Keyboard F9 key invokes unwanted internet "Search-aide"

[Joe Funk]

Hi there;

As of a few days ago my F9 key was somehow re-assigned without my
knowledge or permission. Instead of the native behaviour, I get a small
browser window titled "Search-aide - Information at your fingertips ...",
from the Infosoft Corporation.

That leads me to ask 2 questions:
1. How can I remove the unknown program that is manipulating the keyboard? I
searched for both "Search-aide" and "Infosoft Corporation" on Google, and
there seems to be some funny business involved. The url's I found are either
useless or evasive wrt to what Infosoft Corporation actually does.
2.Can I re-assign the key myself via some built-in utility in WinXP Pro?
(Are these called keyboard hooks?)

I load ZoneAlarm and AVG6 at startup.
Now that I've become aware of "spyware, malware, BHo's and hijackers",
I've been tryinng out AdAware and HijackThis, which found and fixed a few
items. The F9 problem persists after removing all spyware etc with those 2
programs.

Joe

(I'm also posting this to microsoft.public.windowsxp.security_admin)

[mto]

"Joe Funk" <joefunk50@shaw.ca> wrote in message
news:%5mSa.461956$ro6.11163667@news2.calgary.shaw. ca...
> Hi there;
>
> As of a few days ago my F9 key was somehow re-assigned without my
> knowledge or permission. Instead of the native behaviour, I get a small
> browser window titled "Search-aide - Information at your fingertips ...",
> from the Infosoft Corporation.

What does the browser window do? Load ads, give you a search box? Does
this happen only when you are online? Can you resize the window by dragging
the frame with your mouse? Can you view source? (If you can select all and
copy it to a plain text file please.)


> That leads me to ask 2 questions:
> 1. How can I remove the unknown program that is manipulating the keyboard?

Can't answer that until we figure out what it is.

I
> searched for both "Search-aide" and "Infosoft Corporation" on Google, and
> there seems to be some funny business involved. The url's I found are
either
> useless or evasive wrt to what Infosoft Corporation actually does.

Infosoft is a well known company. This does seem to be a bit out of
character for their usual product though, so I'm not sure I'd buy the window
title. I didn't get any results of any value whatever either.

2.Can I re-assign the key myself via some built-in utility in WinXP Pro?
> (Are these called keyboard hooks?)

Maybe. Maybe not. Depends on why it did what it did. If it is some
program that will reinstall itself if not correctly and entirely deleted
then you are just banging your head.

> I load ZoneAlarm and AVG6 at startup.
> Now that I've become aware of "spyware, malware, BHo's and hijackers",
> I've been tryinng out AdAware and HijackThis, which found and fixed a few
> items. The F9 problem persists after removing all spyware etc with those 2
> programs.

ZoneAlarm or ZoneAlarm Pro? Spring for the Pro, primo adblocker and other
features make it worth every dime.

Try SpyBot Search & Destroy. That's the year's top award winner in the spy
removal category - and free. Hijack This I hear is really great if you both
know what you are doing and have something to remove that is out of the
usual. The thing took >200 files off my daughter infested machine - and
that was AFTER AdAware got done with another 247 or so.

[Joe Funk]

"mto" <nobody@nowhere.com> wrote in message
news:vhl6sv5p77ck54@corp.supernews.com...
>
> ... install MySearch through Total Uninstall,
> run it and then uninstall it. No guarantees but can't hurt much.
>
>

Great plan - I'll do it.

[Joe Funk]

"mto" <nobody@nowhere.com> wrote in message
news:vhl6sv5p77ck54@corp.supernews.com...
> <snip>
> ... install MySearch through Total Uninstall,
> run it and then uninstall it. No guarantees but can't hurt much.
>
... no luck so far ... here's a recap of what I've tried ...

I had been thinking that the Search-Aide mini-browser might have been a
part of MySearch (originally installed on my computer when I tried out
Kazaa), but
it wasn't.
I removed Kazaa via XP's Add/Remove Programs, RegClean, AdAware,
SpyBot-S&D, and regedit. Then I re-installed and uninstalled Kazaa with
Total Uninstall, so theoretically Kazaa and its MySearch are completely
gone. While MySearch was still on my computer I had a look at its
components, none of which involved aide.html.

However I did find the source html on my hard drive. After hitting F9 I
found aide.html in
my ..\Temporary Internet Files folder. (That file's Properties showed the
address http://www.search-aide.com/aide.html .)
When I use IE6's Tools|Options|Delete Files (all Offline Content) the
file is deleted, but it returns when I hit F9.
For what it's worth, I can open ..\Temporary Internet Files\aide.html in
Notepad, but I'm supposing the html itself is harmless. I would guess the
real problem is some program on my system that's detecting the F9 keypress
and then calling the html.

After running the utilities listed above, SpyBot-S&D says I'm now
clean - no spybots, tracking cookies, hijackers, keyloggers, malware or
trojans.
So now I'm trying to track down what I suppose is the real culprit: some
little exe, dll, vbs, js, or wsh file on my computer that hooks onto F9. Am
I on the right track?

[Joe Funk]

<snip>
>After hitting F9 I found aide.html in my ..\Temporary Internet Files
folder.
<snip>

Just some further random diddling ...
Starting with an empty Temporary Internet Files folder, then hitting F9,
I immediately see 3 files created there:
File: Property points to
aide[1].html http://www.search-aide.com/aide.html
en-us_CSS_Classic[1].css
http://www.search-aide.com/en-us_CSS_Classic.css
search[1].html http://www.search-aide.com/search.html

Of interest to me is the fact that when I remove the RO attribute of the
Temporary Internet Files folder, the 3 files disappear without explanation.
Probably not remarkable to you out there who know what's going on, but a
puzzle to me. Changing the attribute from RO to Archive permitted me to copy
the files to view them as text.
Call hierarchy is:
search.html calls aide.html, which is formatted by en-us_CSS_Classic.css

Anyone have better suggestion than me searching now on my machine for
the an unkown program that calls search.html every time I tap F9? If not,
any suggestions how to do that?!!
According to SpyBot-S&D I'm completely clean.
The only time I use F9 is while programming in Visual LISP - to set a
breakpoint. It's no more than an annoyance to lose that shortcut, but I'd
sure like to know what's controlling my keyboard without my consent.

Thanks, Joe

[mto]

"Joe Funk" <joefunk50@shaw.ca> wrote in message
news:nYXSa.508769$Vi5.13115763@news1.calgary.shaw. ca...
> <snip>
> >After hitting F9 I found aide.html in my ..\Temporary Internet Files
> folder.
> <snip>
>
> Just some further random diddling ...
> Starting with an empty Temporary Internet Files folder, then hitting
F9,
> I immediately see 3 files created there:
> File: Property points to
> aide[1].html
http://www.search-aide.com/aide.html
> en-us_CSS_Classic[1].css
>
http://www.search-aide.com/en-us_CSS_Classic.css
> search[1].html
http://www.search-aide.com/search.html
>
> Of interest to me is the fact that when I remove the RO attribute of
the
> Temporary Internet Files folder, the 3 files disappear without
explanation.
> Probably not remarkable to you out there who know what's going on, but a
> puzzle to me. Changing the attribute from RO to Archive permitted me to
copy
> the files to view them as text.
> Call hierarchy is:
> search.html calls aide.html, which is formatted by en-us_CSS_Classic.css
>
> Anyone have better suggestion than me searching now on my machine for
> the an unkown program that calls search.html every time I tap F9? If not,
> any suggestions how to do that?!!
> According to SpyBot-S&D I'm completely clean.
> The only time I use F9 is while programming in Visual LISP - to set a
> breakpoint. It's no more than an annoyance to lose that shortcut, but I'd
> sure like to know what's controlling my keyboard without my consent.
>
> Thanks, Joe

Joe, if you run SpyBot in Advanced mode and go to tools there is a place
that allows you to remove unwanted search and start pages. You might try
that. While you are in that section there is a section under tools that
will list all of the programs that start when you turn on your machine. Get
that list out to a text file that you can reference, then google each of
them (though SpyBot is very good about telling you what most of them do.)
Sooner or later you should find the little sucker that is starting up and
overwriting your search page every time you boot the machine.

Make sure you keep a record - and maybe write to Pepi and see if he wants
the thing or any of your records to add to the SpyBot database before you
kill the sucker.

NOTE - you might want to download the beta files for SpyBot as that goes
after a bunch of new stuff. In advanced mode go to settings, then scroll
down and check the "check for beta versions" button, then update and they
will be automatically installed.

[mto]

"Joe Funk" <joefunk50@shaw.ca> wrote in message
news:nYXSa.508769$Vi5.13115763@news1.calgary.shaw. ca...
> <snip>
> >After hitting F9 I found aide.html in my ..\Temporary Internet Files
> folder.
> <snip>
>
> Just some further random diddling ...
> Starting with an empty Temporary Internet Files folder, then hitting
F9,
> I immediately see 3 files created there:
> File: Property points to
> aide[1].html
http://www.search-aide.com/aide.html
> en-us_CSS_Classic[1].css
>
http://www.search-aide.com/en-us_CSS_Classic.css
> search[1].html
http://www.search-aide.com/search.html
>
> Of interest to me is the fact that when I remove the RO attribute of
the
> Temporary Internet Files folder, the 3 files disappear without
explanation.
> Probably not remarkable to you out there who know what's going on, but a
> puzzle to me. Changing the attribute from RO to Archive permitted me to
copy
> the files to view them as text.
> Call hierarchy is:
> search.html calls aide.html, which is formatted by en-us_CSS_Classic.css
>
> Anyone have better suggestion than me searching now on my machine for
> the an unkown program that calls search.html every time I tap F9? If not,
> any suggestions how to do that?!!
> According to SpyBot-S&D I'm completely clean.
> The only time I use F9 is while programming in Visual LISP - to set a
> breakpoint. It's no more than an annoyance to lose that shortcut, but I'd
> sure like to know what's controlling my keyboard without my consent.
>
> Thanks, Joe

VERY interesting - when I google Search Aide I get results for a program to
help uni students learn to search the library/databases.

When I went off to ARIN to Whois, there is no search-aide.com - with or
without the - or the e

Ping and tracert come up as 66.226.81.169 but no connection achieved with
either.

ARIN results for that IP number are -
Search results for: 66.226.81.169
OrgName: Abacus America Inc.
OrgID: ABAC
Address: 5266 Eastgate Mall
City: San Diego
StateProv: CA
PostalCode: 92121
Country: US

NetRange: 66.226.64.0 - 66.226.95.255
CIDR: 66.226.64.0/19
NetName: ABAC2002A
NetHandle: NET-66-226-64-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.ABAC.COM
NameServer: NS2.ABAC.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-31
Updated: 2003-03-27

TechHandle: AD384-ORG-ARIN
TechName: A+Net Internet Services
TechPhone: +1-858-410-6900
TechEmail: dns@aplus.net

# ARIN WHOIS database, last updated 2003-07-21 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

Here are the Google results for Abacus America Inc.:
http://www.google.com/search?hl=en&l...+SearchExtract
from one of the listings (10 pages, page one shows similar results under a
variety of domain names -
Aplus.net - web hosting free isp provider internet service
ENTER. web hosting free isp provider internet service domain registration
page
low cost affordable frontpage. Abacus is a privately owned corporation. ...
Description: Offers internet access, web hosting, e-commerce solutions and
data center. Based in San Diego.

[Chris McFarland]

Dear Joe,

I stumbled across your post earlier this evening while trying to decipher
this same problem. I've solved it, but am now searching for the why behind
the how. Here is how I solved the F9 popup:

1. Noticed a suspicious Csrss.exe in my processes
2. Searched and found the file in C:\Windows (I'm running XP Home)
3. File size was 69,632, as opposed to the correct csrss.exe file in
C:|Windows\System32, which is 4096
4. Repeated searches found no reference to this exact behavior in a worm or
virus, although many worms do hide behind the csrss.exe
5. Found a registry entry for this exe in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run [CSRSS]
6. Renamed the C:\Windows\Csrss.exe to Csrss_old.exe in case it was somehow,
by an amazing remote chance, a valid file
7. Rebooted and F9 was suddenly available to me again. Surprise!
8. Still investigating when and how I got this thing. I noticed that my
half-life and Dod 1.0 installation occured just before the installation of
the bad file (assuming the date and time can be trusted). Perhaps I stumbled
onto a bad install file..... will post if I discoved anything more.

Please let me know if this process works for you and if you notice and
strange installs, etc around your date. Maybe we can find the trigger for
this thing by comparing info.

Chris

[Chris McFarland]

Very interesting. I had installed Kazaap (http://www.kazaap.org) a couple of
weeks ago to see what it actually did. Apparently what it did was install
the Csrss.exe file in my C:\Windows directory and add a registry setting
forcing it to start at boot. I didn't believe this at first, so I downloaded
Kazaap again and reinstalled it. Sure enough, that pesky file was
regenerated. Considering that one of Kazaap's main points is "Unlike other
Kazaa accelerators and other Kazaa add-ons, Kazaap does not contain any
Adware nor does it contains any Spyware".

Joe, is this the explanation for your system's behavior? If you verify this
I would love to get an explanation from Kazaap. Tomorrow I will see if this
process does anything besides display that annoying search window.

Chris

"Chris McFarland" <jakobscalpel@hotmail.com> wrote in message
news:3f1ce144$1@news.sti.net...
> Dear Joe,
>
> I stumbled across your post earlier this evening while trying to decipher
> this same problem. I've solved it, but am now searching for the why behind
> the how. Here is how I solved the F9 popup:
>
> 1. Noticed a suspicious Csrss.exe in my processes
> 2. Searched and found the file in C:\Windows (I'm running XP Home)
> 3. File size was 69,632, as opposed to the correct csrss.exe file in
> C:|Windows\System32, which is 4096
> 4. Repeated searches found no reference to this exact behavior in a worm
or
> virus, although many worms do hide behind the csrss.exe
> 5. Found a registry entry for this exe in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run [CSRSS]
> 6. Renamed the C:\Windows\Csrss.exe to Csrss_old.exe in case it was
somehow,
> by an amazing remote chance, a valid file
> 7. Rebooted and F9 was suddenly available to me again. Surprise!
> 8. Still investigating when and how I got this thing. I noticed that my
> half-life and Dod 1.0 installation occured just before the installation of
> the bad file (assuming the date and time can be trusted). Perhaps I
stumbled
> onto a bad install file..... will post if I discoved anything more.
>
> Please let me know if this process works for you and if you notice and
> strange installs, etc around your date. Maybe we can find the trigger for
> this thing by comparing info.
>
> Chris
>
>

[Joe Funk]

Chris;
Exactement! Thanks. This whole Napster-Kazaa-Morpheus business was
always too good to be true wasn't it?
I too installed Kazaa-p about the same time the F9 gift arrived. Now at
your suggestion I found and renamed c:\windows\csrss.exe, re-booted and -
all's well! I've yet to remove the registry entry.
FWIW, I'd received this warning last night from my newly downloaded
Trojan-finder called TDS-3:
RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run
[csrss=C:\WINDOWS\CSRSS.EXE]
Using that clue I searched the net for csrss.exe wrt virus activity, and
found references to a Ladex|Dalbug worm, and variations of w32-Nimda,
neither of which (apparently) usurp keyboard functions. I'd given up until
you dropped in to solve the problem. Thanks a bunch.
Just to be sure - McAffee recommends shutting off System Restore during
de-worming:
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
I guess we're durned lucky it wasn't more aggressive - or there may be
other so-far unnoticed changes caused by this worm or whatever it is.
Now that I think of it my machine has been running very slowly lately
....
Good work.f
Joe


"Chris McFarland" <jakobscalpel@hotmail.com> wrote in message
news:3f1cea52@news.sti.net...
> Very interesting. I had installed Kazaap (http://www.kazaap.org) a couple
of
> weeks ago to see what it actually did. Apparently what it did was install
> the Csrss.exe file in my C:\Windows directory and add a registry setting
> forcing it to start at boot. I didn't believe this at first, so I
downloaded
> Kazaap again and reinstalled it. Sure enough, that pesky file was
> regenerated. Considering that one of Kazaap's main points is "Unlike other
> Kazaa accelerators and other Kazaa add-ons, Kazaap does not contain any
> Adware nor does it contains any Spyware".
>
> Joe, is this the explanation for your system's behavior? If you verify
this
> I would love to get an explanation from Kazaap. Tomorrow I will see if
this
> process does anything besides display that annoying search window.
>
> Chris
>
> "Chris McFarland" <jakobscalpel@hotmail.com> wrote in message
> news:3f1ce144$1@news.sti.net...
> > Dear Joe,
> >
> > I stumbled across your post earlier this evening while trying to
decipher
> > this same problem. I've solved it, but am now searching for the why
behind
> > the how. Here is how I solved the F9 popup:
> >
> > 1. Noticed a suspicious Csrss.exe in my processes
> > 2. Searched and found the file in C:\Windows (I'm running XP Home)
> > 3. File size was 69,632, as opposed to the correct csrss.exe file in
> > C:|Windows\System32, which is 4096
> > 4. Repeated searches found no reference to this exact behavior in a worm
> or
> > virus, although many worms do hide behind the csrss.exe
> > 5. Found a registry entry for this exe in
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run [CSRSS]
> > 6. Renamed the C:\Windows\Csrss.exe to Csrss_old.exe in case it was
> somehow,
> > by an amazing remote chance, a valid file
> > 7. Rebooted and F9 was suddenly available to me again. Surprise!
> > 8. Still investigating when and how I got this thing. I noticed that my
> > half-life and Dod 1.0 installation occured just before the installation
of
> > the bad file (assuming the date and time can be trusted). Perhaps I
> stumbled
> > onto a bad install file..... will post if I discoved anything more.
> >
> > Please let me know if this process works for you and if you notice and
> > strange installs, etc around your date. Maybe we can find the trigger
for
> > this thing by comparing info.
> >
> > Chris
> >
> >
>
>