# xupiter.com



## Guest (Sep 2, 2002)

Somehow this evil webpage has been taking over my internet. Every time I open Explorer it makes itself my homepage, even after I switch it back to my normal one. This website is driving me insane, I don't even know where it came from. Any time I try to go to ANY webpage xupiter will try to take over and take me to their page. What in the world can I do to delete this page from existence in my life?!?! HELP ME!

Laura


----------



## rkselby98 (May 6, 2000)

This is how you fix it.

http://www.rselby.com/Windows.html#xp27

But first you must get rid of it.

Ad-Aware checks and removes spyware
http://www.spychecker.com/download.html

SWAT a free trojan program and free updates for life.
http://lockdowncorp.com/bots/downloadswatit.html

PC-cillin is an online free virus checker
http://housecall.antivirus.com/housecall/start_corp.asp


----------



## TonyKlein (Aug 26, 2001)

It might or might not be something targeted by Ad-Aware, but it would be nice if we could have a look at your startups:

Go to Start/run, and type Msinfo32, followed by OK.
Go to Software Environment/Startup Programs.
Click Edit/'Select all', and then 'copy'
Now paste the contents in your post.


----------



## ronhum (Sep 5, 2002)

Holy Cow! I see what you mean by this Xupiter bar thing. My computer has been hijacked also. It keeps carrying me back to the Xupiter site, and my internet is acting strange. When I open the msn site, random words start typing into the search blank all by themselves!

I have tried to get rid of it, but can't. I have never seen anything like this. sheesh. 

Any more help with this appreciated.


----------



## ronhum (Sep 5, 2002)

Here are some of the weird things that are happening. When I tried to type in a post subject just now, weird random characters started appearing on their own, and are even trying to appear now! while I am typing in this box!

Here is the startup

AdaptecDirectCD	"c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe	c:\winnt\system32\ctfmon.exe	BARDOCK\Katie	HKU\S-1-5-21-1487682723-1260927497-516276246-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe	c:\winnt\system32\ctfmon.exe	BARDOCK\Dad	HKU\S-1-5-21-1487682723-1260927497-516276246-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
desktop	desktop.ini	NT AUTHORITY\SYSTEM	Startup
desktop	desktop.ini	BARDOCK\Katie	Startup
desktop	desktop.ini	BARDOCK\Dad	Startup
desktop	desktop.ini	.DEFAULT	Startup
desktop	desktop.ini	All Users	Common Startup
GWMDMMSG	gwmdmmsg.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hot Key Kbd 9910 Daemon	sk9910dm.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPAiODevice(hp psc 700 series) - 1	c:\progra~1\hewlet~1\aio\hppsc7~1\bin\hpobrt07.exe -deviceid 1029987300	All Users	Common Startup
Jet Detection	c:\program files\creative\sbaudigy\program\adgjdet.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KaZaA Media Desktop	c:\program files\kazaa\kazaa.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Keyboard Preload Check	c:\oemdrvrs\keyb\preload.exe /devid: /class:keyboard /runvalue:"keyboard preload check"	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LVCOMS	c:\program files\common files\logitech\qcdriver\lvcoms.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS	"c:\program files\messenger\msmsgs.exe" /background	BARDOCK\Katie	HKU\S-1-5-21-1487682723-1260927497-516276246-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS	"c:\program files\messenger\msmsgs.exe" /background	BARDOCK\Dad	HKU\S-1-5-21-1487682723-1260927497-516276246-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NAV Agent	c:\progra~1\norton~1\navapw32.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon	rundll32.exe nvqtwk,nvcpldaemon initialize	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PROMon.exe	promon.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Share-to-Web Namespace Daemon	c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UpdReg	c:\winnt\updreg.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDVDPatch	cthelper.exe	All Users	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager	c:\progra~1\yahoo!\messen~1\ypager.exe -quiet	BARDOCK\Katie	HKU\S-1-5-21-1487682723-1260927497-516276246-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
--

Any help with this bizarre problem appreciated!!


----------



## diver165 (Sep 5, 2002)

very annoying indeed.... I hate when things take over my computer. Somehow this xupiter thing got by me too. Here is the uninstall that I used to get rid of it.

http://www.xupiter.com/uninstall/

Follow the instructions and you should be fixed.



Roger


----------



## Guest (Sep 5, 2002)

hey there,
while browsing through my computer I found that xupiter had put itself in my program files so I just deleted it outta there and I have been fine ever since! Thank you so much for your help... xupiter is definitely a doozy!!!!

laura


----------



## catskat (Sep 5, 2002)

I have tried the uninstall on this hijacking site and now every time I try to go to the browser or change sites I get a popup that says "xupiter is not installed properly, please reinstall"!!?? I have found it in the program files but can not delete it from there. I used to get the message that the source file may be in use, now I get the above mentioned message. I can't delete, I can't uninstall, I keep losing my homepage (of my work computer) to this trash. Isn't there anything to get it completely off my system????


----------



## brendandonhu (Jul 8, 2002)

I'm surprised AdAware didn't take care of it. If you boot into DOS and delete the program files from there it may take out some important parts of the software and fix things. I'm about to set my security settings to high and check out that web site to see what it says.


----------



## ronhum (Sep 5, 2002)

Well I finally got rid of the Xupiter web page. I ran the ad remove program, and the uninstall.

However, there is still a problem I believe may have been picked up at the same time.

When I open IE, there are random words, dots, etc. generated in the search Window, as if a ghost is typing.

If I go to another site, such as Yahoo, the same thing. And it would even type in this box I am typing in if I were on the infected computer.

Interestingly, Norton will not detect anything, and I also ran a program designed to remove bots and trojans, and it did not find anything.

Any body have any ideas?


----------



## Guest (Sep 5, 2002)

Though it took a while, I successfully got rid of Xupiter a few days ago... one of the problems mentioned above was that Xupiter wouldn't delete because it was "running." I found that if any internet is running, for example: my internet explorer wasn't open, but it was running, I had to ctrl alt delete and close out of all internet programs. Then Xupiter was shut out of my computer, so I could successfully delete it out of my program files!!!

-Laura
PS~ Make sure that xupiter is completely out of your program files as well as out of the temp internet files!!!


----------



## parevalo (Sep 6, 2002)

I found, using msinfo32 Software Environment/32Bits Loaded Modules, that the XTUPDATE.DLL is there.

XTUPDATE.DLL, which I guess is responsible for the message "Xupiter Toolbar is not installed properly, please reinstall..." that appears every time I open an explorer or iexplorer window, is the file installed with Xupiter under Program Files which is not possible to delete 'cause Windows is always using it.

I tried to find it under msinfo32 Software Environment/Startup Programs, as TonyKlein recommended, but it was not there.

Following the instructions to remove programs that run themselves at start-up on http://cexx.org/startup.htm, referred by Rick Selby in his page under "Getting rid of unwanted ... from your computer", I removed the reference to the Xupiter thing from a -Run entry in the system Registry, but the messages continued appearing.

So I looked for all other references to Xupiter or XTUPDATE in the system Registry and I found it subscribed as a class and as a library under HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\Software\CLASSES (I guess there is even a looping reference), and as the default search bar for the HKEY_CURRENT_USER and HKEY_USERS\DEFAULT.

It's also referenced under HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units.

I'm attaching a file where all Registry entries found were copied.

Could someone tell me please, what should I do now?

Patricia.


----------



## TonyKlein (Aug 26, 2001)

If you find it in HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units, you're likely to have a Xupiter ActiveX object in your Downloaded Program Files folder.

Take a look, spot anything (un)likely there, rightclick it, and choose 'remove'.

You might also want to download BHODemon, launch the program, and tell us what BHOs it detects.


----------



## catskat (Sep 5, 2002)

YEAH- it's finally gone. Had the same problems of toolbar not being installed, not being able to delete because it was running, etc. Finally went into the command prompt, changed the name of the files, deleted them and then restarted the computer. It seems to be gone, at least until I hit the web page that has the redirect connected to it again. I am keeping my fingers crossed it doesn't happen. Wish they would get nuked!!!


----------



## parevalo (Sep 6, 2002)

I found a damaged Xupiter ActiveX object {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} in the Downloaded Program Files folder. When removing it, a message appeared saying there was not enough information and that I should try via the control panel. However the entry was removed.

BHODemon detects the XTUPDATE BHO.
Number:0
CLSID:{2662BDD7-05D6-408F-B241-FF98FACE6054}
DLL Path: C:\ARCHIVOS DE PROGRAMA\XUPITER\UPDATES\XTUPDATE.DLL
Status: New
More details in the attached file.

I disabled it, and now I'll try to reboot.


----------



## parevalo (Sep 6, 2002)

Ok! The XTUPDATE module was no longer loaded after disabling it with BHODemon, and I finally was able to delete the DLL file.

Thanks a lot Tony! ;D


----------



## TonyKlein (Aug 26, 2001)

You're welcome!


----------



## serryp (Sep 4, 2002)

FINALLY got rid of it as well! Thanks Rick and Laura!

Here's what I had to do...I use Windows XP.

1. Boot in safe mode, go to the Program Files/Xupiter directory and delete it. Also emptied the recycle bin JUST to be safe...hehe.

2. Went to Start, Run, Regedit, Edit, Find, typed in Xupiter, and deleted any and all entries it came up with that had Xupiter in it (and there were many!), using F3 key to go from one instance to the next to delete them. Exited the Registry.

Rebooted...and it worked! Thank you Rick and Laura for all of your emails to help me fix this!


----------



## aardvark (Sep 7, 2002)

I have tried the "safe mode" thing and cannot get rid of Xupiter.

What in the world is this?

Can someone please help!

And isn't there a regulatory issue about a site that ACTIVELY invades peoples' computers?

Jeepers..........


----------



## TonyKlein (Aug 26, 2001)

Download BHODemon, launch the program, and uncheck Xtupdate.dll > {2662BDD7-05D6-408F-B241-FF98FACE6054}

You may not need to, but reboot anyway, and next, do a search for, and delete Xtupdate.dll.

You're also likely to have a Xupiter ActiveX object in your Downloaded Program Files folder. 
Find that one, rightclick it, and choose properties.
It probably has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Now rightclick the file, and choose delete.

There will be more registry entries, not to mention an entire Xupiter folder in Program Files, but this should at least stop it from starting up.

Hopefully Ad-Aware and Spybot will start targeting this one soon.


----------



## The Guru (Sep 7, 2002)

Hi guys
When I connect to the internet I get a message from zonealarm to the effect that xupitertoolbarloader is trying to connect to the internet. I have not allowed it to do so. How can I get rid of this beastie before it gets a hold of things?

Pretty please


----------



## rkselby98 (May 6, 2000)

Go to start, find and do a search for it. Also search for the file Xtupdate and delete it if it finds it.

Delete all files it finds.

Delete all files and folders in the temp folder, delete all folders in the internet temp folder. Do this one from Windows Explorer.

Delete all cookies, offline files and history from internet options.

FOR YOU SLOW LEARNERS, 

stay away from the site before you have the same problems. Going to the site is looking for problems.


----------



## The Guru (Sep 7, 2002)

I should add that when I refuse access I get a message------

that xupiter is experiencing problems and will have to shut down

and....if the problem persists I should contact the program vendor.....yeah right


----------



## The Guru (Sep 7, 2002)

Hi Rick
Thanks for your help.....I followed your instructions exactly and it seems to have cured the problem....One file in windows temp I could not delete / access denied.... The file is called linkts.mlg......I tried using norton AV to isolate it but this didn't work either?

Grateful slow learner


----------



## rkselby98 (May 6, 2000)

Good to hear it came out that easily.

Now do yourself a favor, next time you see something like this run, don't walk, but run in the opposite direction and never check it out.

One question, have any idea where you got it, did you go to the site? Like to know how this is all of a sudden showing up on computers.

Maybe your experience will help someone else keep from getting it..

Thanks for letting us know, we do appreciate that.


----------



## The Guru (Sep 7, 2002)

Rick
I have no idea where this came from..... I do try to be careful with this sort of thing...they seem to sneak in unnoticed, probably from popups....Don't you just hate them.......


----------



## brendandonhu (Jul 8, 2002)

I went to their site and it was just one of those things where it has all the topics you can choose and a pay-per-click search engine. Didn't even have a download link for a toolbar that I saw, must be a pretty sneaky program.


----------



## rkselby98 (May 6, 2000)

Yes these people are getting really good. I wish I had their talents. Sure wouldn't waste them seeing how badly I could mess up someone's computer.

Good talent wasted. Sure is a shame and I hope they are reading this.

One suggestion, don't know if you have tried it or done it but go into internet options, advanced tab and remove the checks from BOTH install on demand.

Might help, don't know. Bill Gates isn't the only smart one any more.

Good luck with your computering and if you need help please ask.


----------



## The Guru (Sep 7, 2002)

Thanks for the tip...that should be a big help too


----------



## cathyl1221 (Sep 8, 2002)

Tony,
I downloaded and tried the BHODemon.
I unchecked the Xupiter dll,
and now my Outlook Express won't open,
it can't find the shortcut!
What did it do to this?


----------



## cathyl1221 (Sep 8, 2002)

When I click the icon in the taskbar for OE, a box appears 
LAUNCH OUTLOOK EXPRESS PROPERTIES
TARGET TYPE; APPLICATION
LOCATION;OE
TARGET;CROGRAM FIRLES\OE\MSIMN.EXE
START IN (this box is empty)
SHORTCUT KEY: NONE
a box says ....FIND TARGET
When I click on that, then it takes me into the program files
to the Outlook Express icon there.
Double click and I am there.
But what did the Xupiterstartup do to this icon that I can't use it now?
Cathy


----------



## TonyKlein (Aug 26, 2001)

Cathy,

It should be unrelated.

So you're saying that doubleclicking Msimn.exe in the OE Program Files folder _will_ work?

In that case just delete the OE Shortcut in Quick Launch (your taskbar), and drag Msimn.exe to it.

It will create a fresh shortcut which ought to work.


----------



## vpn (Sep 8, 2002)

The xupiter browser bar on my system was automatically installed from a pop up, two days later, it [something] had downloaded and installed several programs.


----------



## rkselby98 (May 6, 2000)

For all of you that are reading this post do the following. Don't know if it will help in this case but it CAN'T HURT either.

Go to Tools, internet options, advanced tab and remove the two checks from

"INSTALL ON DEMAND"

Can't hurt...


----------



## TonyKlein (Aug 26, 2001)

Ah, but that's only for MS applications.

From Description of the "Install on Demand" and "Automatically Check for Updates" Features (Q222639)

"Install On Demand 
The Install On Demand feature specifies whether to automatically download and install Web components that can be installed by Internet Explorer Active Setup by using the component's cabinet information file (CIF) for Setup instructions. Typically, a Web page may need to download items to display the page properly, or to perform a particular task. For example, if you open a Web page that requires Japanese-text display support (Charset=euc-jp), Internet Explorer automatically prompts you to download the Japanese Language Pack component if it is not already installed and the Install On Demand feature is enabled. "


----------



## rkselby98 (May 6, 2000)

Don't know but IE has "Install on demand (Internet Explorer)" and also "Install on demand (Others)"

Just maybe this would come under the others!


----------



## TonyKlein (Aug 26, 2001)

(other) is a new addition to IE 6.0:

NOTE: In Internet Explorer 6, components that can be installed by Active Setup by using the CIF for Setup instructions are controlled by the Enable Install on Demand (Internet Explorer) setting. _Components that can be installed by using self-installing program files that are registered with Internet Explorer 6 are controlled by the Enable Install on Demand (Other) setting. For Internet Explorer 6 for Windows 2000, only Microsoft Windows Media Player 7 can be installed on demand if the Enable Install On Demand (Other) option is enabled. Install On Demand is not available for other components in Internet Explorer 6 for Windows 2000, and Install On Demand is not available for any components in Internet Explorer 5.x for Windows 2000._

These are all Installable Components in Internet Explorer


----------



## vpn (Sep 8, 2002)

It was easy to remove, all I had to do was remove all the registry keys then boot into safe mode and delete it all.


----------



## cathyl1221 (Sep 8, 2002)

I used the www.xupiter.com/uninstall that diver125 gave.
It worked.
Thanks for all your posts and suggestions to help, Tony and Rick.
But now I have a folder in my program files.
Can I drag that to the recycle bin, or delete it without
hurting anything?


----------



## TonyKlein (Aug 26, 2001)

Drag it to the Recycle Bin, and keep it there for a couple of days.

If all goes well, delete it.


----------



## cathyl1221 (Sep 8, 2002)

Thanks I'll try that before I get into the Registry.
I've had to do that 3 times in my life and I think it is where
brave men dare not go if they can help it! 

I downloaded a cute little email program called Incredimail.
that is how I think I got this xupiter. It was right after that,
it took over my homepage.
The Incredimail was cute, but not at that expense!!
So thanks all.
This is a great site for us newbies.


----------



## EmrldSky (Sep 9, 2002)

After THREE hours of trying to get rid of Xupiter, I finally did all of the suggestions..I got adware...I got BHODemon...I edited the registry...I renamed the .dll file..I restarted...I re-edited the registry and NOW I am Xupiter Free! I just wanted to thank those of you who posted because without you, I'd have gone insane. You guys rule!


----------



## rkselby98 (May 6, 2000)

Sorry you had to go through all you did and 

WELCOME TO TSG

Hope you come back the next time and visit without a problem.


----------



## EmrldSky (Sep 9, 2002)

Thanks! I should know better...I'm a Senior Residential Computer Consultant for Purdue and we run into people having problems loading webpages and stuff like that all the time...oi, oh well. I'm just glad it's over. =o)


----------



## TonyKlein (Aug 26, 2001)

Glad to hear you got it fixed!


----------



## Crossfire (Sep 11, 2002)

I just did battle with this xupiter.com B.S. myself. Apparently, it installed itself - IN THE BACKGROUND, WITHOUT MY KNOWLEDGE OR PERMISSION AND WITHOUT MY CLICKING ON ANY LINK TO IT - after popping up as one of those annoying ad windows. I *thought* I saw a quick flash of something being downloaded - an unexpected and unrequested download?! - but as you know, an increasing number of these ads are made to look like real Windows messages ["Warning: Your socket is fragmented! Click here!"] to fool clueless newbies. Well, I figured I had seen just another Windows-look-alike ad, until I discovered all of the following:

1. It changed my home page. [First clue.]
2. It added itself to my MSIE toolbar.
3. It added itself to my "Run" entries in the registry to load at startup.
4. It added a pile of URL's - all linking to xupiter.com - to my Favorites.
5. It made itself my default search engine.

So, without any intervention or consent on my part, a pop-up ad window was allowed to automatically install software which took over my browser, and for God knows what purpose. This was even with "Allow install on demand" disabled in my browser options. If THIS isn't a good reason to install a pop-up ad blocker, I don't know what is, and if this isn't a VERY good reason to launch a crusade against these *******s... This kind of web site behavior should not be allowed. I didn't WANT xupiter, I didn't ask for it, I didn't click on any link to it, but it popped up in an ad window and hooked itself into the guts of my browser and registry anyway, without so much as giving me the option to cancel the installation.

I ripped that damned thing out of my system with my bare hands, put xupiter.com into my "Restricted" zone, and the IT head here is going to get an advisory e-mail from me about these slimeballs.


----------



## TonyKlein (Aug 26, 2001)

Strange question maybe, but could you PM me the site where you got hit?

I'm looking to install it running an install log, so that I'll be able to see what exactly it does.

Please don't post the url here, as we wouldn't want other people to have to go through the same thing.


----------



## Crossfire (Sep 11, 2002)

Just a quick footnote... I noticed, when doing a whois search on these clowns, that their DNS records list no real names for technical or administrative contacts, their address is a P.O. box, and their phone number is listed as - and I quote - 000-000-0000. Sounds like a really REPUTABLE bunch, doesn't it...?  I can only assume that they just don't want to field the inevitable flood of complaints [to put it mildly] from irate unwitting "users" of their site.

Something just doesn't seem quite right here...


----------



## EmrldSky (Sep 9, 2002)

very very interesting....


----------



## whiskyd (Sep 12, 2002)

I was momentarily excited about avoiding the extensive uninstall instructions for this nasty little visitor by going to the url
http://www.xupiter.com/uninstall but surprise it is gone!! I guess it was being visited by a lot of us disgruntled victims.


----------



## brendandonhu (Jul 8, 2002)

The whole site is gone! They must have dropped the project or run out of money. Some site must have a mirror of the uninstaller...


----------



## whiskyd (Sep 12, 2002)

Even though the site is gone it remained a nuisance. I was able to get rid of it by following the instructions above to delete the registry entries, cookies, and favorites. I was not able to get rid of the dll though until I installed BHODemon. The interim period --with everything but the dll installed was a whole new kind of hell. Everything I did on the pc choked with the now famous message indicating the toolbar was installed incorrectly. Total time lost --over an hour. I hope they have run out of money and been run out of town.


----------



## brendandonhu (Jul 8, 2002)

There's not a trace of them left on the web. Not even an article about their oh so tragic business failure. Turns out you can get rid of it by renaming a DLL.


----------



## Howie Lowe (Sep 12, 2002)

Hi guys. Am new to this forum. Just stumbled upon the Xupiter ''issue'' on my PC. Thanx to this forum, I was able to remove everything Xupiter-related.

My computer is running fine, but I'm having one leftover problem. Or should I say, there is one problem that I'm aware of. I may stumble upon other problems with time.

I use Netscape 4.79 as my default browser. Netscape was defaulting to Xupiter as my homepage. I changed the homepage back to my original selection (after removing Xupiter stuff) via Netscape Messenger/ Edit/Preferences.

When I come on to the 'Net via Netscape, the computer just SEARCHES for my selected homepage. It doesn't connect; it just continues searching for it. But when I then click on the 'home' icon, it then brings me to the correct homepage. When I then re-check the homepage setting to ensure it is correct, it IS in fact correct and set as it should be.

Having this problem repeatedly after I removed Xupiter (including the ".dll" file), I did a Windows (2000) error-check and I also reinstalled Netscape 4.79. I've done a 'search' on 'Xupiter' on my C-drive and am satisfied that there is nothing Xupiter-related on my 'puter.

Bottom line: Problem of initial Netscape connection to correct homepage (without my clicking on the 'home' icon) is unresolved. Please forward me any suggestions/fixes c/o [email protected]

BTW, I also use MSIE 5.5 and automatic logging on at the correct homepage is not an issue.


----------



## EmrldSky (Sep 9, 2002)

Did you do a search on the registry after you deleted the .dll? If you didn't, there are probably still files there and you'll need to get rid of them and that might be the problem. Anyone else have any ideas?


----------



## Howie Lowe (Sep 12, 2002)

EmrldSky wrote:
> Did you do a search on the registry after you deleted the .dll? If you didn't, there are probably still files there and you'll need to get rid of them and that might be the problem. Anyone else have any ideas?


I assume this means I would need to run regedit. Not an area I'm particularly familiar with. Any guidance would be appreciated. I assume I can mess something up here if I don't know what I'm doing. Thanx, Herb


----------



## brendandonhu (Jul 8, 2002)

Go into Regedit and search for Xupiter and delete all references to it. It also uses registry keys called something else, I think it's XT or XP. Anyone heard of that?


----------



## Howie Lowe (Sep 12, 2002)

JC and Others Who Have Replied-- I did as you said. Deleted all references in registry to "Xupiter". Restarted computer (did not shut it down) and problem is still 
there. Netscape searches for my selected homepage, but doesn't find it. When I click the 'home' 
icon, it gets me to the correct homepage. 

More ideas? I may not continue with any additional advice until Friday after work. But 
keep them ideas coming. Thanx, all. -Howie.


----------



## TonyKlein (Aug 26, 2001)

Did you disable the Xupiter dll with BHODemon, and delete xupdate.dll?


----------



## EmrldSky (Sep 9, 2002)

I think he mentioned he deleted "the .dll" in his first post, but at least I'm unsure of whether or not he deleted the xupdate one..cuz there are two that I saw. Other than that, I really have no clue what else he could do...he did say he reinstalled netscape once already, =o/. I wish I could be of more help.


----------



## TonyKlein (Aug 26, 2001)

Reinstalling Netscape won't make any difference whatsoever.

Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'XupiterStartup' entry. 

Disable the BHO, reboot, and delete the Xupiter ActiveX object in Downloaded Program Files.


----------
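The three persistence points named in this thread (the HKLM Run entry, the Browser Helper Object CLSID and the Distribution Units entry) can be listed from a regedit export before anything is deleted. This is an added example, not code from any poster: it assumes the export is already decoded to text, the sample export is constructed, the Run value's file name is a placeholder, and the Browser Helper Objects key path is the standard Explorer location rather than one quoted in the thread.

```python
import re

# Identifiers quoted in this thread (BHODemon output and TonyKlein's posts).
KNOWN_CLSIDS = {
    "{2662BDD7-05D6-408F-B241-FF98FACE6054}",  # XTUPDATE BHO
    "{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}",  # ActiveX object, Downloaded Program Files
}
NAME_MARKERS = ("xupiter", "xtupdate")

HKLM = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
RUN_KEY = HKLM + "Microsoft\\Windows\\CurrentVersion\\Run"
# Assumption: standard BHO registration key (not quoted in the thread).
BHO_KEY = HKLM + "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
DIST_KEY = HKLM + "Microsoft\\Code Store Database\\Distribution Units"
CLSID_ROOTS = ("HKEY_CLASSES_ROOT\\CLSID", HKLM + "Classes\\CLSID")

# Constructed sample export. PLACEHOLDER.EXE and the all-zero CLSID are made up;
# the XTUPDATE.DLL path and the two Xupiter CLSIDs are the ones posted above.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="c:\\progra~1\\norton~1\\navapw32.exe"
"XupiterStartup"="C:\\Program Files\\Xupiter\\PLACEHOLDER.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2662BDD7-05D6-408F-B241-FF98FACE6054}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000AAAA}]

[HKEY_CLASSES_ROOT\CLSID\{2662BDD7-05D6-408F-B241-FF98FACE6054}\InprocServer32]
@="C:\\ARCHIVOS DE PROGRAMA\\XUPITER\\UPDATES\\XTUPDATE.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\Program Files\\Example\\benign.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(token):
    # Strip the surrounding quotes and undo the backslash escapes of a .reg string.
    return re.sub(r"\\(.)", r"\1", token[1:-1])


def parse_reg_export(text):
    """Return {UPPERCASED key path: {value name: data}} from regedit export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            # Registry paths are case-insensitive, so normalise them for lookup.
            current = keys.setdefault(section.group(1).upper(), {})
            continue
        value = _VALUE.match(line)
        if value is None or current is None:
            continue  # file header, blank line, or a hex: continuation line
        name, data = value.groups()
        name = "" if name == "@" else _unquote(name)  # "" is the key's default value
        is_string = len(data) >= 2 and data.startswith('"') and data.endswith('"')
        current[name] = _unquote(data) if is_string else data  # dword:/hex: kept raw
    return keys


def _children(keys, parent):
    prefix = parent.upper() + "\\"
    return sorted({k[len(prefix):].split("\\")[0] for k in keys if k.startswith(prefix)})


def _inproc_server(keys, clsid):
    # Resolve a CLSID to the DLL it loads, checking both class roots.
    for root in CLSID_ROOTS:
        values = keys.get(f"{root}\\{clsid}\\InprocServer32".upper())
        if values and "" in values:
            return values[""]
    return None  # class not registered in this export (orphaned reference)


def audit(keys):
    """List every Run value, BHO and Distribution Unit as (location, name, target)."""
    findings = [("Run", n, d) for n, d in sorted(keys.get(RUN_KEY.upper(), {}).items())]
    for location, parent in (("BHO", BHO_KEY), ("DistributionUnit", DIST_KEY)):
        for child in _children(keys, parent):
            findings.append((location, child, _inproc_server(keys, child)))
    return findings


def suspects(findings):
    """Keep findings that match the CLSIDs or names reported in this thread."""
    hits = []
    for location, name, target in findings:
        text = f"{name} {target or ''}".lower()
        if name.upper() in KNOWN_CLSIDS or any(m in text for m in NAME_MARKERS):
            hits.append((location, name, target))
    return hits


if __name__ == "__main__":
    for location, name, target in suspects(audit(parse_reg_export(SAMPLE_EXPORT))):
        print(f"{location:17} {name}  ->  {target or '(no InprocServer32 in export)'}")
```

A Distribution Unit with no resolvable DLL corresponds to the "damaged" ActiveX object reported earlier in the thread: the reference remains after the class registration is gone.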



## Howie Lowe (Sep 12, 2002)

Found the problem. It was in Netscape under Edit/Preferences/Navigator. There on the right it was set at "Navigator starts with Blank Page".

Problem fixed. Thanx to all for your $.02 --
It was all very valuable.



Come visit the website:

http://mywebpages.comcast.net/herbwx/index.html
Mid-Atlantic Weather Station


----------



## Howie Lowe (Sep 12, 2002)

Had Netscape problems becuz of Xupiter, as noted here yesterday, due to Xupiter on my 'puter. Had to clean out the registry to remove all the leftover files --

I used Run / regedit.
I then exported regedit file to my desktop and saved desktop file as
'registrybkp.reg' (i.e., a renamed backup <bkp> registry file).
I then made my registry changes. Exited out rebooted/all works fine.

Questions:

May I now delete my desktop file called "regeditbkp.reg" ?
What is the regular registry file called ?

Thanx,
Herb c/o [email protected]


----------



## EmrldSky (Sep 9, 2002)

You can go ahead and delete that. That file was just in case you deleted something you shouldn't have. But since there doesn't seem to be any problem, go ahead and delete it.


----------



## cathyl1221 (Sep 8, 2002)

I have it again. My daughter said it just popped up while she was surfing, and it made it the homepage again.
She couldn't remember what site she was on, so I asked her to note the next time the pop up ever comes up.
But thanks to you guys, I now know how to delete all of it.
Cathy


----------



## cathyl1221 (Sep 8, 2002)

How do I put Xupiter.com in my restricted zone?
Cathy


----------



## EmrldSky (Sep 9, 2002)

In an Internet Explorer window, go to "Tools" -> "Internet Options" then click on the "Security" tab, click on the icon that says "Restricted Sites", then click on "Sites..." and you can type in www.xupiter.com and click add, then ok, ok. =o)


----------



## Howie Lowe (Sep 12, 2002)

> _Originally posted by EmrldSky:_
> *In an Internet Explorer window, go to "Tools" -> "Internet Options" then click on the "Security" tab, click on the icon that says "Restricted Sites", then click on "Sites..." and you can type in www.xupiter.com and click add, then ok, ok. =o)*


Good info. What's the equivalent for Netscape ? (version 4.79 specifically, altho probably similar procedure-- if one exists -- for most NS versions)

Herb c/o [email protected]


----------



## cathyl1221 (Sep 8, 2002)

Thank you for everything,
You guys are the best!


----------



## Crossfire (Sep 11, 2002)

I should note that even though I have placed xupiter.com in my "Restricted" zone, I still don't know whether this actually will protect my system from having xupiter automatically installed again. I have not encountered another one of the pop-up ad windows that installed xupiter on my machine, and I don't intend to go to that site just to test it, nor do I intend to return to the site I was viewing when that pop-up appeared. At the very least, my restricted zone settings disable everything that can be disabled in that zone - it is at the maximum possible security level. I hope that will be enough.

TRACERT from my machine reveals that xupiter.com is still reachable, and the "Safe Browser" at samspade.org - which displays only the raw HTML code from a site - is returning HTML content from xupiter. Therefore, xupiter IS still active. And apparently, according to a whois search at samspade.org, xupiter has moved from a P.O. box in Van Nuys, California - which was where they were listed as being located a few nights ago when I got hit - to somewhere in Hungary. I wonder where they'll be in another three days from now?


----------



## brendandonhu (Jul 8, 2002)

Xupiter was down a couple of days ago. Putting it in the restricted zone doesn't stop the popups; they are generated locally, not on a website, and Xupiter.com has no download of its spyware, or popups.


----------



## EmrldSky (Sep 9, 2002)

I'm not sure what the equivalent for netscape is just because I don't use netscape on a regular basis. I can do some checking into that in the next couple of days (i.e. play around with netscape). If you figure it out before I do, please share. =o)


----------



## Crossfire (Sep 11, 2002)

I found a page with some useful information:

http://and.doxdesk.com/parasite/Xupiter.html


----------



## brendandonhu (Jul 8, 2002)

Xupiter was in today's LangaList. Here's the article.

4) Xupiter = Scumware?

Hiya Fred, I love the newsletter! I recently found a new
scumware called "xupiter" on my freshly reloaded system. I not
only don't know where this came from but it was a pain in the
tuckus to remove. Adaware didn't even detect it. Once again a
quick google search saved the day.

Thought the other readers would like to know how to remove
xupiter if they find it. details are at,
http://and.doxdesk.com/parasite/Xupiter.html Have a GREAT
day! =) Dave (aka Frndlylion)

Xupiter is a toolbar that may install itself into IE without your
permission, if your security settings are too low. It appears to come
bundled with some software or may be force-downloaded with some ads.

There are actually two problems here: One is Xupiter itself, and the
other is that people infected with Xupiter (or similar software) have
had items installed on their systems without their knowledge or
permission.

That should NEVER happen: Nothing should ever be able to self-install
without your knowing about it. Unfortunately, it happens all the time---
with things like Xupiter, Comet Cursor, and a host of other programs
that take advantage of the fact that many people go online with
incorrect browser security settings that allow downloaded software to
self-install.

Even if you don't have Xupiter, you need to make sure your security
settings are such that you'll always, always, *always* be asked before
any downloaded software installs itself. We'll show you how in a moment.

For the first problem--- getting rid of Xupiter--- the site Dave
mentions above can help; so can http://www.spywareinfo.com/newsletter/ .

It's a little hard to root out Xupiter, but it can be done.

For the second problem--- incorrect security settings--- we covered one
way to set up your browser security to prevent software from self-
installing in an old issue at http://www.langa.com/newsletters/2000/2000-09-07.htm#3

There's a better and easier way at PC Pitstop: take their free tests,
and if they find that your browser security settings are not optimal,
they'll offer simple point-and-click fixes that work very well.
http://www.pcpitstop.com

When your browser is set up properly, you'll always get an "OK to
install?" dialog whenever a program tries to force its way onto your
system. If you want the program, that's fine--- just say yes. But if you
don't, the right security settings will let you refuse the installation,
and that's the way it should be.


----------



## AlanSmith (Sep 28, 2002)

The free program Ad-aware from www.lavasoft.de safely and easily removes Xupiter, Huntbar and other browser hijackers and spyware programs from your computer.

Use the latest reference file dated 9-24-2002.

Alan


----------



## TonyKlein (Aug 26, 2001)

Yup, and so does Spybot - Search & Destroy: http://security.kolla.de/ , again providing that the latest updates have been applied.


----------



## EmrldSky (Sep 9, 2002)

I don't know if anyone on here realizes...but if you use Kazaa and run ad-aware, it'll find a program called Cydoor...if you delete it, you'll have to reinstall Kazaa...without Cydoor, Kazaa won't work. =o/ it really really sucks.


----------



## TonyKlein (Aug 26, 2001)

That's why it's a good idea to uninstall Kazaa, run Ad-Aware, and install a P2P program that is _not_ dependent on spy/foistware to run.

KazaaLite is a popular alternative.

So are WinMX, and many others.


----------



## brendandonhu (Jul 8, 2002)

As TonyKlein mentioned, KazaaLite is the best alternative to Kazaa. The reason being that it connects to the same network, so you can access the same files.


----------



## AlanSmith (Sep 28, 2002)

There are three different ways of obtaining the latest reference file: 

1. If you just downloaded aaw.exe, it should already include the latest reference file. You can check that by installing and running Ad-aware and looking at the status bar on the bottom. It should say 'Signaturefile in use : 042-24.09.2002'. 

2. For future use you can download and install RefUpdate 2.0. Then whenever you need to run Ad-aware again, you can run RefUpdate first to update your reference file. In RefUpdate, select a server that works. 'digital-solutions.co.uk' seems to work. Be sure to check the status bar on Ad-aware when you run it afterward to see if it shows the latest reference file. 

3. Download the reference file from a mirror site. You have to try all the mirror sites to see if any of them has it. The RefUpdate method above is the easiest way to get the latest reference file. 

Alan 


> I downloaded the aaw.exe file but was unable to get 
> the latest reference file dated 9-24-2002. The link 
> did not work to that file. Do you have any 
> suggestions as to how else to obtain the latest 
> reference file. Thanks in advance.


----------



## Guest (Oct 14, 2002)

hey i got this email from Carlos, but i have not the slightest clue on what to do... :

Hi! I made a major mistake when deleting this [email protected]#[email protected] parasite from my computer. Well, I deleted the Code Store Database file entirely, how will this affect my computer? I didn't have any dates setup for system restore, so I cannot use that! I followed the rest of your recommendations to delete the parasite and I think I did so, but I'm worried for the deletion of Code Store Database file! What is gonna happen now? I have a Windows ME Operating System. I'll appreciate your response. 
Thank you!
Carlos


Thanks guys,
Laura


----------



## TonyKlein (Aug 26, 2001)

That particular Code Store Database entry only referenced the corresponding Xupiter ActiveX object in Downloaded Program Files.

There's absolutely nothing to it, and it couldn't affect your computer in any way imaginable.

Cheers,


----------



## LisaM (Nov 4, 2002)

I have been following this thread with great interest. I was directed to your website today from one of the Community Newsgroups at Microsoft. 

For the past 2 weeks, I have been having problems with IE. In the middle of browsing, a box would pop up telling me that IE had caused an invalid page fault in one of several DLL modules. The only response was to close IE and start again. Very annoying. Right around the same time, I started noticing the Xupiter toolbar - which I certainly did not install. I put 2 and 2 together and figured that the Xupiter mess was the source of my problems. 

I was directed today to the Xupiter uninstall website and the toolbar has disappeared. Suddenly (with my fingers crossed), the invalid page faults have disappeared. When I check Windows Explorer, I still have program files for Xupiter in the computer but the toolbar is gone from my browser. Most importantly, as of now, so are my problems. 

Should I delete these program files? I am too scared to go into the Registry unless I absolutely have to. To delete these files, do I just highlight them and hit delete or is there something else to do?

Your forum (which I just joined) is terrific!

Lisa


----------



## TonyKlein (Aug 26, 2001)

Don't remove them manually, if you don't want to.

Download Spybot - Search & Destroy

It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

It's an excellent alternative to Ad-Aware, which has been updated less than frequently in recent times, and it handles Xupiter without a problem as well.

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .

These aren't needed for your present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check All', and have SpyBot remove all it finds.

Good luck,


----------



## LisaM (Nov 4, 2002)

Tony: Thanks for the quick response. I will go to Spybot first thing tomorrow. I tried Ad-Aware earlier today and it didn't find Xupiter. 

Do you think that Xupiter could be the source of all of my invalid page faults? I didn't have the problems which other people have described in this thread (i.e. taking over my home page, etc..) but the invalid page faults were a nuisance. It was just too coincidental that my problems started at the same time that I noticed the Xupiter toolbar. 

Thanks again. I will report back after installing Spybot.

Lisa


----------



## TonyKlein (Aug 26, 2001)

Ad-Aware will remove Xupiter, provided you install the latest reffile before having it scan your drives.

However, there's a new version out, with components that as yet only SpyBot discovers.

As for your page faults, you could have other malware installed, or it could be due to something else again.

Wait a little before you run SpyBot, and do this first, please:

Go to http://www.spywareinfo.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

Unzip, doubleclick it, and it will generate a text file that will list all running processes, _all_ applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and please post the contents here.


----------



## LisaM (Nov 4, 2002)

Tony: When I installed and unzipped it, it became a Word document in gibberish.


----------



## TonyKlein (Aug 26, 2001)

It doesn't install. It just runs, and creates a list.

That's strange.

After unzipping, did you find a Startuplist.exe file inside?

And when you doubleclicked that, you got the garbled Word document?

Would you download it again, unzip it once more, and try again?

If no joy, rename the exefile to Startuplist.*com* and doubleclick _that_.


----------



## LisaM (Nov 4, 2002)

Tony: I followed your newest instructions but nothing would work. The first time it was gibberish again. When I renamed it startuplist.com, a dialog box popped up and said that the program had performed an illegal operation and would be terminated. The details section said that it had tried to execute an invalid instruction.


----------



## LisaM (Nov 4, 2002)

Tony: I just got my first new invalid page fault since uninstalling Xupiter (at least I ran the uninstall for Xupiter). The details were:
"Explorer caused an invalid page fault in module MSHTML.DLL at 0187:6358fcb7"

Any thoughts?

Lisa


----------



## TonyKlein (Aug 26, 2001)

Lisa,

I wonder what exactly it was you downloaded.

I doubt it was Startuplist, or else you somehow got a corrupted copy.

I suppose other applications _do_ work? Like other programs you install?

Or if you go to C:\Windows, and doubleclick Notepad.exe, Notepad does open, I assume?

In that case it can only be the file you downloaded.

And we do need to see the list if we're going to offer any meaningful advice.

If you don't mind, send me a Private Message with your e-mail addie, and I'll send you an unzipped, working copy of Startuplist.exe.


----------



## LisaM (Nov 4, 2002)

Tony: It worked like a charm. The following are the results from the Startuplist:

StartupList report, 11/4/02, 4:27:06 PM
StartupList version: 1.34.0
Started from : C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GJ4PQ5IX\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\GATOR.COM\GATOR\GATOR.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GJ4PQ5IX\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
SystemTray = SysTray.ExE
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
TaskMonitor = c:\windows\taskmon.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

[>PerUser_MSN_Clean] *
StubPath = c:\windows\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = c:\windows\COMMAND\sulfnbk.exe /L

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[>IEPerUser] *
StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 1/11/2002, 13:11:28)

[Rename]
C:\WINDOWS\SYSTEM\WMPCD.DLL=C:\WINDOWS\SYSTEM\SETB6.TMP
C:\WINDOWS\SYSTEM\WMPCORE.DLL=C:\WINDOWS\SYSTEM\SETB5.TMP
C:\WINDOWS\SYSTEM\WMPLOC.DLL=C:\WINDOWS\SYSTEM\SETB4.TMP
C:\WINDOWS\SYSTEM\WMP.OCX=C:\WINDOWS\SYSTEM\SETB3.TMP
C:\WINDOWS\SYSTEM\WMPUI.DLL=C:\WINDOWS\SYSTEM\SETB2.TMP
C:\WINDOWS\SYSTEM\WMVCORE.DLL=C:\WINDOWS\SYSTEM\SETB1.TMP
C:\WINDOWS\SYSTEM\WMASF.DLL=C:\WINDOWS\SYSTEM\SETB0.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
@ECHO OFF
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
REM [Header]
REM [CD-ROM Drive]
REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001
REM [Miscellaneous]
REM [Display]
SET PATH=C:\PROGRA~1\DELL\RESOLU~1\COMMON\BIN

--------------------------------------------------

C:\CONFIG.SYS listing:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
REM [Header] 
REM [CD-ROM Drive]
REM DEVICE=C:\CDROM\SSCDROM.SYS /D:MSCD001 /PIO
REM [Miscellaneous]
REM [Display]
DEVICE=c:\windows\setver.exe

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

@echo off
REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer 
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows 
REM you to load programs that you might not want loaded in Windows, 
REM (because they have functional equivalents) but that you do 
REM want loaded under MS-DOS. The two primary candidates for 
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the 
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD 
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match 
REM the string in CONFIG.SYS following your CD-ROM device driver.
REM MSCDEX.EXE /D:OEMCD001 /l:d
REM REM REM REM REM MOUSE.EXE
C:\SBPCI\APINIT
REM REM REM REM LH C:\PROGRA~1\MICROS~1\MOUSE\MOUSE.EXE
REM REM REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
REM REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
REM C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE
C:\PROGRA~1\LOGITECH\MOUSEW~1\MOUSE.EXE

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\VGIEHELPER1-2-0-27.DLL - {00000000-623A-11D4-BCDB-005004131771}
(no name) - C:\WINDOWS\SYSTEM\RDXPH.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
(no name) - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL - {c900b400-cdfe-11d3-976a-00e02913a9e0}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan for Viruses.job

--------------------------------------------------

Enumerating Download Program Files:

[Rotor.VersionControl1]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ROTOR.DLL
CODEBASE = http://www.rotor.net/packages/Rotor.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[VgCompanion Class]
InProcServer32 = C:\WINDOWS\SYSTEM\VGIECOMPANION1-2-0-27.DLL
CODEBASE = http://www.videogate.com/vgcdownloads/salton/vgiecompanion.exe

[{15589FA1-C456-11CE-BF01-00AA0055595A}]
CODEBASE = http://www.twistedhumor.com/program_files/2002/alf-britney/BritneySpecInstall.exe

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\SHOCKWAVE 8\DOWNLOAD.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[DmiReader Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SYSPROFLCD.DLL
CODEBASE = http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1097/V31Controls/x86/w98/en/actsetup.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.elx.com/free_plugin.exe

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/23f5a3241498b86b4014/netzip/RdxIE6.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

[{280168BC-76BF-4CD0-B835-3D686EFA8DDC}]
CODEBASE = http://www.xupiter.com/uninstall/XupiterToolbarUninstaller.cab

--------------------------------------------------
End of report, 10,922 bytes
Report generated in 0.859 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TonyKlein (Aug 26, 2001)

Well, you still have quite some foistware left, some of which Ad-Aware should have detected, incidentally.

Go to Start > Run, type Msconfig, and uncheck the following items on the Startup tab:

GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe 
Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe 
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe 
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE 
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE" 
LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

Click OK, close Msconfig, but don't reboot at this point.

Now download BHODemon, launch the program, and locate the following BHOs: RDXPH.DLL and WHIEHLPR.DLL

Highlight each one, click 'details', and in "Select Status" click *disabled*

Click OK, and close the program

Now go to Internet Options > Settings > Show Objects, and delete the following ActiveX objects:

[Rotor.VersionControl1] 
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ROTOR.DLL 
CODEBASE = http://www.rotor.net/packages/Rotor.CAB

[{15589FA1-C456-11CE-BF01-00AA0055595A}] 
CODEBASE = http://www.twistedhumor.com/program...SpecInstall.exe

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}] 
CODEBASE = http://www.elx.com/free_plugin.exe

[RdxIE Class] 
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL 
CODEBASE = http://207.188.7.150/23f5a3241498b8...tzip/RdxIE6.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}] 
CODEBASE = http://www.xupiter.com/search2/inst...olbarLoader.cab

[{280168BC-76BF-4CD0-B835-3D686EFA8DDC}] 
CODEBASE = http://www.xupiter.com/uninstall/Xu...Uninstaller.cab

Finally, reboot.

You may want to run SpyBot S&D now, in the manner I advised before.

Cheers,
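
Added example (not part of any post in this thread, and not StartupList's own code): a small Python parser for the StartupList report format posted above, which lists Browser Helper Objects and flags "Download Program Files" entries for manual review. The review rules (no InProcServer32 line, an .exe CODEBASE, a raw-IP host, a host on a caller-supplied watch list) and all function names are assumptions made for illustration; the sample text is an excerpt of the report above.

```python
import re
from urllib.parse import urlparse

# Excerpt trimmed from the StartupList 1.34.0 report posted in this thread.
SAMPLE_REPORT = r"""
Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\RDXPH.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
(no name) - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL - {c900b400-cdfe-11d3-976a-00e02913a9e0}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}]
CODEBASE = http://www.elx.com/free_plugin.exe

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/23f5a3241498b86b4014/netzip/RdxIE6.cab

[{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

--------------------------------------------------
End of report, 10,922 bytes
"""

SECTION_RULE = re.compile(r"^[-=]{20,}$")  # dashed/equals rule between sections
BHO_LINE = re.compile(
    r"^(?P<name>.+?) - (?P<path>.+) - (?P<clsid>\{[0-9A-Fa-f-]+\})$")


def split_sections(report):
    """Return {section title: [non-empty body lines]}.

    The first line after a rule is taken as the title; sections that share
    a title (the three 'Autorun entries from Registry' blocks) are merged.
    """
    sections, title = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RULE.match(line):
            title = None
        elif title is None:
            title = line.rstrip(":")
            sections.setdefault(title, [])
        else:
            sections[title].append(line)
    return sections


def parse_bhos(lines):
    """Parse 'name - dll path - {CLSID}' lines."""
    return [m.groupdict() for m in map(BHO_LINE.match, lines) if m]


def parse_downloaded_programs(lines):
    """Parse '[name]' headers followed by 'Key = value' lines."""
    entries = []
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            entries.append({"name": line[1:-1]})
        elif " = " in line and entries:
            key, value = line.split(" = ", 1)
            entries[-1][key.strip()] = value.strip()
    return entries


def review_reasons(entry, watch_hosts=()):
    """Illustrative review rules (assumptions, not StartupList behaviour)."""
    reasons = []
    parsed = urlparse(entry.get("CODEBASE", ""))
    host = (parsed.hostname or "").lower()
    if "InProcServer32" not in entry:
        reasons.append("no InProcServer32 listed")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("CODEBASE is an .exe, not a .cab")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("CODEBASE host is a raw IP address")
    if any(host == h or host.endswith("." + h) for h in watch_hosts):
        reasons.append("CODEBASE host is on the watch list")
    return reasons


def triage(report, watch_hosts=()):
    """Return (BHO list, {entry name: reasons}) for entries worth a look."""
    sections = split_sections(report)
    bhos = parse_bhos(sections.get("Enumerating Browser Helper Objects", []))
    programs = parse_downloaded_programs(
        sections.get("Enumerating Download Program Files", []))
    flagged = {}
    for entry in programs:
        reasons = review_reasons(entry, watch_hosts)
        if reasons:
            flagged[entry["name"]] = reasons
    return bhos, flagged


if __name__ == "__main__":
    bhos, flagged = triage(SAMPLE_REPORT, watch_hosts=("xupiter.com",))
    for bho in bhos:
        print("BHO", bho["clsid"], bho["path"])
    for name, reasons in flagged.items():
        print(name, "->", "; ".join(reasons))
```

A flag only marks an entry for a closer look; an unflagged entry is not thereby cleared, and a flagged one is not necessarily unwanted.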


----------



## LisaM (Nov 4, 2002)

Wow...I noticed that you said I should prevent the Gator program from starting. I actually like Gator since it remembers my passwords. I assume that, in the Startup tab, I should leave the Gator eWallet. Should I also leave the GStartup.Ink?

Do any of the other files have something to do with Gator?


----------



## TonyKlein (Aug 26, 2001)

I think you should get rid of Gator, as it phones home about your browsing habits.

Read this: http://www.cexx.org/gator.htm

Go for RoboForm

It is a lot smarter than Gator, contains no spyware, and will even allow you to import Gator data.

You can't lose! 

I'd advise you to do that, import the Gator data, and then uninstall Gator

The other startups are unneeded, and LDM/Backweb also phones home.

The two BHO's are foistware as well. Here's about your Webhancer BHO:

http://www.cexx.org/webhancer.htm

And the ActiveX objects definitely have to go as well.

All these things slow you down, cause conflicts, and error messages.


----------



## Bladeaholic (Nov 12, 2002)

xupiter.com invades your life if you install kazaa. Voila, let it be known 

I don't think it leeched on when I installed grokster on another machine, but it definitely came with kazaa. So tell all your friends and enemies to stay away from kazaa, and use grokster if they can...


----------



## brendandonhu (Jul 8, 2002)

Or just use KazaaLite. It's the EXACT same thing, same files, same interface as Kazaa but it has no ads/spyware.


----------



## Bladeaholic (Nov 12, 2002)

I think I was mistaken. I believe the xupiter.com baggage came along with grokster - rather than kazaa, which I mistakenly posted yesterday. I did install grokster on one machine without getting the plague but when I installed it two months later on another, it came with baggage - xupiter.com.

Both machines are running Windows 2000 Pro, if that tells anyone anything. I also installed kazaa lite on a Win 98 box without the baggage. Scum baggage like xupiter makes me think seriously about becoming a terrorist!

Just kidding  
James


----------



## Bladeaholic (Nov 12, 2002)

Spybot removes xupiter like a champ 

Wow, I was impressed by this program. The author is destined to become rich one day. This is a tool NO ONE should be without!

You can find it at any of these sites:

http://beam.to/spybotsd
http://security.kolla.de/
http://www.majorgeeks.com/article.php?sid=2471&cat=16
http://www.pcworld.com/downloads/file_description/0,fid,22262,00.asp
http://www.net-integration.net/downloads/spybot.html
http://www.winload.de/download/13795/0190-Warner/Spybot++S&D-1.0.html

Enjoy!


----------



## munchkin (Nov 25, 2002)

I have read through all the messages and tried most everything... gulp... I hate going to regedit. I have deleted all visible files linked with xupiter, but am left with this problem:

When I use the explorer search address bar on IE, it says:

The page cannot be displayed 
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings. 

Great. I've tried everything that I can to fix this and it just won't work. Before xupiter hijacked my search function it was fine. I realized I had xupiter and began deleting its files and that's when I lost my search function. 

I was able to correct the search function on the toolbar icon with "Customize" option, however, I cannot fix the actual search window on the toolbar. 

Any suggestions???


----------



## TonyKlein (Aug 26, 2001)

Hi! 

I'd start by repairing Internet Explorer:

Control Panel > Software add/Remove > MS Internet Explorer > Remove > Repair IE


----------



## munchkin (Nov 25, 2002)

That did it!!! 

THANK YOU. I never knew that was an option when you add/remove Internet Explorer. 

You put a smile on my day!!


----------



## TonyKlein (Aug 26, 2001)

Great! 

Good to hear that fixed it for you.

Cheers,


----------



## LisaM (Nov 4, 2002)

Hi Tony: 

Quick question for you. When I run msconfig, I noticed that something called Hidserv.exe is checked in the Start Up process. Can I safely uncheck this?

Thanks,

Lisa


----------



## TonyKlein (Aug 26, 2001)

Lisa,

You can use Pacman's List of Startup Applications to determine what should stay, and what needs to go.

It holds more than 1800 entries, and you'll find Hidserv there as well.

Cheers,


----------



## LisaM (Nov 4, 2002)

Thanks, Tony, as usual, for your help!

Lisa


----------



## Fire an' Ice (Nov 28, 2002)

Finally managed to get rid of the damnable thing by following the link http://www.xupiter.com/uninstall Good riddance to the b****rd and all....


----------



## DianaG (Nov 29, 2002)

This is a multiple part problem, but falls under that dastardly Xupiter.com "menace to society." First of all - background on computer. I have an HP Pavilion model 8755C with WinME (which HP tells me is not advisable to upgrade to Win2000, by the way), so I'm stuck with ME's problems, which so far I've managed to work around, with a few minor cussing sessions. I also have cable broadband (roadrunner), which I opt to access through AOL, version 8.0. So, please no ME or AOL bashing, please. The ME I can't do anything about and the AOL is being debated. But I will keep my cable broadband through Roadrunner! I love it! I also have Ad-Aware, and both McAfee antivirus & firewall.

Two weeks ago, while accessing the internet through AOL, but opting to do my searching through explorer - the Xupiter.com also mysteriously appeared, every time I tried to do a search. It would give me an error reading and default to Xupiter, unless I knew the specific web address of what I was hunting. However, I had no problem whatsoever getting there through AOL, which I ultimately had to do. OK, I did everything their website said to do to get rid of it. Nothing worked, either. The "uninstall" feature defaulted to the "install" feature. Numerous emails went unanswered, also. So, I found the Techguy website, printed out all the posts and started each suggestion 1 by 1 to get rid of it.
Just for the heck of it, I went back to Xupiter's website, and the uninstall actually worked this time. It's gone finally. Yea!!! BTW, Ad-Aware did NOT detect the files in my computer, even with updates.

HOWEVER, at about the same time Xupiter mysteriously appeared on my computer, the following problems developed in my computer, which I'm tackling one by one with a handy-dandy list I made as a result of the same time frame. I could not update McAfee, check for virus scans, update firewall, download virus updates. Those problems will be addressed with McAfee. I also went to update the WinME recent updates, and here are the error messages I received. 

While restarting my computer after the Win updates, I got this message: "Windows could not upgrade from %1 to %2." It idled awhile, then the following reason came up: Error: C:windows\system\inetcpl.cpl

I have no clue what this means, but it eventually booted up after idling for awhile, and seems to be running ok, but what is this error and does it have anything to do whatsoever with Xupiter.com? Thanks for any opinions.


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board.

As for your %1 to %2 error, do a search for a file named *wininit.ini* 
If you find it, delete it.

_Don't_ touch Wininit.*exe* or *Win*.ini.

Reboot, and tell us whether that makes a difference.


----------



## DianaG (Nov 29, 2002)

> Hi, and welcome to the board. 
>
> As for your %1 to %2 error, do a search for a file named wininit.ini 
> If you find it, delete it. 
>
> Don't touch Wininit.exe or Win.ini. 
>
> Reboot, and tell us whether that makes a difference.

Tony - that file is not on my computer.


----------



## TonyKlein (Aug 26, 2001)

It usually is the cause.

However, if in the meantime you rebooted once again, your wininit.ini will have been renamed to wininit.bak, which explains why you weren't able to find it.

Are you still getting that error message, or has it gone now?

No relation with Xupiter, BTW, I think.


----------



## DianaG (Nov 29, 2002)

> However, if in the meantime you rebooted once again, your wininit.ini will have been renamed to wininit.bak, which explains why you weren't able to find it.
>
> Are you still getting that error message, or has it gone now?
>
> No relation with Xupiter, BTW, I think.

No, I haven't rebooted since I got the error message, HOWEVER, I did find wininit.bak! Should I delete that?


----------



## TonyKlein (Aug 26, 2001)

You sure can, but it will not make much of a difference one way or the other.

Could you try rebooting, and see whether you'll get the error again, please?


----------



## DianaG (Nov 29, 2002)

> You sure can, but it will not make much of a difference one way or the other.
>
> Could you try rebooting, and see whether you'll get the error again, please?


Tony...

I rebooted and didn't get the message again - it booted up fine, and I also deleted the wininit.bak file. BTW, this website is great.
I'm not exactly a newbie (been online for 6 years), but the tech stuff is something I just don't have time to get into on a regular basis unless a problem happens. Normal maintenance, etc., is about my speed. What I like about this is that I get "layman's terms." I don't have to be retrained every Monday morning. I have a younger sister who is one of those who had url's and networking, building computers, etc., spliced into her DNA by some unknown alien intelligence, and makes a handsome living at it. However, when I ask her a tech problem I first get a "poor baby, you are so deficient in your cerebral cortex, please endure - yet again - my patronizing scolding speech, and then I may or may not answer the question in phraseology you can understand. That's your price for me being a legend in my own mind." My reply is, "Respect your elders, unless you want an elder's foot up your you-know-what. I might be middle-aged, but I'm not braindead and buried yet."

Again, Tony - thank you for your help.


----------



## TonyKlein (Aug 26, 2001)

You're welcome, Diana.

I trust that will have been the last you saw of that particular error message.

Cheers,


----------



## Charmed1 (Dec 3, 2002)

I've been reading through some of the messages left about Xupiter and I ran into this problem on Thanksgiving day of all days. I was made aware of the Xupiter problem through another online group that I am in so when my start page changed I took a look and sure enough there it was. Ok...I went and did a file search for it and deleted out all the files and thought that took care of it but tonight I went to do a search from the address bar and it wouldn't search right. So I went to the Search button and it was Xupiter Search so I tried to customize it and it wouldn't let me do that. I was then told to go through my registry by going to Start/Run/regedit.exe...ok I did that and sure enough I had some leftovers. Needless to say, I deleted out them items and rebooted but...I still can't search from my address bar and If I go to the top of my browser (IE) and go to View/Toolbars....Xupiter is listed in the options. I've tried looking for a .dll file and can't find one....so how do I fix this and get that out of there and be able to search from the address bar again. Also, I found the exe's in my startup when I go to MSCONFIG and I do have them unchecked....is there any way of removing them from there too? Any help would be greatly appreciated!


----------



## TonyKlein (Aug 26, 2001)

Hi,

Download Spybot - Search & Destroy

It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.

It removes Xupiter quite easily.

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after *closing down Internet Explorer*, hit 'Check All', and have SpyBot remove all it finds.

SSD will sometimes not be able to remove all _active_ components in the first 'run'. 
In that case you will get a dialog asking you to run SSD at next start. 
Click yes and reboot. SSD will then come up before the system puts these components 'in use'. 
You will then be able to fix everything.

Good luck,


----------



## Charmed1 (Dec 3, 2002)

I did as you suggested and it worked!! Thank you ever so much for helping resolve this problem! There was lots of stuff from this xupiter lingering and now all traces of it are gone. Thanks again!! You were a tremendous help!!!!!


----------



## Charmed1 (Dec 3, 2002)

ok....I'm still having some problems with searching from the address bar. How do I resolve this?? When I type in a search word instead of searching, it goes to that like it's a web site. I was able to search from the addy bar before all these xupiter problems.


----------



## Charmed1 (Dec 3, 2002)

Ok, never mind....lol. I did an Internet Explorer repair as suggested in an earlier message. I think it was #101.....and it fixed my problem.


----------



## twenty4 (Dec 6, 2002)

Just wanted to say thanks for all the info, searched for days until i found your site. Now all that crap is off my computer.


----------



## kaweenee (Dec 7, 2002)

Thanks so much to all who have contributed suggestions to this thread. My daughter came home for Thanksgiving...and left me with the Xupiter gift (as well as a cold!) I thought that Adware had repaired all of my files but....I still had Xupiter popping up in the Search bar, etc. Spybot has taken everything else away but I still can't run a search from the address bar. I tried to follow your advice and go thru Control Panel to repair Explorer but it didn't show up in the programs!!! Any ideas????


----------



## TonyKlein (Aug 26, 2001)

Hi, and welcome to the board.

If you've never upgraded IE, it won't feature in the Software list.

In that case, upgrade your installation of Internet Explorer itself. What version are you running now, please?

Also, if you're running XP, here's how to repair IE:

How to Reinstall or Repair Internet Explorer and Outlook Express in Windows XP (Q318378)


----------



## kaweenee (Dec 7, 2002)

Thanks, Tony. I am just backing up my registry...just in case. I am running XP and IE 6.0 with the xpsp update....


----------



## kaweenee (Dec 7, 2002)

Okay...now I am confused. I followed the info, edited the registry, and uninstalled IE. I then rebooted and got a message "Internet Explorer has been uninstalled". When I prepared to reinstall, I got a message saying that I couldn't complete the installation because I was "missing necessary files....run setup again". I tried but I wasn't able to do so. Strangely enough, I clicked on the IE icon...and still have it on the computer but not in the Control Panel.
Am I doing something radically wrong???


----------



## TonyKlein (Aug 26, 2001)

I don't understand exactly what you did. You shouldn't uninstall IE, just install it on top of itself, like explained in the article:

Go to Start > Run > *Regedit*.

Drill down to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

Right-click the *IsInstalled* value in the right pane, click 'Modify', change its value from 1 to 0, and then click OK.

Quit Registry Editor.

Now Windows ought to let you reinstall.

Would you try that again, please?

Empty the contents of your %UserName%\Local Settings\Temp directory completely as well.

Before you set about installing IE again, make sure you shut down all unnecessarily running programs, especially your antivirus.


----------



## kaweenee (Dec 7, 2002)

It worked! This is like having Mr. Wizard in the room with me...Ain't technology wondrous? 
I had done it correctly (didn't uninstall IE, merely tried to reinstall over old IE)...but I hadn't shut down the virus programs.
Thanks so much, Tony. You and the Spybot guys should get rich one day soon! (Just fyi for the folks online, I pay upwards of $50 for tech service!!! Hope you are doing well!)


----------



## TonyKlein (Aug 26, 2001)

Hey, I'm relieved to hear you managed to get everything working again! 

Now let's hope that also took care of your Xupiter problem.

It may actually not have, but in that case please repost, and we'll get rid of it another way.


----------



## lunarcub (Dec 7, 2002)

i have xupiter on my browser too!!!
i have run:
ad aware -3 times
nortons twice
swat it -once (took 11 hours)
reg cleaner
and i still have it
what can i do
hellllllllp


----------



## TonyKlein (Aug 26, 2001)

Neither of those will remove the latest version of Xupiter.

Norton, Swat-It, and RegCleaner because they don't 'do' spyware, and Ad-Aware because it hasn't been updated for eons.

Download Spybot - Search & Destroy

It looks for spyware, but also targets dialers, keyloggers, and other nasties, and it's freeware.
It deals with all versions of Xupiter without a prob.

After installing, go to the Online tab, and search for and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, _after closing down Internet Explorer_, hit 'Check for Problems', and have SpyBot remove all it finds.

NOTE: SSD will sometimes not be able to remove all _active_ components in the first 'run'. 
In that case you will get a dialog asking you to run SSD at next start. 
Click yes and reboot. 
Subsequently SSD will come up before the system puts these components 'in use', and it will then be able to 'fix' the rest.

Good luck,


----------



## irvingaggie (Dec 11, 2002)

I have found the following instructions to remove Xupiter from our network computers seem to work.

Find the following registry key using regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .
Delete the 'XupiterStartup' entry

Unregister 3 dll files by typing in the start / run line:
regsvr32 /u "C:\Program Files\Xupiter\Updates\XupiterToolbar.dll"

regsvr32 /u "C:\Program Files\Xupiter\Updates\XTUpdate.dll"

regsvr32 /u "C:\Program Files\Xupiter\Updates\XTSearch.dll"

Restart your computer and you should be able to now delete the Xupiter folder in c:\Program Files.

Now delete the registry keys:
HKEY_CURRENT_USER\Software\Xupiter

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Restore Database\Distribution Units\A27CFCAE-9351-4D74-BFFC-21EB19693D8C

Hope this helps!

Pat Swartz


----------



## a50sfreak (Dec 14, 2002)

Some people were asking about the different ways that people got the lovely Xupiter bug on their computer...this is how I got it on mine:
I'm a member of a webboard on www.WTKS.com where someone posted a link to a quiz...(last online quiz I'll ever take unless it's from the Quizilla website, BTW) the quiz was called What Drink Are You? and it seems that pretty much everyone that clicked on that quiz ended up infected with Xupiter. Luckily I didn't have some of the problems that I've heard about like the form windows in search engines automatically being completed...that's really scary!

I think I've cleared it all up now and I just wanted to contribute to the great TSG website and thank everyone here for all of your help!

By the way, I'm a 'Bourbon and Soda' drink, which is quite interesting since bourbon and ginger is what I always drink...sure did suck that I had to go thru the Xupiter experience to find out that I drink what I already drink, lol...


----------



## Rhettman5.1 (Sep 25, 2002)

Anyone reading this post, click tools and then internet options, then advanced, scroll down to the boxes for install on demand, make sure to uncheck them, don't allow these sites to load BS on your PC...Rhett


----------



## brendandonhu (Jul 8, 2002)

Well, I was just going to pacs-portal.co.uk and I clicked an external link, it started a cycle of popups and said "You must install the following component to view this page" then it gives the box asking if you would like to install xupiter. I hate when they do that, I always click no and see if the site works, because you rarely need an activex control or anything to view a site. The only one I can remember that I wanted was 1 for a multiplayer game site and 1 at a site that displays your hardware information.


----------



## a50sfreak (Dec 14, 2002)

Ok, so I think I've removed all the Xupiter crap from my computer, I edited a bunch of crap in my HKEY's (whatever, I just followed all the instructions I found in this thread), I installed, updated and ran Spybot Search and Destroy, Panicware's Pop-Up Killer and also BHO Demon later, just to be sure (it found nothing except a Norton BHO)...I did pretty much every single fix I found on this entire Xupiter thread (which, I might add, was totally awesome!).

I'm running Win2000Pro with IE 6.0 for my browser.

Here's the problems I'm having which I could find no other solutions for in these forums:

First, in the Address Bar I still can't do any searches without getting "The page cannot be displayed" for a result. At least I don't get that damn Xupiter page, though...*whew*

Secondly, I've gone to a couple of links that can be used to remove yourself from someone else's Buddy list on Yahoo, http://www.bysf.room41.net/nobuddy.html and also http://www.geocities.com/drakkar355/denybuddy.html which used to both work for me, but now when I try to use them and submit my information, I get an Invalid Cookie error. Neither of them are a secure site so I can't add them to my trusted sites. Both of these sites go to http://edit.yahoo.com/config/set_buddygrp and Yahoo is set to accept cookies already...hmmm...I was just thinking, maybe Yahoo has changed their own site so that could be the problem and it's just a coinkydink that I'm having this problem after I had the Xupiter problem...whatdaya think?

Edit: I just went to check my mail and somehow my desktop shortcut for Outlook Express (my default mail program) was missing...I couldn't find the program under Start - Programs either...I checked in my Norton Recycle Bin and there it was, I recovered it and when I started it up it said that Outlook Express wasn't currently my default mail program...WTF is up with that? I'm scared now, or something...

Thanks for all help in advance!
Karin


----------



## TonyKlein (Aug 26, 2001)

As for the Address Bar search issue, you could try repairing IE, or if that doesn't help, re-install or upgrade to IE 6.0 SP1.


----------



## a50sfreak (Dec 14, 2002)

> _Originally posted by TonyKlein:_
> *As for the Address Bar search issue, you could try repairing IE, or if that doesn't help, re-install or upgrade to IE 6.0 SP1.*


I have already installed Service Pack 1 for IE 6.0 and I don't see anything in my Add/Remove Programs that will let me repair IE...I thought I remember seeing it back when I had Win98SE but that wasn't that many months ago and I don't think I've been there since I installed Win2000Pro. I already tried to re-install IE from the Microsoft web site but it won't let me cuz it says I already have a newer version on my computer.

Thanks again,
Karin


----------



## TonyKlein (Aug 26, 2001)

There's a trick:

Go to Start > Run > *Regedit*.

Drill down to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}

Right-click the *IsInstalled* value in the right pane, click 'Modify', change its value from 1 to 0, and then click OK.

Quit Registry Editor.

Now Windows will let you reinstall.


----------



## a50sfreak (Dec 14, 2002)

> _Originally posted by TonyKlein:_
> *There's a trick:
> 
> Go to Start > Run > Regedit.
> ...


Ok, cool...you forgot to tell me to restart though...I went on the Microsoft page right after I did the Regedit thing and it still wouldn't let me reinstall IE. Then I restarted and I got a message that says that IE had been uninstalled and asked me if I wanted to reset my personal settings or something. And, of course, my Address Bar search works just fine now...one day I'd like to know how to change the default search engine in my Address bar to Google instead of MSN. *wink*

TY again,
Karin


----------



## TonyKlein (Aug 26, 2001)

I'm a bit mystified about what happened there. I've done this myself a few times, and there's no question of uninstalling IE, or rebooting.

You change the reg value, and simply install IE on top of itself.

Anyhow, nice to hear everything's again working like it should.

And Googlifying your browser is a cinch:

Download this file to make Google the default search engine for Internet Explorer: http://www.google.com/google.reg
The "search" button will then bring up a Google search box down the left side of your browser.

The "Search The Web" menu option from the "Go" menu will take you to Google.

When you click on the above link, IE will ask you whether to open or to save the file.

Select "open" to immediately make the changes.


----------



## a50sfreak (Dec 14, 2002)

Ok, that was interesting, indeed...
When I first clicked on your Google link I got a browser window that read in plain text:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""="http://www.google.com/keyword/%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://www.google.com/ie"

So, I promptly copied that info in case I needed it later or something and clicked one more time on your link, only then did I get the installation and confirmation boxes.

Google comes up now as my Search engine only when I click the Search button but the one in the Address Bar still defaults to MSN (yes, I opened a fresh browser to test it)...I do have Start Page Guard installed on my computer but it didn't send me any messages that anything had been altered...let's see what happens when I reboot now. I didn't want to do that before I responded because I would have lost the info above that I had stored on my clipboard.

*Edit:* After I restarted, Start Page Guard said that my Search page had been changed but the values for Default Search URL, Search Bar, Search URL and Search Assistant all say NOT USED (OK)...note: I didn't install the Start Page Guard until after the Xupiter calamity happened and I forgot to mention about it before. Can I just uninstall Start Page Guard, do I need to have it or will all the other fixes I applied keep Xupiter or something else from changing it again?

Also, I'm having problems with my browser windows opening too small at first, I have to hit the Maximize thingy every time and some smaller browser boxes don't even have the Maximize option and it seems like I'm having a hard time getting to see everything in those smaller windows.
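The leftovers listed in the manual removal steps earlier in the thread and the search settings written by the google.reg file quoted above can both be checked offline against a registry export. The following is an added example, not code from any poster or from the tools discussed: it parses REGEDIT4 text, reports the Xupiter indicators named in this thread, and lists any IE search setting that points at a host outside an allow-list. The sample export, its host names and its file names are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the manual removal steps posted in this thread.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
XUPITER_RUN_VALUE = "XupiterStartup"
XUPITER_KEY = r"HKEY_CURRENT_USER\Software\Xupiter"
XUPITER_DIR = r"C:\Program Files\Xupiter"
XUPITER_DIST_UNIT = "A27CFCAE-9351-4D74-BFFC-21EB19693D8C"  # matched anywhere in a key path

# IE search settings written by the google.reg file quoted in this thread
# (value names lower-cased; "" is a key's default value).
SEARCH_SETTINGS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main": {"search page", "search bar"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL": {""},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search": {"searchassistant"},
}

# Constructed sample export (not from a real machine); hosts and file names are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"XupiterStartup"="C:\\Program Files\\Xupiter\\constructed-name.exe"

[HKEY_CURRENT_USER\Software\Xupiter]
"Constructed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.google.com"
"Search Bar"="http://search.hijack.example/bar"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
@="http://search.hijack.example/find?q=%s"
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}}.

    String data is unescaped; other types (dword:, hex:) are kept as raw text.
    Sections of the form [-KEY], which delete a key, are skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = None if m.group(1) else keys.setdefault(m.group(2), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            current[name] = data
    return keys


def xupiter_leftovers(keys):
    """Return (kind, key_path, value_name) for each indicator named in the thread."""
    found = []
    for path, values in keys.items():
        p = path.lower()
        if p == RUN_KEY.lower():
            for name, data in values.items():
                if name.lower() == XUPITER_RUN_VALUE.lower() or XUPITER_DIR.lower() in data.lower():
                    found.append(("run-entry", path, name))
        if p == XUPITER_KEY.lower() or p.startswith(XUPITER_KEY.lower() + "\\"):
            found.append(("vendor-key", path, ""))
        if XUPITER_DIST_UNIT.lower() in p:
            found.append(("distribution-unit", path, ""))
    return found


def search_hosts(keys):
    """Return {(key_path, value_name): host} for the IE search settings present."""
    wanted = {k.lower(): v for k, v in SEARCH_SETTINGS.items()}
    hosts = {}
    for path, values in keys.items():
        names = wanted.get(path.lower(), set())
        for name, data in values.items():
            if name.lower() in names:
                hosts[(path, name)] = urlparse(data).hostname
    return hosts


def unexpected_search_hosts(keys, allowed):
    """Search settings whose host is missing or not in the allow-list."""
    return {k: h for k, h in search_hosts(keys).items() if h not in allowed}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for kind, path, name in xupiter_leftovers(parsed):
        print(f"{kind}: {path} {name}".rstrip())
    for (path, name), host in unexpected_search_hosts(parsed, {"www.google.com"}).items():
        print(f"search setting {path} [{name or '(default)'}] -> {host}")
```

To use it on a real machine, export the relevant branches from Regedit to a text file and pass the file's contents to `parse_reg`; on Windows 2000/XP choose the Win9x/NT4 (REGEDIT4) export type so the file is plain ANSI text.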


----------



## TonyKlein (Aug 26, 2001)

About your browser windows:

Right-click the Internet Explorer icon on the Quick Launch toolbar (or your IE shortcut in Start Menu) and select Properties. 
On the Shortcut tab, next to Run, click the down arrow and select Maximized. 
Click OK, and the next time you click that icon, Internet Explorer will take over the entire screen.

If it doesn't, please repost, and we'll deal with it.

This does _not_ work for windows opened by clicking hyperlinks.

These have to be resized manually:

Start IE, right click any link on a web page, and select Open in a New Window.
Go back to the first IE window you opened and close it.
Return to the second window and manually drag it to fill the screen.
(Do not use the maximize button, for that's a temporary setting that will not be retained.)

Now press the Ctrl button, and close this second window, holding the Ctrl button depressed, using 'close' in the File menu (important!).

This should force Windows to remember the settings, and windows will now open maximized.


----------



## Guest (Dec 14, 2002)

Once again i have been overtaken by this dreadful website, Xupiter. Thankfully, spybot has done the job of removing xupiter cleanly as far as i know. My question is, now xupiter has gotten itself on my computer 3 times. I don't know where this weed has come from, but how can i prevent it? Isn't there some sort of block? Gator and Xupiter are most commonly removed with spybot on my computer. i just want to know how i can stop them from being there in the first place.
Thanks so much,
- laura


----------



## TonyKlein (Aug 26, 2001)

Hi,

1) Go to IE > Tools > Windows Update > Product Updates, and install ALL Critical Updates listed.

2) Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

- Set ALL ActiveX options that are at present set to 'allow', to 'prompt'.
- In the 'Scripting' section, set "Allow paste operations via script" to Disable or Prompt.

Now you will be _asked_ whether you want ActiveX objects to be executed and whether you want software to be installed.

Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

3) And some more advice:

Install Javacool's SpywareBlaster

It will protect you from all spy/foistware in its database.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on _your_ computer).
Press "select all", then "kill all checked", and you're done.

The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.

Don't forget to check for updates every week or so.

There's a small board at Wilderssecurity as well.


----------



## Guest (Dec 14, 2002)

hey tony, 
i did all u suggested, but upon trying to open spyware blaster i got a message saying "run-time error '339'. Component 'mscomctl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid"
what does this mean? and what can i do?

thanks so much you are such a big help
-laura


----------



## TonyKlein (Aug 26, 2001)

Hi Laura.

Take a look here:

SpywareBlaster problems with MSINET.ocx or MSCOMCTL.ocx? Read in...


----------



## eternalpunk (Dec 24, 2002)

Hey guys i just recently got this thing from browsing also.

I did everything you guys posted and it was still there.

The thing that got rid of it is SPYBOT. Even after i searched the reg myself spybot found 12 entries.

I had to repair IE because Xpoopiter destroyed my search.

Thanks for all the help. I might have to visit more often.


----------



## Toddles18 (Jul 18, 2001)

This must be the most persistent and common problem people are having across the web. Every time I go into the who's online page I see multiple guests viewing this thread. I was only "offered the chance" to download this software once so far. I respectfully declined. That so many people are having problems with this just goes to show that you should always read what those little annoying IE pop-ups about installing software say before you click yes. Other ones to avoid are the Date and time one, and of course Gator. I know there's more to avoid but no others come immediately to mind.


----------



## TonyKlein (Aug 26, 2001)

Oh, there's much more than that:

Adware, Spyware and other unwanted "malware" - and how to remove them

http://www.mvps.org/inetexplorer/Darnit.htm

http://217.115.153.73/parasite/


----------



## brendandonhu (Jul 8, 2002)

Toddles18, don't forget about Spywareblaster, it will prevent you from installing many of the Install On Demand spyware programs.


----------



## TonyKlein (Aug 26, 2001)

But only providing they use ActiveX, so it doesn't protect you from everything.

Just see it as an extra layer of protection.


----------



## boadie (Jan 9, 2003)

went to www.xupiter.com/uninstall like you guys told me, now i'm rid of xupiter and all of its evil. thanx a lot you guys. most helpful site i come across. thank you again


----------



## brendandonhu (Jul 8, 2002)

No problem 
Toddles, those boxes don't give any insight as to whether or not it's spyware, or what it does. But you can get the name and do a search for it.


----------



## LisaM (Nov 4, 2002)

Are you guys familiar with something called Sqwire.com? It just managed to insert itself on my toolbar. Is there a removal tool?


----------



## ~Candy~ (Jan 27, 2001)

If it just happened, you might try a scanreg /restore to the day prior.....I just had something similar mess with my toolbar too, and going back one day eliminated it.....


----------



## LisaM (Nov 4, 2002)

Actually...I went to their home page and found an "uninstall" feature. So far, it has worked. I was afraid that it had taken over my computer just like Xupiter.


----------



## PooFace (Feb 14, 2003)

Xupiter struck one of my friends and I got blamed for having pop-up ads on my site. I know I don't have any ads, and it took me quite a while to figure out what was happening. My friend is in adware denial now. Anyone know how I could convince him he's got it on his system and it isn't my site?

If only I could wrap my hands around the neck of the little imp that wrote it... that'd be nice.


----------



## brendandonhu (Jul 8, 2002)

Sqwire is basically a different version of Xupiter.

To prove it to him should be easy.
First- have him run an online spyware scan in IE at
http://doxdesk.com/parasite/

It should find Xupiter. If it does, he can use Spybot to remove it.
If not, it's probably other Spyware, have him scan with spybot anyway.

Then print out the HTML code to your site, showing that there is no code that would trigger a pop up.


----------



## xupiterinfo (Feb 18, 2003)

Hi all,

I found this old post by the same guy who OWNS [email protected]

he lists his cell phone how nice of him to make this information public! why not give him a call and tell him how you feel about his software?

more info can be found in this news article:

http://www.wired.com/news/infostructure/0,1377,57553,00.html

-- original post by xupiter owner below

On Thu, 18 Oct 2001 [email protected] wrote:

> 
> Hello, 
> 
> I found your site listed on googles search engine and wanted to see if we could work out a deal. I am the owner of CashClicks and therefore have the ability to work out special deals. Our base payout is $35/trial signup but I am willing to start you off at $40/trial signup because I really want your business. Also, our sites are niche and convert extremely well and outperform most programs on the web. It would be great if you could throw our banners up for a week to see what I mean. If you have any questions at all feel free to phone me or email me and if you do decide to give us a try, email me with your account username so I can adjust your payrate to $40/signup. Let me know. 
> 
> Thanks, 
> Dan. 
> 
> -- Daniel Yomtobian 
> Erika Online Inc. 
> 15445 Ventura Blvd Suite 318 
> Sherman Oaks, CA 91403 
> 
> www.CashClicks.com 
> 
> Phone: 818-728-6677 
> Cell: 818-516-3091


----------



## Almeiraz (Jun 2, 2003)

1. HOW XUPITER GETS INSTALLED:

You will see a button on your bottom bar, saying .....Microsoft.
It looks like a minimized window. If you right-click it, it gives you the option "close". Close it, and it goes away. If you double-click it, thinking it will restore the window to its full size, so you can see what it is, it installs the monster, Xupiter.

2. It always comes - so far - with another button, with a ...Lake name, which shows a pretty lake scene, for you to use as a free wallpaper. Do not do it - it's loaded with spyware. Just close it.

3. Even though Spybot got rid of Xupiter completely, for weeks I would see the above two buttons appear, moments after I turned on my machine, without being connected to the Internet. I could not figure out what was notifying someone out there that my computer just got turned on.

I hit "control-Alt-delete" and checked all the programs there. At the bottom was something I could not recognize, called "USBportdetect". I wondered if that might be the culprit, detecting my open port and passing on the info.

I then hit "start", "find", and I entered "USBportdetect". Sure enough, it was a folder in my C drive. First, I deleted it by sending it to the recycle bin. I waited days to make sure my machine ran well without it. It did, so I "emptied" the recycle bin. I have not seen those 'lake' and Xupiter buttons since, and I am so happy!
I have no idea who or what installed that "USBportdetect" but I bet it gets installed with Xupiter, it does not uninstall by its "uninstall" program, and it is not detected by Spybot.

Together with Spybot, I use "stop-the-pop-up" constantly, from http://www.sureshotsoftware.com/stopthepop/index.html?source=appvisit 
and I love seeing the thousands of pop-ups it kills.


----------



## daweeda2000 (Jun 11, 2003)

XUPITER DIE DIE DIE!!! Even after running the uninstaller, I found TWO instances of them on my system using Spybot Search & Destroy. I was (Cut words here) infuriated that I sent them an email, stating: "You have one of 2 serious (and Here) problems. Either, you invaded my machine and privacy, harassed me, and are subject to legal action; OR there is nothing illegal (putting morality aside momentarily) about running software on someone else's machine without their permission, in which case, I will SOON have some of MY software running on YOUR servers. Have a nice day, And again here!!!!"

I have yet to hear a reply, apology, or restraining order.

Edited out unnecessary comments! Dave


----------



## Davey7549 (Feb 28, 2001)

daweeda2000
Welcome to TSG!
I edited out your unnecessary and vulgar adjectives. Please do not use that type of language at TSG even if you are upset and need to express yourself!

Dave


----------



## daweeda2000 (Jun 11, 2003)

oops... sry bout that... I thought the ** would have been ok... My bad. 

Otherwise, thx for the warm welcome


----------



## Crossfire (Sep 11, 2002)

You can't deny, though, that Xupiter certainly does deserve every last expletive that is thrown at it. Bleepin' verminous browser-hijacking scumware garbage... If there isn't a law, there should be.


----------



## Davey7549 (Feb 28, 2001)

I totally agree Crossfire but I would rather see language the old cartoon character "Mumbles the Dog" used! 
*Rassin Fracking, Friggin, Frackin!* XJupiter....... RapidBlaster Flaster Rassin Frackin!!!

Take Care

Dave


----------



## *aussie_blondie (Nov 29, 2002)

This is the thing, this xupiter THING, that's nearly trashed my comp....had me in tears for nearly all day. I've just realised. What IS it......not a virus, 'just' a web site that installs onto people's comps? How DARE they? 
My problems started off with getting an 'error8007ffff' when i tried to save a pic to my hd; that may not be related to xupiter. Then the 'find' thingy couldn't find files that I knew were there. Then, with ie open, suddenly I'd be taken off to this xupiter site and 8, 9, 10 copies of ie would open, all from xupiter. My recycle bin got its attribute reset to hidden. I've run a virus checker, no virus.
Thanx for letting me vent. Is there anything we can do about this? I mean as far as the pea brains who dreamt this little trick up.
I've looked in my registry.....no xupiter. I'll go back now and read through all of your other suggestions. GRrrrrrr @ them silly people!


----------



## Crossfire (Sep 11, 2002)

> What IS it......not a virus, 'just' a web site that installs onto 
> people's comps?

More than that, and worse than that, as you've learned the hard way. It hijacks the browser to turn it into what is essentially a slave of xupiter.com - xupiter becomes your home page, it becomes your default search method, it becomes a huge chunk of your bookmarked favorites, AND it installs a program that automatically resets any changes you might try to make. It seems that it might also report [to whom?] your surfing activities. That little farglebargle [how's that, moderator?] of a program hooks into the RUN key in your registry to ensure that it can load, run, and reset your browser to xupiter's own settings whenever you reboot.

The absolute WORST thing it does is exploit inadequate browser security to install itself in the background without the user's consent, and that IMHO is inexcusable. Or, if you do happen to get hit with a version that ALLEGES to ask for your consent, you still can't trust it at all. It WILL install itself, regardless. In my experience, if you see it asking you whether you want it to install, it's too late - it already has installed, and apparently the prompt exists only to give the hapless victim a false sense of security.

In addition to the usual security tools you'll see recommended here, I would also recommend installing Microsoft's WinTop utility - it lists ALL running processes, even system processes that wouldn't normally be shown by Ctrl+Alt+Del, and allows you to shut down nearly any one of them, even stubborn ones that won't respond to a click on the [X]. WinTop probably could be used to help kill Xupiter manually - the program itself MUST be killed if you ever hope to reset your browser to the way it was.


----------



## daweeda2000 (Jun 11, 2003)

I actually downloaded the uninstall util from their site, and it removed the user visible end of its program; however, using Spybot search & destroy (available at www.shinobiresources.com ), I found 2 instances of their software elsewhere on my machine.

Regarding ways to fight such software, aside from blocking their site or installing very tight protective software, I see only 2 actions.

1 - I know this seems impossible to organize, but introduce legislation (to whatever governing bodies influence Internet policy... yes, there are actually some that govern ISP actions) that institutes higher user interaction for installing software on PC's. While a tangled mess, this WILL eventually become a critical issue if more companies take actions like XUPITER.

2 - If no governing body or judicial authority wants to touch this issue, then they probably won't say anything if some of our own.... errrr.... software finds its way onto XUPITER's servers. Fair is fair.... if they want to play hardball, they have to be able to take it as well as they dish it out. (Note to moderator) I'm not advocating malicious hacking and destruction.... but I am stating what many of us feel... that our PC's are our personal property, and many of us spend quite a bit of time tuning them for optimal performance, and when a piece of unwanted software is FORCED on us, that it is a personal attack, and an affront to our privacy and even our civil liberties. In such event, we have a right to protect ourselves. Moreover, we do not feel that we should have to merely protect our systems from attack... we have a right to eliminate the threat if it is aggressively searching for us.

It's analogous to a foreign military power rolling down the streets in your neighborhood. You don't JUST turn your home into a bunker capable of repelling an attack, you are after all not subject to THEIR rule. They are in YOUR neighborhood. XUPITER doesn't own the Internet. They are blind redirecting from other sites even! Lax protection of your own machine IS unacceptable, but with the resources available to the individual vs. a corporation like STUPIDER, the tables are tilted in their favor, and I have had about all I can take.

- Internet Freedom Fighter Coalition of the Southern United States of P.O'd Net Doggies


----------



## *aussie_blondie (Nov 29, 2002)

Exactly, that's just how I feel. It's MY computer, how dare they put something on MY property? And I'm too intimidated to even email them 'cos heaven knows what they might do with an email address or ip number.


----------



## *aussie_blondie (Nov 29, 2002)

Thought I'd go find 'WinTop' rather than ask here......but can't find. Is it shareware, please?


----------



## someguy03 (Jun 15, 2003)

This evil creation of some psycho has attacked me as well. Xupiter was installed on my computer but i used ad-aware and spybot to get rid of it. The problem is that I think it harmed my computer. I can't enter chat rooms on yahoo. When I try to, IE closes itself. Please help.


----------



## brendandonhu (Jul 8, 2002)

Someguy-Try reinstalling Java. The yahoo chats are powered by java.
http://java.sun.com


----------



## someguy03 (Jun 15, 2003)

OK, thanks...I reinstalled java, but it still doesn't work. Any other ideas?


----------



## Crossfire (Sep 11, 2002)

To aussie_blondie - WinTop is an "unsupported" Microsoft product, which basically means that they'll give you a free copy to download, and you use it at your own risk. It's a simple little program, and I've never had any problems with it. At any rate, try searching Microsoft's site. You might find it in the "Power Toys" section.

What WinTop does is show you a list of all running processes, even hidden ones, and how much CPU time each of them is using. [That can be quite useful when you're trying to find out what is slowing down your machine.] Processes in the list can be expanded to show how many threads they are executing and, again, the CPU usage of each thread. By right-clicking on a process to bring up a short menu, you can usually force it to shut down, even when it is not responding. This is a good way to close programs that have locked up and/or refuse to be closed, and it is often a better method than Ctrl+Alt+Del.

I would use it to shut down anything that doesn't look right before I ran a check with SpyBot, etc. One could probably manage a complete removal of garbageware such as Xupiter without having to reboot and run another check, which is usually necessary because SpyBot apparently can't shut down such programs on its own - it can just ensure that it won't run again at the next startup by deleting the program and its registry keys. The program, however, remains active in memory. Shut it down first, and you can probably kill it completely with just one SpyBot check.


----------



## Crossfire (Sep 11, 2002)

Quick update... It's in the "Kernel Toys" download section of microsoft.com, filename W95KRNLTOYS.EXE. [Search for kernel toys.] This little package is meant for Win95 machines, but it works on Win98 too. I don't know about any newer versions - I couldn't find any - and I doubt you'll get any answer from Microsoft if you ask them, since they state that it's unsupported.

The entire download is only about 56K.


----------



## steamwiz (Oct 4, 2002)

someguy03

Go to C:\windows\download program files...look for any Java applets that are damaged and delete them...if in doubt delete everything in the folder...you'll be prompted to re-download them again if or when they are needed.


----------



## someguy03 (Jun 15, 2003)

Yes! It worked! Thank you sooooo much.


----------



## steamwiz (Oct 4, 2002)

someguy03

You're welcome 

steam


----------



## Gwynn (Aug 21, 2003)

I've read this whole thread and while I did not have xupiter I had a relative of it, the IGetNet version. 

I found out about this parasite while visiting a friendly site and was referred to the doxdesk site (previously linked in this thread) and followed all the instructions and have no further problem. One thing I notice no one has reiterated here is the 'HOSTS' file, the one with no extension of SAM. It's in the instructions to open this file with notepad and remove the following:

216.177.73.139 auto.search.msn.com 
216.177.73.139 search.netscape.com 
216.177.73.139 ieautosearch 

and then save the file again. This apparently affects searching in the address bar and prevents this parasite from redirecting a search to their site. 

Gwynn
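
The HOSTS-file check described in the post above, as an added example that is not part of the original thread: it parses a hosts file, flags search hostnames pinned to a routable address, and produces a cleaned copy. The function names and the `WATCHED` set are assumptions of this example, and the sample file is constructed around the three entries quoted in the post.

```python
import ipaddress

# Names that should resolve through DNS, never a local override (taken from the post above).
WATCHED = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every mapping line in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        yield line_no, ip, [n.lower().rstrip(".") for n in fields[1:]]

def suspicious_entries(text, watched=WATCHED):
    """Return (line_no, ip, name) for watched names pinned to a routable address."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 lines are blocklist style, not redirects
        for name in names:
            if name in watched:
                hits.append((line_no, str(ip), name))
    return hits

def cleaned(text, watched=WATCHED):
    """Return the hosts text with every flagged line removed, the rest untouched."""
    bad = {line_no for line_no, _, _ in suspicious_entries(text, watched)}
    kept = [l for i, l in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample: a default localhost line plus the three entries from the post.
SAMPLE = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
216.177.73.139 auto.search.msn.com
216.177.73.139 search.netscape.com   # trailing comment
216.177.73.139 ieautosearch
0.0.0.0         ads.example.invalid
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE):
        print(f"line {line_no}: {name} -> {ip}")
```
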


----------

