XJUPITER?

Discussion in 'privacy problems' started by Digiti, Dec 4, 2002.

Thread Status:
Not open for further replies.
  1. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Hello,
    Has anyone heard of this?
    My neighbor has the worst case of computer hijacking I have seen. It started with a porn dialer that I thought I eradicated with Adaware, Spybot S&D and Regcleaner. It seems to regenerate itself after rebooting several times. He also has a program called XJUPITER that has completely usurped his search functions, homepage, and I assume it is responsible for this error in his I.E. tools/ internet options menu:

    "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator"
    He can reach "internet options" in control panel only. I went to
    www.xjupiter.com where it has a link to its uninstall. I am very wary about clicking any link on this page lest I become infected with this insidious software. He is using Win98. Any information will be appreciated. Thanks.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Digiti,

    W98 it is - not W98 ME?

    regards,

    paul
     
  3. claire

    claire Guest

    Hi,
    SSD should cure XJUPITER (did you use the latest updated version?) and, if I am not mistaken, SPYWAREBLASTER also. You can find SPYWAREBLASTER in the
    download section of Wilder's and ask more specific questions to PepiMK (the coder of SSD) at
    http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3dee506e5a69ffff;act=SF;f=28
    unless someone has a better idea :)
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi Claire,

    Spywareblaster works pro-active; it will prevent this from happening - it will not cure though, in case the damage is done.

    regards.

    paul
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Digiti,

    Please go to our downloads-section: http://www.wilders.org/downloads.htm and download startuplist.zip
    Unzip and run the program and copy and paste the results in your next post. If there is anything in there you don't want the world to know about, you're welcome to mail or IM it to me.

    @claire,

    Do you know anything about this site or firm? The layout of the website and the name make me shiver and think of lop.com and xupiter. Are they the same or is the resemblance coincidence?

    Regards,

    Pieter
     
  6. claire

    claire Guest

    Digiti and Paul please accept my apologies. I have wrongly
    understood the following sentence
    "As a side benefit, setting this "kill bit" will also prevent the spyware Active-X from running, in many cases, if it is already installed on your system.* "
    I will refrain from posting in the future. :oops:
    Regards

    To Pieter:Sorry I don't know this site or firm.
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    No prob Claire - and no need to apologize ;).

    regards.

    paul
     
  8. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    It is Win 98. I did not run msconfig yet to see what is running at startup. That might be a good place to start.
    I have his Spybot set up to download updates when the program starts.
    Fortunately this is Not my computer. In fact he was rather embarrassed to show me his problem. I will try the Spybot forum to see if there is any information there. Thanks.
     
  9. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    No need to try the SpyBot forum.

    I'd just ask you to post a Startuplist.log like Pieter just did... :D

    Please do that, and we'll help you get rid of it.
     
  10. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    SpywareBlaster won't remove the problem, but in some cases it can disable the spyware ActiveX component from running (this depends on various factors).

    If this is some sort of variant of Xupiter, SpywareBlaster *may* disable it from running (and it couldn't hurt to try). :)

    Best regards,

    -Javacool
     
  11. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Thanks for the replies. I transferred startuplist.exe to a floppy so I can use it on his machine. My spelling for XJUPITER is correct I think, but I will double check when I see him. I will keep you posted.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Please do Digiti,

    If this is a new nasty you would be helping to prevent the same from happening to other people. :)

    Regards,

    Pieter
     
  13. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    It does remind me of Lop.com, but the domain doesn't seem to be registered to Lop's owners. I have seen a page that looked exactly like it recently - I'll see if I can find it again.

    In regard to the spelling, just wanted to cover all the bases. :) I thought it was rather interesting that the web sites (xupiter.com and xjupiter.com) were so similar in spelling - I just figured investigating a possible connection couldn't hurt. :cool: (I changed the wording of my post, since it was a little vague on this part initially.)

    Best regards,

    -Javacool
     
  14. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    If you do find anything suspicious on that machine, don't delete it if at all possible - if this is a new nasty, it could be very useful to anti-spyware developers to get their hands on it as soon as possible (before a massive outbreak). :)

    Regards,

    -Javacool
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    XJUPITER Hmmm tricky... I found the statement at the bottom of the page of this web site interesting....
    http://sendjoemoney.tripod.com/wedding.htm

    It states:

    "note: if XJUPITER AUTOMATICLY INSTALLED http://www.xupiter.com/uninstall is the link to uninstall. Sorry I didn't know this was happening. "

    What do you think guys... another typo o_O
     
  16. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    http://www.targetwords.com/examples.phtml

    That company that's associated with that hastalavista.com hijacker I sent a mailing around about the other night most likely.

    I think more and more hijacker sites are going to show up with portal pages put together by this targetwords.com company.
     
  17. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    OK. First thing, download HijackThis. It has StartupList bundled into it as well, so that's both programs in one.

    Go to http://www.spywareinfoforum.com/downloads.php#det , and download 'Hijack This!' .
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    Usually, most of what you'll see there is legit, but if your browser has been hijacked, there will be telltale signs.

    When the scan is finished, click "Save Log", and please show us its contents.

    Next, press "Config" > "Miscellaneous Tools", and press "Generate Startuplist Log"

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and please post its contents here as well.

    HT will fix that "access denied" problem and probably most of this hijack. When/if someone figures out what files are involved, DON'T DELETE THEM. I'd like a copy and I'm sure a bunch of others would too.
    mike@spywareinfoforum.com

    I'll keep an eye on this thread. Or try to anyway.
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thnx for your input Mike. Always greatly appreciated.
    If you forget to keep an eye on this thread I'm sure you have at least three volunteers that will keep you posted ;)

    Regards,

    Pieter
     
  19. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Would you people trust that uninstall program from the XJUPITER website? I am dubious to say the least. This XJUPITER or XUPITER program has completely taken over my friend's computer generating pop-ups, controlling search functions and internet options through internet explorer. The only thing I could do for him was to change his homepage in control panel, but I don't know how long that will stick. I will try SPYWAREBLASTER and your other suggestions tomorrow. Thanks.
     
  20. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I would absolutely not trust their own uninstall application.

    I would, however, listen to what these guys have told you in this thread... You will find these guys really know what they are doing/talking about and the advice you find here is some of the best (if not the best) available anywhere.

    The applications they have recommended to you are trustworthy, reliable, and will get the job done nice, clean and fast.
     
  21. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Hello, This was Xupiter. I tried Spywareblaster and their uninstall tool. No joy at all, so I am sending you the startuplist, which is quite long:

    StartupList report, 12/6/02, 9:44:44 AM
    StartupList version: 1.35.0
    Started from : A:\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v5.00 (5.00.2614.3500)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\MSHTA.EXE
    C:\WINDOWS\MSDOS423.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\KFH\CL\LAUNCHER.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
    C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
    A:\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
    Ultimate Mail Manager Event Reminder.LNK = C:\Program Files\Broderbund\The Print Shop\UMM\Crdmind.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
    LVComs = c:\windows\SYSTEM\LVComS.exe
    TCASUTIEXE = TCAUDIAG.EXE -off
    EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    LoadQM = loadqm.exe
    MovieNetworks = "C:\Program Files\MovieNetworks\MovieNetworks.exe" /H
    MSKernel32 = C:\WINDOWS\SYSTEM\Win32.hta
    Renovate = C:\WINDOWS\SYSTEM\Renovate.exe
    msdos423 = c:\windows\msdos423.exe
    No Credit Card = c:\windows\dialer.exe /m
    QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
    Launcher = "C:\Program Files\KFH\cl\launcher.exe" /P
    WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    WebInstall2 = C:\WINDOWS\TEMP\INS5300.TMP /R /A
    XupiterToolbarUninstaller = A:\XupiterToolbarUninstaller.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = c:\windows\SYSTEM\mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
    WEBCAMRT.EXE =
    5-11-1-22 = c:\windows\5-11-1-22.exe -m
    5-1-25-449 = c:\windows\5-1-25-449.exe -m
    5-1-25-40 = c:\windows\5-1-25-40.exe -m
    5-1-25-221 = c:\windows\5-1-25-221.exe -m
    5-1-48-5 = c:\windows\5-1-48-5.exe -m
    5-1-6-43 = c:\windows\5-1-6-43.exe -m

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    Place Holder = Regsvr32.exe /s pholder.ocx

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = c:\windows\SYSTEM\ie4uinit.exe

    [>PerUser_MSN_Clean] *
    StubPath = c:\windows\msnmgsr1.exe

    [MmoptPreferredAudioDevices] *
    StubPath = rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_046D&PID_0850&MI_01\1USB&VID_046D&PID_0850&INST_0

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\UNDERW~2.SCR
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 2/12/2002, 21:16:34)

    [rename]
    NUL=

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables
    @C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
    @ECHO OFF
    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    REM [Header]
    REM [CD-ROM Drive]
    REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001
    REM [Miscellaneous]
    REM [Display]
    SET PATH=C:\PRESTO~1\PAGEMGR\
    SET PATH=%PATH%;C:\WINDOWS\Twain_32\Scanport;C:\WINDOWS\Twain\Scanport

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    DEVICE=C:\WINDOWS\HIMEM.SYS
    DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
    REM [Header]
    REM [CD-ROM Drive]
    REM DEVICE=C:\CDROM\SSCDROM.SYS /D:MSCD001 /PIO
    REM [Miscellaneous]
    REM [Display]
    DEVICE=c:\windows\setver.exe

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    @echo off
    REM Notes:
    REM DOSSTART.BAT is run whenenver you choose "Restart the computer
    REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
    REM you to load programs that you might not want loaded in Windows,
    REM (because they have functional equivalents) but that you do
    REM want loaded under MS-DOS. The two primary candidates for
    REM this are MSCDEX and a real mode driver for the mouse you ship
    REM with your system. Commands that you want present in both Windows
    REM and MS-DOS should be placed in the Autoexec.bat in the
    REM \Image directory of your reference server. Please note that for
    REM MSCDEX you will need to load the corresponding real-mode CD
    REM driver in Config.sys. This driver won't be used by Windows 98
    REM but will be available prior to and after Windows 98 exits.
    REM
    REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
    REM before Windows loads and access the CD-ROM. All you have to do
    REM is press F8 and then run DOSSTART to load MSCDEX and your real
    REM mode mouse driver (no need to remember the command line parameters
    REM for these two files.
    REM
    REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
    REM - The string following the /D: statement must explicitly match
    REM the string in CONFIG.SYS following your CD-ROM device driver.
    REM MSCDEX.EXE /D:OEMCD001 /l:d
    REM REM REM MOUSE.EXE
    C:\SBPCI\APINIT
    REM C:\PROGRA~1\MOUSEW~1\MOUSE.EXE
    C:\PROGRA~1\MOUSEW~1\MOUSE.EXE

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: *Registry key not found*
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: *Registry key not found*

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Scan for Viruses.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [MaxisPublishX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MAXISP~1.OCX
    CODEBASE = http://thesims.ea.com/us/teleport/MaxisPublishX.cab

    [IPIX ActiveX Control]
    InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
    CODEBASE = http://www.ipix.com/viewers/ipixx.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

    [ell Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEELL.DLL
    CODEBASE = http://www.ea.com/downloads/games/common/ieell.cab

    [EABootStrap Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\EABTSTRP.DLL
    CODEBASE = http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [WTHoster Class]
    InProcServer32 = C:\WINDOWS\WT\WEBDRIVER\WTHOSTCTL.DLL
    CODEBASE = http://www.wildtangent.com/install/wdriver/arcadegames/meteormadness/eacom/wtinst.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT EXPERIENCE TECHNOLOGY\AXMETASTREAM.DLL
    CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab

    [SnoopyCtrl Class]
    InProcServer32 = C:\PROGRAM FILES\EACOM\UPDATE\NPSNPY.DLL
    CODEBASE = http://aol.ea.com/downloads/games/common/snoopy/iesnoopy.cab

    [Popup Window Object]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IEPOPWND.OCX
    CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/iepopwnd.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R848/V31Controls/x86/w98/en/actsetup.cab

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://www3.adscpm.com/FreeMP3Music.exe

    [{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
    CODEBASE = http://at-solutions.net@00010212062052/d/maerd.cab

    [MarqueeCtl Object]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MARQUEE.OCX
    CODEBASE = http://activex.microsoft.com/activex/controls/iexplorer/x86/marquee.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
    CODEBASE = http://www.installengine.com/engine/isetup.cab

    [MSN Chat Control 4.2]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT42.OCX
    CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Loader Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MACONNECT.DLL
    CODEBASE = http://connect.online-dialer.com/MaConnect.cab

    [{A1DC3241-B122-195F-B21A-000000000000}]
    CODEBASE = http://pluginaccess.com/Browser_Plugin.cab

    [DFRun Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IEGATOR.DLL
    CODEBASE = http://webpdp.gator.com/v3/download/iegator_3296_hd3ptdm.cab

    [eConn Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ECONNECT.DLL
    CODEBASE = http://econnect.libereco.net/econnect.cab

    [Download Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\VLOADING.DLL
    CODEBASE = http://www.0190-dialer.com/VLoading.cab

    [{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
    CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37594.3418981481

    [DFRun Class]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IEGATOR.DLL
    CODEBASE = http://webpdp.gator.com/v3/download/iegator_3490_hd3ptdm.cab

    --------------------------------------------------
    End of report, 13,451 bytes
    Report generated in 3.500 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  22. mikevop

    mikevop Guest

    You've got much worse than Xupiter there incl at least one dialer. Is there some reason you haven't cleaned all this garbage with SSD?
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One virus, two dialers and some very suspicious entries.

    p_981116.exe should only run once. (No harm but can be removed)

    MovieNetworks will connect you by DOMESTIC PREMIUM RATE TELEPHONE NUMBER 900-xxx-xxxx. So you get xxx rate picture and junk. And it will allow you to stay on the internet on their line and $$$ and remove the C:\Program Files\MovieNetworks directory.

    MSKernel32 = Win32.hta : Delete this key and the win32.hta file

    Renovate.exe: can't find anything about that one, good or bad. (maybe best to disable it for now)
    msdos423.exe: (this is a virus) http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MENACE.A

    dialer.exe o_O
    Launcher.exe o_O
    webinstall2 o_O

    These: WEBCAMRT.EXE =
    5-11-1-22 = c:\windows\5-11-1-22.exe -m
    5-1-25-449 = c:\windows\5-1-25-449.exe -m
    5-1-25-40 = c:\windows\5-1-25-40.exe -m
    5-1-25-221 = c:\windows\5-1-25-221.exe -m
    5-1-48-5 = c:\windows\5-1-48-5.exe -m
    5-1-6-43 = c:\windows\5-1-6-43.exe -m
    belong to the win32.hta entry and should be deleted as well.

    Maybe someone else can fill in the o_O but I would disable them just to make sure.

    Regards,

    Pieter
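    The triage Pieter does by eye above (startup entries pointing at an .hta, at numeric-named executables, at a dialer or at a file in TEMP; a BHO whose DLL is missing; a Download Program Files CODEBASE that hides its real host behind an "@" or fetches a bare .exe) can be turned into a first-pass checker for StartupList-style reports. The script below is an added example written for this page; it is not code from StartupList, HijackThis or anyone in this thread. The sample report is a constructed excerpt in the same layout as Digiti's log, and every heuristic, function name and flag reason is my own assumption rather than a feature of those tools.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in the layout of a StartupList report, cut down to a
# few entries of the kinds discussed in this thread (not the full posted log).
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MSKernel32 = C:\WINDOWS\SYSTEM\Win32.hta
No Credit Card = c:\windows\dialer.exe /m
WebInstall2 = C:\WINDOWS\TEMP\INS5300.TMP /R /A
MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
WEBCAMRT.EXE =
5-11-1-22 = c:\windows\5-11-1-22.exe -m

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRAM FILES\XUPITER\UPDATES\XTUPDATE.DLL (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}

--------------------------------------------------

Enumerating Download Program Files:

[{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
CODEBASE = http://www3.adscpm.com/FreeMP3Music.exe

[{2C38A62E-D257-40E8-8BB7-5624E38FEB0A}]
CODEBASE = http://at-solutions.net@00010212062052/d/maerd.cab
"""

SECTION_SEP = re.compile(r"^-{10,}[ \t]*$", re.M)
RUN_LINE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.*)$")
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\})$")
NUMERIC_EXE = re.compile(r"^\d+(?:-\d+)+\.exe$", re.I)

def split_sections(report):
    """Yield (header, remaining lines) for each dashed-line separated section."""
    for chunk in SECTION_SEP.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            yield lines[0], lines[1:]

def first_token(cmd):
    """Return the program part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def check_run_entry(cmd):
    """Heuristic reasons (my own, not StartupList's) a Run-key value looks suspicious."""
    exe = first_token(cmd).replace("/", "\\").lower()
    folder, _, base = exe.rpartition("\\")
    reasons = []
    if base.endswith(".hta"):
        reasons.append("HTML Application launched at startup")
    if NUMERIC_EXE.match(base):
        reasons.append("numeric-dashed executable name")
    if "\\temp" in folder or base.endswith(".tmp"):
        reasons.append("runs from a TEMP location or .tmp file")
    if "dialer" in base:
        reasons.append("dialer executable")
    return reasons

def check_codebase(url):
    """Heuristic reasons a Download Program Files CODEBASE URL looks suspicious."""
    parts = urlsplit(url)
    reasons = []
    if "@" in parts.netloc:
        reasons.append("user-info before host in CODEBASE URL (obscures the real host)")
    if parts.path.lower().endswith(".exe"):
        reasons.append("CODEBASE points at a bare .exe instead of a .cab package")
    return reasons

def triage(report):
    """Return (kind, entry, reason) findings for the Run, BHO and DPF sections."""
    findings = []
    for header, body in split_sections(report):
        if header.startswith("Autorun entries from Registry"):
            key = body[0] if body else "?"          # first line names the registry key
            for line in body[1:]:
                m = RUN_LINE.match(line)
                if not m or not m.group("cmd").strip():
                    continue                        # e.g. 'WEBCAMRT.EXE =' has no program
                for reason in check_run_entry(m.group("cmd")):
                    findings.append(("run", key + "\\" + m.group("name"), reason))
        elif header.startswith("Enumerating Browser Helper Objects"):
            for line in body:
                m = BHO_LINE.match(line)
                if m and "(file missing)" in m.group("path"):
                    findings.append(("bho", m.group("clsid"), "registered BHO whose DLL is missing"))
        elif header.startswith("Enumerating Download Program Files"):
            block = "?"
            for line in body:
                if line.startswith("[") and line.endswith("]"):
                    block = line[1:-1]              # control name or CLSID of the block
                elif line.upper().startswith("CODEBASE") and "=" in line:
                    for reason in check_codebase(line.split("=", 1)[1].strip()):
                        findings.append(("dpf", block, reason))
    return findings

if __name__ == "__main__":
    for kind, entry, reason in triage(SAMPLE_REPORT):
        print(f"[{kind}] {entry}: {reason}")
```

    Run it against a saved report (swap SAMPLE_REPORT for the file contents) and it lists the same entries Pieter singled out, plus the two oddly formed CODEBASE URLs from the Download Program Files section. It is only a first pass: msdos423.exe in the posted log looks like an ordinary Windows file name and is only identified by an antivirus signature, which is why Pieter's advice to follow up with an online scanner still applies.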
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    After you've disabled the above mentioned, you want to get rid of the virus first. Maybe it's best if you used one of the online scanners since NAV seems to be corrupted. Look here for some free services.
    After that try running Spybot S&D once more with no IE Windows open.
    Then please download Hijackthis and post the outcome of that program here.

    Regards,

    Pieter
     
  25. Digiti

    Digiti Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    39
    Well I used adaware which found quite a bit on Xupiter which I removed. However, his I.E. will not run anymore and does not show in add/remove programs [I was going to try a repair]! The error involves a shell...dll of some kind. His AOL runs fine fortunately. This xupiter would run even at the desktop without I.E. opened he says! Should I try to reinstall I.E.? He would be happy just to have the porno off the computer. He has no firewall either. I am not in front of his computer now, so I can not give the exact error. He only has a Dell restore disk no Win98 full version. Thanks.
     