I'VE BEEN TAKEN OVER!!!!! can't delete mssearchnet.exe

[ZachThomas20]

Hello to all -

I have used Adaware, MS Antispyware and Spybot Search & Destroy to name a few. They all find something bad when I run a scan, but once it is deleted it re installs.

Symptoms: browser pop-ups - even when IE is supposedly not running, IE security settings and home page reset and world anti spy starts running out of nowhere. If someone could check out the HiJackThis logfile I attached and possibly provide some insight, I would be very grateful. Thanks.

 

[ZachThomas20]

Anyone at all?

 

[RealBlackStuff]

Come back AFTER you have installed some Antivirus protection.
Your log must be a (doctored) joke.

 

[ZachThomas20]

Come back AFTER you have installed some Antivirus protection.
Your log must be a (doctored) joke.

Not sure what you're referring to, but I'm running ad-aware and anti-spyware beta 1 now and I've attached a new log. Thanks in advance for any help.

 

[ZachThomas20]

sorry.....NOW I've attached a new HJT log.......

 

[RealBlackStuff]

You still have not got an Antivirus program installed.
If you won't do that, go somewhere else!

Until then, the only help you'll get from me is the urge to check the Read: posts in this forum.

 

[fireflysydney]

Deleting MSSEARCHNET.EXE

Ignore the comments about anti-virus scanners. This one can get past some of the best. You can delete it as follows:

Reboot your PC in "Safe Mode with Command Prompt". You can do this by rebooting, then pressing the F8 key while the boot process starts. You should come up with an old-fashioned DOS screen. You can then go to the Windows\System32 directory and enter DEL MSSEARCHNET.EXE. You should also go to the Windows\Prefetch directory and enter DIR MSSEARCHNET*, and use the DEL command to delete any files that you find - they will have the name MSSEARCHNET followed by some numbers.

Regards
FireFlySydney

 

[Rickhtoo]

Ignore the comments about anti-virus scanners. This one can get past some of the best. You can delete it as follows:

Reboot your PC in "Safe Mode with Command Prompt". You can do this by rebooting, then pressing the F8 key while the boot process starts. You should come up with an old-fashioned DOS screen. You can then go to the Windows\System32 directory and enter DEL MSSEARCHNET.EXE. You should also go to the Windows\Prefetch directory and enter DIR MSSEARCHNET*, and use the DEL command to delete any files that you find - they will have the name MSSEARCHNET followed by some numbers.

Regards
FireFlySydney

Unfortunately, this is not enough. If you do not delete the registry key, it will return. It's an extremely persistant adware program, and a real pain to remove. AVG, Norton, MSantispyware, and Adaware has no effect. (Norton let it in in the first place..) It attaches itself to the key HKLM\Software\Microsoft\Windows\Current Version\Policies\Explorer\Run
If it's there, delete the Explorer key, as it's not there normally.
Searching for mssearchnet in the registry will show the key. It will also be listed in one other location, just delete it there also.

Rick

 

[fireflysydney]

Good point, Rick. I forget to mention about deleting the registry keys. And PC-cillin is another virus scanner that can't detect this virus - in fact, I think it deliberately attacks PC-cillin and partially disables it.

Richard.

 

[dashunde]

Some clarity is needed here... This is how you get ride of mssearchnet

Print the following, then...

Reboot - press F8 during boot, select "SAFE MODE WITH PROMPT"

Change directory to c:\windows\system32 (type cd windows <enter> then type cd system32 <enter>) [cd = Change Directory]
Type del mssearchnet.exe [del = delete]
Type cd\ [The "\" will back you up one directory or "folder"]
Type cd prefetch
Type del mssearchnet*
Type cd\ (twice, back to the c:\ prompt)
At the C:\ prompt Type REGEDIT
The registry editor will pop up
Use EDIT, then FIND >>> search for mssearchnet - delete all entries
Do it again, until the search function says nothing else found, it is in there several times (3 different places I think)

DO NOT bother to delete the registry entry while still in normal xp mode, it will not work - all deleting must be done from the dos/command prompt mode. That keeps the mssearchnet crap from running - once it is running you cant delete it. But, in dos mode it is a sitting duck.

From what I can tell, if the registry entry(s) is still there during a normal reboot, it will recall the mssearchnet files back up from some deep-hole temp folder and reinstall them.

Good luck

 

[happyjack_gum]

Didn't work for me. please help on mssearchnet.exe

dashunde Sir,
I did everything you said. but when i got to the last step where i searched for mssearchnet in REGEDIT it one found and deleted one object. i redid the search about 103 times and it never found any other files except for that one. well everthig was deleted and everthing seemeed fine. this morning i came into the office ,turned on my computer and BAM the virus- mssearchnet was back. i also had a bunch of nasty pop ups happening. also spytropper.com tried to install software remotely.

I need help please.
I followed your instructions down to the "T". where did i go wrong?

thanks for the help.
steve :bounce: :bounce:

 

[weshemp]

there can be more to it than meets the eye.

I just cleaned up a PC with this problem. not only do you have to clean out
mssearchnet you also have to clean out nvctrl mscornet possably others.
I used info from this site techspot
from http://www.geekstogo.com/forum/nvctrlexe-and-mscornetexe-t82457.html
from http://www.sophos.com/virusinfo/analyses/trojzlobbc.html
and from norton
http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.e.html#removalinstructions

I started in safe mode admin account and deleted
mscornet.exe
mssearch.exe
nvctrl.exe
ld????.tmp
ncompat.tlb
msvol.tlb
hp????.tmp
from c:\win*\system32
and from c:\win*\prefetch
and from %UserProfile%\Application Data\Microsoft\Crypto\RSA
and
%UserProfile%\Application Data\Microsoft\Protect
I think that was all of them.
Then I went into run regedit
did a find on the above files and deleted all of them. had to do some find next too.
then all seemed well so I went to norton and ran there Free Scan for Viruses
http://www.symantec.com/home_homeoffice/ its in the upper right hand side of page.

It found one more virus called spyaxe.trojan which I think is what started it all I deleted it and have had no more problems.

good luck took me about 6 hours. then again though im kinda slow.

 

[Tedster]

removal:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.d.html

 

[ihatemssearch]

the culprit

first of all, do a file search of windows on the day the virus arrived. if you can sort through all those files, delete the unimportant ones that the virus appeared to have created

also look for the following

wbeconm.dll It is 100 kb and after deleting it that annoyin message went away. look in the registry as well and delete it from a key there.


i beat this stupid virus half with all your help and half on my own.

 

[RealBlackStuff]

I would advise all you strugglers to do this:
Follow these instructions EXACTLY.
Put HijackThis in e.g. C:\Program Files\HJT and NOT in Temp or on the Desktop!.
Read: How to remove Begin2Search/Coolwebsearch and Other Nasties

Then Read: How to post your Hijackthis log-files as an attachment.

One of the evil-doers is the hpxxx.tmp, as mentioned in my first post above.

 

[Smell the Glove]

You cannot delete mssearchnet from Task Manager. This is how I dealt with it.

1. Download Killbox.

2. Enter the file location of mssearchnet in Killbox (usually something like C:\Windows\System32\mssearchnet.exe)

3. Press Delete and choose "Delete on Start Up"

4. Reboot

5. The file will be held in Killbox and won't infect your machine.

6. Run some Antivirus software such as AVG Free or Avast etc which should now be able to detect the trojan and will be able to erase it fully.

 

[briucla]

Thank you so much Weshemp!!! You absolutely got rid of my problem, and nice easy steps to follow.

I did have an additional problem. The trojan installed a "Security Toolbar" in my Internet Explorer. A quick Google search found a solution to the problem. You must delete all the registry keys to get rid of it, then restart IE. I found the directions here:
http://www.nuker.com/container/details/security_toolbar.php

 

[smythrico]

im having he same problem

read the Read: How to posts

 

[smythrico]

and the rest

same as above

 

[smythrico]

??

please tell me if I deeated it

all I did was used safe reboot and adaware to try and delete it so I mdesperate to see if I won

I also need help to get read of which I call

''the killer'' (look at attachments)

 

[canduit711]

I found Weshemp's answer most helpful in getting rid of this one. Thank you.

I also had to use the comment from "Ihatemssearch" about a 100 byte DLL file to remove. The one I had to remove was "netwrap.dll", not the wbeconm.dll that he mentioned.

 

[canduit711]

I found weshemp's message to be most helpful.

I also had trouble with that "nuisance" message - so "Ihatemssearch" note was helpful - but the file I had to delete was netwrap.dll - I knew it was that one due to date on file and the 100 byte note.

Thanks to all. I am a newcomer here, please forgive me if I post this more than once.

 

[computer help]

Heres a fix that actually works !!!

Download and install update

http://www.download.com/Avast-Home-Edition/3000-2239_4-10375520.html?tag=lst-0-1

remove any other antivirus first

 

[markmoddy]

can't get rid of mssearchnet registry value

I can't get rid of mssearchnet registry value.

I've run regedit in safe mode.
It found the problem.
But will not delete it.
Could it be encripted somehow ?

I'm still getting the annoying popup form the tool bar.

HELP !!!!!!!

 

[John Mather]

i had teh same problem but it didnt go away for ages so eventually i got reeallllly pissed off becaus eit installed spytrooper and stuff like that so i reformatted my HD

Problem sorted