Author Topic: " /" IE startpage hijacking problem  (Read 1197 times)

Offline dta

  • Member
  • **
  • Posts: 3273
Have this problem currently that I still can't solve.

Details:  Upon rebooting the computer and starting Internet Explorer, it defaults to homepage of "" (shows "" briefly). Now I tried changing the default homepage and using a blank page, but after reboot, it still goes to this

Steps that I tried to remove it: I run RegEdit and manually searched the registry key that has the "default home page and start page". I notice they were all replaced with %61%63%63.... (ie. an obfuscated "" -- obfuscated means hidden/encoded). I searched the whole registry for "%61%63%63" and found all the registry entries and deleted those string values)

But after restarting Windows and starting IE, it reverts to, so I figure there might be some other hidden startup or some program that always reset the IE home/search page URLs. So far, I haven't figured this part out yet (I tried MSCONFIG to check the various programs that run at startup but don't notice anything out of the usual Microsoft Windows startup services)


Tried Ad-award 6.0 and Spybot Search & Destroy, but they didn't seem to catch any spy/malware that does this (ok, I could be using an older version that doesn't catch this new start/search page hijacker).

Found a link in Google of someone who also has the same problem here:

I used Hijackthis.exe * mentioned above and notice that it also contains a run=c:windows..progra~1common~1micros~1msinfoinfo32.exe)  <-- is this normal?  the file info32.exe seems benign enough though.

*hijackthis.exe can be gotten here:

So far, I have yet to restart my Windows to see if the above remedy works. Anyone encountered this yet?


update (did some more Googling around):

Seems like this "luckysearch /" is related to this "CoolWebSearch hijacker", however this "luckysearch/" is perhaps a new variant that's not yet even listed in this page:

It advises to install MS VM 3810 or newer. Also, looks like my problem was caused by a file called WINDOWSWebwin.def which contains the CoolWebSearch hijacker (and is also likely related to the "MSINFO" variant listed in -- hmmm. looks like my guess (prior to Googling around) is correct)

Could somebody look at their WIN.INI file to see if they have a run= entry that points to "windows..progra~1common~1micros~1msinfoinfo32.exe"   (the reason I suppected this is the convoluted way it tries to run the info32.exe -- the nonconvoluted way would have been plainly "progra~1common~1micros~1msinfoinfo32.exe").  Also, the file date-time stamp of info32.exe is the same as the other msinfo32.exe legitimate executable files, so I'm wondering if the info32.exe is legit or a trojan. Can someone do a chksum of this file if they have this file present? Thanks.  My chksum (32bit and 16bit CRC) is 65F4AFC8  6D24 -- I use the tiny CHKSUM* utility to output the chksum (same chksum would almost indicate an exact same file).

*chksum utility is a tiny download (< 100kb) from here:


seems like hijackthis.exe is really nifty -- after rereading the first link above, I notice that a tech savvy user could identify some VBS viruses trojans and coolwebsearch hijackers just by reading the hijackthis.exe log file.

in summary: to remove the above, do these (caveat: I still have to test this out in more detail) : remove the run=..info32.exe link (just leave it at "run=") and then delete the windowswebwin.def file. Then reset the searchpage urls in the registry. reboot and the hijacker should be gone.

one other thing remains: I'm not sure how I got the above hijacker in the first place (maybe it's from some website that attacks the MS VM vulnerability)

Offline k00kiboy

  • Member
  • **
  • Posts: 107
" /" IE startpage hijacking problem
« Reply #1 on: October 04, 2003, 12:03:16 AM »
ugh, here's what I think is the best solution to your problem, dta.

Don't use IE. Try using Mozilla Firebird, or even the ad-supported version of Opera.


  • Guest
" /" IE startpage hijacking problem
« Reply #2 on: October 04, 2003, 11:35:59 AM »
reformat time! hahaha

Offline dta

  • Member
  • **
  • Posts: 3273
" /" IE startpage hijacking problem
« Reply #3 on: October 04, 2003, 01:08:30 PM »
ok, finally got the out of my IE settings, using the above mentioned steps.

I used to use Netscape Navigator v4.x (back when I was using a Pentium MMX computer), but then some sites don't seem to display properly. Then I used Opera v3.6 and v5.0, which is much more snappy than Netscape or IE at that time. Unfortunately, I think some sites I went to didn't register very correctly (I think it was some message forums which don't display all information, I used to visit/participate in a Diablo message forum quite regularly at that time).

Well, after upgrading to a Pentium 4 from the Pentium MMX, I just used the built-in IE 5.5 (WinME) or IE 6.0 of WinXP. Not that I particularly liked IE, but I think IE 5.5/6.0, while not as snappy as Opera, performs quite well (much better than IE 3.x or 4.x, although it may partly be due to the faster CPU system) and I have since then not installed another web browser on WinME/XP system.

If this "CoolWebSearch" strikes back again, maybe I'll give Opera v7.x another try... or perhaps even Mozilla, which was in beta stage (back when I heard it). Still have to try downloading Mozilla though...

Anyway, Coolwebsearch hijacker appears to be gone from my system. I've updated to MS Java VM v3810 (after a 5Mb download from Windows Update), installed the newest version of Ad-Aware v6.0 rev181 (reflist 222), Spybot Search&Destroy and also discovered this nifty HijackThis.exe utility.

Offline spolarium

  • Newbie
  • *
  • Posts: 0
" /" IE startpage hijacking problem
« Reply #4 on: October 04, 2003, 01:40:41 PM »
Nice and educational story...