CoolWebSearch

Wednesday, September 10, 2003
Author: Richard S. Westmoreland
Permalink: coolwebsearch
Spyware


It looks like I was hijacked. How? I found out eventually; the real question is when. But I guess we'll never know. Now to clean it up...

I noticed recently that whenever I entered a non-existent URL into the address bar, I would get a "global-finder.com" page. At first I didn't think anything was out of the ordinary - I just assumed that they owned the domain I had entered and it was parked, ready to be sold. But then something else raised a red flag...

It seemed that every once in a while, my home page would be changed to this global-finder.com site. Great, must be one of these freeware programs I'm trying out. But then I discovered that this occurred after a reboot. So I decided to check it out.

I copied the changed home page URL in my Internet Options, which was encoded (i.e. http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37) to mask its true target, and looked it up on Google. I came across the link:

The CoolWebSearch Chronicles

Turns out that a spyware program had installed itself onto my machine. This special trojan apparently uses the ByteVerify exploit in the Microsoft Java Virtual Machine. I also discovered why typing into forms on sites had been lagging so badly, a symptom of this CoolWebSearch trojan.

I tested out the CWS Shredder removal utility generously provided by Merijn at Spyware Info. It cleaned up the trojan nicely.



More information on the Java VM vulnerability can be found here:

Microsoft Security Bulletin MS03-011

Just a recap on the symptoms of the CoolWebSearch trojan:

1. Internet Explorer running extremely slow
2. Typing into text fields responding very slowly
3. Home page changing on its own
4. Bad URLs redirecting to other sites

So watch out...  
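The encoded home page URL quoted above can be unmasked and flagged automatically. The following is an added example, not part of the original post: it decodes a URL and marks it as suspicious when characters that never need escaping (letters, digits, `-._~`) are percent-encoded. The function names, the 0.5 threshold and the benign comparison URL are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 3986 "unreserved" characters never need percent-encoding in a URL.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def needless_escapes(text):
    """Count %XX escapes that decode to a character needing no escape."""
    return sum(1 for h in PCT.findall(text) if chr(int(h, 16)) in UNRESERVED)


def inspect_url(url):
    """Decode a URL and report whether its encoding looks like obfuscation."""
    host_raw = urlsplit(url).netloc
    total = len(PCT.findall(url))
    needless = needless_escapes(url)
    return {
        "decoded": unquote(url),
        "host": unquote(host_raw).lower(),
        "escapes": total,
        "needless": needless,
        # Heuristic (assumption): flag any needless escape in the host name,
        # or a URL in which most escapes are needless.
        "suspicious": needless_escapes(host_raw) > 0
        or (total > 0 and needless / total > 0.5),
    }


# The home page value quoted in the post, and a constructed benign URL.
HIJACKED = (
    "http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d"
    "/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37"
)
BENIGN = "http://www.example.com/search?q=hello%20world"

if __name__ == "__main__":
    for u in (HIJACKED, BENIGN):
        r = inspect_url(u)
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{verdict:10} {r['decoded']}  ({r['needless']}/{r['escapes']})")
```
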




CoolWebSearch Spyware
Authored by: Anonymous on Friday, June 18, 2004

You might check out HijackThis at http://www.spychecker.com/program/hijackthis.html. It's a great tool for scanning the system for just about every spyware app out there. It'll scan your links, HOSTS file, etc. and display a list of items that you can remove easily.

I love it, and it helps nail down those pesky apps that are near invisible on systems.