It can be some other program that is creating those viruses that avast can find.
Try online scanners.
And check for spyware with Spybot S&D and Ad-aware or some other trusted scanners.
Ewido managed to remove the malware attached to the winlogon.exe file, and a subsequent boot time scan by avast detected no malware, which is excellent!
I suspect the malicious code is injected even before the boot time scan starts. In cases like this, Ewido or Trojan Hunter can deal with process-injecting Trojans.
I also suspect that pseudo-rootkits of the FU type which run as Windows services can start before the boot time scan.
And unknown malware can spawn known malware processes as Mr Babis has said.
It would be good to get some comment from the avast! team here so we know exactly what to say to people with a process-injecting Trojan or a rootkit.
Yes I ended up deleting it manually. Avast memory scans kept reporting a virus in memory in a file called lde086.tmp which changed the number pattern on each delete reboot scan, but once the two above files were removed manually in safe mode and the registry cleaned of their footprints, it seems to be ok.
The Avast system knew there was a virus, but did not know to remove those two files mssearchnet.exe and mscornet.exe in /windows/system32.
I only saw mssearchnet.exe as a process that reappeared as soon as I removed it, so I am going to make an assumption that mscornet.exe somehow was causing it to restart.
It was not the whole story. Consider this thread as an elegant solution to take it all out using killbox. You only mentioned mssearchnet.exe & mscornet.exe, but look here: http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/234083/an/0/page/0
It could be that you only had these two. Just consider this then as an elegant way of removing this type of infection.
mssearchnet.exe is registered as the Generic Downloader.aa downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer.
The only thing you have to do is follow the malware removal instructions on my website (see signature).
I know I’m a bit late to this topic, but both of those files are related to the PSGuard infection. It and many registry changes made by it can be removed with smitRem.exe. I also recommend downloading, updating and running Ewido security suite after running smitRem. SmitRem creates a log of files found at C:\smitfiles.txt (or whatever partition Windows is installed on).
Many thanks noahdfear, that’s a beauty! It just wiped out mssearchnet.exe, and all its related garbage that was on my system.
I would like to add though, that what I read after a few searches is true about some bits and pieces lingering in the registry after removing mssearchnet.exe from the C:\WINDOWS\System32 folder.
You can find them at HKLM>SOFTWARE>Microsoft>Windows>CurrentVersion>policies>explorer>run.
In my case, there were three keys lingering there:
mssearchnet.exe
mscornet.exe
nvctrl.exe
Of course I did run both Ewido and a HijackThis log afterward, as well as Spybot and Ad Aware. The most concerning thing found there was a BHO malware in the HijackThis log.
That bug definitely goes straight for Explorer and digs in like a tick. If I’d not been using Firefox during and after this incident, and enabling my net connection only a few times while searching for solutions and submitting posts here and at Tom Coyote, I may have had much more stuff come through.
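The leftover-entry check described in the last post can be done read-only with a short script. This is an added example, not part of any post in the thread: the function names and the sample entries are constructed, and it assumes the three reported names may appear either as the registry value name or as the file name in the value's data.

```python
import ntpath
import os

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

POLICY_RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
REPORTED = {"mssearchnet.exe", "mscornet.exe", "nvctrl.exe"}  # names from the thread

def read_policy_run():
    """Return {value_name: data} from the HKLM policy Run key; {} if unavailable."""
    entries = {}
    if winreg is None:
        return entries
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_RUN) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _kind = winreg.EnumValue(key, i)
                entries[name] = str(data)
    except FileNotFoundError:
        pass  # key does not exist: nothing registered there
    return entries

def executable_of(command):
    """Extract the program path from a Run value, quoted or unquoted."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    end = cmd.lower().find(".exe")
    return cmd[:end + 4] if end != -1 else cmd.split(" ", 1)[0]

def audit(entries, exists=os.path.exists):
    """Flag entries named in the thread, and entries whose target file is gone."""
    findings = []
    for name, command in sorted(entries.items()):
        exe = executable_of(command)
        if name.lower() in REPORTED or ntpath.basename(exe).lower() in REPORTED:
            findings.append((name, "name reported in thread"))
        elif not exists(exe):
            findings.append((name, "orphaned: target file missing"))
    return findings

# Constructed sample, used when the script is not run on Windows.
SAMPLE = {
    "mssearchnet.exe": r"C:\WINDOWS\System32\mssearchnet.exe",
    "updater": r'"C:\Program Files\Example\updater.exe" /silent',
    "oldtool": r"C:\Tools\oldtool.exe -q",
}

if __name__ == "__main__":
    for name, reason in audit(read_policy_run() if winreg else SAMPLE):
        print(f"{name}: {reason}")
```

The script only reports; review each flagged value before deleting anything from the registry.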