Xupiter (IE 6 Sp1)

Topic

New Reply

I recently had quite a surprise. I was “xuped” by Xupiter. It hijacked my browser. I was able to completely remove it using Spybot Search and Destroy. Has anyone had the same experience. I would like to know what I should do to prevent it from occurring again. My IE secrurity settings are set at the default. I also blocked http://www.xupiter.com from my browser. Any other advice? Thanks

Reply | Quote

Replies

Don’t be surprised if it continues to happen again. There exists a whole new breed of downloads and hijacks that only require you to mouse over them. You can supress the automatic occurrences of this by setting your Security settings to at least medium and either disabling or prompting your various custom settings in the ActiveX controls, java and scripting to suit your needs.

Reply | Quote

Thank you both for your suggestions, especially the articles about this. What a pain! Too bad these programmers can’t put their talents to use for the good of all.

Reply | Quote

Do you know if these hijackers rely on the ‘OnMouseOver=’ command? If so, Proxomitron includes a filter that can deactivate mouseover commands, replacing the command with ‘OnPheasantOver=’ … a little on the silly side perhaps, but it stips mouseovers in their tracks.

Reply | Quote

David, I do not know. I have been trying to find exactly from where Xupiter is executed so I can view the code. It is quite surreptitious and I always happen to have multiple instances of IE open when it downloads. It seems even more aggressive now as I have acquired it without prompts and have been sleuthing to find the offending page. If I catch it I will post back.

Reply | Quote

Bruce–
Xupiter’s web page came up–possibly it was linked to something– didn’t think much about it and some time later, Paint Shop Pro trialware appeared downloaded, but I hadn’t gone to Jasc to download it. I looked for it with Ad Aware, and didn’t find it–searched out the file and thought I had deleted it, then looked in the Registry and found it at:

HKEY_CURRENT_USER>Softwear>Xupiter

defrag

Reply | Quote

I agree with Bruce. If you want stop this from happening, you are going to have to limit the “active content” in your Internet zone. There is always a price for security — ever lock yourself out of your car?

Well, if you want your computer secure from these cretins, you’re going to have to lock it up tighter. It is your choice.

Here is some reading:

Browser Hijacking
Homepage Hijackers
Adware, Spyware and other unwanted “malware” – and how to remove them

Reply | Quote

I’ve pretty much given up on Swiss cheese IE and switched to Mozilla. The only issue I’ve run into with Mozilla is downloading .RAR files. It’s probably some setting that I need to tweak.

Reply | Quote

Thank you both for your suggestions, especially the articles about this. What a pain! Too bad these programmers can’t put their talents to use for the good of all.

Reply | Quote

I would recommend double checking your Program files for Xupiter .dll files that can remain despite Spybot’s efforts. Also, I would search your registry and remove all instances of Xupiter. When you do this, watch carefully for names with X immediately before and after those entries as they are Xupiter entries as well and need be deleted. As always, perform a registry back up before tooling around in the event of a muck up.

Reply | Quote

Thanks for your advice. There were still a few instances where I found xupiter and deleted them from the registry.

Reply | Quote

I also installed “Browser Hijack Browser Blaster” from one of the websites mentioned for more information. I wish I could remember which one! Sorry. Its supposed to monitor the use of Active X and java scripts. IF you are interested, I could send you the downloaded file.

Reply | Quote

Here are some sites–looks interesting Gottlieb. Thanks for the offer.

Wilder Security
Browser Hijack Blaster Released Spam Cop List

There are active suits in multiple jurisdictions against a number of these–including one against the purple chimp Bonzi Class Action Filed Against FUI Bonzi Software demanding $500 for each victim.

defrag

Reply | Quote

Here’s an interesting development. I have Browser Hijacker Blaster installed and running. Twice in the last two days while not using IE, an alert came up stating that the home page was changed from http://www.excite.com to [nothing]. I try to change it back and it keeps changing back to nothing. If I check the home page under “General Internet Options” there are six ?????? in the box. The only way that I can get it to stay, is to reboot the computer. I also got an alert that a new BHO was detected from Adobe. I ran both adaware and spybot and nothing was picked up. Any ideas?

Reply | Quote

Here’s an interesting development. I have Browser Hijacker Blaster installed and running. Twice in the last two days while not using IE, an alert came up stating that the home page was changed from http://www.excite.com to [nothing]. I try to change it back and it keeps changing back to nothing. If I check the home page under “General Internet Options” there are six ?????? in the box. The only way that I can get it to stay at my home page, is to reboot the computer. I also got an alert that a new BHO was detected from Adobe. I ran both adaware and spybot and nothing was picked up. I have XP firewall installed and tested at some testing sites and the computer is secure…all ports are closed and my IP is not pingable. This morning (I leave the computer on all night) I checked the computer and Browser Hijacker had an alert screen up telling me that the home page was changed again. I uninstalled Browser Hijacker, and I haven’t had this problem all day. Any ideas?

Reply | Quote

Since your Browser Hijacker Blaster didn’t work (and I don’t trust it anyway) check out this homepage hijacker page and see if it or it’s links might help.

Also, I failed to mention to remove a Xupiter ActiveX object in your Downloaded Program Files folder. Find that @#$!% and exterminate! It has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}.

Sorry I couldn’t be of more direct help

Reply | Quote

Thanks for the website. I did find a mention of the” start page as none” using “Hijackthis” software mentioned in a link on the site you suggested. I deleted it, so we’ll see what happens. I checked the Downloaded Program Files folder and that ID is not there. Thanks for all of your time and help.

Reply | Quote

I did end up on a forum with the address you sent and communicated with the author of Browser Hijacker Blaster who did admit af ter a while that his software might have caused the problem re: changing the home page to nothing! He said, “Wait until version 2 comes out.”!! Thanks again

Reply | Quote