Oh. My. God.
I started my computer this morning, and the home page had switched back to fortunecity.
It was good for 2 days, and then it switched again.
systray is still disabled in msconfig.
This is just getting creepy.
Well - it “infected” another file in my systray.
Now I’ve disabled a bunch more files, but I don’t know how to prevent this from happening again.
Does anyone have any thoughts? Anyone? Anyone?
Suggestion for a workaround:
Use the Hosts file to lock out fortunecity.com to 0.0.0.0
link: http://www.smartin-designs.com
Then, when IE tries to load fortunecity.com, you’ll get an error instead of whatever that page is.
To me, it sounds as though IE itself is infected/corrupt/screwy.
If that workaround doesn’t work or seems less than satisfying, try reinstalling IE.
I’ve diagnosed this problem with Xupiter, another of these annoying as hell pieces of *@#$& software (pretty much the same symptoms).
To get rid of it, I had to do the following:
- Exit all IE based apps (Outlook, Windows Explorer and IE)
- Delete the directory tree containing the files (\Program Files\Xupiter in this case) from a command prompt
- Delete a key from the registry: under HKEY_LOCAL_COMPUTER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, a value that pointed to a Xupiter DLL
As it happened, I noticed some other spyware on the two machines I disinfected most recently at the same time, so they’re both running much better now.
If you decide to try this, let me know if you need any of these steps explained.
Well, fortunecity does not appear to have an entry on my registry.
Joey G’s instructions worked perfectly - meaning it was my systray that was screwed up. Disable the systray, problem solved.
Except now it appears that another file in msconfig is screwed up as well.
It’s terribly mysterious.
try this
It works!
Alice, here’s a possibility that hasn’t been mentioned. Check the ‘Proxy’ settings of Internet Explorer, I think it’s under the ‘Connections’ tab. If there is an entry in ‘Autoconfiguration URL’ that looks like ‘http://somekazaatypesite.com/configure.ins’, then delete it, and reboot. As a matter of fact, if it contains anything that you didn’t put there, delete it.
.ins (InterNet Settings) files can do all sorts of nasty things to Explorer, like changing your home page, or telling Explorer to update itself, install apps, use different proxies, lower its security, the list goes on. They can also tell Explorer only to do this stuff on a schedule, so that might explain the few minutes grace you get when you initially launch Explorer.
And good luck!
micilin
I can’t find any reference to “Proxy” settings either in IE or in the Window “Internet Options” tab in control panel.
Could you be a little more specific?
Alice, if you didn’t run through all those instructions in my previous post, you may not have caught something in your win.ini or system.ini files. A program could be launched from one of those files that is causing it.
Nope - I went through all your instructions. I disabled everything and then slowly started enabling things until the problem showed up.
It’s in the startup area, I’m pretty sure. I now disabled a shwack of other stuff in the startup and the problem is gone again.
Ah, gotcha. I didn’t know you had done that. Sounds like you narrowed it down pretty good, then. You just have to figure out which startup program it is.
If you aren’t familiar with some of the startup programs, you could post the list in here, or email it to me at cooper4242@hotmail.com and I will see if there is anything that doesn’t belong.
Cool - this is the list:
C:\Program Files\Messenger\msmsgs.exe/background
*C:\Program Files\ICQ\NDetect.exe
*C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
C:\WINDOWS\scanregw.exe / autorun
C:\WINDOWS\taskmon.exe
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFFE VIRUSSCAN\VSHWIN32.EXE
*Systray.exe
*Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Atitask.exe
*Aticwd32.exe
*AtiQiPcl.exe
*C:\WINDOWS\SYSTEM\LINUX32.vbs
*C:\WINDOES\SYSTEM\wucrtupd.exe -startup
*C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
mstask.exe
C:\WINDOWS\relaod.vbs
*Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
The ones marked with an * are the ones that are currently disabled.
Did you mean “reload.vbs”? These two files are an indication of having the VBS/Loveletter.as virus. Go to that link for a description of symptoms. I didn’t see the homepage altering thing listed, that may still be a separate problem. Kinda surprised your virus scanner didn’t detect it, unless it was disabled by another virus. Virii that can disable your scanner are getting more common.
This may not be related to your homepage issue. But if McAfee didn’t catch this one, it might not have caught something else, too. You may want to try the free online scanner at http://housecall.trendmicro.com/ and see what it finds.
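An added example, not part of the original thread: a small Python triage pass over a startup list like the one posted above. It flags script files set to run at startup (the pattern the reply above picks up on) and directory names that nearly match a system directory. The sample list is constructed in the style of the posted entries; the flag names and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Constructed sample in the style of the msconfig list above ("*" = disabled).
SAMPLE = r"""C:\Program Files\Messenger\msmsgs.exe /background
C:\WINDOWS\scanregw.exe /autorun
*Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*C:\WINDOWS\SYSTEM\LINUX32.vbs
*C:\WINDOES\SYSTEM\wucrtupd.exe -startup
C:\WINDOWS\relaod.vbs
mstask.exe"""

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd"}
KNOWN_DIRS = {"windows", "system", "system32", "program files"}
# Program = everything up to the first executable/script extension that is
# followed by whitespace, a "/" switch, or end of line (paths may hold spaces).
PROGRAM_RE = re.compile(
    r"^(.*?\.(?:exe|com|scr|vbs|vbe|jse|js|wsf|bat|cmd))(?=\s|/|$)", re.I)

def program_of(entry):
    """Return the program path of one startup command line."""
    m = PROGRAM_RE.match(entry)
    return PureWindowsPath(m.group(1) if m else entry)

def flags_for(entry):
    """Return review flags (assumed names) for one startup entry."""
    prog, flags = program_of(entry), []
    if prog.suffix.lower() in SCRIPT_EXTS:
        flags.append("script-autostart")
    for part in prog.parent.parts:
        name = part.lower()
        if part == prog.anchor or name in KNOWN_DIRS:
            continue
        # Near miss of a system directory name: a typo or a lookalike path.
        if any(SequenceMatcher(None, name, d).ratio() >= 0.8 for d in KNOWN_DIRS):
            flags.append("lookalike-directory")
    return flags

def triage(text):
    """Map each flagged entry (disabled marker stripped) to its flags."""
    result = {}
    for line in text.splitlines():
        entry = line.lstrip("*").strip()
        if entry and flags_for(entry):
            result[entry] = flags_for(entry)
    return result

if __name__ == "__main__":
    for entry, flags in triage(SAMPLE).items():
        print(f"{', '.join(flags):22} {entry}")
```

A flag here means the entry deserves a closer look at the file itself, not that it is confirmed malicious.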
HOLY SHIT!! :eek:
It’s already found over 60 infected files!
I’m downloading the latest anti-virus software from my University as we speak!
Good girl.
Dammit. My first coding error in 417 posts, in a thread where I am offering computer advice.
sigh
Well. Now I’m up to about 1,100 infected files.
No wonder this stupid confuter hasn’t been working.
How’s it coming?
Personally, I like doxdesk.com. It has a little utility that scans for some parasites (like Xupiter) and lets you know what you’re infected with right at the top of the screen. The site has removal instructions for a lot of these parasites, telling you exactly what to do and how to do it.
As I understand it, a lot of these parasites are loaded into memory when you boot your system. Deleting them doesn’t work because as soon as you reboot, the parts left behind cause them to redownload again. That’s why your first boot may go okay, but your second boot will revert. You have to disable the relevant dlls before you can successfully remove all parts of the software.
Here’s an example of a set of commands you will have to enter from a DOS command line:
cd "%WinDir%\System"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XupiterToolbar.dll"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XTUpdate.dll"
regsvr32 /u "C:\Program Files\Xupiter\Updates\XTSearch.dll"
Once you disable this stuff, you have to reboot. Then delete the program files and any registry entries.
Most spyware programs do this same thing, but if you are uncomfortable using them or just prefer to become familiar with what actually goes on, doxdesk is a good place to start.
I also think that these types of programs should be outlawed. Most of them are crap and can cause your browser, if not your entire system, to lock up and crash. Some of them can even hijack banner ads, which definitely should be illegal. If Company X is paying or providing services to have their banner ad on a page and Spyware Y can hijack that ad and replace it with their own, there’s something wrong there.
TINSTAAFL. Avoid freeware.
I had a similar problem (also caused by Kazaa, thank you very much), but mine was easier to fix.
I ran msconfig. Noticed that the first entry in the list of startup programs looked bogus (just didn’t look like the others in the list).
I ran a search and found where the bogus program lived, and opened it up with Notebook. It was blatantly obvious: the code consisted of “set homepage=www.crappyunwantedjunk.com”
Unchecked the program in msconfig startup, and the problem was solved.