Help! My Homepage has been taken over by a Trojan Horse (Orbit Explorer)!
self | 11-27-03 | WL-Law

Posted on 11/27/2003 6:37:51 AM PST by WL-law

This is a Freeper-line call for help. Somehow we have, on our home PC, downloaded a hidden Trojan-horse type application that has:

(a) switched my Internet Explorer homepage (from FR) to a Google-type site called Orbit Explorer, and

(b) brought with it a whole world of pop-up spam (a suspicious amount of such that points me to Microsoft products, BTW).

Part of the deviousness of the Trojan horse is that it self-prevents its own removal. It blocks access to Internet Explorer->Tools->Internet Options, which effectively blocks the end-user from re-setting the homepage back to the original home-page. Instead, a message pops up that says “This operation has been cancelled due to restrictions in effect on this computer…”

I have SpyBot installed on my PC, and when executed it did identify the files in question. However, when I removed the files per SpyBot, then Internet Explorer wouldn’t work at all – all addresses end up in the same failure/error message. Since Spybot has a ‘recovery’ function, I was able to re-load the deleted files and can use the system – but I’m stuck with this bogus homepage, and am fighting off pop-ups at a furious pace as I try to use my system.

BTW, this is a home computer used by all ages -- at this point the spam/pop-up is not pornographic but I have a bad feeling that we’ll soon be afflicted by that as well.

Has anyone out there defeated this problem on their own system?


KEYWORDS: trojanhorse
To: Grut
This idea of taking legal action against perps is great. Your computer is your property. When someone sets up a tent in it without permission it is trespass, just like they hacked off one corner of your house lot. Sue them.
21 posted on 11/27/2003 6:56:18 AM PST by RISU
[ Post Reply | Private Reply | To 17 | View Replies]

To: WL-law
Not to detract from your problem and looks like you're getting help, but how did you reload deleted files? Ours went wacky last month and now when we try to start it a window pops up that says it's missing a required start up .DLL file (C:\WINDOWS\SYSTEM\CRTDLL.DLL). At one time I knew how to fix it but now can't remember and can't find the menu I thought would do it. Any ideas?

22 posted on 11/27/2003 6:59:25 AM PST by mtbopfuyn
[ Post Reply | Private Reply | To 1 | View Replies]

To: demlosers
No, you're not. From the pull down menu: click Tools|Internet Options. Under the "General" tab, in the "home page" box, click the "Use Current" button to change the homepage to FR or another page you want. It will save it as your home page.

As I said in my post, the Tools option is BLOCKED by the trojan. See my post. It's infuriating.

23 posted on 11/27/2003 6:59:42 AM PST by WL-law
[ Post Reply | Private Reply | To 9 | View Replies]

To: demlosers

WL-law has already said that menu option was blocked.

24 posted on 11/27/2003 6:59:50 AM PST by Cultural Jihad
[ Post Reply | Private Reply | To 9 | View Replies]

To: WL-law
Did you try tscislaw's suggestion in #2?
25 posted on 11/27/2003 7:01:16 AM PST by Cultural Jihad
[ Post Reply | Private Reply | To 23 | View Replies]

To: Spottys Spurs
I purchased a full copy of Windows XP Home Edition. I had been using Windows 98, 2nd. Ed.

I'm already using Windows XP -- so be prepared, it's NOT a defense against these things by itself.

26 posted on 11/27/2003 7:01:38 AM PST by WL-law
[ Post Reply | Private Reply | To 16 | View Replies]

To: TheJollyRoger
"spybot"

Called "Spybot Search & Destroy" it is free, and you can download it here:

http://download.com.com/3000-2144-10194058.html?tag=lst-0-1

It works really well, easy to use and will find/eliminate spybots where the virus scanning warez won't. We use this program, and Norton Systemworks and haven't had any problems, after having many problems before doing this.

27 posted on 11/27/2003 7:01:53 AM PST by paulsy
[ Post Reply | Private Reply | To 15 | View Replies]

To: WL-law

Then take a look at post #18.

28 posted on 11/27/2003 7:02:43 AM PST by Cultural Jihad
[ Post Reply | Private Reply | To 26 | View Replies]

To: WL-law
There are several things to be done, and you can clear these blights without too much trouble.

First, get "Hijackthis". It will list all the objects affecting IE. There are forums that can help you decipher what is what. You've probably got an evil BHO installed.

http://mjc1.com/mirror/hjt/

Then get and run CWS Shredder.

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Get and run Spyware blaster:

http://www.javacoolsoftware.com/spywareblaster.html

Run Adaware:
http://www.lavasoft.de/

Run Spybot Search and destroy and thereafter immunize with it.

http://www.safer-networking.org/index.php?lang=en&page=download

And once you've done all that, get Mozilla Firebird and use it instead :)

http://www.mozilla.org/projects/firebird/
29 posted on 11/27/2003 7:02:46 AM PST by Malsua
[ Post Reply | Private Reply | To 1 | View Replies]
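
Added example, not part of the thread and not code from HijackThis or any poster: a short Python triage of a HijackThis-style log, picking out the entry types that match the symptoms reported here (changed start page, a BHO, and Internet Options locked by a policy key). The `triage` function and the sample log (URL, CLSID, DLL path) are constructed for illustration; the R0/R1, O2 and O6 line shapes follow the usual HijackThis log layout.

```python
import re

# HijackThis section codes covered here: the ones that match a homepage
# hijack which also blocks Tools -> Internet Options.
SECTIONS = {
    "R0": "IE start/search page value",
    "R1": "IE start/search page value",
    "O2": "Browser Helper Object (BHO)",
    "O6": "Internet Options locked by policy key",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def triage(log_text, expected_home):
    """Return (code, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m["code"] not in SECTIONS:
            continue  # header lines, process list, sections not covered here
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            name, _, value = body.partition(" = ")
            if name.endswith(",Start Page") and expected_home not in value:
                findings.append((code, "start page is not the one you set", line))
        elif code == "O2":
            clsid = CLSID_RE.search(body)
            tag = clsid.group(0) if clsid else "no CLSID"
            findings.append((code, "BHO to look up: " + tag, line))
        elif code == "O6":
            findings.append((code, SECTIONS[code], line))
    return findings

# Constructed sample log: the URL, CLSID and DLL path are placeholders.
SAMPLE_LOG = r"""
Logfile of HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacker.example/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hijacker.example/search
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG, "freerepublic.com"):
        print(f"{code}: {reason}\n    {line}")
```

The O6 entry corresponds to the "restrictions in effect on this computer" message described in the original post, and the O2 entry is where a BHO would show up.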

To: Grut
If you didn't ask for it and can't get rid of it, why not bill the originators for using your computer? I imagine you'd be in a pretty good legal position.

Well, that was my first thought! (LOL!) But the Orbit Explorer people leave no trail as to who they are or where they are. No surprise there.

30 posted on 11/27/2003 7:03:22 AM PST by WL-law
[ Post Reply | Private Reply | To 17 | View Replies]

To: mtbopfuyn
Google CRTDLL.DLL, download it to the directory the 'puter is looking in, reboot.
31 posted on 11/27/2003 7:05:17 AM PST by FrogMom
[ Post Reply | Private Reply | To 22 | View Replies]

To: WL-law
Did you run SpyBot in Safe Mode? That is the simplest way to handle this.

Do let us know what you try.
Hijack This is a great free program that has worked for me with this type of program.

32 posted on 11/27/2003 7:08:15 AM PST by mrsmith
[ Post Reply | Private Reply | To 30 | View Replies]

To: WL-law
You should check your information services provider to see what options are available to catch spam on the server side of your email. For example, Verizon has a spam detector which catches about 80 to 90 percent of the crap I used to get. My unwanted email is cut down from about 150 pieces a day to less than 20. It also gives me the ability to check the content of my email reading it while it is still on their server to help avert running viruses.

I still run Norton's virus and web security programs for additional security.

The SpyBot and Adaware freeware programs never seemed robust enough to help.
33 posted on 11/27/2003 7:10:31 AM PST by LoneRangerMassachusetts
[ Post Reply | Private Reply | To 1 | View Replies]

To: WL-law
How to start Windows XP in Safe mode

Do that and run SpyBot while in safe mode.
If it doesn't work then download and use "hijackthis".


And that's all from me.

34 posted on 11/27/2003 7:25:50 AM PST by mrsmith
[ Post Reply | Private Reply | To 1 | View Replies]

To: WL-law
Have you tried to reboot your computer since you deleted the offending program?
35 posted on 11/27/2003 7:28:07 AM PST by demlosers ( The Evil Empire is burning.... ;-))
[ Post Reply | Private Reply | To 26 | View Replies]

To: WL-law
I had the same problem. I purchased and installed a copy of McAfee Virus Scan. It quickly found and deleted the Trojan Horse virus and two others I didn't know I had.
36 posted on 11/27/2003 7:30:14 PM PST by Restorer
[ Post Reply | Private Reply | To 1 | View Replies]

To: WL-law
I had the same problem. I purchased and installed a copy of McAfee Virus Scan. It quickly found and deleted the Trojan Horse virus and two others I didn't know I had.
37 posted on 11/27/2003 7:31:10 PM PST by Restorer
[ Post Reply | Private Reply | To 1 | View Replies]

To: WL-law
Some of these software companies (and I believe Orbit Explorer is among them) "claim" that you authorized them to install the spyware.

This is a patently false statement. They will cite examples of animated cursors and other programs that people download and install (that come bundled with spyware) but I was INFECTED (yes, infected with such a spyware VIRUS) when I typed a "soundalike" webpage name for some site.

Some clymer bought a name that would deceptively look like the site I wanted to visit (a Google search took me to the right page). When I got to the false page I saw what looked like a squatter's search engine. I never "approved" the installation of any software.

The company knew that they had installed something you and I did not want because these programs will reassert themselves if they are not entirely removed (hidden files deleted). In your case there were even alterations to your system settings so that you could not easily make the change.

Your computer was hijacked and raped by some scumware company.

Don't try to sue though because the advertising lobbyists long ago got the legislation that they wanted from elected officials.

We know it is malicious software of the same nature as a "virus" but the tech-ignorant legislators believe otherwise. Only now (that it is too late) are any laws being drafted to stem the practice (which will just go offshore and out of "our" reach).

38 posted on 11/28/2003 11:40:50 AM PST by weegee
[ Post Reply | Private Reply | To 30 | View Replies]

To: ohioWfan
how about this?
39 posted on 11/29/2003 12:53:55 PM PST by MEG33
[ Post Reply | Private Reply | To 38 | View Replies]

To: All
Thanks to everyone for the help.

Spybot was effective, but tricky -- removing the viruses tended to make IE inoperable.

What finally worked was a combination of the "System Restore" function of Windows XP, coupled with the immediate use of Spybot.

Specifically, I found a date (about 3 weeks ago) where a system restore to that date brought IE back into function. I immediately ran Spybot (careful to keep the virus files updated) and caught the "Orbit Explorer" virus before it could implant itself into the system files.

System has been stable now for a few days, so I think I'm clean.

Again, thanks to all the responders.

40 posted on 11/30/2003 9:11:29 AM PST by WL-law
[ Post Reply | Private Reply | To 39 | View Replies]

