Globefinder or Luckysearch Hijacker on Internet Explorer

K Cole

I do not know if "Hijacker" is the best way to describe
this, but this is what it is and how I fixed it:

The Luckysearch virus changes the default URLs for Home
and Search to
http://acc.count-al%6c%2e%63%6f%6d/%2d/?%63%78%6c%6f%77
and reinstalls itself each time the computer is
restarted.



Norton Antivirus does not detect this program. Adaware
finds many of the dataminers it installs but not the
program itself. Spybot Search & Destroy fixes the
problem, but cannot find the program, so it reinstalls
itself the next time the computer starts up.



This virus may also be referred to as:

Globefinder

Findfast

tb_animated.exe



There are seven steps to fixing this problem:





1) Correct the Windows Registry:

a. Run Regedit

b. Export a backup of the current registry

c. Search for and delete references to the following files:

1. tb_setup

2. tb_animated

3. tb_animated.exe

4. hotbar

d. Make changes to keys and references for HKEY_CURRENT_USER

i. In ./Software/Microsoft/Internet Explorer/SearchURL change the following Keys:

1. CustomizeSearch: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

2. Search Assistant: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

3. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

4. Any other reference to the link noted above

ii. In ./Software/Microsoft/Internet Explorer/Main change the following Keys:

1. Default_Page_URL: modify it, replacing it with your personal start page.

2. Default_Search_URL: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

3. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

4. Start Page: modify it, replacing it with your personal start page.

e. Make changes to keys and references for HKEY_LOCAL_MACHINE

i. In ./Software/Microsoft/Internet Explorer/SearchURL change the following Keys:

1. CustomizeSearch: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

2. Search Assistant: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

3. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

4. Any other reference to the link noted above

ii. In ./Software/Microsoft/Internet Explorer/Main change the following Keys:

1. Default_Page_URL: modify it, replacing it with your personal start page.

2. Default_Search_URL: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

3. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

4. Start Page: modify it, replacing it with your personal start page.

5. Any other reference to the link noted above

f. Make changes to keys and references for HKEY_USERS

i. In ./Software/Microsoft/Internet Explorer/Main change the following Keys:

1. CustomizeSearch: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

2. Search Assistant: modify it, replacing it with http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

3. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

4. Default_Page_URL: modify it, replacing it with your personal start page.

5. Default_Search_URL: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

6. Search Page: modify it, replacing it with http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

7. Start Page: modify it, replacing it with your personal start page.

8. Any other reference to the link noted above

2) Search your entire computer for tb_animated.exe

a. If you find this file, delete it.

3) Download, install, update, and run the following virus scan software:

i. SpyBot Search & Destroy: http://www.safer-networking.org/

ii. Adaware 6.0: http://www.lavasoftusa.com/software/adaware/

4) In your Internet Browser Security Settings, set the following pages as forbidden:

a. http://globefinder.com/

b. http://luckysearch.com/

c. http://findfast.com/

d. http://acc.cou%6e%74%2d%61%6c%6c%2e%63%6f%6d/%2d/?%63%78%6c%6f%77

5) For good measure: Open your internet
browser, clean your cache, delete all cookies, and change
your default home page.

6) Restart your computer

7) Open Internet Explorer. Click on
the Home Page button and the Search buttons; they should
go to the defaults you set. If they still go to strange-
looking search engine sites, then the virus is not gone;
double-check that all steps above have been taken.



References:

http://www.lavasoftsupport.com/index.php?showtopic=14695&hl=globe+finder

http://support.microsoft.com/default.aspx?scid=kb;en-us;320159&Product=ie600



I am not 100% sure this totally works, but it did seem to
fix the problem on the two computers I had to fix.
 
Mike Burgess

K Cole,
If you decode that URL = acc.count-all.com = CWS.Tapicfg (coolwebsearch
trojan)

How to remove Coolwebsearch and affiliates
http://mvps.org/winhelp2002/unwanted.htm#Coolwebsearch

Note: this type of hijack indicates an unpatched machine that is lacking in
"Defense".
Please visit Windows Update to avoid these exploits.
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-08-03]
Please post replies to this Newsgroup, email address is invalid
--
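
Added example, not part of either post: a Python sketch that scans the text of a Regedit export (step 1b above) for URL values under the Internet Explorer Main and SearchURL keys, percent-decodes each host as the reply describes, and reports any host other than the replacement defaults listed in the first post. The sample export, the allow-list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts of the replacement URLs given in the post; add your own start page's host.
EXPECTED_HOSTS = {"ie.search.msn.com", "www.microsoft.com"}
# Key suffixes from steps 1d-1f of the post (lower-cased for comparison).
IE_KEYS = ("\\internet explorer\\main", "\\internet explorer\\searchurl")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not from a real machine); the hijacked value
# reuses the encoded URL quoted in the post.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://acc.count-al%6c%2e%63%6f%6d/%2d/?%63%78%6c%6f%77"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Local Page"="C:\\WINDOWS\\System32\\blank.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL]
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
'''

def decoded_host(url):
    """Return the host with %XX escapes decoded and lower-cased, or None."""
    host = urlsplit(url).hostname
    return unquote(host).lower() if host else None

def audit_reg_export(text, expected=EXPECTED_HOSTS):
    """Return (key, value_name, raw_url, decoded_host) for unexpected IE URLs."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                       # a new [HKEY_...\...] section starts
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)    # only string values: "name"="data"
        if not (m and key and key.lower().endswith(IE_KEYS)):
            continue
        name, url = m.group(1).strip('"'), m.group(2)
        host = decoded_host(url)    # None for file paths and other non-URLs
        if host and host not in expected:
            findings.append((key, name, url, host))
    return findings

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE):
        print(finding)
```

Regedit's "Version 5.00" exports are saved as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit_reg_export`.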
 
