mssearchnet.exe problems (tough little sucker)

Discussion in 'Malware Help (A Specialist Will Reply)' started by fake_british_accent, Apr 17, 2006.

  1. fake_british_accent

    fake_british_accent Private E-2

    well hey, this is my first time in these forums, so forgive me if I'm not all right here. anyway, my problem is that I have got the dreaded "mssearchnet". I've tried everything to get it out -- most of my tries have turned out ill-fated because the trojan stops my antivirus and anti-spyware programs from working.

    so i've tried various methods of deleting this, including:

    Booting into Safe Mode Command Prompt and deleting mssearchnet from "c:\Windows\System32" and "c:\Windows\Prefetch".

    I've also deleted it from my registry -- it was in two entries.


    I've run checks from AVG in safe mode, but after no luck, I turned to HiJack This. The thing is, I had to run it and save the log files while in Safe Mode. I hope that doesn't mess up the results. Anyway, here it is.

    You guys are my last resort. Please check my HiJack This Log File attached ...
     

    Attached Files:

  2. fake_british_accent

    fake_british_accent Private E-2

    I've also done all the things asked in the Read Me. None of the anti Virus + MSDefender show up relevant results.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    According to the HJT log you posted, you have not followed the READ & RUN ME.

    - you have not completed step 6 and attached the two requested logs
    - HJT logs must be from normal boot mode. I know you said you ran it in safe mode but we need it from normal boot mode. If you cannot run it in normal mode, please explain why.

    You also need to run the below because you have a SmitFraud infection. Some items mentioned in the below procedure may not be seen. That's okay, just continue thru all steps.

    SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal
     
  4. fake_british_accent

    fake_british_accent Private E-2

    Okay, i ran the requested:

    Ad-Aware
    SpyBot (Search and Destroy)
    Defender (Beta 2)
    Ewindo
    ---
    My online tools were:
    Panda Active Scan


    Below, I've attached all the logs, as well as a fresh HJT File.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run Bitdefender and attach the log? It is not an optional scan. It is required.

    MessengerPlus! 3 is an untrustworthy application that we suggested uninstalling in step 0 of the READ ME. I see multiple LOP infections on your PC and they probably originated from this application. It is highly recommended that you uninstall this.



    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Panda Process Protection Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    PavPrSrv

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
     
    Last edited: Apr 19, 2006
  6. fake_british_accent

    fake_british_accent Private E-2

    shoot. i forgot. hold on let me put it up
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After doing what was in my previous message, continue with the below steps!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F3 - REG:win.ini: load=C:\WINDOWS\system32\xpouolbqjd\csrss.exe
    F3 - REG:win.ini: run=C:\WINDOWS\system32\xpouolbqjd\csrss.exe
    O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpC35F.tmp (file missing)
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll (file missing)
    O4 - Startup: csrss.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
    O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://kdx.kontiki.com/kdx/Client403/kdx.cab
    O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\xpouolbqjd <--- the whole folder
    C:\Program Files\Common Files\Totem Shared <--- the whole folder
    C:\WINDOWS\FlyakiteOSX\Tools\wfpdisable.exe
    C:\WINDOWS\AdultAccess.exe
    C:\WINDOWS\SYSTEM32\exclean.exe
    C:\WINDOWS\SYSTEM32\proover.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060217-212135.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060217-212136.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060217-212137.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060217-212138.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060219-124630.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060219-124631.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060409-235524.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060409-235525.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060409-235526.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060409-235527.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060417-200236.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.20060417-200237.backup
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.msn

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your log, you never ran it. It takes quite awhile to run.
     
  9. fake_british_accent

    fake_british_accent Private E-2

    sorry about that :rolleyes: there were so many anti spyware apps I had to check, I missed that out.

    I followed your instructions, and here is the fresh HJT log you requested (the instructions went smoothly - some files you asked me to delete weren't there actually, but most of them were)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It looks like you did not do the procedure in message # 5. Please run it to fix the stray Panda service.

    Other than that and the fact that you still have MessengerPlus! 3, your log is clean.
     
  11. fake_british_accent

    fake_british_accent Private E-2

    okay sure, I'll do that. thanks for everything ;) really appreciate you getting me out of this pickle.

    after i run panda, do you want me to post that with a fresh hjt log? the messenger plus is something i installed, so if the log is clean for everything except that, I just have to go here: http://forum.majorgeeks.com/showthread.php?t=44525
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can just check for yourself to make sure the below line is gone:
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

    Just one detail with System Restore first. Here is what remains for you to do:

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
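    The HJT entries quoted in messages #7 and #12 fall into a few patterns a reader can check for automatically: "(file missing)" / "(no file)" orphans, an executable called csrss.exe that lives in a random-named folder under system32 instead of in system32 itself, and a leftover O23 service whose binary is gone. The Python below is an added example for triaging such a log; it is not part of this thread and not a HijackThis tool. The sample log is constructed from the lines quoted above, and the short list of core Windows process names it checks is an assumption of this example, not something the thread specifies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the HijackThis (HJT) lines quoted in messages #7
# and #12 of this thread. A real log has many more sections and a header.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\xpouolbqjd\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\xpouolbqjd\csrss.exe
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpC35F.tmp (file missing)
O4 - Startup: csrss.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

# Every HJT finding starts with a section code (F3, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in a binary/shortcut extension; paths may contain spaces.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|tmp|lnk|sys))(?:\s|$)", re.IGNORECASE)
# O23 bodies look like "Service: <display name> (<short name>) - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) \((?P<short>[^)]+)\) - ")

# Assumption of this example: core processes that only belong directly in system32.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class HjtEntry:
    section: str
    body: str
    path: Optional[str]
    service_short_name: Optional[str]
    file_missing: bool
    impersonates_system_process: bool


def _impersonates_system_process(path: Optional[str]) -> bool:
    """True when a core-process file name sits anywhere other than system32 itself."""
    if not path:
        return False
    folder, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_PROCESS_NAMES and folder != SYSTEM32


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HJT finding lines; header, banner and blank lines are skipped."""
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        pm = PATH_RE.search(body)
        sm = SERVICE_RE.match(body)
        path = pm.group("path") if pm else None
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            path=path,
            service_short_name=sm.group("short") if sm else None,
            file_missing=body.endswith("(file missing)") or body.endswith("(no file)"),
            impersonates_system_process=_impersonates_system_process(path),
        ))
    return entries


def orphaned_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registry/startup entries whose target file no longer exists (safe cleanup candidates)."""
    return [e for e in entries if e.file_missing]


def suspicious_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries launching a core-process lookalike from a non-standard folder."""
    return [e for e in entries if e.impersonates_system_process]


def find_service(entries: List[HjtEntry], short_name: str) -> Optional[HjtEntry]:
    """Return the O23 entry for a service short name, or None once it is gone."""
    for e in entries:
        if e.section == "O23" and e.service_short_name and e.service_short_name.lower() == short_name.lower():
            return e
    return None


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print("orphan    :", e.section, e.body)
    for e in suspicious_entries(found):
        print("suspicious:", e.section, e.path)
    svc = find_service(found, "PavPrSrv")
    print("PavPrSrv still listed:", svc is not None)
```

    Run against a freshly saved HJT log, `find_service(entries, "PavPrSrv")` returning `None` is the check message #12 asks for, and `suspicious_entries` surfaces exactly the two F3 lines that message #7 has the user fix.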
     
  13. fake_british_accent

    fake_british_accent Private E-2

    okay. thanks a lot again.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
