SRCHASST parasite hijacker

[Guest]

This is BY FAR the most annoying bug I have ever gotten
and unless microsoft or another spyware company steps up,
I'll be formatting soon. I have tried everything I can
find to fix this Search Assistant (srchasst) parasite and
NONE of it works. I still have spysubtractor warnings
about Browser changes all the time. Spyhunter, CW
SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
have I)incapable of dealing with this bug. I also just
scanned with symantac online and again nothing. In
windows\srchasst there are 4 files I believe are primarily
responsible:
msgr3en.dll
nls302en
srchctls.dll
srchui.dll
ALSO
It adds atleast one value in the registry in:
HKEY_CURRENT_USER - Software\Microsoft\Internet
Explorer\Main

but there are probably others...

When I delete that value or one of the afore mentioned 4
files they will reappear within seconds. (Does anyone know
How I could go about deleting them - I don't see anything
in task manager processes I believe to be responsible).
This SearchAssistant bug is driving me crazy!!! In
addition to the other symptoms I listed in previous
threads on the spyware beta newsgroup - general site, here's the newest
ones: Web browsing is way too
slow, I have tons of popups, and it creates new values
each time my computer reboots in the Favorites.
While I can't find a way to get this thing off of here, I
found a site that suggests this is the (THERE AREN'T
ADJECTIVES VULGAR ENOUGH) company responsible:
Registrant:
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

Domain Name: SEARCHASSISTANT.NET
Administrative Contact:
Jones, Ed (e-mail address removed)
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

213-947-1271
Record expires on 01-May-2006.
Record created on 29-Sep-2003.
Database last updated on 12-Jan-2004 21:59:36 EST.
Domain servers in listed order:
NS.SERVINT.COM 209.50.225.13
NS2.SERVINT.COM 209.50.225.12
NS01.BACKUPDNS.COM 199.242.242.199

If someone's aware of a law they're breaking, please
either report them or let me know and I will.

I doubt this works and it for sure won't delete this thing, but I just
dumped the actual program srchasst from windows... by:
To remove/block srchasst
On the "Run" line type "Regedit"
Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
CurrentVersion \ Explorer \ CabinetState \
Right-click an empty space in the right pane and select
New > String Value
Name the new value Use Search Asst
Double-click this new value, and enter no as it's Value
data
Close the registry editor

 

[Carey Frisch [MVP]]

Try the following:

Microsoft Windows AntiSpyware (Beta)
http://www.microsoft.com/downloads/...a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.mspx

------------------------------------------------------------------------------

:

| This is BY FAR the most annoying bug I have ever gotten
| and unless microsoft or another spyware company steps up,
| I'll be formatting soon. I have tried everything I can
| find to fix this Search Assistant (srchasst) parasite and
| NONE of it works. I still have spysubtractor warnings
| about Browser changes all the time. Spyhunter, CW
| SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
| have I)incapable of dealing with this bug. I also just
| scanned with symantac online and again nothing. In
| windows\srchasst there are 4 files I believe are primarily
| responsible:
| msgr3en.dll
| nls302en
| srchctls.dll
| srchui.dll
| ALSO
| It adds atleast one value in the registry in:
| HKEY_CURRENT_USER - Software\Microsoft\Internet
| Explorer\Main
|
| but there are probably others...
|
| When I delete that value or one of the afore mentioned 4
| files they will reappear within seconds. (Does anyone know
| How I could go about deleting them - I don't see anything
| in task manager processes I believe to be responsible).
| This SearchAssistant bug is driving me crazy!!! In
| addition to the other symptoms I listed in previous
| threads on the spyware beta newsgroup - general site, here's the newest
| ones: Web browsing is way too
| slow, I have tons of popups, and it creates new values
| each time my computer reboots in the Favorites.
| While I can't find a way to get this thing off of here, I
| found a site that suggests this is the (THERE AREN'T
| ADJECTIVES VULGAR ENOUGH) company responsible:
| Registrant:
| Odysseus Marketing, Inc.
| 8721 Santa Monica Blvd #409
| Los Angeles, CA 90069-4507
|
| Domain Name: SEARCHASSISTANT.NET
| Administrative Contact:
| Jones, Ed (e-mail address removed)
| Odysseus Marketing, Inc.
| 8721 Santa Monica Blvd #409
| Los Angeles, CA 90069-4507
|
| 213-947-1271
| Record expires on 01-May-2006.
| Record created on 29-Sep-2003.
| Database last updated on 12-Jan-2004 21:59:36 EST.
| Domain servers in listed order:
| NS.SERVINT.COM 209.50.225.13
| NS2.SERVINT.COM 209.50.225.12
| NS01.BACKUPDNS.COM 199.242.242.199
|
| If someone's aware of a law they're breaking, please
| either report them or let me know and I will.
|
| I doubt this works and it for sure won't delete this thing, but I just
| dumped the actual program srchasst from windows... by:
| To remove/block srchasst
| On the "Run" line type "Regedit"
| Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
| CurrentVersion \ Explorer \ CabinetState \
| Right-click an empty space in the right pane and select
| New > String Value
| Name the new value Use Search Asst
| Double-click this new value, and enter no as it's Value
| data
| Close the registry editor
|

 

[Dave]

it may not show in task manager, go to the services control panel and see if
there are any services you don't recognize running. that is a common way
for some of those worms to 'repair' themselves, they install a service that
monitors their running process and files and replaces or restarts them as
needed. check carefully, they also do things like imitate common names so
they may look 'normal' at first glance but may be one letter off from a real
service or exe.

 

[Wesley Vogel]

Just how long have you had Windows XP? The Search Asst is not a parasite,
it's part of Windows XP.

These four files are legitimate Windows XP files>>>

C:\WINDOWS\srchasst\msgr3en.dll = Microsoft English Natural Language Server

C:\WINDOWS\srchasst\nls302en.lex = Microsoft Office Dictionary file

C:\WINDOWS\srchasst\srchctls.dll = Microsoft Search Assistant Controls

C:\WINDOWS\srchasst\srchui.dll = Microsoft Search Assistant UI (User
Interface)

You can't delete them because they are protected by Windows File Protection.

What value gets added in?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AutoSearch? Search Bar? Use Custom Search URL? Use Search Asst?

Classic Search in Internet Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value Name: Use Search Asst
Data Type: REG_SZ
Value Data: no

The tweak you used is for Classic Search in Windows Explorer *not* Classic
Search in Internet Explorer.

Classic Search in Windows Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Windows Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState
Value Name: Use Search Asst
Value Type: REG_SZ
Value Data: no

What makes you think you have SEARCHASSISTANT.NET??

SearchAssistant.net
http://tired-of-spam.home.comcast.net/searchassistant.html

Spyware Warrior Forums :: View topic - WALT RINES SPYWAREHELP.NET IS NO
MORE!!!!!!!!
http://spywarewarrior.com/viewtopic.php?t=4178

You have some sort of scumware if you are getting tons of popups and items
added in Favorites.

Steer clear of Microsoft Windows AntiSpyware (BETA) until it's ready for
public release. It has too many problems yet!!!!

Make sure you update every program, even if you just downloaded it. You
must have the latest updates. Without updates, you have a gun without ammo.
You also need to use more than one anti scumware program. One program will
*not* catch everything.

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (More for the advanced user)
http://www.spywareinfo.com/~merijn/downloads.html

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Guest]

I've had xp forever...
that may have been the original role for these files, but they've been
replaced by same-named nasty NASTY files...

The thing that originally made this hard for me to diagnose was the clever
way this program hides itself - not only does it disguise itself as srchasst,
but it also blocks spyhunter reporting from beta back to microsoft, PREVENTS
deletion of these files and it's entires in the registry, blocks beta from
restoring the pages it's hijacked (that's actually cool to watch - you can't
even highlught them, etc...)

Just how long have you had Windows XP? The Search Asst is not a parasite,
it's part of Windows XP.

These four files are legitimate Windows XP files>>>

C:\WINDOWS\srchasst\msgr3en.dll = Microsoft English Natural Language Server

C:\WINDOWS\srchasst\nls302en.lex = Microsoft Office Dictionary file

C:\WINDOWS\srchasst\srchctls.dll = Microsoft Search Assistant Controls

C:\WINDOWS\srchasst\srchui.dll = Microsoft Search Assistant UI (User
Interface)

You can't delete them because they are protected by Windows File Protection.

What value gets added in?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AutoSearch? Search Bar? Use Custom Search URL? Use Search Asst?

Classic Search in Internet Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value Name: Use Search Asst
Data Type: REG_SZ
Value Data: no

The tweak you used is for Classic Search in Windows Explorer *not* Classic
Search in Internet Explorer.

Classic Search in Windows Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Windows Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState
Value Name: Use Search Asst
Value Type: REG_SZ
Value Data: no

What makes you think you have SEARCHASSISTANT.NET??

SearchAssistant.net
http://tired-of-spam.home.comcast.net/searchassistant.html

Spyware Warrior Forums :: View topic - WALT RINES SPYWAREHELP.NET IS NO
MORE!!!!!!!!
http://spywarewarrior.com/viewtopic.php?t=4178

You have some sort of scumware if you are getting tons of popups and items
added in Favorites.

Steer clear of Microsoft Windows AntiSpyware (BETA) until it's ready for
public release. It has too many problems yet!!!!

Make sure you update every program, even if you just downloaded it. You
must have the latest updates. Without updates, you have a gun without ammo.
You also need to use more than one anti scumware program. One program will
*not* catch everything.

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (More for the advanced user)
http://www.spywareinfo.com/~merijn/downloads.html

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

This is BY FAR the most annoying bug I have ever gotten
and unless microsoft or another spyware company steps up,
I'll be formatting soon. I have tried everything I can
find to fix this Search Assistant (srchasst) parasite and
NONE of it works. I still have spysubtractor warnings
about Browser changes all the time. Spyhunter, CW
SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
have I)incapable of dealing with this bug. I also just
scanned with symantac online and again nothing. In
windows\srchasst there are 4 files I believe are primarily
responsible:
msgr3en.dll
nls302en
srchctls.dll
srchui.dll
ALSO
It adds atleast one value in the registry in:
HKEY_CURRENT_USER - Software\Microsoft\Internet
Explorer\Main

but there are probably others...

When I delete that value or one of the afore mentioned 4
files they will reappear within seconds. (Does anyone know
How I could go about deleting them - I don't see anything
in task manager processes I believe to be responsible).
This SearchAssistant bug is driving me crazy!!! In
addition to the other symptoms I listed in previous
threads on the spyware beta newsgroup - general site, here's the
newest ones: Web browsing is way too
slow, I have tons of popups, and it creates new values
each time my computer reboots in the Favorites.
While I can't find a way to get this thing off of here, I
found a site that suggests this is the (THERE AREN'T
ADJECTIVES VULGAR ENOUGH) company responsible:
Registrant:
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

Domain Name: SEARCHASSISTANT.NET
Administrative Contact:
Jones, Ed (e-mail address removed)
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

213-947-1271
Record expires on 01-May-2006.
Record created on 29-Sep-2003.
Database last updated on 12-Jan-2004 21:59:36 EST.
Domain servers in listed order:
NS.SERVINT.COM 209.50.225.13
NS2.SERVINT.COM 209.50.225.12
NS01.BACKUPDNS.COM 199.242.242.199

If someone's aware of a law they're breaking, please
either report them or let me know and I will.

I doubt this works and it for sure won't delete this thing, but I just
dumped the actual program srchasst from windows... by:
To remove/block srchasst
On the "Run" line type "Regedit"
Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
CurrentVersion \ Explorer \ CabinetState \
Right-click an empty space in the right pane and select
New > String Value
Name the new value Use Search Asst
Double-click this new value, and enter no as it's Value
data
Close the registry editor

 

[Wesley Vogel]

Baloney.

msgr3en.dll, nls302en.lex, srchctls.dll and srchui.dll are protected System
files. They can't be replaced unless your Windows File Protection has
somehow been turned off. And that is not an easy feat.

I opened C:\WINDOWS\srchasst and dragged msgr3en.dll, nls302en.lex,
srchctls.dll and srchui.dll to my Desktop. Within seconds they all
reappeared.

Event Viewer showed these events...

File replacement was attempted on the protected system file
c:\windows\srchasst\srchctls.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
1.0.0.2008.

File replacement was attempted on the protected system file
c:\windows\srchasst\srchui.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
1.0.0.2714.

File replacement was attempted on the protected system file
c:\windows\srchasst\nls302en.lex. This file was restored to the original
version to maintain system stability. The file version of the system file is
0.0.0.1.

File replacement was attempted on the protected system file
c:\windows\srchasst\msgr3en.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
3.1.0.2415.
-----

Run System File Checker to make sure...

[[System File Checker gives an administrator the ability to scan all
protected files to verify their versions. If System File Checker discovers
that a protected file has been overwritten, it retrieves the correct version
of the file from the cache folder (%Systemroot%\System32\Dllcache) or the
Windows installation source files, and then replaces the incorrect file.
System File Checker also checks and repopulates the cache folder. ]]
Description of Windows XP and Windows Server 2003 System File Checker
(Sfc.exe)
http://support.microsoft.com/?kbid=310747

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

I've had xp forever...
that may have been the original role for these files, but they've been
replaced by same-named nasty NASTY files...

The thing that originally made this hard for me to diagnose was the
clever way this program hides itself - not only does it disguise
itself as srchasst, but it also blocks spyhunter reporting from beta
back to microsoft, PREVENTS deletion of these files and it's entires
in the registry, blocks beta from restoring the pages it's hijacked
(that's actually cool to watch - you can't even highlught them,
etc...)

Just how long have you had Windows XP? The Search Asst is not a
parasite, it's part of Windows XP.

These four files are legitimate Windows XP files>>>

C:\WINDOWS\srchasst\msgr3en.dll = Microsoft English Natural Language
Server

C:\WINDOWS\srchasst\nls302en.lex = Microsoft Office Dictionary file

C:\WINDOWS\srchasst\srchctls.dll = Microsoft Search Assistant
Controls

C:\WINDOWS\srchasst\srchui.dll = Microsoft Search Assistant UI (User
Interface)

You can't delete them because they are protected by Windows File
Protection.

What value gets added in?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AutoSearch? Search Bar? Use Custom Search URL? Use Search Asst?

Classic Search in Internet Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value Name: Use Search Asst
Data Type: REG_SZ
Value Data: no

The tweak you used is for Classic Search in Windows Explorer *not*
Classic Search in Internet Explorer.

Classic Search in Windows Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Windows Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState
Value Name: Use Search Asst
Value Type: REG_SZ
Value Data: no

What makes you think you have SEARCHASSISTANT.NET??

SearchAssistant.net
http://tired-of-spam.home.comcast.net/searchassistant.html

Spyware Warrior Forums :: View topic - WALT RINES SPYWAREHELP.NET IS
NO MORE!!!!!!!!
http://spywarewarrior.com/viewtopic.php?t=4178

You have some sort of scumware if you are getting tons of popups and
items added in Favorites.

Steer clear of Microsoft Windows AntiSpyware (BETA) until it's ready
for public release. It has too many problems yet!!!!

Make sure you update every program, even if you just downloaded it.
You must have the latest updates. Without updates, you have a gun
without ammo. You also need to use more than one anti scumware
program. One program will *not* catch everything.

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it
from ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (More for the advanced user)
http://www.spywareinfo.com/~merijn/downloads.html

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

This is BY FAR the most annoying bug I have ever gotten
and unless microsoft or another spyware company steps up,
I'll be formatting soon. I have tried everything I can
find to fix this Search Assistant (srchasst) parasite and
NONE of it works. I still have spysubtractor warnings
about Browser changes all the time. Spyhunter, CW
SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
have I)incapable of dealing with this bug. I also just
scanned with symantac online and again nothing. In
windows\srchasst there are 4 files I believe are primarily
responsible:
msgr3en.dll
nls302en
srchctls.dll
srchui.dll
ALSO
It adds atleast one value in the registry in:
HKEY_CURRENT_USER - Software\Microsoft\Internet
Explorer\Main

but there are probably others...

When I delete that value or one of the afore mentioned 4
files they will reappear within seconds. (Does anyone know
How I could go about deleting them - I don't see anything
in task manager processes I believe to be responsible).
This SearchAssistant bug is driving me crazy!!! In
addition to the other symptoms I listed in previous
threads on the spyware beta newsgroup - general site, here's the
newest ones: Web browsing is way too
slow, I have tons of popups, and it creates new values
each time my computer reboots in the Favorites.
While I can't find a way to get this thing off of here, I
found a site that suggests this is the (THERE AREN'T
ADJECTIVES VULGAR ENOUGH) company responsible:
Registrant:
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

Domain Name: SEARCHASSISTANT.NET
Administrative Contact:
Jones, Ed (e-mail address removed)
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

213-947-1271
Record expires on 01-May-2006.
Record created on 29-Sep-2003.
Database last updated on 12-Jan-2004 21:59:36 EST.
Domain servers in listed order:
NS.SERVINT.COM 209.50.225.13
NS2.SERVINT.COM 209.50.225.12
NS01.BACKUPDNS.COM 199.242.242.199

If someone's aware of a law they're breaking, please
either report them or let me know and I will.

I doubt this works and it for sure won't delete this thing, but I
just dumped the actual program srchasst from windows... by:
To remove/block srchasst
On the "Run" line type "Regedit"
Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
CurrentVersion \ Explorer \ CabinetState \
Right-click an empty space in the right pane and select
New > String Value
Name the new value Use Search Asst
Double-click this new value, and enter no as it's Value
data
Close the registry editor

 

[Guest]

no wait...

you're right...

I'm making the whole thing up.

instead of trying to figure out how hard it is to alter a protected system
file and how I must be wrong, why don't you search for srchasst hijacker and
see what pops up...

the wisest man is the man that knows he knows nothing.

Baloney.

msgr3en.dll, nls302en.lex, srchctls.dll and srchui.dll are protected System
files. They can't be replaced unless your Windows File Protection has
somehow been turned off. And that is not an easy feat.

I opened C:\WINDOWS\srchasst and dragged msgr3en.dll, nls302en.lex,
srchctls.dll and srchui.dll to my Desktop. Within seconds they all
reappeared.

Event Viewer showed these events...

File replacement was attempted on the protected system file
c:\windows\srchasst\srchctls.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
1.0.0.2008.

File replacement was attempted on the protected system file
c:\windows\srchasst\srchui.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
1.0.0.2714.

File replacement was attempted on the protected system file
c:\windows\srchasst\nls302en.lex. This file was restored to the original
version to maintain system stability. The file version of the system file is
0.0.0.1.

File replacement was attempted on the protected system file
c:\windows\srchasst\msgr3en.dll. This file was restored to the original
version to maintain system stability. The file version of the system file is
3.1.0.2415.
-----

Run System File Checker to make sure...

[[System File Checker gives an administrator the ability to scan all
protected files to verify their versions. If System File Checker discovers
that a protected file has been overwritten, it retrieves the correct version
of the file from the cache folder (%Systemroot%\System32\Dllcache) or the
Windows installation source files, and then replaces the incorrect file.
System File Checker also checks and repopulates the cache folder. ]]
Description of Windows XP and Windows Server 2003 System File Checker
(Sfc.exe)
http://support.microsoft.com/?kbid=310747

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

I've had xp forever...
that may have been the original role for these files, but they've been
replaced by same-named nasty NASTY files...

The thing that originally made this hard for me to diagnose was the
clever way this program hides itself - not only does it disguise
itself as srchasst, but it also blocks spyhunter reporting from beta
back to microsoft, PREVENTS deletion of these files and it's entires
in the registry, blocks beta from restoring the pages it's hijacked
(that's actually cool to watch - you can't even highlught them,
etc...)

Just how long have you had Windows XP? The Search Asst is not a
parasite, it's part of Windows XP.

These four files are legitimate Windows XP files>>>

C:\WINDOWS\srchasst\msgr3en.dll = Microsoft English Natural Language
Server

C:\WINDOWS\srchasst\nls302en.lex = Microsoft Office Dictionary file

C:\WINDOWS\srchasst\srchctls.dll = Microsoft Search Assistant
Controls

C:\WINDOWS\srchasst\srchui.dll = Microsoft Search Assistant UI (User
Interface)

You can't delete them because they are protected by Windows File
Protection.

What value gets added in?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AutoSearch? Search Bar? Use Custom Search URL? Use Search Asst?

Classic Search in Internet Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value Name: Use Search Asst
Data Type: REG_SZ
Value Data: no

The tweak you used is for Classic Search in Windows Explorer *not*
Classic Search in Internet Explorer.

Classic Search in Windows Explorer
This tweak allows you to disable the new Search Assistant and use the
traditional search interface in Windows Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState
Value Name: Use Search Asst
Value Type: REG_SZ
Value Data: no

What makes you think you have SEARCHASSISTANT.NET??

SearchAssistant.net
http://tired-of-spam.home.comcast.net/searchassistant.html

Spyware Warrior Forums :: View topic - WALT RINES SPYWAREHELP.NET IS
NO MORE!!!!!!!!
http://spywarewarrior.com/viewtopic.php?t=4178

You have some sort of scumware if you are getting tons of popups and
items added in Favorites.

Steer clear of Microsoft Windows AntiSpyware (BETA) until it's ready
for public release. It has too many problems yet!!!!

Make sure you update every program, even if you just downloaded it.
You must have the latest updates. Without updates, you have a gun
without ammo. You also need to use more than one anti scumware
program. One program will *not* catch everything.

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it
from ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (More for the advanced user)
http://www.spywareinfo.com/~merijn/downloads.html

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In HELP ME <HELP (e-mail address removed)> hunted and pecked:
This is BY FAR the most annoying bug I have ever gotten
and unless microsoft or another spyware company steps up,
I'll be formatting soon. I have tried everything I can
find to fix this Search Assistant (srchasst) parasite and
NONE of it works. I still have spysubtractor warnings
about Browser changes all the time. Spyhunter, CW
SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
have I)incapable of dealing with this bug. I also just
scanned with symantac online and again nothing. In
windows\srchasst there are 4 files I believe are primarily
responsible:
msgr3en.dll
nls302en
srchctls.dll
srchui.dll
ALSO
It adds atleast one value in the registry in:
HKEY_CURRENT_USER - Software\Microsoft\Internet
Explorer\Main

but there are probably others...

When I delete that value or one of the afore mentioned 4
files they will reappear within seconds. (Does anyone know
How I could go about deleting them - I don't see anything
in task manager processes I believe to be responsible).
This SearchAssistant bug is driving me crazy!!! In
addition to the other symptoms I listed in previous
threads on the spyware beta newsgroup - general site, here's the
newest ones: Web browsing is way too
slow, I have tons of popups, and it creates new values
each time my computer reboots in the Favorites.
While I can't find a way to get this thing off of here, I
found a site that suggests this is the (THERE AREN'T
ADJECTIVES VULGAR ENOUGH) company responsible:
Registrant:
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

Domain Name: SEARCHASSISTANT.NET
Administrative Contact:
Jones, Ed (e-mail address removed)
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

213-947-1271
Record expires on 01-May-2006.
Record created on 29-Sep-2003.
Database last updated on 12-Jan-2004 21:59:36 EST.
Domain servers in listed order:
NS.SERVINT.COM 209.50.225.13
NS2.SERVINT.COM 209.50.225.12
NS01.BACKUPDNS.COM 199.242.242.199

If someone's aware of a law they're breaking, please
either report them or let me know and I will.

I doubt this works and it for sure won't delete this thing, but I
just dumped the actual program srchasst from windows... by:
To remove/block srchasst
On the "Run" line type "Regedit"
Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
CurrentVersion \ Explorer \ CabinetState \
Right-click an empty space in the right pane and select
New > String Value
Name the new value Use Search Asst
Double-click this new value, and enter no as it's Value
data
Close the registry editor

 

[Wesley Vogel]

Spyware Warrior » Searchassistant.net Problem
http://netrn.net/spywareblog/archives/2004/01/23/searchassistantnet-problem/

doxdesk.com: database: ClientMan
http://www.doxdesk.com/parasite/ClientMan.html

SrchAsst.exe
http://www.2-spyware.com/file-srchasst-exe.html

SrchAsst.exe
http://startup.iamnotageek.com/srch-SrchAsst.exe.html

CastleCops XNSearchAssistant SrchAsst.exe
http://computercops.biz/startuplist-4570.html

SrchAsst.exe
http://www.2-files.com/filename/srchasst-exe

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

no wait...

you're right...

I'm making the whole thing up.

instead of trying to figure out how hard it is to alter a protected
system file and how I must be wrong, why don't you search for
srchasst hijacker and see what pops up...

the wisest man is the man that knows he knows nothing.

Baloney.

msgr3en.dll, nls302en.lex, srchctls.dll and srchui.dll are protected
System files. They can't be replaced unless your Windows File
Protection has somehow been turned off. And that is not an easy
feat.

I opened C:\WINDOWS\srchasst and dragged msgr3en.dll, nls302en.lex,
srchctls.dll and srchui.dll to my Desktop. Within seconds they all
reappeared.

Event Viewer showed these events...

File replacement was attempted on the protected system file
c:\windows\srchasst\srchctls.dll. This file was restored to the
original version to maintain system stability. The file version of
the system file is
1.0.0.2008.

File replacement was attempted on the protected system file
c:\windows\srchasst\srchui.dll. This file was restored to the
original version to maintain system stability. The file version of
the system file is
1.0.0.2714.

File replacement was attempted on the protected system file
c:\windows\srchasst\nls302en.lex. This file was restored to the
original version to maintain system stability. The file version of
the system file is
0.0.0.1.

File replacement was attempted on the protected system file
c:\windows\srchasst\msgr3en.dll. This file was restored to the
original version to maintain system stability. The file version of
the system file is
3.1.0.2415.
-----

Run System File Checker to make sure...

[[System File Checker gives an administrator the ability to scan all
protected files to verify their versions. If System File Checker
discovers that a protected file has been overwritten, it retrieves
the correct version of the file from the cache folder
(%Systemroot%\System32\Dllcache) or the Windows installation source
files, and then replaces the incorrect file. System File Checker
also checks and repopulates the cache folder. ]] Description of
Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
http://support.microsoft.com/?kbid=310747

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

I've had xp forever...
that may have been the original role for these files, but they've
been replaced by same-named nasty NASTY files...

The thing that originally made this hard for me to diagnose was the
clever way this program hides itself - not only does it disguise
itself as srchasst, but it also blocks spyhunter reporting from beta
back to microsoft, PREVENTS deletion of these files and it's entires
in the registry, blocks beta from restoring the pages it's hijacked
(that's actually cool to watch - you can't even highlught them,
etc...)

:

Just how long have you had Windows XP? The Search Asst is not a
parasite, it's part of Windows XP.

These four files are legitimate Windows XP files>>>

C:\WINDOWS\srchasst\msgr3en.dll = Microsoft English Natural
Language Server

C:\WINDOWS\srchasst\nls302en.lex = Microsoft Office Dictionary file

C:\WINDOWS\srchasst\srchctls.dll = Microsoft Search Assistant
Controls

C:\WINDOWS\srchasst\srchui.dll = Microsoft Search Assistant UI
(User Interface)

You can't delete them because they are protected by Windows File
Protection.

What value gets added in?
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

AutoSearch? Search Bar? Use Custom Search URL? Use Search Asst?

Classic Search in Internet Explorer
This tweak allows you to disable the new Search Assistant and use
the traditional search interface in Internet Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Value Name: Use Search Asst
Data Type: REG_SZ
Value Data: no

The tweak you used is for Classic Search in Windows Explorer *not*
Classic Search in Internet Explorer.

Classic Search in Windows Explorer
This tweak allows you to disable the new Search Assistant and use
the traditional search interface in Windows Explorer.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
CabinetState
Value Name: Use Search Asst
Value Type: REG_SZ
Value Data: no

What makes you think you have SEARCHASSISTANT.NET??

SearchAssistant.net
http://tired-of-spam.home.comcast.net/searchassistant.html

Spyware Warrior Forums :: View topic - WALT RINES SPYWAREHELP.NET
IS NO MORE!!!!!!!!
http://spywarewarrior.com/viewtopic.php?t=4178

You have some sort of scumware if you are getting tons of popups
and items added in Favorites.

Steer clear of Microsoft Windows AntiSpyware (BETA) until it's
ready for public release. It has too many problems yet!!!!

Make sure you update every program, even if you just downloaded it.
You must have the latest updates. Without updates, you have a gun
without ammo. You also need to use more than one anti scumware
program. One program will *not* catch everything.

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents
it from ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (More for the advanced user)
http://www.spywareinfo.com/~merijn/downloads.html

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In HELP ME <HELP (e-mail address removed)> hunted and pecked:
This is BY FAR the most annoying bug I have ever gotten
and unless microsoft or another spyware company steps up,
I'll be formatting soon. I have tried everything I can
find to fix this Search Assistant (srchasst) parasite and
NONE of it works. I still have spysubtractor warnings
about Browser changes all the time. Spyhunter, CW
SHREDDER/SPY SUBTRACT, and microsoft have all proven (as
have I)incapable of dealing with this bug. I also just
scanned with symantac online and again nothing. In
windows\srchasst there are 4 files I believe are primarily
responsible:
msgr3en.dll
nls302en
srchctls.dll
srchui.dll
ALSO
It adds atleast one value in the registry in:
HKEY_CURRENT_USER - Software\Microsoft\Internet
Explorer\Main

but there are probably others...

When I delete that value or one of the afore mentioned 4
files they will reappear within seconds. (Does anyone know
How I could go about deleting them - I don't see anything
in task manager processes I believe to be responsible).
This SearchAssistant bug is driving me crazy!!! In
addition to the other symptoms I listed in previous
threads on the spyware beta newsgroup - general site, here's the
newest ones: Web browsing is way too
slow, I have tons of popups, and it creates new values
each time my computer reboots in the Favorites.
While I can't find a way to get this thing off of here, I
found a site that suggests this is the (THERE AREN'T
ADJECTIVES VULGAR ENOUGH) company responsible:
Registrant:
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

Domain Name: SEARCHASSISTANT.NET
Administrative Contact:
Jones, Ed (e-mail address removed)
Odysseus Marketing, Inc.
8721 Santa Monica Blvd #409
Los Angeles, CA 90069-4507

213-947-1271
Record expires on 01-May-2006.
Record created on 29-Sep-2003.
Database last updated on 12-Jan-2004 21:59:36 EST.
Domain servers in listed order:
NS.SERVINT.COM 209.50.225.13
NS2.SERVINT.COM 209.50.225.12
NS01.BACKUPDNS.COM 199.242.242.199

If someone's aware of a law they're breaking, please
either report them or let me know and I will.

I doubt this works and it for sure won't delete this thing, but I
just dumped the actual program srchasst from windows... by:
To remove/block srchasst
On the "Run" line type "Regedit"
Go to HKEY_CURRENT_USER \Software\Microsoft\ Windows \
CurrentVersion \ Explorer \ CabinetState \
Right-click an empty space in the right pane and select
New > String Value
Name the new value Use Search Asst
Double-click this new value, and enter no as it's Value
data
Close the registry editor

 

[jenna]

I have to agree

I've had XP since it first came out as well and I've never had these files in this location under these folder names... this is not a normal XP file...

I'm currently running into the same problem..and I haven't yet found a sure fix for this yet ...


I have all these spyware search and destroy, cws killers, ad-aware, hijack this logs, so on and so forth... and these are all updated...


has anyone used the .lex fix??

please help!?

 

[Ian Menkins]

I'm infested with this same thing and it's driving me ding bats! Yes srchasst does seem to be affected somehow. I also notice that there is a twunk16.exe and a twunk32.exe which return as fast as I delete them. Have these got something to do with it?

 

[GeneralTso92]

fine

the twunk files are window files and are not a problem

and srchasst is again not a problem at all,gotta agree with
Wesley