Author Topic: "luckysearch.net / acc.count-all.com" IE startpage hijacking problem  (Read 1138 times)

Offline dta

  • Member
  • **
  • Posts: 3273
Have this problem currently that I still can't solve.



Details:  Upon rebooting the computer and starting Internet Explorer, it defaults to homepage of "luckysearch.net" (shows "acc.count-all.com" briefly). Now I tried changing the default homepage and using a blank page, but after reboot, it still goes to this luckysearch.net.



Steps that I tried to remove it: I ran RegEdit and manually searched for the registry keys that hold the "default home page and start page". I noticed they were all replaced with %61%63%63.... (i.e. an obfuscated "acc.count-all.com/?/pgdoc" -- obfuscated means hidden/encoded). I searched the whole registry for "%61%63%63", found all the registry entries and deleted those string values.



But after restarting Windows and starting IE, it reverts to luckysearch.net, so I figure there might be some other hidden startup or some program that always resets the IE home/search page URLs. So far, I haven't figured this part out yet (I tried MSCONFIG to check the various programs that run at startup but didn't notice anything out of the usual Microsoft Windows startup services).



~~~~~~



Tried Ad-aware 6.0 and Spybot Search & Destroy, but they didn't seem to catch any spy/malware that does this (ok, I could be using an older version that doesn't catch this new start/search page hijacker).



Found a link in Google of someone who also has the same problem here:

http://www.tek-tips.com/gviewthread.cfm/lev2/67/lev3/70/pid/615/qid/668978



I used Hijackthis.exe * mentioned above and noticed that it also contains a run=c:\windows\..\progra~1\common~1\micros~1\msinfo\info32.exe  <-- is this normal?  The file info32.exe seems benign enough though.



*hijackthis.exe can be gotten here: http://www.tomcoyote.org/hjt/



So far, I have yet to restart my Windows to see if the above remedy works. Anyone encountered this luckysearch.net yet?





~~~~~~~



update (did some more Googling around):



Seems like this "luckysearch / acc.count-all.com" is related to this "CoolWebSearch hijacker", however this "luckysearch/acc.count-all.com" is perhaps a new variant that's not yet even listed in this page:



http://www.spywareinfo.com/~merijn/cwschronicles.html



It advises to install MS VM 3810 or newer. Also, looks like my problem was caused by a file called WINDOWSWebwin.def which contains the CoolWebSearch hijacker (and is also likely related to the "MSINFO" variant listed in http://www.doxdesk.com/parasite/CoolWebSearch.html) -- hmmm, looks like my guess (prior to Googling around) is correct.





Could somebody look at their WIN.INI file to see if they have a run= entry that points to "windows\..\progra~1\common~1\micros~1\msinfo\info32.exe"   (the reason I suspected this is the convoluted way it tries to run the info32.exe -- the nonconvoluted way would have been plainly "progra~1\common~1\micros~1\msinfo\info32.exe").  Also, the file date-time stamp of info32.exe is the same as the other msinfo32.exe legitimate executable files, so I'm wondering if the info32.exe is legit or a trojan. Can someone do a chksum of this file if they have this file present? Thanks.  My chksum (32bit and 16bit CRC) is 65F4AFC8  6D24 -- I use the tiny CHKSUM* utility to output the chksum (same chksum would almost indicate an exact same file).



*chksum utility is a tiny download (< 100kb) from here: http://www.highfiber.com/~raster/freeware.htm







~~~~~~



seems like hijackthis.exe is really nifty -- after rereading the first link above, I notice that a tech savvy user could identify some VBS viruses, trojans and coolwebsearch hijackers just by reading the hijackthis.exe log file.



in summary: to remove the above, do these (caveat: I still have to test this out in more detail) : remove the run=..info32.exe link (just leave it at "run=") and then delete the windowswebwin.def file. Then reset the searchpage urls in the registry. reboot and the hijacker should be gone.



one other thing remains: I'm not sure how I got the above hijacker in the first place (maybe it's from some website that attacks the MS VM vulnerability)
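
The two checks described in the post above (spotting a percent-encoded start page value and a WIN.INI run= entry that detours through ".."), as an added example that is not part of the original post. The sample registry values and WIN.INI text are constructed, the backslash-separated path is an assumed reading of the entry quoted in the post, and the 0.8 threshold is a hypothetical cut-off.

```python
import ntpath
import re
from urllib.parse import unquote

# Constructed sample data modelled on the values described in the post.
SAMPLE_REG_VALUES = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page":
        "%61%63%63%2e%63%6f%75%6e%74%2d%61%6c%6c%2e%63%6f%6d",
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Search Page":
        "http://www.example.com/search?q=a%20b",
}
SAMPLE_WIN_INI = """\
[windows]
load=
run=c:\\windows\\..\\progra~1\\common~1\\micros~1\\msinfo\\info32.exe
[fonts]
"""
PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def decode_if_obfuscated(value, threshold=0.8):
    """Return the decoded string if most of the value is %XX escapes, else None."""
    if not value:
        return None
    escaped = sum(len(m) for m in PCT.findall(value))
    return unquote(value) if escaped / len(value) >= threshold else None

def suspicious_autoruns(ini_text):
    """Yield (key, raw, normalized) for run=/load= entries containing '..' segments."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, raw = line.partition("=")
            # run= and load= may list several programs separated by spaces or commas
            for entry in re.split(r"[ ,]+", raw.strip()):
                if key.strip().lower() in ("run", "load") and ".." in entry.split("\\"):
                    yield key.strip().lower(), entry, ntpath.normpath(entry)

if __name__ == "__main__":
    for name, value in SAMPLE_REG_VALUES.items():
        decoded = decode_if_obfuscated(value)
        if decoded:
            print(f"{name}: obfuscated -> {decoded}")
    for key, raw, norm in suspicious_autoruns(SAMPLE_WIN_INI):
        print(f"win.ini {key}= uses '..': {raw} -> {norm}")
```

An ordinary URL with a few escapes (such as `%20`) stays below the threshold and is not reported; only values that are almost entirely `%XX` sequences are decoded and shown.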

Offline k00kiboy

  • Member
  • **
  • Posts: 107
« Reply #1 on: October 04, 2003, 12:03:16 AM »
ugh, here's what I think is the best solution to your problem, dta.



Don't use IE. Try using Mozilla Firebird, or even the ad-supported version of Opera.

iobilly

  • Guest
« Reply #2 on: October 04, 2003, 11:35:59 AM »
reformat time! hahaha

Offline dta

  • Member
  • **
  • Posts: 3273
« Reply #3 on: October 04, 2003, 01:08:30 PM »
ok, finally got the luckysearch.net out of my IE settings, using the above mentioned steps.



I used to use Netscape Navigator v4.x (back when I was using a Pentium MMX computer), but then some sites don't seem to display properly. Then I used Opera v3.6 and v5.0, which is much more snappy than Netscape or IE at that time. Unfortunately, I think some sites I went to didn't register very correctly (I think it was some message forums which don't display all information, I used to visit/participate in a Diablo message forum quite regularly at that time).



Well, after upgrading to a Pentium 4 from the Pentium MMX, I just used the built-in IE 5.5 (WinME) or IE 6.0 of WinXP. Not that I particularly liked IE, but I think IE 5.5/6.0, while not as snappy as Opera, performs quite well (much better than IE 3.x or 4.x, although it may partly be due to the faster CPU system) and I have since then not installed another web browser on WinME/XP system.



If this "CoolWebSearch" strikes back again, maybe I'll give Opera v7.x another try... or perhaps even Mozilla, which was in beta stage (back when I heard it). Still have to try downloading Mozilla though...





Anyway, Coolwebsearch hijacker appears to be gone from my system. I've updated to MS Java VM v3810 (after a 5Mb download from Windows Update), installed the newest version of Ad-Aware v6.0 rev181 (reflist 222), Spybot Search&Destroy and also discovered this nifty HijackThis.exe utility.

Offline spolarium

  • Newbie
  • *
  • Posts: 0
« Reply #4 on: October 04, 2003, 01:40:41 PM »
Nice and educational story...