Google Answers: Process runs every 20 mins and can't stop it

View Question

Q: Process runs every 20 mins and can't stop it ( Answered 5 out of 5 stars

Question

Subject: Process runs every 20 mins and can't stop it
Category: Computers > Internet
Asked by: jaycd-ga
List Price: $20.00

Posted: 14 Jan 2004 14:06 PST
Expires: 13 Feb 2004 14:06 PST
Question ID: 296535

When I sstart up my XP Professional pc Internet Explorer 6 opens up a browser window for www.searchmeup.net. A new browser window opens up every 20 minutes thereafter. It is annoying because for one thing I can't stop it, and if I leave my pc, even offline, when I return after say 6 hours I would have 18 browser windows to close. I have run Norton Antivirus and my pc is clean Pest Patrol, Win Patrol and Lavasoft Ad Aware show no trojans, spyware or keyloggers etc There is nothing that I can see in the scheduler except Copernic Tracker which runs OK every hour. There is nothing showing in Windows Startup that would seem to be causing this. I have Roxio GoBack installed, and the log for PC transactions/processes shows the following events happening every 20 minutes Process Start - explorer.exe http://www.searchmeup.net File Replaced c:\Windows\Prefetch\Explorer.exe-082F38A9.pf I have cleared the registry of refernces to 81.211.105.38 and www.searchmeup.net, to no effect. Also on startup WinPatrol shows that a program is trying to change my homepage to http://startpage and an attempt is also made to change my search page, naturally I block this but the Process Start - explorer.exe http://www.searchmeup.net still runs evry 20 mins. How do I stop this happening and what has caused it? I tend to use the internet for reasearch, and as far as I know no 'dodgy' sites have been visited. John
Request for Question Clarification by pinkfreud-ga on 14 Jan 2004 14:42 PST Hello, John. This sounds like a variant of the infamous "Cool Web Search" browser hijacker, one of the toughest hijackers to eradicate. "CWS.Svcinit.3: Possibly, a mutation of this variant exists, which hijacks to xwebsearch.biz and http:/// (sic), as well as installing a hosts file redirection of several dialer sites to searchmeup.com." http://www.merijn.org/cwschronicles.html NOTE: searchmeup.com (mentioned above) and searchmeup.net are essentially the same entity, as a visit to the two sites will show. The best way to zap "Cool Web Search" and its evil spawn is to use CWShredder, which can be downloaded here: http://www.merijn.org/cwschronicles.html#cwshredder CWShredder zapped a hijacker that I acquired a while back, even though AdAware, SpyBot and HijackThis had failed to help. The program is updated very frequently, and weapons against new "Cool Web Search" variants are constantly being added to the Shredder's arsenal. If this gets rid of your hijacker, I'll be pleased to post an answer to your question. Please let me know whether or not CWShredder solves your problem. ~pinkfreud
Request for Question Clarification by pinkfreud-ga on 14 Jan 2004 15:02 PST Update: I just noticed that both searchmeup.com and IP addresses starting with 81.211.105 are on a list of Cool Web Search affiliates that are targeted by CWShredder: http://www.wilderssecurity.com/index.php?board=20;action=display;threadid=14086 One more bit of advice: for reasons not known to me, I had to run CWShredder twice before it got rid of my hijacker permanently. So, if it doesn't work after one pass, I recommend trying again.
Clarification of Question by jaycd-ga on 14 Jan 2004 15:37 PST CWShredder log was cws.googlems cws.loadbat Removing hosts file redirection restored I rebooted the machine and, no warning appeared about homepage being changed, and the page www.searchmeup.net did not open, I have waited 40 minutes+ and I am delighted to say that the offending web page has not reappeared again. With all the protection and ZoneAlarm firewall etc I surprised I got the hijacker Very many thanks Job well done!

Answer

Subject: Re: Process runs every 20 mins and can't stop it
Answered By: pinkfreud-ga on 14 Jan 2004 16:08 PST
Rated: 5 out of 5 stars

Whew! I'm delighted to hear that things went so well. As I said
earlier, CWShredder once helped me to kill a really tenacious
hijacker. I was very hopeful that it would work for you, too, when I
saw the mention of "searchmeup" in the documentation on the Merijn
site (Merijn is the creator of CWShredder.)

In case you wonder how you may have acquired this unwelcome visitor,
here's some interesting info:

" We are pretty sure now CoolWebSearch is part of a new strain of
trojans that have recently been identified that all have one thing in
common: they install through the ByteVerify exploit in the MS Java VM
and change the IE homepage, search page, search bar, etc. Take a look
at this snippet from the description of the Java.Shinwow trojan:

'This is a growing family of trojans that exploits the
ByteCodeVerifier vulnerability in the Microsoft Virtual Machine to
execute unauthorized code on an affected machine. The variants of this
trojan that we have seen in the wild have been functionally diverse;
the common factor amongst them has been the use of the ByteVerify
exploit to achieve their goals. Some variants may do little more than
change the user's default Internet Explorer home page and/or search
page via modifications to the registry.'

We strongly recommend you install the patch, available from this MS
security bulletin.

Microsoft Technet
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

If you have Windows XP with Service Pack 1a, your system has no MS
Java VM. Information on removing the MS Java VM completely and
replacing it with the newer, safer Sun Java VM can be found here.

An a side note, some of the affiliates (Search-Meta has been verified)
use another Java exploit to install their malware. It's classified as
the JS.Exception.Exploit,

Symantec AntiVirus Center
http://www.symantec.com/avcenter/venc/data/js.exception.exploit.html

and a patch can be downloaded from this MS security bulletin.

Microsoft Technet
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp
"

Merijn.com: The CoolWebSearch Chronicles 
http://www.merijn.org/cwschronicles.html

Much, much more information on Cool Web Search and its variants
(probably more than you want!) may be found by searching Google using
these keyword strings:

Google Web Seach: "cool web search: + "hijack"
://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22cool+web+search%22+hijack

Google Web Seach: "cool web search: + "variants"
://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22cool+web+search%22+variants

If anything is unclear, or if a link does not function, please request
clarification; I'll be glad to offer further assistance before you
rate my answer.

Best wishes,
pinkfreud

jaycd-ga rated this answer: 5 out of 5 stars

and gave an additional tip of: $5.00

Just 2 hours to answer a question that had been plaguing me for a
fortnight. The answer was both explicit and very professional. The
answer did not meet my expectationsc - it far exceeded them, giving
much additional feedback and advice. Brilliant!

Comments

Subject: Re: Process runs every 20 mins and can't stop it
From: pinkfreud-ga on 15 Jan 2004 11:41 PST

Many thanks for the kind words, the five-star rating, and the tip!

~pinkfreud

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.

Search Google Answers for

Google Home - Answers FAQ - Terms of Service - Privacy Policy