Xupiter...anybody know how to

Discussion in 'privacy general' started by Chuck57, Sep 17, 2002.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    get rid of them? A friend just called me and said this site seems to have taken over his computer. He doesn't know how, but now that they're there, they won't leave.

    I don't know any more than that at this point, other than that they've inserted themselves into his registry, taken control of his home page, and won't let go.

    I'm firewalled, using Proxomitron with most filters enabled, but still don't feel comfortable trying to investigate the site to see who or what they are.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Here's lots of info: http://and.doxdesk.com/parasite/Xupiter.html

    Wish him luck for me,

    Pieter
     
  3. You will find at this link a post by Name Game that will give you a direct download link to the Xupiter site and a page that will give you the uninstaller and the procedure to do it. You must follow the instructions.. If you do the plugin will go away.

    http://www.dslreports.com/forum/remark,4333263~root=security,1~mode=flat

    This is a link to the FAQ for Xupiter.
    http://www.xupiter.com/help.html



    I will post it here also the Uninstaller.

    NOTE THIS IS A DIRECT DOWNLOAD LINK.

    http://www.xupiter.com/uninstall/

    Also note that after you run the uninstaller (make sure no other programs are running) you must immediately Reboot your machine for it to take effect.

    Good luck it seems to work for everyone to date. :D
     
  4. I will also tell you that none of the Spyware Groups I know of are going after Xupiter today. Xupiter has been pretty upfront on how they do business on the Net..They have uninstallers of their products and a good FAQ section.

    I guess until that changes..you just have to put up with them. :doubt: :doubt: :doubt:
     
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Boy, that was quick response. I'll note those URL's and pass them on. I can't believe nobody is doing anything about this outfit. Whether they post uninstallers or not, it's an intrusion.
     
  6. Please do get the word out..now a favor..can you find out where he/she did get it..I am keeping track of that.

    If we find out it is in an unsavory way..by websites that are their partners..then that should be noted. But it can not be just an IE setting thing where one could have prevented it with better security setting instead of having it wide open..so far have found that most just download it to see what it was...thanks Chuck,

    Regards,

    John
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Kudos, John! :D

    regards.

    paul
     
  8. Just trying to pay back the great Moderators, you have in here, in a small way for all the help they have given to others. They are very resourceful..and this is fun. :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Well, keep it up. I think you're good at it :)

    Regards,

    Pieter
     
  10. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Re:Xupiter...John, the guy is pretty sure

    it was an About.com pop up that got him. I've given him the URL's and expect he's in the process of ridding himself of Xupiter. I also told him to download Proxomitron or a similar pop up killer.
     
  11. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    oops, forgot to add....

    that he doesn't remember what website he was on when he got hit, which is probably the most important thing.
     
  12. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    This is from my latest newsletter, which won't load right now, because someone tripped over a golf ball or something and knocked the waxed string out of the back of my site's web server. ;(

    Anyway....

    ==================================================
    A new "drive-by downloader" has come onto the scene recently. Xupiter.com's browser toolbar has been finding its way onto the computers of countless people via ActiveX installation, and people all over the net have been running around in circles trying to figure out what to do with it. There is an enormous thread at the message boards about this which nearly broke the record for replies to a single topic, and smashed the record for page views with nearly 7,000 hits.

    Spybot S&D will soon be updated to handle this software and the other spyware removal companies have been sent the relevant information. If your company produces spyware/adware/hijacker/<insert term here> removal software and you haven't already been receiving notification of potential new targets from me, please contact me to give me an appropriate contact address.

    If you have this thing installed and wish to get rid of it now, the manual instructions are as follows (with apologies to Tony Klein for snitching his instructions):

    Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'XupiterStartup' entry in the Right Hand pane.

    Also delete the following Registry Keys:

    HKEY_CURRENT_USER\Software\Xupiter
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

    Reboot, and delete the entire Program Files\Xupiter directory.

    You're also likely to have a Xupiter ActiveX object in your Downloaded Program Files folder. Find that one, rightclick it, and choose properties. It has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

    Now rightclick the file, and choose delete.

    Next, delete the Xupiter folder in Program Files.

    Finally, go to Internet Options/Programs, and hit "Reset Web Settings".

    Many, many, many, many thanks to the dozens of people that contributed information to that thread. Most especially to one of the moderators at the forums, who goes by Mr Bones, who actually installed the software to log its installation process.
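
A read-only check for the artifacts named in the manual instructions above, as an added example that is not part of the original post or newsletter. The function names are hypothetical, and the `WOW6432Node` and `ProgramFiles(x86)` lookups are an assumption for 64-bit Windows, which the post predates.

```powershell
# Added example: reports which of the Xupiter artifacts listed in the post are
# present. It only reads the registry and file system and deletes nothing.
$Clsid = '{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}'   # ID given in the post

# Assumption: on 64-bit Windows a 32-bit install is redirected under
# WOW6432Node, so both registry views are checked.
$SoftwareRoots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Test-RegistryValue {
    param([string]$KeyPath, [string]$ValueName)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    return ($null -ne $key) -and ($key.GetValueNames() -contains $ValueName)
}

function Get-XupiterArtifact {
    $found = @()
    foreach ($root in $SoftwareRoots) {
        # Autostart entry from the first step of the instructions.
        $run = "$root\Microsoft\Windows\CurrentVersion\Run"
        if (Test-RegistryValue -KeyPath $run -ValueName 'XupiterStartup') {
            $found += "$run -> XupiterStartup"
        }
        # ActiveX distribution unit registered under the control's ID.
        $unit = "$root\Microsoft\Code Store Database\Distribution Units\$Clsid"
        if (Test-Path -LiteralPath $unit) { $found += $unit }
    }
    if (Test-Path -LiteralPath 'HKCU:\Software\Xupiter') {
        $found += 'HKCU:\Software\Xupiter'
    }
    # Program Files\Xupiter, resolved from the environment (both variants).
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($pf in $programDirs) {
        $dir = Join-Path $pf 'Xupiter'
        if (Test-Path -LiteralPath $dir) { $found += $dir }
    }
    return $found
}

$hits = Get-XupiterArtifact
if ($hits) {
    'Xupiter artifacts present:'
    $hits | ForEach-Object { "  $_" }
} else {
    'None of the listed Xupiter artifacts were found.'
}
```

Running it again after the reboot step shows whether anything from the list survived the cleanup.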
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Additionally, a Xupiter install also adds the following Favorites folders you will want to remove: Business, Computers, Cool Stuff, Entertainment, Gaming, Lifestyle, and Shopping.

    BTW, I've heard that a SpyBot S&D update due out later today is to include Xupiter detection, which will be a boon for a lot of people.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's for sure! Let's see what Patrick comes up with :cool:.

    regards.

    paul
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    "This is from my latest newsletter, which won't load right now, because someone tripped over a golf ball or something and knocked the waxed string out of the back of my site's web server. ;( "
    ___________
    Floss twice...keep the string taut..use bigger coffee cans to get the word out.... on your back swing..just keep your eye on that golf ball. ;)

    Thanks for the update.
     
  16. Mike_Healan

    Mike_Healan Registered Member

    Joined:
    Mar 6, 2002
    Posts:
    302
    Location:
    USA
    ROFL!! :D
     
  17. claire

    claire Guest

    Hi,
    The Spybot's new update includes Xupiter
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Updates of Sept, 22nd:
    updated hijacker: CnsMin
    added hijacker: Xupiter
    added trojan: MS7531, Element
    updated spyware: Aureate, HuntBar
    added Dialer: TIBS (PayPerViewDialer)
    updated dialer: All-In-One Telcom, TTW, Huysuzseks
     
  19. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You also have two other methods you can try.


    First: Manually you can rename XTUPDATE.DLL

    Second:

    BHODemon
    What does BHODemon do?
    BHODemon scans your Registry for BHOs, and presents any it finds in a list. By highlighting a BHO in this list, and clicking the "Details" button, you can see information about this BHO, and even disable it if you wish. BHOs are disabled by simply renaming the DLL that houses them. By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish. Why would you want to do that? Because the program that installed the BHO will not run if it can't find the DLL: Go!Zilla, for example, won't run if you remove its BHOs.

    http://www.definitivesolutions.com/bhodemon.htm


    The second method here I am told will take care of more than Xupiter as they try to get the attention of your browser.

    Small 127K program.
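
The kind of registry scan described in the post above, as an added example that is not part of the original post and is not BHODemon's code. The function name is hypothetical, and checking the `WOW6432Node` view is an assumption for 64-bit Windows.

```powershell
# Added example: read-only inventory of Browser Helper Objects and the DLL
# that houses each one. Nothing is renamed, disabled or deleted.
$BhoKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Assumption: both the native and the 32-bit (WOW6432Node) views are inspected.
$Roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

function Get-BrowserHelperObject {
    foreach ($root in $Roots) {
        $bhoPath = "$root\$BhoKey"
        if (-not (Test-Path -LiteralPath $bhoPath)) { continue }

        foreach ($entry in Get-ChildItem -LiteralPath $bhoPath) {
            $clsid = $entry.PSChildName

            # The default value of the CLSID's InprocServer32 key names the DLL.
            # Simplification: only machine-wide COM registrations are resolved.
            $inprocPath = "$root\Classes\CLSID\$clsid\InprocServer32"
            $inproc = Get-Item -LiteralPath $inprocPath -ErrorAction SilentlyContinue
            $dll = if ($inproc) { [string]$inproc.GetValue('') } else { '' }

            # A BHO disabled by renaming its DLL shows up with DllOnDisk = False.
            $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)

            [pscustomobject]@{
                Clsid     = $clsid
                Dll       = $dll
                DllOnDisk = $onDisk
                Signature = if ($onDisk) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status
                } else { 'n/a' }
                Company   = if ($onDisk) {
                    (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
                } else { '' }
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

Entries with an unfamiliar company, an unsigned DLL, or a DLL outside the expected program folder are the ones to look at first.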
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    You'll have trouble renaming Xupdate.dll as it will be in use by Windows.

    The short method is going to Start > Run > Msconfig, and unchecking XupiterStartup.

    Click OK and close Msconfig.

    Disable the BHO or delete its registry key.
    Now reboot, and rename or delete the dll.
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    You'll have trouble renaming Xupdate.dll as it will be in use by Windows.

    How about your safe or DOS :D I never had any problems
    ____________________________________________


    Browser Helper Objects: The Browser the Way You Want It
    Click here to download sample - 5267.exe.

    Dino Esposito
    Microsoft Corporation

    January 1999

    Summary: Describes how to use BHOs to customize your browser. (16 printed pages) Covers:

    Introduction
    Program Customization
    What Are Browser Helper Objects?
    The Lifecycle of Helper Objects
    The IObjectWithSite Interface
    Writing a Browser Helper Object
    Detecting Who's Calling
    Getting in Touch with WebBrowser
    Getting Events from the Browser
    Accessing the Document Object
    Managing the Code Window
    Registration of Helper Objects
    Summary

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbrowse/html/bho.asp
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Yes, I know, but why just rename the dll?

    Let's get rid of the entire thing. That sounds like a much more sensible option.
     
  23. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes, I know,

    OK :D

    Now we have umpteen methods. :D

    yours is fine also. Glad you posted it.

    Not interested in a competition. :rolleyes:
     
  24. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,351
    Location:
    The Netherlands
    Neither am I.

    I'm sorry to hear you seem to regard it as such.

    Cheers,
     
  25. microwiz3

    microwiz3 Registered Member

    Joined:
    Sep 25, 2002
    Posts:
    6
    Location:
    Goshen, IN
    Re:Xupiter

    Hope this might be of some help!
    Here is where my wife "acquired" Xupiter recently:

    http://wwx.dollhouseminiaturesclub.freeservers.com

    Then go to the "Craftroom" and a screen extolling the virtues of Xupiter having a "certificate" should appear.
    (The usual ActiveX approval screen).

    Interestingly enough although I found it on her computer it had never activated. I just happened to see a directory named Xupiter when I was looking around for something else. Removed without a hitch.

    Also Lavasoft (AdAware) has included Xupiter in the files as of 9-24-02. I went in and "acquired" it just to test and AdAware caught it and removed it with no problem.

    I don't think we have seen the last of these guys. Hope this helps. Happy computing! :rolleyes:

    URL provided has been altered for security reasons - Forum Admin
     