XJUPITER?


Digiti
December 4th, 2002, 12:48 PM
Hello,
Has anyone heard of this?
My neighbor has the worst case of computer hijacking I have seen. It started with a porn dialer that I thought I eradicated with Adaware, Spybot S&D and Regcleaner. It seems to regenerate itself after rebooting several times. He also has a program called XJUPITER that has completely usurped his search functions, homepage, and I assume it is responsible for this error in his I.E. Tools/Internet Options menu:

"This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator"
He can reach "Internet Options" in Control Panel only. I went to www.xjupiter.com where it has a link to its uninstall. I am very wary about clicking any link on this page lest I become infected with this insidious software. He is using Win98. Any information will be appreciated. Thanks.

Paul Wilders
December 4th, 2002, 02:00 PM
Digiti,

> He is using Win98.

W98 it is - not W98 ME?

regards,

paul

claire
December 4th, 2002, 02:08 PM
Hi,
SSD should cure XJUPITER (did you use the latest updated version?) and, if I am not mistaken, SPYWAREBLASTER also. You can find SPYWAREBLASTER in the download section of Wilders' and ask more specific questions to PepiMK (the coder of SSD) at
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3dee506e5a69ffff;act=SF;f=28
unless someone has a better idea :)

Paul Wilders
December 4th, 2002, 02:12 PM
Hi Claire,

> ...and, if I am not mistaken, SPYWAREBLASTER also

SpywareBlaster works pro-actively; it will prevent this from happening - it will not cure it, though, if the damage is already done.

regards.

paul

Pieter_Arntz
December 4th, 2002, 02:14 PM
Hi Digiti,

Please go to our downloads-section: http://www.wilders.org/downloads.htm and download startuplist.zip
Unzip and run the program and copy and paste the results in your next post. If there is anything in there you don't want the world to know about, you're welcome to mail or IM it to me.

@claire,

Do you know anything about this site or firm? The layout of the website and the name make me shiver and think of lop.com and Xupiter. Are they the same or is the resemblance coincidental?

Regards,

Pieter

claire
December 4th, 2002, 02:25 PM
Digiti and Paul, please accept my apologies. I have wrongly understood the following sentence:
"As a side benefit, setting this "kill bit" will also prevent the spyware Active-X from running, in many cases, if it is already installed on your system.* "
I will refrain from posting in the future. :-[
Regards

To Pieter: Sorry, I don't know this site or firm.

Paul Wilders
December 4th, 2002, 02:28 PM
No prob Claire - and no need to apologize ;).

regards.

paul

Digiti
December 4th, 2002, 02:28 PM
It is Win 98. I did not run msconfig yet to see what is running at startup. That might be a good place to start.
I have his Spybot set up to download updates when the program starts.
Fortunately this is not my computer. In fact he was rather embarrassed to show me his problem. I will try the Spybot forum to see if there is any information there. Thanks.

TonyKlein
December 4th, 2002, 02:44 PM
No need to try the SpyBot forum.

I'd just ask you to post a Startuplist.log like Pieter just did... :D

Please do that, and we'll help you get rid of it.

javacool
December 4th, 2002, 03:16 PM
SpywareBlaster won't remove the problem, but in some cases it can disable the spyware ActiveX component from running (this depends on various factors).

If this is some sort of variant of Xupiter, SpywareBlaster *may* disable it from running (and it couldn't hurt to try). :)

Best regards,

-Javacool

Digiti
December 4th, 2002, 03:54 PM
Thanks for the replies. I transferred startuplist.exe to a floppy so I can use it on his machine. My spelling for XJUPITER is correct I think, but I will double check when I see him. I will keep you posted.

Pieter_Arntz
December 4th, 2002, 04:01 PM
Quoting Digiti:
> My spelling for XJUPITER is correct I think, but I will double check when I see him. I will keep you posted.

Please do Digiti,

If this is a new nasty you would be helping to prevent the same from happening to other people. :)

Regards,

Pieter

javacool
December 4th, 2002, 04:03 PM
Quoting Pieter_Arntz:
> @ Javacool
>
> I don't think Digiti misspelled Xupiter, the link she gave to xjupiter is a valid one and reminds me very much of the lop.com page.
>
> Regards,
>
> Pieter

It does remind me of Lop.com, but the domain doesn't seem to be registered to Lop's owners. I have seen a page that looked exactly like it recently - I'll see if I can find it again.

In regard to the spelling, just wanted to cover all the bases. :) I thought it was rather interesting that the web sites (xupiter.com and xjupiter.com) were so similar in spelling - I just figured investigating a possible connection couldn't hurt. 8) (I changed the wording of my post, since it was a little vague on this part initially.)

Best regards,

-Javacool

javacool
December 4th, 2002, 04:06 PM
Quoting Pieter_Arntz:
> Quoting Digiti:
> > My spelling for XJUPITER is correct I think, but I will double check when I see him. I will keep you posted.
>
> Please do Digiti,
>
> If this is a new nasty you would be helping to prevent the same from happening to other people. :)
>
> Regards,
>
> Pieter

If you do find anything suspicious on that machine, don't delete it if at all possible - if this is a new nasty, it could be very useful to anti-spyware developers to get their hands on it as soon as possible (before a massive outbreak). :)

Regards,

-Javacool

Primrose
December 4th, 2002, 04:57 PM
XJUPITER Hmmm tricky... I found the statement at the bottom of the page of this web site interesting....
http://sendjoemoney.tripod.com/wedding.htm



It States:

"note: if XJUPITER AUTOMATICLY INSTALLED http://www.xupiter.com/uninstall is the link to uninstall. Sorry I didn't know this was happening. "

What do you think guys..another typo???

Mike_Healan
December 5th, 2002, 04:23 AM
Quoting javacool:
> I have seen a page that looked exactly like it recently - I'll see if I can find it again.

http://www.targetwords.com/examples.phtml

That company that's associated with that hastalavista.com hijacker I sent a mailing around about the other night most likely.

I think more and more hijacker sites are going to show up with portal pages put together by this targetwords.com company.

Mike_Healan
December 5th, 2002, 04:36 AM
OK. First thing, download HijackThis. It has StartupList bundled into it as well, so that's both programs in one.

Go to http://www.spywareinfo.com/downloads.php#det, and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

Usually, most of what you'll see there is legit, but if your browser has been hijacked, there will be telltale signs.

When the scan is finished, click "Save Log", and please show us its contents.

Next, press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and please post its contents here as well.

HT will fix that "access denied" problem and probably most of this hijack. When/if someone figures out what files are involved, DON'T DELETE THEM. I'd like a copy and I'm sure a bunch of others would too.
mike@spywareinfo.com

I'll keep an eye on this thread. Or try to anyway.

Pieter_Arntz
December 5th, 2002, 04:40 AM
Thnx for your input Mike. Always greatly appreciated.
If you forget to keep an eye on this thread I'm sure you have at least three volunteers that will keep you posted ;)

Regards,

Pieter

Digiti
December 5th, 2002, 09:20 AM
Would you people trust that uninstall program from the XJUPITER website? I am dubious to say the least. This XJUPITER or XUPITER program has completely taken over my friend's computer, generating pop-ups, controlling search functions and internet options through Internet Explorer. The only thing I could do for him was to change his homepage in Control Panel, but I don't know how long that will stick. I will try SPYWAREBLASTER and your other suggestions tomorrow. Thanks.

Detox
December 5th, 2002, 11:52 AM
I would absolutely not trust their own uninstall application.

I would, however, listen to what these guys have told you in this thread... You will find these guys really know what they are doing/talking about and the advice you find here is some of the best (if not the best) available anywhere.

The applications they have recommended to you are trustworthy, reliable, and will get the job done nice, clean and fast.

Digiti
December 6th, 2002, 10:22 AM
Hello, this was Xupiter. I tried SpywareBlaster and their uninstall tool. No joy at all, so I am sending you the startuplist, which is quite long:

StartupList report, 12/6/02, 9:44:44 AM
StartupList version: 1.35.0
Started from : A:\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\MSDOS423.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\KFH\CL\LAUNCHER.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
A:\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
Ultimate Mail Manager Event Reminder.LNK = C:\Program Files\Broderbund\The Print Shop\UMM\Crdmind.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
LVComs = c:\windows\SYSTEM\LVComS.exe
TCASUTIEXE = TCAUDIAG.EXE -off
EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
LoadQM = loadqm.exe
MovieNetworks = "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
MSKernel32 = C:\WINDOWS\SYSTEM\Win32.hta
Renovate = C:\WINDOWS\SYSTEM\Renovate.exe
msdos423 = c:\windows\msdos423.exe
No Credit Card = c:\windows\dialer.exe /m
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
Launcher = "C:\Program Files\KFH\cl\launcher.exe" /P
WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
WebInstall2 = C:\WINDOWS\TEMP\INS5300.TMP /R /A
XupiterToolbarUninstaller = A:\XupiterToolbarUninstaller.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = c:\windows\SYSTEM\mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
WEBCAMRT.EXE =
5-11-1-22 = c:\windows\5-11-1-22.exe -m
5-1-25-449 = c:\windows\5-1-25-449.exe -m
5-1-25-40 = c:\windows\5-1-25-40.exe -m
5-1-25-221 = c:\windows\5-1-25-221.exe -m
5-1-48-5 = c:\windows\5-1-48-5.exe -m
5-1-6-43 = c:\windows\5-1-6-43.exe -m

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Place Holder = Regsvr32.exe /s pholder.ocx

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = c:\windows\SYSTEM\ie4uinit.exe

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[MmoptPreferredAudioDevices] *
StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_0850&MI_01\1USB&VID_046D&PID_0850&INST_0

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\UNDERW~2.SCR
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 2/12/2002, 21:16:34)

[rename]
NUL=

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
@ECHO OFF
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
REM [Header]
REM [CD-ROM Drive]
REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001
REM [Miscellaneous]
REM [Display]
SET PATH=C:\PRESTO~1\PAGEMGR\
SET PATH=%PATH%;C:\WINDOWS\Twain_32\Scanport;C:\WINDOWS\Twain\Scanport

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
REM [Header]
REM [CD-ROM Drive]
REM DEVICE=C:\CDROM\SSCDROM.SYS /D:MSCD001 /PIO
REM [Miscellaneous]
REM [Display]
DEVICE=c:\windows\setver.exe

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM REM REM MOUSE.EXE
C:\SBPCI\APINIT
REM C:\PROGRA~1\MOUSEW~1\MOUSE.EXE
C:\PROGRA~1\MOUSEW~1\MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: *Registry key not found*
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: *Registry key not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan for Viruses.job

--------------------------------------------------

Enumerating Download Program Files:

[MaxisPublishX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MAXISP~1.OCX
CODEBASE = http://thesims.ea.com/us/teleport/MaxisPublishX.cab

[IPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

[ell Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEELL.DLL
CODEBASE = http://www.ea.com/downloads/games/common/ieell.cab

[EABootStrap Class]
InProcServer32 = C:\WINDOWS\SYSTEM\EABTSTRP.DLL
CODEBASE = http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[WTHoster Class]
InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
CODEBASE = http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtinst.cab

[MetaStreamCtl Class]
InProcServer32 = C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT EXPERIENCE TECHNOLOGY\AXMETASTREAM.DLL
CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab

[SnoopyCtrl Class]
InProcServer32 = C:\PROGRAM FILES\EACOM\UPDATE\NPSNPY.DLL
CODEBASE = http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab

[Popup Window Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEPOPWND.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/iepopwnd.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R848/V31Controls/x86/w98/en/actsetup.cab

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://www3.adscpm.com/FreeMP3Music.exe

[{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
CODEBASE = http://at-solutions.net@00010212062052/d/maerd.cab

[MarqueeCtl Object]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MARQUEE.OCX
CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/marquee.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Loader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MACONNECT.DLL
CODEBASE = http://connect.online-dialer.com/MaConnect.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

[DFRun Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IEGATOR.DLL
CODEBASE = http://webpdp.gator.com/v3/download/iegator_3296_hd3ptdm.cab

[eConn Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
CODEBASE = http://econnect.libereco.net/econnect.cab

[Download Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VLOADING.DLL
CODEBASE = http://www.0190-dialer.com/VLoading.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37594.3418981481

[DFRun Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IEGATOR.DLL
CODEBASE = http://webpdp.gator.com/v3/download/iegator_3490_hd3ptdm.cab

--------------------------------------------------
End of report, 13,451 bytes
Report generated in 3.500 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

mikevop
December 6th, 2002, 10:32 AM
You've got much worse than Xupiter there incl at least one dialer. Is there some reason you haven't cleaned all this garbage with SSD?

Pieter_Arntz
December 6th, 2002, 11:06 AM
One virus, two dialers and some very suspicious entries.

p_981116.exe should only run once. (No harm but can be removed)

MovieNetworks will connect you by DOMESTIC PREMIUM RATE TELEPHONE NUMBER 900-xxx-xxxx. So you get xxx rate picture and junk. And it will allow you to stay on the internet on their line and $$$ and remove the C:\Program Files\MovieNetworks directory.

MSKernel32 = Win32.hta : Delete this key and the win32.hta file

Renovate.exe: can't find anything about that one, good or bad. (maybe best to disable it for now)
msdos423.exe: (this is a virus) http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MENACE.A

dialer.exe ???
Launcher.exe ???
webinstall2 ???

These: WEBCAMRT.EXE =
5-11-1-22 = c:\windows\5-11-1-22.exe -m
5-1-25-449 = c:\windows\5-1-25-449.exe -m
5-1-25-40 = c:\windows\5-1-25-40.exe -m
5-1-25-221 = c:\windows\5-1-25-221.exe -m
5-1-48-5 = c:\windows\5-1-48-5.exe -m
5-1-6-43 = c:\windows\5-1-6-43.exe -m
belong to the win32.hta entry and should be deleted as well.

Maybe someone else can fill in the ??? but I would disable them just to make sure.

Regards,

Pieter

Pieter_Arntz
December 6th, 2002, 11:27 AM
After you've disabled the above mentioned, you want to get rid of the virus first. Maybe it's best if you used one of the online scanners since NAV seems to be corrupted. Look here (http://www.wilders.org/free_services.htm) for some free services.
After that try running Spybot S&D once more with no IE Windows open.
Then please download Hijackthis (http://www.spywareinfo.com/downloads.php) and post the outcome of that program here.

Regards,

Pieter

Digiti
December 6th, 2002, 11:33 AM
Well, I used Adaware which found quite a bit on Xupiter which I removed. However, his I.E. will not run anymore and does not show in Add/Remove Programs [I was going to try a repair]! The error involves a shell...dll of some kind. His AOL runs fine fortunately. This Xupiter would run even at the desktop without I.E. opened, he says! Should I try to reinstall I.E.? He would be happy just to have the porno off the computer. He has no firewall either. I am not in front of his computer now, so I can not give the exact error. He only has a Dell restore disk, no Win98 full version. Thanks.

Pieter_Arntz
December 6th, 2002, 11:45 AM
If he's unable to do an online scan I would advise you to try and see if you can get the latest update for his NAV installed. You can find those here: http://www.symantec.com/avcenter/download/pages/US-N95.html
When you scroll down a little there's an option to download three parts which can be put on floppy.

Regards,

Pieter

TonyKlein
December 6th, 2002, 12:21 PM
If I were you, I'd follow every single piece of advice given by my learned colleagues.

Launcher.exe (KFH) probably belongs to a game, but why not disable it, as Pieter proposed.

The others are all malware for sure: Webinstall is from Downloadware/Network Essentials, and ought to be removed by SpyBot.

The following should go as well:

Renovate = C:\WINDOWS\SYSTEM\Renovate.exe
msdos423 = c:\windows\msdos423.exe
No Credit Card = c:\windows\dialer.exe /m
WebInstall2 = C:\WINDOWS\TEMP\INS5300.TMP /R /A
XupiterToolbarUninstaller = A:\XupiterToolbarUninstaller.exe

and of course:

5-11-1-22 = c:\windows\5-11-1-22.exe -m
5-1-25-449 = c:\windows\5-1-25-449.exe -m
5-1-25-40 = c:\windows\5-1-25-40.exe -m
5-1-25-221 = c:\windows\5-1-25-221.exe -m
5-1-48-5 = c:\windows\5-1-48-5.exe -m
5-1-6-43 = c:\windows\5-1-6-43.exe -m


As a matter of fact, after unchecking those in Msconfig/startup, reboot, and empty the entire contents of your Windows\Temp folder.

Also find and delete the following:

C:\WINDOWS\SYSTEM\Renovate.exe
c:\windows\msdos423.exe
c:\windows\dialer.exe
c:\windows\5-11-1-22.exe -m
c:\windows\5-1-25-449.exe -m
c:\windows\5-1-25-40.exe -m
c:\windows\5-1-25-221.exe -m
c:\windows\5-1-48-5.exe -m
c:\windows\5-1-6-43.exe -m


And there are a huge number of "bad" ActiveX objects in your Downloaded Program Files folder.

Go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all objects you see there.

Right-click each one in turn, choose 'Properties', and check the Version tab.

If the company is anyone other than Macromedia, Apple, or Microsoft, right-click the file, and choose 'Remove'.

Reboot when you're done.
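The triage Pieter and Tony do by eye above (suspicious Run-key entries, then ActiveX objects whose CODEBASE vendor is not Macromedia, Apple or Microsoft) can be scripted over a StartupList report. The following is an added example, not code from this thread nor from StartupList or HijackThis; it parses the report layout posted earlier and applies those rules, and the embedded report excerpt is constructed from entries in the posted log.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in StartupList 1.35 layout, modelled on the log posted in this thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
MSKernel32 = C:\WINDOWS\SYSTEM\Win32.hta
No Credit Card = c:\windows\dialer.exe /m
WebInstall2 = C:\WINDOWS\TEMP\INS5300.TMP /R /A
XupiterToolbarUninstaller = A:\XupiterToolbarUninstaller.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
WEBCAMRT.EXE =
5-1-25-449 = c:\windows\5-1-25-449.exe -m
--------------------------------------------------
Enumerating Download Program Files:

[Shockwave Flash Object]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
CODEBASE = http://at-solutions.net@00010212062052/d/maerd.cab

[Download Class]
CODEBASE = http://www.0190-dialer.com/VLoading.cab
"""

TRUSTED_VENDORS = ("macromedia.com", "apple.com", "microsoft.com")  # Tony's rule above
NUMERIC_NAME = re.compile(r"\\\d+(?:-\d+){2,}\.exe\b")  # e.g. \5-1-25-449.exe

def autorun_reasons(name, value):
    """Heuristics for one 'Name = command' line under a Run/RunServices key."""
    v = value.lower()
    checks = [
        (not v, "empty value (orphaned autorun entry)"),
        (".hta" in v, "HTML application started from a Run key"),
        ("\\temp\\" in v, "executes from a temp directory"),
        (v.lstrip('"').startswith("a:\\"), "executes from floppy/removable drive"),
        (bool(NUMERIC_NAME.search(v)), "machine-generated numeric file name"),
        ("dialer" in v or "dialer" in name.lower(), "dialer component"),
    ]
    return [why for hit, why in checks if hit]

def codebase_reasons(url):
    """Flag CODEBASE URLs whose real host is not one of the trusted vendors."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if p.username is not None:  # 'vendor.com@12345' trick: the host is the part after '@'
        reasons.append(f"'@' in URL; real host is {host!r}")
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_VENDORS):
        reasons.append(f"CODEBASE host {host!r} not a trusted vendor")
    return reasons

def triage_startuplist(report):
    """Return (kind, name, value, reasons) for each flagged entry in a StartupList report."""
    findings = []
    for chunk in re.split(r"^-{10,}$", report, flags=re.M):  # dashed section separators
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if not lines:
            continue
        if lines[0].startswith("Autorun entries from Registry"):
            key = lines[1]  # the registry key line that follows the section header
            for line in lines[2:]:
                name, _, value = (s.strip() for s in line.partition("="))
                if reasons := autorun_reasons(name, value):
                    findings.append(("autorun", key + "\\" + name, value, reasons))
        elif lines[0].startswith("Enumerating Download Program Files"):
            current = None
            for line in lines[1:]:
                if line.startswith("["):
                    current = line.strip("[]")
                elif line.upper().startswith("CODEBASE"):
                    url = line.partition("=")[2].strip()
                    if reasons := codebase_reasons(url):
                        findings.append(("activex", current, url, reasons))
    return findings
```

Run `triage_startuplist(open("startuplist.log").read())` against a saved report to get the flagged entries with the reason for each; benign entries such as ScanRegistry and the Macromedia Flash control produce no findings.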

Digiti
December 6th, 2002, 12:40 PM
What do you guys think re: reinstall I.E. 5.0[see my post above]?
I have SPYBOT S&D set to update automatically; unfortunately no references to Xupiter showed up there in the scan? The reason Adaware did not find it at first was because someone in his family deleted it. When I reinstalled I did not have the ref file up to date. The fact that there is no firewall is really stupid to say the least.
I will have him try Trend Micro's site for an online virus scan through his AOL broadband browser. Like I said, this is a really bad malware infestation on his computer. Thanks.

TonyKlein
December 6th, 2002, 01:01 PM
Reinstalling Internet Explorer will not do away with any of the malware detected.

You need to follow ALL steps exactly like we detailed, or you won't get rid of this stuff.

Pieter_Arntz
December 6th, 2002, 02:06 PM
Thanx for filling in some of my question marks there Tony.
Do you see any other reason why NAV might not have picked up W95.SoFunny.Worm@m aka Worm_Menace.A ?
I think I jumped to conclusions by presuming NAV wasn't updated, since this one was discovered in July 2001.

Regards,

Pieter

TonyKlein
December 6th, 2002, 02:16 PM
No idea. It ought to have caught this one without any prob whatsoever, I should think.

But maybe this antivirus hasn't ever been updated...

It happens... ::)

Digiti
December 6th, 2002, 02:38 PM
No it is not up to date. I don't know if it is OEM[90days] or is update-able for one year. I removed all references to Xupiter with Adaware, and deleted dialers on drive C: but not some of the other files suggested yet. I will see how he makes out with AOL's browser for now. I can not see him until another day. Thanks.