your site, failed to identify any virus.

Finally booted in safe mode, deleted the two programs above and cleaned the registry and seem to be virus free now.

Just thought I would post this in case someone else had the same problem.

Thanks for posting…
It’s strange that the boot time scanning did not catch the infection and the safe mode did :slight_smile:
Anyway, glad you’re clean now 8)

I think he did it manually Tech :slight_smile:

Yeah, but why weren’t they detected by boot time scanning?

these two programs were still there
Are the files detected but couldn't be deleted, is it so?

It can be some other program that is creating those viruses that avast can find.
Try online scanners.
And check for spyware with Spybot S&D and Ad-aware or some other trusted scanners.

Troj/Zlob-AO may attempt to stealth itself by injecting code into the process winlogon.exe.

http://www.sophos.com/virusinfo/analyses/trojzlobao.html

I’ve seen this before!

Ewido managed to remove the malware attached to the winlogon.exe file, and a subsequent boot time scan by avast detected no malware, which is excellent!

http://forum.avast.com/index.php?topic=16890.msg144976#msg144976

I suspect the malicious code is injected even before the boot time scan starts. In cases like this, Ewido or Trojan Hunter can deal with process-injecting Trojans.

I also suspect that pseudo-rootkits of the FU type which run as Windows services can start before the boot time scan.

And unknown malware can spawn known malware processes as Mr Babis has said.

It would be good to get some comment from the avast! team here so we know exactly what to say to people with a process-injecting Trojan or a rootkit.

Yes I ended up deleting it manually. Avast memory scans kept reporting a virus in memory in a file called lde086.tmp which changed the number pattern on each delete reboot scan, but once the two above files were removed manually in safe mode and the registry cleaned of their footprints, it seems to be ok.

The Avast system knew there was a virus, but did not know to remove those two files mssearchnet.exe and mscornet.exe in /windows/system32.

I only saw mssearchnet.exe as a process that reappeared as soon as I removed it, so I am going to make an assumption that mscornet.exe somehow was causing it to restart.

Hello wynnr,

It was not the whole story. Consider this thread as an elegant solution to take it all out using killbox. You only mentioned mssearchnet.exe & mscornet.exe, but look here:
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/234083/an/0/page/0
It could be that you only had these two. Just consider this then as an elegant way of removing this type of infection.

greets,

polonus

mssearchnet.exe is registered as the Generic Downloader.aa downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer.

The only thing you have to do is follow the malware removal instructions on my website (see signature).

I know I’m a bit late to this topic, but both of those files are related to the PSGuard infection. It and many registry changes made by it can be removed with smitRem.exe. I also recommend downloading, updating and running Ewido security suite after running smitRem. SmitRem creates a log of files found at C:\smitfiles.txt (or whatever partition Windows is installed on).

Many thanks noahdfear, that’s a beauty! It just wiped out mssearchnet.exe, and all its related garbage that was on my system. :slight_smile:

I would like to add though, that what I read after a few searches is true about some bits and pieces lingering in the registry after removing mssearchnet.exe from the C:\WINDOWS\System32 folder.

You can find them at HKLM>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>explorer>run.

In my case, there were three keys lingering there:

mssearchnet.exe
mscornet.exe
nvctrl.exe

Of course I did run both Ewido and a HijackThis log afterward, as well as Spybot and Ad Aware. The most concerning thing found there was a BHO malware in the HijackThis log.

That bug definitely goes straight for Explorer and digs in like a tick. If I’d not been using Firefox during and after this incident, and enabling my net connection only a few times while searching for solutions and submitting posts here and at Tom Coyote, I may have had much more stuff come through.
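
An added example, not part of any post in this thread and not code from avast or the tools mentioned: a read-only PowerShell audit of the Policies\Explorer\Run key named in the last post. It flags values that carry one of the three reported file names or that point at a file that no longer exists. The function name `Get-AutorunFinding`, the two extra Run keys, and the command-line parsing are assumptions of this example.

```powershell
# Added example: read-only audit of autorun registry values (changes nothing).
# File names reported in the thread as lingering entries.
$ReportedNames = 'mssearchnet.exe', 'mscornet.exe', 'nvctrl.exe'

# Policies\Explorer\Run is the key named in the thread; the two plain Run
# keys are an assumption of this example, checked for completeness.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunFinding {    # hypothetical helper name
    param([string[]]$KeyPath = $RunKeys)
    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)
            # Extract the executable: quoted path, else text up to ".exe",
            # else the first whitespace-delimited token.
            $exe = ''
            if     ($command -match '^\s*"([^"]+)"')    { $exe = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
            elseif ($command -match '^\s*(\S+)')        { $exe = $Matches[1] }
            if (-not $exe) { continue }

            # Bare file names are resolved against the Windows directories.
            if ([IO.Path]::IsPathRooted($exe)) { $candidates = @($exe) }
            else { $candidates = "$env:SystemRoot\System32\$exe", "$env:SystemRoot\$exe" }
            $exists = [bool]($candidates | Where-Object { Test-Path -LiteralPath $_ })

            $leaf = Split-Path -Leaf $exe
            $reasons = @()
            if ($ReportedNames -contains $leaf -or $ReportedNames -contains $name) {
                $reasons += 'name reported in thread'
            }
            if (-not $exists) { $reasons += 'target file missing' }
            if ($reasons) {
                [pscustomobject]@{
                    Key = $path; Value = $name
                    Command = $command; Reason = $reasons -join '; '
                }
            }
        }
    }
}

Get-AutorunFinding | Format-List
```

On 64-bit Windows the WOW6432Node copies of these keys are not covered by this check.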