The dreaded Search Assistant toolbar.

Discussion in 'adware, spyware & hijack cleaning' started by the2belo, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    For the last several days I have been at war with the Blazefind Search Assistant toolbar, a notorious little doodjimahickey that hooked itself onto my Windows taskbar and won't let go... because it had taken over my Userinit registry key (renaming the original as "Olduserinit").

    Following the instructions of several people on this board I was able to identify two programs that were launching this toolbar: C:\WINDOWS\system32\wsaupdater.exe, and C:\WINDOWS\2_0_1browserhelper2.dll. I found them, and killed them. I enjoyed watching them die.

However -- and I'm also posting this as a warning to people who may be trying to remove wsaupdater.exe from their systems -- the next time I booted the system, it would not let me log on. I would be shoved right back out to the login screen again. Using the remote registry editor on another system, I found that in HKEY_LOCAL_MACHINE/Software/Windows NT/CurrentVersion/Winlogon, the Userinit key had been renamed Olduserinit and replaced with a Userinit containing the value -- you guessed it -- C:\WINDOWS\system32\wsaupdater.exe. When I removed this program, Windows couldn't find anything with which to log me onto the system, and I got a revolving door as a result.

    Switching the offending key with the original gave me back my computer.

The only thing left to address is the Search Assistant Toolbar. Remember that? Since I removed the suspicious programs, the toolbar no longer appears on the taskbar at boot, and my taskbar settings are left alone. However, "Search Assistant" remains in the list of toolbars that can be displayed when I right-click on the taskbar, and indeed it can still be turned on. It sits there and mocks me like the raven in the Edgar Allan Poe poem.

    There of course must be something still remaining in my system, but I can't for the life of me figure out what it is. This is my HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Fujitsu\sa\de\jsharp\bin\SBRSVC.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\LTSMMSG.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Semagic\LiveJournalU.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Husen\Husen.exe
    C:\WINDOWS\System32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Sleipnir\Sleipnir.exe
    C:\Program Files\RimArts\B2\B2.exe
    C:\Program Files\Trend Micro\Virus Buster 2004\tmproxy.exe
    C:\Program Files\Trend Micro\Virus Buster 2004\PccPfw.exe
    C:\Program Files\Trend Micro\Virus Buster 2004\Tmntsrv.exe
    C:\Program Files\Trend Micro\Virus Buster 2004\PCClient.EXE
    C:\Program Files\Trend Micro\Virus Buster 2004\PCCGUIDE.EXE
    C:\Program Files\Trend Micro\Virus Buster 2004\TMOAgent.exe
    C:\Program Files\HijackThis\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [IMJPMIG9.0] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP9\IMJPMIG.EXE /Preload /Migration32
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Virus Buster 2004\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Virus Buster 2004\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Virus Buster 2004\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Fujitsu Quick Touch\QuickTouch.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [RegProt] c:\program files\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: surfingFOLiO - C:\Program Files\B's Recorder GOLD7\Plugin\surfingFOLiO\bssurf.htm
    O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://*.planning
    O15 - Trusted Zone: http://*.wp1006
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4931C47D-3EE7-4138-BFFC-03316D06F1BE} (DDS.RXViewCommander) - http://planning/3DCabinet/WebForm/CABs/RXViewCommander.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.9616666667
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    The only thing I can find that may be suspicious is C:\WINDOWS\LTSMMSG.exe. What is this program? Someone please throw me a bone here before I end up sawing off the top part of my display so as to never see that irritating piece of #$%&{` toolbar ever again. Thanks!

    --
    The 2
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  3. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    Actually when I ran AdAware, it didn't find any registry keys, only tracker cookies. None of them matched BlazeFind or anything related to that.

    --
    The 2
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Well first we can eliminate your suspect:
    Ltsmmsg

    Ltsmmsg.exe

    (Lucent Technologies)

Lucent Softmodem Messaging Applet. We have only ourselves ever found this modem driver in Acer and Sony laptops, and some Fujitsu Siemens and IBM laptop owners have also reported it, but we would not be surprised if it can be found on many other brands of laptops as well.

    Source: http://www.answersthatwork.com/Tasklist_pages/tasklist_l.htm

    I am not sure where in the registry this toolbar hides, so we will have to look for it.

    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Put the name of the Toolbar in the dialog box.

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    Regards,

    Pieter
     
  5. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    1) Yes, I do indeed have a Lucent Softmodem on this laptop (Fujitsu FMV NB50G). Noted.

    Now, here are the results of that search script:

    REGEDIT4
; RegSrch.vbs © Bill James

    ; Registry search results for string "Search Assistant" 2004/06/07 8:49:40

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}]
    @="Search Assistant"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47C6C527-6204-4F91-849D-66E234DEE015}]
    @="Search Assistant Control"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9461b922-3c5a-11d2-bf8b-00c04fb93661}]
    @="Search Assistant OC"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B791A095-A4AC-4312-8894-5B7E8FF5B3CD}]
    @="Search Assistant Tip Service"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant]
    @="Search Assistant Control"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SrchUI.SearchAssistant.1]
    @="Search Assistant Control"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ECA4E801-17AE-4863-9F5C-AF4047AABEE0}\1.0]
    @="Search Assistant 1.0 Type Library"

    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="タスク バーと [スタート] メニュー"
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

    The name of the above key is Japanese meaning "Taskbar and Start Menu". Could this be it?

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Search Assistant]

    [HKEY_USERS\S-1-5-19\Software\Microsoft\Search Assistant]

    [HKEY_USERS\S-1-5-20\Software\Microsoft\Search Assistant]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\ACMru]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\ACMru\5603]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\ACMru\5604]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa0]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa1]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa2]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa4]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa5]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa6]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa8]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\fa9]

    [HKEY_USERS\S-1-5-21-1715567821-492894223-1343024091-1003\Software\Microsoft\Search Assistant\Tips\SrchAssCtl\faa]

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Search Assistant]
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
We will find out soon enough. It is where one would expect such an entry. Back up your registry before you do this, just in case.

    Please copy the part in bold below into notepad:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{ECA4E801-17AE-4863-9F5C-AF4047AABEE0}\1.0]
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=-


Save that as SArem.reg and double-click it, then confirm you want to merge it with the registry. It may require a reboot for the changes to take full effect.

    Regards,

    Pieter
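Pieter's REGEDIT4 snippet above uses the `=-` syntax to delete a single registry value; the2belo's first post describes the reverse problem, where the Winlogon Userinit value had been pointed at wsaupdater.exe so that deleting the file alone produced the logon loop. The script below is an added example, not code from this thread, from HijackThis or from Lavasoft: it parses the F2 (REG:system.ini) lines of a HijackThis log, flags Userinit and Shell entries that deviate from the Windows XP defaults (assumed here to be `C:\WINDOWS\system32\userinit.exe,` and `Explorer.exe`), and builds a .reg file that restores those defaults. The sample log is constructed; the wsaupdater.exe path in it is the one reported in the thread.

```python
import re

# Assumption: Windows XP installed to C:\WINDOWS with default logon values.
WINDOWS_DIR = r"C:\WINDOWS"
EXPECTED = {
    "userinit": {WINDOWS_DIR.lower() + r"\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

# HijackThis reports the Winlogon values as F2 lines, for example:
#   F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
F2_RE = re.compile(r"^F2 - REG:system\.ini:\s*(UserInit|Shell)=(.*)$", re.IGNORECASE)

# Constructed sample log: only the lines this script cares about are realistic.
HIJACKED_LOG = r"""
Logfile of HijackThis (constructed sample, not a real scan)
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=Explorer.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\wsaupdater.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""


def parse_f2_lines(log_text):
    """Return {'userinit': [...], 'shell': [...]} from a HijackThis log.

    Both values are comma-separated lists of programs; quotes and blanks
    are stripped so that comparisons are not fooled by formatting."""
    found = {}
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if m:
            entries = [e.strip().strip('"') for e in m.group(2).split(",")]
            found[m.group(1).lower()] = [e for e in entries if e]
    return found


def audit_winlogon(found):
    """Return (value_name, entry) pairs that deviate from the defaults.

    A missing or empty UserInit list is itself a finding: with no program
    to run at logon, Windows bounces the user straight back to the login
    screen, which is exactly the loop described in the thread."""
    findings = []
    for name, expected in EXPECTED.items():
        entries = found.get(name, [])
        if not entries:
            findings.append((name, "<missing>"))
            continue
        for entry in entries:
            if entry.lower() not in expected:
                findings.append((name, entry))
    return findings


def restore_reg():
    """Build a REGEDIT4 file that sets Userinit and Shell back to the defaults.

    Backslashes inside a .reg string value must be doubled, and Userinit
    keeps its trailing comma, which Windows expects."""
    key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    userinit = (WINDOWS_DIR + r"\system32\userinit.exe,").replace("\\", "\\\\")
    return (
        "REGEDIT4\r\n\r\n"
        f"[{key}]\r\n"
        f'"Userinit"="{userinit}"\r\n'
        '"Shell"="Explorer.exe"\r\n'
    )


if __name__ == "__main__":
    for name, entry in audit_winlogon(parse_f2_lines(HIJACKED_LOG)):
        print(f"suspicious {name} entry: {entry}")
    print(restore_reg())
```

Merge the generated file first, then remove the hijacking executable; doing it in the other order reproduces the lockout. The check deliberately treats an empty Userinit as a finding rather than as "nothing suspicious here", since that is the state a half-finished cleanup leaves behind.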
     
  7. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    I merged this into the registry and rebooted, but unfortunately the toolbar is still available. Maybe it's one of the other keys?

    --
    The 2
     
  8. ahulett

    ahulett Spyware Expert

    Joined:
    Aug 13, 2003
    Posts:
    9
    Please see the following Knowledge Base article for more information concerning wsaupdater.exe and Ad-aware.

    This problem is not present in reference file 01R315 06.06.2004.

    Lavasoft Knowledge Base Article 04060901
    Unable to Log On To Windows XP After Removing wsaupdater.exe
    http://www.lavahelp.com/articles/v6/04/06/0901.html

    Thanks,

    Aaron
     
  9. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    Actually I was able to discover and fix this problem (which I did have) before. The only problem I have remaining now is the continued existence of "Search Assistant" in the taskbar context menu under Toolbars, and the ability to turn the thing on. I just want it completely gone.

    --
    The 2
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi the2belo,

Under what name is it listed in that context menu?
We should be able to find that spot in the registry.
    Or maybe Aaron has it in his notes somewhere. ;)

    Regards,

    Pieter
     
  11. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    If you right-click on the Start menu toolbar and go to Toolbars, it is listed in that menu as simply "Search Assistant".

    Hmm. I think I'll go try removing a suspicious registry key I found. I'll let you know if it works.

    --
    The 2
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
Back up your registry before experimenting.

    Keep us posted,

    Pieter
     
  13. the2belo

    the2belo Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    7
    Location:
    Japan
    Well, never mind. It seems that I cannot tell the difference between a "Search Assistant" left in my taskbar, and the Microsoft Search Assistant that's part of Explorer.

    I'm stumped.

    --
    The 2
     