It seemed that every once in awhile, my home page would be changed to this global-finder.com site. Great, must be one of these freeware programs I'm trying out. But then I discovered that this occurred after a reboot. So I decided to check it out.
I copied the changed home page URL in my Internet Options, which was encoded (i.e. http://%77%77%77%2e%63%6f%6f%6c%77%77%77%73%65%61%72%63%68%2e%63%6f%6d/%7a/%61/%78%31%2e%63%67%69?%36%35%36%33%38%37) to mask it's true target, and looked it up on Google. I came across the link:
The CoolWebSearch Chronicles
Turns out that a spyware program had installed itself onto my machine. This special trojan apparently uses the ByteVerify exploit in the Microsoft Java Virtual Machine. I also discovered why typing into forms on sites had been lagging so badly, a symptom of this CoolWebSearch trojan.
I tested out the CWS Shredder removal utility generously provided by Merijn at Spyware Info. It cleaned up the trojan nicely.
More information on the Java VM vulnerability can be found here:
Microsoft Security Bulletin MS03-011
Just a recap on the symptoms of the CoolWebSearch trojan:
1. Internet Explorer running extremely slow
2. Typing into text fields responding very slowly
3. Home page changing on it's own
4. Bad URL's redirecting to other sites
So watch out...