complaints

[wyocowboy]

I've tried using the latest (as of 5/12/05) version of MS
Antispyware to get rid of the remnants of adware on a
customer's machine. The main holdup at this point is the
lack of information provided in the MS/AS popups. They do
offer a link for more information, but when you click on
them, it just takes you to the MS/AS website home page,
which is useless - make it context-based and give me the
specifics, or tell me that there is no info. Don't make me
hunt for it.

If the alerts referenced the dll or file that is trying to
install, in this case, Xupiter, then you can hunt it down
and kill it. If I tell MS/AS to remove it, it claims to
have done so, offers to do a scan, but does not find any
further trace. Logging off/on as the same user starts the
sequence all over again.

Same sort of issue when it pops up and says that something
is trying to change the Internet Zone settings - just tell
me what is trying to do it!

 

[bill sanderson]

As you've observed, you aren't clean yet.

I'd recommend updating the antivirus defs, and restarting
in safe mode, and scanning with both Microsoft Antispyware
and your antivirus in that mode. Scan with both until a
scan comes through clean.

This isn't a guarantee at all, but you have a better
chance of success, particularly with a bug that Microsoft
Antispyware identifies, but isn't cleaning successfully in
normal mode.

You should also take a good look at the tools, advanced
tools, system explorers. These will show you the vast
majority of the bugs, if you know what to look for, but
I've not worked with Xupiter--I'm not sure whether it will
show there or not, and what to look for. Use google to
find cleaning instructions, in general--or check, for
example, Symantec's site to see if they have a automated
cleaning tool.

 

[Andre Da Costa]

Expect to see changes to this in beta 2.

 

[Ed Barba]

I had to use Spyware Doctor and Sunbelt Counterspy to remove Xupiter. None
of the other products even saw it for me.
Ed

 

[fireryone]

hi wyoCowboy

Try Spybot Search & Destroy and try the beta version too (Beta2) with latest
(beta) defs.
and and AdAware SE (Pro/Trial) if the client isnt a business try the
AdAwareSE Personal too.
Bazooka AntiSpyware & Adaware tool.

--
---------------
fireryone

SCI-FI Quote:
"I will love the light for it shows me the way, Yet I will endure the
darkness for it shows me the stars." -Og Mandino

Say NO to TCPA http://www.againsttcpa.com/what-is-tcpa.html

(Drunk Duck- Free Online Comics)
http://www.drunkduck.com/?r=5353

(Warhead's Freeware Game Collection)
http://earth.prohosting.com/fware

 

[AndyManchesta]

Hi there to get rid of Xupiter for good check for any of
the following in case MS Antispy has missed any of the
entries

There's a few variants of this so it could be called any
of these :

Xupiter , Xjupiter , Xupiter/2003 , BrowserWise ,
Xupiter/Browser , Sqwire , OrbitExplorer


The only variant that has a built in uninstall is the
orbit explorer so check the add/remove screen for this
entry (orbit or orbit explorer)

Id advise using adaware & spybot to remove any traces of
this that may be left

Ad-Aware SE

http://www.download.com/3000-2144-10045910.html?
part=69274&subj=dlpage&tag=button

Spybot S&D

http://ejrs.com/spybot/spybot.exe



Here's some of the registry entries for this but go for
the two removers above first as they both target this


Manual Removal :

Open the registry (from the Start menu, click Run and
enter regedit) and find the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi
on\Run.

Delete the entries

'XupiterStartup'
'XupiterCfgLoader'
'SQUpdatesChecker'
'SQConfigChecker' (Sqwire variant)
'OrbitUpdate' and 'OrbitView' (OrbitExplorer variant).

Open a DOS command prompt window (Start->Programs-

Accessories) and enter the following commands to

deregister the toolbar (Xupiter and BrowserWise
variants):

first copy and paste the first line in and press enter
then copy and paste the second line in which starts
regsvr32 and ends with .dll"


cd "%WinDir%\System"



regsvr32 /u "\Program
Files\Xupiter\Updates\XupiterToolbar.dll"

regsvr32 /u "\Program Files\Xupiter\Updates\XTUpdate.dll"

regsvr32 /u "\Program Files\Xupiter\Updates\XTSearch.dll"


(The earliest variants of Xupiter didn't have the
XTSearch.dll file, so don't worry if this last command
gives an error.)


For the 2003 variant, use:


cd "%WinDir%\System"

regsvr32 /u "\Program Files\Xupiter\XupiterToolbar.dll"

regsvr32 /u "\Program Files\Xupiter\XTUpdate.dll"

regsvr32 /u "\Program Files\Xupiter\XTSearch.dll"


For the Browser variant, use:

cd "%WinDir%\System"


regsvr32 /u "\Program
Files\Browser\Updates\BrowserToolbar.dll"

regsvr32 /u "\Program Files\Browser\Updates\BWUpdate.dll"

regsvr32 /u "\Program Files\Browser\Updates\BWSearch.dll"



For the Sqwire variant, use:

cd "%WinDir%\System"

regsvr32 /u "\Program Files\Sqwire\t.dll"

regsvr32 /u "\Program Files\Sqwire\u.dll"

regsvr32 /u "\Program Files\Sqwire\s.dll"



For the OrbitExplorer variant, use:

cd "%WinDir%\System"


regsvr32 /u "\Program Files\Common Files\OE\toolbar.dll"

regsvr32 /u "\Program Files\Common
Files\OE\redirector.dll"

regsvr32 /u "\Program Files\Common Files\OE\search.dll"


Restart the computer and open the Program Files folder.
Delete the

'Xupiter'
'Browser'
'Sqwire'
'Orbit'

and in the OrbitExplorer variant also the 'OE' folder
inside Common Files. For the Sqwire and OrbitExplorer
variants, you should also open 'Downloaded Program Files'
in the Windows folder and remove the 'Loader class' entry
if it is there.

You can now restore your home page (Internet Options-

General->Home page) and your search settings (Internet

Options->Programs->Reset web settings).

You can also delete the settings to clean up : open the
registry and delete the key

HKEY_CURRENT_USER\Software\Xupiter,

HKEY_CURRENT_USER\Software\SQ (Sqwire variant) or

HKEY_CURRENT_USER\CLSID\{0FDA4D2B-7975-405d-8D7C-
F5E2247EAE80} (OrbitExplorer variant).




Here's a write up on Xupiter from a site called wired
news


It's a browser toolbar that some swear is doing "drive-by
downloads" -- installing itself without users'
permission -- then taking over their systems and making
it impossible to uninstall.

"When I find the bastards who programmed this thing I'd
be happy to castrate them with a pair of dull pinking
shears," fumed one of Xupiter's many unhappy victims in a
newsgroup posting.

Xupiter is an Internet Explorer toolbar program. Once
active in a system, it periodically changes users'
designated homepages to xupiter.com, redirects all
searches to Xupiter's site, and blocks any attempts to
restore the original browser settings.

The program attempts to download updates each time an
affected computer boots up, and has been blamed for
causing system crashes. Several versions of Xupiter also
appear to download other programs, such as gambling
games, which later appear in pop-up windows.

Some said that Xupiter has taken over their browsers.

"Random words and characters now appear when I attempt to
enter info on search sites or other forms. It's as if
there's a ghost in my machine," New York resident Beth
Vanesky said.

Xupiter.com is registered to a company called Tempo
Internet, in Gyongyos, Hungary. Calls and e-mails to
Tempo were not returned.

Xupiter offers an uninstall utility, but many said that
it didn't work, and in some cases made things worse.

"I ran the Xupiter Uninstall, and now every time I try to
launch Explorer I get error messages saying 'Xupiter is
not installed properly, please reinstall,'"

Xupiter has spawned long message threads on some tech
support sites, as users wrestle to reclaim their machines
from the terrible toolbar.

"When Xupiter first appeared, we spent a week trying to
figure it out," said Mike Healan, of
SpywareInfo. "There's a monstrous thread with over 26,000
page views where a couple dozen of us tested it until we
figured what it did and how to deal with it."

But Healan said that every time people sort out what
Xupiter is doing, Xupiter's programmers tweak its code.
It also appears that Xupiter may be selling its "service"
to other websites.

"About once every month or two this software starts
hijacking people to a new site," Healan said. "And every
time a new version comes out, it adds a different startup
entry, uses a different method to change the search
function and is basically a bigger pain to remove."

Xupiter's site claims the toolbar isn't installed without
express permission, but many insisted that they had not
agreed to install the program.

"Xupiter is the worst thing I've ever personally
encountered on the Internet," said Ed Olexa. "You only
realize that it has been installed when you start your
browser and see that Xupiter's search page is now your
homepage."

Olexa had to manually edit his system registry to remove
Xupiter.

"Xupiter seems to have the ability to reinstall itself if
each and every component is not removed," Olexa
said. "Computer novices might never really get rid of
it."

Healan recommended Spybot Search & Destroy to eradicate
the program.

Healan said some installations probably occurred when
people clicked "OK" in a pop-up box without really
knowing what they had agreed to, or when they meant to
close the pop-up window.

Xupiter is also being bundled along with at least one
peer-to-peer file-sharing program. And the toolbar will
install itself automatically when Internet Explorer's
security settings aren't set to the highest level.






Hope this helps


Andy