Q: Process runs every 20 mins and can't stop it ( Answered 5 out of 5 stars,   1 Comment )
Question  
Subject: Process runs every 20 mins and can't stop it
Category: Computers > Internet
Asked by: jaycd-ga
List Price: $20.00
Posted: 14 Jan 2004 14:06 PST
Expires: 13 Feb 2004 14:06 PST
Question ID: 296535
When I start up my XP Professional pc Internet Explorer 6 opens up a
browser window for www.searchmeup.net. A new browser window opens up
every 20 minutes thereafter. It is annoying because for one thing I
can't stop it, and if I leave my pc, even offline, when I return after
say 6 hours I would have 18 browser windows to close.

I have run Norton Antivirus and my pc is clean
Pest Patrol, Win Patrol and Lavasoft Ad Aware show no trojans, spyware
or keyloggers etc
There is nothing that I can see in the scheduler except Copernic
Tracker which runs OK every hour.

There is nothing showing in Windows Startup that would seem to be causing this.

I have Roxio GoBack installed, and the log for PC
transactions/processes shows the following events happening every 20
minutes
Process Start - explorer.exe http://www.searchmeup.net
File Replaced c:\Windows\Prefetch\Explorer.exe-082F38A9.pf

I have cleared the registry of references to 81.211.105.38 and
www.searchmeup.net, to no effect.

Also on startup WinPatrol shows that a program is trying to change my
homepage to http://startpage and an attempt is also made to change my
search page, naturally I block this but the Process Start -
explorer.exe http://www.searchmeup.net still runs every 20 mins.

How do I stop this happening and what has caused it? I tend to use the
internet for research, and as far as I know no 'dodgy' sites have
been visited.

John
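The question's GoBack log shows the diagnostic signal clearly: the same image (explorer.exe) started with the same URL argument on a fixed 20-minute cadence, while the hourly Copernic Tracker run is legitimate. The following is an added example, not part of the original question or of Roxio GoBack, that turns that observation into a detector over a constructed log excerpt. The timestamps, the log line format and the benign entries are assumptions; only the two event types quoted above come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two GoBack events quoted in the
# question. Timestamps and the winword/ctracker entries are assumptions.
SAMPLE_LOG = """\
2004-01-14 08:00:12 Process Start - explorer.exe http://www.searchmeup.net
2004-01-14 08:00:13 File Replaced c:\\Windows\\Prefetch\\Explorer.exe-082F38A9.pf
2004-01-14 08:05:40 Process Start - winword.exe
2004-01-14 08:20:11 Process Start - explorer.exe http://www.searchmeup.net
2004-01-14 08:20:12 File Replaced c:\\Windows\\Prefetch\\Explorer.exe-082F38A9.pf
2004-01-14 08:40:12 Process Start - explorer.exe http://www.searchmeup.net
2004-01-14 09:00:00 Process Start - ctracker.exe
2004-01-14 09:00:11 Process Start - explorer.exe http://www.searchmeup.net
2004-01-14 10:00:00 Process Start - ctracker.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Process Start - "
    r"(?P<image>\S+)(?: (?P<args>.*))?$"
)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_process_starts(text):
    """Return [(timestamp, image, args)] for every 'Process Start' line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("image").lower(), (m.group("args") or "").strip()))
    return out


def find_periodic_url_launches(text, min_hits=3, jitter=timedelta(seconds=30)):
    """Find (image, url) pairs started at a near-constant interval.

    Returns a list of dicts with keys image, url, hits, period.
    Only launches whose argument contains a URL are considered: a shell or
    browser being handed a URL on a timer is the hijacker pattern in the
    question, whereas a timed ctracker.exe without a URL is ignored.
    """
    groups = defaultdict(list)
    for ts, image, args in parse_process_starts(text):
        url = URL_RE.search(args)
        if url:
            groups[(image, url.group(0).lower())].append(ts)

    findings = []
    for (image, url), stamps in groups.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2]
        # Regular if every gap sits within `jitter` of the median gap.
        if all(abs(g - median) <= jitter for g in gaps):
            findings.append({"image": image, "url": url,
                             "hits": len(stamps), "period": median})
    return findings


if __name__ == "__main__":
    for f in find_periodic_url_launches(SAMPLE_LOG):
        print(f"{f['image']} -> {f['url']}: {f['hits']} launches, "
              f"every {int(f['period'].total_seconds() // 60)} min")
```

The grouping key is (image, URL) rather than just the image, so a user who opens Explorer by hand between the timed launches does not break the cadence check; the jitter tolerance absorbs the second or two of drift a scheduler-driven launch shows.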

Request for Question Clarification by pinkfreud-ga on 14 Jan 2004 14:42 PST
Hello, John.

This sounds like a variant of the infamous "Cool Web Search" browser
hijacker, one of the toughest hijackers to eradicate.

"CWS.Svcinit.3: Possibly, a mutation of this variant exists, which
hijacks to xwebsearch.biz and http:/// (sic), as well as installing a
hosts file redirection of several dialer sites to searchmeup.com."

http://www.merijn.org/cwschronicles.html

NOTE: searchmeup.com (mentioned above) and searchmeup.net are
essentially the same entity, as a visit to the two sites will show.

The best way to zap "Cool Web Search" and its evil spawn is to use
CWShredder, which can be downloaded here:

http://www.merijn.org/cwschronicles.html#cwshredder

CWShredder zapped a hijacker that I acquired a while back, even though
AdAware, SpyBot and HijackThis had failed to help. The program is
updated very frequently, and weapons against new "Cool Web Search"
variants are constantly being added to the Shredder's arsenal.

If this gets rid of your hijacker, I'll be pleased to post an answer
to your question.

Please let me know whether or not CWShredder solves your problem. 

~pinkfreud

Request for Question Clarification by pinkfreud-ga on 14 Jan 2004 15:02 PST
Update:

I just noticed that both searchmeup.com and IP addresses starting with
81.211.105 are on a list of Cool Web Search affiliates that are
targeted by CWShredder:

http://www.wilderssecurity.com/index.php?board=20;action=display;threadid=14086

One more bit of advice: for reasons not known to me, I had to run
CWShredder twice before it got rid of my hijacker permanently. So, if
it doesn't work after one pass, I recommend trying again.

Clarification of Question by jaycd-ga on 14 Jan 2004 15:37 PST
CWShredder log was

cws.googlems
cws.loadbat
Removing hosts file redirection restored

I rebooted the machine and, no warning appeared about homepage being
changed, and the page www.searchmeup.net did not open, I have waited
40 minutes+ and I am delighted to say that the offending web page has
not reappeared again.

With all the protection and ZoneAlarm firewall etc. I'm surprised I got the hijacker

Very many thanks
Job well done!
Answer  
Subject: Re: Process runs every 20 mins and can't stop it
Answered By: pinkfreud-ga on 14 Jan 2004 16:08 PST
Rated:5 out of 5 stars
 
Whew! I'm delighted to hear that things went so well. As I said
earlier, CWShredder once helped me to kill a really tenacious
hijacker. I was very hopeful that it would work for you, too, when I
saw the mention of "searchmeup" in the documentation on the Merijn
site (Merijn is the creator of CWShredder.)

In case you wonder how you may have acquired this unwelcome visitor,
here's some interesting info:

" We are pretty sure now CoolWebSearch is part of a new strain of
trojans that have recently been identified that all have one thing in
common: they install through the ByteVerify exploit in the MS Java VM
and change the IE homepage, search page, search bar, etc. Take a look
at this snippet from the description of the Java.Shinwow trojan:

'This is a growing family of trojans that exploits the
ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to
execute unauthorized code on an affected machine. The variants of this
trojan that we have seen in the wild have been functionally diverse;
the common factor amongst them has been the use of the ByteVerify
exploit to achieve their goals. Some variants may do little more than
change the user's default Internet Explorer home page and/or search
page via modifications to the registry.'

We strongly recommend you install the patch, available from this MS
security bulletin.

Microsoft Technet
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

If you have Windows XP with Service Pack 1a, your system has no MS
Java VM. Information on removing the MS Java VM completely and
replacing it with the newer, safer Sun Java VM can be found here.

As a side note, some of the affiliates (Search-Meta has been verified)
use another Java exploit to install their malware. It's classified as
the JS.Exception.Exploit,

Symantec AntiVirus Center
http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html

and a patch can be downloaded from this MS security bulletin.

Microsoft Technet
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp
"

Merijn.com: The CoolWebSearch Chronicles 
http://www.merijn.org/cwschronicles.html

Much, much more information on Cool Web Search and its variants
(probably more than you want!) may be found by searching Google using
these keyword strings:

Google Web Search: "cool web search" + "hijack"
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22cool+web+search%22+hijack

Google Web Search: "cool web search" + "variants"
http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22cool+web+search%22+variants

If anything is unclear, or if a link does not function, please request
clarification; I'll be glad to offer further assistance before you
rate my answer.

Best wishes,
pinkfreud
jaycd-ga rated this answer:5 out of 5 stars and gave an additional tip of: $5.00
Just 2 hours to answer a question that had been plaguing me for a
fortnight. The answer was both explicit and very professional. The
answer did not meet my expectations - it far exceeded them, giving
much additional feedback and advice. Brilliant!
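The CWShredder log above reported "Removing hosts file redirection", and the CWS Chronicles passage quoted in the clarification describes the same trick: mapping dialer, search and security-vendor hostnames to an affiliate's address so that the victim's own machine resolves them wrongly. The following is an added example, not part of the original answer or of CWShredder, that audits a hosts file for that pattern. The sample hosts file is constructed; the 81.211.105.0/24 range and the searchmeup domain come from the page, while the other hostnames in the sample are assumptions.

```python
import ipaddress

# Constructed sample hosts file. 81.211.105.38 is the address named in the
# question; the hostnames it is mapped to here are assumptions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net          # ad blocking: harmless
81.211.105.38   www.google.com
81.211.105.38   www.symantec.com
81.211.105.38   dialer.example.com
192.168.1.10    intranet.local
"""

# Address ranges the page associates with the hijacker's affiliates.
SUSPECT_NETS = [ipaddress.ip_network("81.211.105.0/24")]


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping in a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, skip it
        for name in parts[1:]:
            yield addr, name.lower()


def audit_hosts(text, suspect_nets=SUSPECT_NETS):
    """Classify hosts-file entries.

    Returns a dict with:
      'blocks'    - names sinkholed to loopback (typical of ad-block lists)
      'redirects' - names mapped to a routable, non-private address
      'suspect'   - the subset of redirects whose address is in suspect_nets
    A hosts file should never point a public hostname at an address the
    machine's owner does not control; that is how a hijacker diverts
    antivirus, search and dialer sites without touching DNS.
    """
    result = {"blocks": [], "redirects": [], "suspect": []}
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            if name != "localhost":
                result["blocks"].append(name)
            continue
        if addr.is_private:
            continue                          # LAN entries are normal
        result["redirects"].append((name, str(addr)))
        if any(addr in net for net in suspect_nets):
            result["suspect"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for name, addr in report["redirects"]:
        flag = "SUSPECT" if (name, addr) in report["suspect"] else "check"
        print(f"{flag}: {name} -> {addr}")
```

The loopback and private-range exemptions keep the usual benign uses of the file (ad blocking, LAN shortcuts) out of the report, so anything listed under redirects is worth a look even when its address is not in a known affiliate range.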

Comments  
Subject: Re: Process runs every 20 mins and can't stop it
From: pinkfreud-ga on 15 Jan 2004 11:41 PST
 
Many thanks for the kind words, the five-star rating, and the tip!

~pinkfreud
