Ridding/Avoiding spyware/hijackware programs on your PC

Avoiding surreptitious installation of spyware/hijackware

From tride on 11/25/02
I've just come across a fascinating program that uses an idea I hadn't thought of before to stop spyware from running. It's called "SpywareBlaster" and it can be found from Spywareblaster. It works by setting the "kill bit" of well-known spyware ActiveX controls, such as Comet Cursor, Xupiter, and so on. After this has been done, the spyware will not run on your computer, and best of all - if you go to a page which would otherwise automatically install it, IE will recognise that the kill bit is set and refuse the installation. All other ActiveX controls will work fine. It's probably worth pointing out to your readers that if they have any software which uses spyware, disabling it in this way may cause these programs to stop functioning. It's probably best to run Ad-Aware [or Spybot] first to detect the spyware and which programs they come from, and then to install SpywareBlaster afterwards. I found this on the "Spyware Weekly" newsletter at SpywareInfo

by nick_danger_3rd_eye on Feb-25-03 at 13:30
I think just about every single program you download, with few exceptions, wants to become your best buddy and take over things, and you just have to tell them 'no' by setting the proper preferences. I think most of a Netscape download gives you an opportunity to keep it in the background, by way of selecting options in various popup windows.

The Pacs Portal page has been great in helping me keep out as much as possible from my startup menu, where most of those downloads want to live. I also downloaded Startup Monitor to let me know when programs try to sneak into the startup menu. It's very useful to have when doing downloads.

The Internet has countless shareware programs, many of which are great additions to your computer. Some, however, are likely to give you more trouble than they're worth.

Kim's advice is to skip the following downloads:
Comet Cursor
Bonzi Buddy
Go Hip

If you've already downloaded and installed one or more of these programs, you've probably discovered that getting them off your system is a much more challenging task than getting them on.

Here's where to go for step-by-step instructions on removing each program:

Comet Cursor
Bonzi Buddy
Go Hip

From: http://www.komando.com/tips_show.asp?showID=2787

For Fee "Virus Removal Utilities by OnlinePCfix" http://www.onlinepcfix.com/spyware/Xupiter.htm

A list of known adware and spyware vendors and products can be found on various sites around the Internet, such as this one:
Adware, Spyware and other unwanted "malware" - and how to remove them

Gator and Xupiter Removal

What Xupiter does:

Xupiter consists of an Internet Explorer toolbar containing link buttons to the search engine at xupiter.com and a task run at Windows startup which downloads updates to the software and may launch pop-ups. It also contains functionality to periodically hijack your home page and search settings to point to xupiter.com, and add links pointing to xupiter.com to your bookmarks. It consists of hidden program files, a plugin, and a sneaky, very well hidden ini or inf file, and makes changes to your system registry. The plugin allows Xupiter to call home for the updates, and possibly report your search and browser use. (thus it is also spyware)

How did I get the parasite?

Many programs that you d/l come with spyware and you have to take care to realize what you're d/l-ing. The comet cursor {curse} is one such item. However, in the case of Xupiter it most likely rode in because you visited a web site that took advantage of your lower IE ActiveX security settings.

Adjustment of security settings

Security settings are a matter of personal choice, but on the IE menu bar, under tools> internet options> under the security tab (with Medium security selected for the Internet zone)> under the Custom level button, you should change your activeX settings to:
ActiveX controls and plug-ins... prompt, prompt, enable or prompt, enable, enable.
If you were to set everything for prompt, IE will be asking all the time if you will allow this or that.
Then go down to your java settings and set for "high safety". Those are not the only security settings a user should make "as a matter of choice" but that should keep you from getting the Xupiter curse again. Unless you accept a pop up d/l and then it's your fault.

How to get rid of the Xupiter Tool bar:

First confirm that you have Xupiter by Start>Run> msconfig .. look under the startup tab and see if it is running. Unchecking the box will have no effect because Xupiter just reloads itself at boot. GOING to Xupiter.com and using the uninstaller is also useless because all the uninstaller does is to disable the tool bar, but leaves the program intact and spyware running.

The recommended way to get rid of Xupiter is to d/l the program Ad-aware or Spybot. Ad-aware simply removes the program files, but leave the plugin, hidden file and registry parts intact... thus the spyware may still be active. Also, it doesn't fix your search settings or homepage setting or IE toolbar.

I fully endorse the program Spybot - Search & Destroy by PepiMK Software; it is freeware but the programmer takes contributions. http://security.kolla.de/index.php?lang=en&page=knowledgebase/threats/index Also, Free Downloads#SpyBot http://shinobiresources.com/downloads.htm#SpyBot

SPYBOT features advantages over the free version of Ad-aware, too. Unlike Ad-aware, which doesn't give you any information about what it finds on your PC, Spybot provides you with a clear list of everything it's discovered. Simply mouse-over any item on the list, and you can find out where it came from, what it does, and what Spybot recommends you do--keep it or destroy it.

I like Spybot because, although it can be only a tiny bit aggressive, you control what to remove.. it has a spyware update capability like the better anti-virus programs have. Of course both Spybot and AVG are needed to provide good protection. And perhaps a firewall.
It also does search and find Xupiter. I can't determine if it would find all of it..due to the hidden file Xupiter puts on the drive.. but I would bet it does. It seems to find stuff that Ad-aware misses.
I am not willing to reinfect my machine to find out if it does get all of Xupiter... so the manual removal tool is a good reference to check up on it because Ad-aware only kills the program and its file folder, not the plugin, registry reference, or hidden file.. Spybot does search out the registry.

jcksrobbins 3:06pm December 12, 02
Xupiter is a search engine, but is very parasitic. It basically takes control of your browser and its settings. It is not dangerous to your computer, but as you already know, it is very annoying.
Here is some good information on how to remove it:

Manual Removal of Xupiter

IN MY OPINION: (Be careful you will have to edit your registry for this to work) The only way to rid your system of Xupiter, is the following (win98):
Delete the directory c:\program files\Xupiter with "FIND" or Win. Explorer. However winfile or dos is a better choice.
(That will only work if you have set your "folder options" to show all files")
(Win. explorer> view, folder option, view tab)

IN winfile or dos this is C:\progra~1\Xupiter
(In winfile .. view, by file type.. all file types and show hidden or system files)
Using winfile (start, run, winfile) Yes, I said winfile.
(With show all hidden or system files turned on as noted above) Click down to the following directory.

C:\windows\downlo~1 and look for the Xupiter.ini or .inf file at the bottom of the file list.

Before you delete it, look at the File, properties. It will give you the name of the plugin that has to be "removed". It should look like this: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}
Make a note of it, or skip to the next step (leave winfile open) and then delete it.
(Note: this file is completely hidden from windows. Win. Explorer cannot detect this file.
The file has some interesting properties that keeps windows from doing this.
The whole c:\windows\downloaded program files is a hidden directory. Explorer can "see" that hidden directory, but not this file.)

Next, Right click on the IE icon, and select properties.
In internet options, click on the "settings", then "view objects" button(s).
This will open the "downloaded program files" directory.
This is the only place windows will allow you to "remove" the plugin.
Find the plugin named above, or highlight all the plugins with the long #'s and right click, then select properties.. to locate the Xupiter plugin.. and then right click and remove it.
Close the directory..but leave internet options open.

The next step is a very very bad place to play.. Novices be careful! [It is recommended that you make a backup of your registry. See the instruction to make a backup of your registry.]
Start, run, regedit .
This opens your registry system file. Mess up this file and you have lots of trouble.
Before you delete anything you can do a run through and take note of the "find" matches.

Under "edit" select find. Put Xupiter in the search box. Click ok. Delete anything that matches Xupiter
After each deletion press F3 to continue the search till you have gone all the way through the registry.

You should get at least 3 matches:
Delete the 'XupiterStartup' entry in the Right Hand pane.

Also delete the following Registry Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Once your registry is Xupiter free close it and go back to the Internet Options.
Go to Internet Options, Programs tab, and hit "Reset Web Settings".
Close Internet Options.

Next, open IE, click on View, Explorer Bar, Search.
The search pane will open on the left of your browser.
Slide it wider till you can see the "customize" search button and reset all your search choices.

Reboot your computer. If all is right with your system, do this: start, run, scanreg and accept the backup.

You should now be Xupiter tool bar free.

In reference to the xupiter tool bar.. After working on a file to explain how to remove it, I received a note that while ad-aware may not fully remove it till they release ver.6 that spybot is kept up to date...The recommended fix for xupiter is still spybot, but I think my remove by hand is still a complete fix.. Anyone want to infest their machine and see?

However, my remove was written for win98 and maybe ME, I don't know what XP people would do.

Example: I downloaded the ad-aware and found a lot more I didn't want on here. I thought I got it all off but it would not let me take something off called gator. Now this morning xupiter is back on but a button keeps popping up saying xupiter toolbar is not installed please install. I don't want it here!; anybody know what I can do?

by asters on Nov-18-02 at 04:58
Here's how to use Ad-aware to remove Gator:

Launch Ad-aware.
Under "Sections to scan," place a check mark next to My Computer. Single-click the "Scan now" button.
If Gator was removed from your computer already, then you should have about five remaining entries to delete. If it's still installed on your system, then Ad-aware should find about 50 or more entries to delete.
Place check marks next to each entry marked "Gator."
Single-click the Continue button.
Click OK.

Also check settings> Control Panel> add/remove programs and delete from there too.
To Uninstall Xupiter toolbar also see: http://www.computing.net/windows95/wwwboard/forum/126620.html
and http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html

by PWW
DO NOT GO TO THE xupiter site and use their uninstaller... It only disables the toolbar and does not uninstall Xupiter!!
Yes, the activeX component hides in the downloaded program file..

This little parasite has a very nasty habit of hiding files, that windows cannot see
To start with go to start run msconfig> startup and look to see if the xupiter tool bar is now checked or uncheck...
Then do this:
Open Explorer, click on the view menu, folder options, then view tab and make sure "Show all files" (hidden files area) is turned on...close explorer. Then click on the View(menu item), folder options
Now check the box "include subfolders".. lower left corner, then go to the advance tab and set it like this picture:
[picture: find advance]

Next, do a start> find (check your "advance" find settings to make sure it is set for "all files and folder" and in the find box, the Include subfolders box is checked) put in xupiter and search each HDD, one at a time.
IF you find anything in the find list you can Right click & Delete... (NOTE: any webpages with that in the title will also appear in the list, don't worry about that, we want files)... Then go to Recycle bin and clear it out.

Here is the next step:
Right click on the IE icon (on the desktop) and select "properties" [picture: IE properties]
In the first window, of Internet properties... (don't mess with the home page setting yet...) Click on the settings button.. then "view objects"... this will open the folder.. Downloaded internet files..

Okay.. after you have opened IE properties, then click on the settings button to open (note: the "view files" button, we will use it later) and clicked on the "view objects" button, You will get Downloaded program files
You need to highlight (click once) the activeX plugin {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} and then right click and remove it.
(This is the only place that windows will allow you to remove plugins!) Then Edit menu, "select all", Right click on any of the highlighted items select properties...and one at a time (in slide show fashion) the properties of each plugin will come up. Check to see if it is from a "known" source like microsoft, shockwave, housecall, etc....

(If you're online, and you open your "downloaded program files" folder, when you right click on a plugin, the option to update it appears also (only when online). And the reason I open internet properties from the Icon and not the IE tool menu, is the Browser window that you open it from will be disabled until you close IE properties making it hard to type a reply to instructions but if opened from the icon, doesn't affect the browsers currently open.)

When you right click and check the properties of a plugin.. it will say, for example, http://active.macromedia.com/flash2/cabs/swflash or microsoft.. or other helpful places like your web cam..IF you have one.. a ms plugin ..and these are okay.. But if you have one marked Xupiter or from an unknown web site.. remove it...

The thing about plugins is that if you remove them with the exception of MS ones or installed program plugins, like say, the one for housecall, the next time you visit that site it will ask to reinstall the plugin.

For now, only remove the ones that you're sure don't belong; you can come back and remove any others later.. The plugins allow the program to connect with your machine. Since I don't know all the programs on your machine, for now I have to stick with the Xupiter tool bar.... (However, IF you have a plugin named BUDDY I have to ask: DO you have AOL ?? Buddy is a bundled software program that many AOL users try out, stop using, and then find out it's spyware.)

As the properties of a plugin come up, it may have web site listed. You can use a blank browser window to check out the home page of the site.. and see if it belongs.. Stuff that says MS activex or shockwave should stay.

Okay, close if you're done. Close the download program folder and we will move onto the next step.
The Next step after closing the IE properties (BTW> we will be back..) IS to start, run winfile ... an old file management program..

by cegs on Nov-18-02 at 11:07
OK, I'm back, just when you think you're at the end there's more. So I gotz to get rid of the registry now?

by PWW
We're not up to the registry step yet... we have to get rid of the hidden Xupiter.INI files that windows cannot see or detect...
Start, run , winfile
When you have winfile open ... View menu.. select by file type... checkmark all the boxes, including show hidden system files and click ok.
Top row text labels should say: File disk tree view options window help - - Under View, Enable all the boxes ESP. the one to view all hidden files

Now under the file menu, 3rd item from the bottom, select search and in the search box type:
Xupiter.* with the search starting at the beginning of the c: drive and searching all subdirectories...
The search will reveal 1 or 2 hidden files (hidden from even windows explorer) in this directory:
C:\WINDOWS\DOWNLO~1 called xupiter.ini or something similar.. use the delete key to carefully delete only that file... you should only get a match for that.. and not one for c:\progra~1\xupiter

Each search will open a new window, under the window menu it best to keep them down to just the one, by closing the little x under the big X in the upper right corner... I am sure a .ini file for xupiter will be found on your system unless adaware removed it...
You could also point and click your way down to c: >windows> DOWNLO~1 directory.. and then look in the list of files on the right to see if its under X(upiter) at the end of the list.
(first highlight the file, and then File properties or hotkey alt+enter to open the file properties; copy the information on the file and post it please.)

by cegs on Nov-18-02 at 12:34
OK, I gotz it,
[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
XupiterToolbarLoader.exe=XupiterToolbarLoader.exe

[XupiterToolbarLoader.exe]
;File-Win32-x86=thiscab
clsid={A27CFCAE-9351-4d74-BFFC-21EB19693D8C}
version=
Hook=InstallerHook

[InstallerHook]
run=%EXTRACT_DIR%\XupiterToolbarLoader.exe /CabInstall
; end of INF file
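Added example (this is not code from the thread, from SpywareBlaster, or from any of the tools named here): a Python script that parses an .inf of the kind cegs posted, pulls out the CLSID that each [Add.Code] entry registers together with the command its install hook runs, and writes a REGEDIT4-format .reg fragment that sets the ActiveX "kill bit" for that CLSID, which is the same mechanism tride's SpywareBlaster post describes. The kill bit is Microsoft's documented "Compatibility Flags" DWORD of 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the sample INF text is a constructed copy of the posted file, and the function names are this example's own. The script also reports the Code Store Database key that the registry step later in the thread has you delete, so you can see how the CLSID in the INF ties the plugin, the Distribution Unit key and the kill bit together.

```python
import configparser
import re

# Constructed sample: a copy of the Xupiter .inf text posted in this thread.
SAMPLE_INF = r"""[version]
; version signature (same for both NT and Win95) do not remove
signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
XupiterToolbarLoader.exe=XupiterToolbarLoader.exe

[XupiterToolbarLoader.exe]
;File-Win32-x86=thiscab
clsid={A27CFCAE-9351-4d74-BFFC-21EB19693D8C}
version=
Hook=InstallerHook

[InstallerHook]
run=%EXTRACT_DIR%\XupiterToolbarLoader.exe /CabInstall
; end of INF file
"""

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")
# Documented kill-bit location and flag; REGEDIT4 is the .reg format Win9x regedit imports.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CODE_STORE_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units"
KILL_BIT = 0x400


def parse_inf(text):
    """Return one dict per [Add.Code] entry: component, CLSID, install-hook command,
    and the Distribution Unit key that IE creates for that CLSID."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep option names as written ("Hook", "clsid")
    cp.read_string(text)
    components = []
    if not cp.has_section("Add.Code"):
        return components
    for name in cp.options("Add.Code"):
        section = cp[name] if cp.has_section(name) else {}
        clsid = (section.get("clsid") or "").strip().upper()
        if clsid and not CLSID_RE.match(clsid):
            raise ValueError(f"malformed clsid in [{name}]: {clsid}")
        hook = (section.get("Hook") or "").strip()
        run = cp[hook].get("run") if hook and cp.has_section(hook) else None
        components.append({
            "component": name,
            "clsid": clsid or None,
            "run": run,
            "distribution_unit": f"{CODE_STORE_KEY}\\{clsid}" if clsid else None,
        })
    return components


def kill_bit_reg(clsids):
    """Build a REGEDIT4 .reg fragment that sets the kill bit for each CLSID given."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        clsid = clsid.strip().upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid}")
        lines.append(f"[{COMPAT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_inf(SAMPLE_INF)
    for c in found:
        print(f"{c['component']}: clsid={c['clsid']}, hook runs: {c['run']}")
        print(f"  Distribution Unit key to remove: {c['distribution_unit']}")
    print(kill_bit_reg([c["clsid"] for c in found if c["clsid"]]))
```

To use it on a real file, read the .inf from C:\WINDOWS\DOWNLO~1 into a string and pass it to parse_inf; the .reg text that kill_bit_reg returns can be saved and double-clicked like the registry backup described further down. Setting the kill bit does not remove a control that is already installed, it only stops IE from loading or re-installing it, so the removal steps in the thread still apply.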

by phantonwerwolf on Nov-18-02 at 12:50
Note: In post above (at 12:34), I believe you will see the code that tells windows not to remove or uninstall this file.. Thus this may be why explorer cannot detect it... Good job cegs, now you can delete the file.. note that the {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} is the name of the plugin that had to be removed.. and you should be free of the plugin in your settings.. downloaded program file.. After you delete it, find your way back up to c: progra~1 and make sure the xupiter directory is also gone.

IF you think this was fun so far.. now we get serious.. IF AT ANY part of the next step you have a question stop and ask it, because you only get to delete stuff in the registry once. And this is the only way to get the Xupiter tool bar item out of your browser> view> toolbars.. even though it now doesn't work because the files are gone. IF anyone wants to step in and help cegs backup the registry now is the time......

How to create a backup Registry file.
Click Start
Click Run
Type in "regedit"
Click OK
Highlight "My Computer" on the left
Click the Registry menu at the top and select "Export Registry File"
Name the file "backup" and save it to your Desktop. If you screw-up, locate the "backup" file on your Desktop and double-click it. Select Yes and your registry will be restored.

[Restoring the registry
If for some reason registry checker fails and Windows won't boot, you can try to restore the registry in DOS. Just boot into DOS and type scanreg /restore at the DOS prompt.
If you want to be extra safe, you should create copies of the two files that make up the registry (User.dat and System.dat) and place them in a separate backup folder on your hard drive (they're too big to fit on a floppy).
You'll find User.dat and System.dat in the C:/Windows folder but won't have access to them unless you go into Windows Explorer and choose View, Folder Options, click on the View tab, and check Show All Files.]

Here's how to Backup your Registry for different versions of Windows:

Here's the way for those of us who just cannot leave well enough alone to backup your registry prior to any edit you may do:
From xyste:
How to back up the entire Windows registry

Making a backup of the entire Windows registry lets you restore the registry if you want to reverse changes that you make while editing it.

This is the recommended and safest method. It is also somewhat more difficult, and it is different for each operating system, except for Windows 98 and Me, which both use the same method.

For instructions on how to back up the entire registry, read the documentation that came with your operating system or one of the following Microsoft Knowledge Base articles:

Windows 95/98/Me
Windows NT/2000/XP
Read the section "How to Back Up the Whole Registry" in the Microsoft Knowledge Base article that applies to your operating system:
For additional information about the Windows registry and the use of the Registry Editor, read the following documents:

Now, Start> run> regedit ... when the program opens look under the edit menu and select find ... In the box type xupiter Each time you get a "hit" delete that key and press F3 to continue the search. examples of what you will find are:

Delete the 'XupiterStartup' entry in the Right Hand pane.

Also delete the following Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

The remaining instructions after you have edited your registry (and made sure the files are gone) are: Open internet (explorer) options... go to the "program" tab... Click the button "reset web settings" ...return to the general window and set your home page.

Next, inside a browser window.. VIEW.. explorer bar..search (you could use ctrl+E) at the right edge of search is a customize button.. It is sometimes hard to see if the "pane" is narrow but it is there.. go thru the customize sections and reset your search choices.

At this point your system should now be X(St)UPITER tool bar free.... THEN you have to reboot and make it so...IF everything is in order,, you should start run, scanreg to put a copy of the new registry on file.

The only search word you need to put in is xupiter
You can delete anything that matches xupiter. However, so you will be more comfortable with this you can run regedit, and do the search !without! deleting anything, just keep pressing F3 to continue the search and take notes... see how many matches you get.. probably about 3 because one will show up from the "find" we did. That's normal.

by cegs on Nov-18-02 at 13:47
I found 3 and deleted them; do I now restart my pc?

by phantonwerwolf on Nov-18-02 at 13:54
Open internet (explorer) options (right click IE icon and select properties)... go to the "program" tab... Click the button "reset web settings" ...return to the general window and set your home page. Next, inside a browser window.. VIEW.. explorer bar..search (you could use ctrl+E) at the right edge of search is a customize button.. It is sometimes hard to see if the "pane" is narrow but it is there.. go thru the customize sections and reset your search choices. As you pull the search pane wider > a customize button should appear.
When you click the button to reset websettings it asks if you want to set web settings to their original ie defaults? And you do.

Then reboot your PC.

FYI.. The program Quick buddy is part of AIM... it was bonzi buddy that was spyware I think... After you reboot check your aim program not your INFO and if it doesn't work because we removed the plugin uninstall and reinstall... I am looking at it now..deciding if I want to load it.

by cegs on Nov-18-02 at 15:11
Is it time to do the security settings yet? when I rebooted, I ran the ad-ware and there were 3 new things on since this morning. I think mine are set too low. I found the settings under internet properties and they're set at medium.

by phantonwerwolf on Nov-18-02 at 15:33
Check your aim program.. Adaware is going to pick up stuff all the time.. things like double click cookies show up constantly and are a minor annoyance

Lets start where you already are.. Internet options/properties... Security tab>.. medium is a start and then we are going to go custom level...
IF you set for "prompt" the browser will ask before doing anything.. this can be annoying but the little box will have a "don't ask me again" and that changes the setting to enable.

Starting with your activeX settings IMO I recommend...
Prompt, prompt, enable or prompt, enable, enable,
Cookies: enable, enable,
Downloads: user choice I often leave this off because I use a 3rd party download management program..(not a web accelerator)
font: prompt
MS VM: high java next lines: prompt, disable, enable, disable, prompt, enable, High Safety, enable, enable ..
That takes us to scripts..another user defined place depending on your choices..
Enable, enable, enable and prompt for user password. You could use prompt instead of enable, your choice.

Now.. IF one had a fixed list of places they wanted to go on the net,,, those location can be added to the "trusted site" zone with lesser security and those that where a very bad idea can be added to the "restricted site" with HIGH security... I live on the edge and mostly use the standard settings that just got set.

When you leave the security settings, it is noteworthy to look at the content tab. IF you choose to read up on the "content" choice and enable it with a password it will act like the netnanny program to keep kids out of certain sites.. as filtering software... PROBLEM is any child that has any computer savvy can search google and find the way that content advisor or netnanny can be broken temp. or permanently disabled.. and you never know it.. as long as they covered their tracks by clearing the cookies, files and history.

Choose the OK button.. the reset button will "reset" all your settings to the default.

Okay.. the next step is to go over to the advance tab.

IMO the following helps a computer: but it's user's choice
First 2 empty...
Browsing: ON, off (no to: automatic IE updates) on, on...next 4 off..(ESP. the install on demand)
ON, (disable script debug) Users choice(download notice), off, on, off, user choice (go button), on,
users (underline links), on, on, off, on, on,
MS VM> on, off on, MULTIMEDIA> off, on, on, on, off, on, on,
Printing:> on,
SEARCH users choice I have no selection at that point
Next part:
Security> off, off, on!, on!, off(profile asst. user choice)
On, on, off, last 4 on....
