World's Most Annoying IE Toolbar 950
nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and blocks all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."
no it won't (Score:5, Informative)
People get into the habbit of clicking "OK" whenever something pops up. Next thing they know, they have Gator and all sorts of junk installed.
Ouch.. (Score:1, Informative)
Popups can appear of nowhere, and other strange things occur, but the most disturbing thing is that it is causing other programs to crash! Okay, it's windows, but still.
It's evil!
This is old news (Score:2, Informative)
No it doesn't :) (Score:5, Informative)
Was it smart to include the link? (Score:5, Informative)
As far as I'm concerned, if you read the article and are dumb enough to go through the process of clicking the link and getting the software installed, maybe reading
Seriously folks, if you're going to want to check this think out for yourself, please have enough 'smarts' to do so with a 'non-IE' browser...
Xupiter removal (Score:1, Informative)
http://www.xupiter.com/uninstall/ [xupiter.com]
It's not a security "hole"... (Score:2, Informative)
Basically, default permissions say that any "signed" ActiveX control is OK to install without a prompt. So Xupiter just goes ahead and installs it.
People need to read up and learn how to use the (fairly powerful) security settings in IE6, and Microsoft needs to be chastized again for making default security too trusting.
But it's NOT a bug.
Simple tip for IE users (Score:5, Informative)
First, set the "Trusted Sites" zone to the "MEDIUM" level.
THIS MAKES YOUR TRUSTED SITES ZONE THE SAME AS THE NORMAL INTERNET ZONE.
(People seem to flame this idea as a security risk without understanding that last bit)
Then, modify the "Internet Zone" and disable Active Scripting.
Finally, add all your favourite sites to the "Trusted Sites" zone.
You can now enjoy the full functionality of JavaScript etc. on your frequently visited sites including the usual protection of the Internet Zone.
Any site not in the Trusted Sites list cannot use JavasSript and so prevents pop-ups and other nasties such as self installing spy-ware.
Auto-Install (Score:5, Informative)
-Foxxz
Automatic downloads (Score:5, Informative)
It's the kind of thing you might expect from a 0.5 release; unfortunately, it's not the kind of thing you should only expect from Microsoft.
Re:no it won't (Score:1, Informative)
Detected by Norton Internet Security (Score:4, Informative)
Time to recheck my security settings. ..bruce..
Re:*groan* (Score:3, Informative)
Re:This is old news (Score:5, Informative)
Re:Ouch.. (Score:5, Informative)
Complete uninstall? (Score:5, Informative)
I don't know about this week's version of the uninstaller, but previous versions were nice enough to leave behind big chunks of the program. Still running. Sort of the way a tick will leave its head behind if you yank it out with tweezers.
This is a pretty common and ugly tactic among spyware developers.
It's a monster (Score:5, Informative)
After finding that it did indeed have my wife's credit card number/home address/phone number I asked her what she used it for; She said that she didn't know where it came from but that it was causing her laptop to crash about every ten minutes ever since it added itself to her IE toolbar.
I then spent about 3.5 hours hacking the WinME registry trying to peel this thing out of her laptop because it's 'uninstall' doesn't!
Wrong (Score:5, Informative)
And anyway, isn't that the digital equivalent of mugging and rape? I mean they either install the thing on your computer without permission and it totally fucks with everythig, or they trick you into installing it by outright lying about it and not telling you what a piece of shit spamware/spyware TROJAN HORSE it is. Couldn't they easily be sued for fraud and/or hacking people's computers?
Re:Misplaced blame (Score:3, Informative)
Check out their invasion (er...privacy) policy ! (Score:2, Informative)
Read just the first couple paragraphs to find out what they admit to collecting:
Your time zone
Sites you visit and for how long
How you enter and exit sites
Response rate to ads
Applications on your computer (to resolve SW conflicts...right).
License terms can be found at http://www.xupiter.com/terms.html. Frankly, I am scared to read them.
peptidbond
Personal Data collected (Score:2, Informative)
HOW DOES Xupiter WORK?
We provide you with advertisements that match your interests to make your Internet experience more satisfying. We determine your interests by collecting information about what sites you visit on the Web. For example if you visit a travel Web site, we may present an advertisement that promotes the sale of airline tickets. These special offers and advertisements may be displayed using various browser enhancements and pop-up windows on Web sites you visit.
Standard Web log information and computer settings such as your IP addresses, browser type and versions, screen resolution, time zone selected and the version numbers of some of the software installed on your computer.
Information about Web sites you visit -- this information includes the Web sites address (URL), the amount of time spent at a Web site, and how you entered and exited a particular Web site.
By using the Xupiter software application we are able to create a profile that is used to select and deliver special offers and advertisements that we think might be of interest to you. This profile is stored on Xupiter servers and contains the following information:
Your Xupiter ID which is a numeric identifier that is generated by the Xupiter software application.
A historical record of content and advertisements delivered by Xupiter, and the response rate associated with the content and advertisements that was delivered to you through the Xupiter software application.
I think that qualifies as close enough to collecting personal information...
Re:Ouch.. (Score:5, Informative)
http://www.doxdesk.com/parasite/Xupiter.html
Or use Spybot S'n'D to remove it - Ad-Aware 5 hasn't been updated and can't get rid of all variants of it properly.
This page:
http://www.doxdesk.com/parasite/
will test you for Xupiter and 60-odd other nasties, if you're using IE.
Re:no it won't (Score:2, Informative)
This thing however did install itself automatically. I was going to a site.. do as I would normally do. I in fact never saw any questions popup. maybe I had a few popup windows that I closed quickly. Other than that nothing. Though next time I started up IE.. All the sudden I had this Xupiter thing. So tell me I'm lieing but that was my experience
On a Side note, What I did to uninstall was to first try and turn off the bar.. then uninstall from Apps/programs remove. Then I did an exhaustive search through my hard drive for any more xupiter programs.. deleted them. Then did a search in regedit to find anything that remotely looked like xupiter.. deleted those things.. and in some of them they had some stealthily named programs, of which I then searched for and deleted off my hard drive.. Took a bit of effort but got it off. Most normal people probably would have no idea how to get rid of this thing.
Re:Question (Score:5, Informative)
Grokster.
I don't believe it's in the current distribution, but there's an awful lot of other unsolicited commercial software in it. Grokster and iMesh are competing for the 'most offensively spyware-laden app' prize.
True and tried: no it won't (Score:3, Informative)
I dared and tried. After visiting that web site I was prompted "Do you want to install and run..."
So it does ask you if you want to get it installed. Problem no. 1 is, that it's signed by Verisign. Problem no. 2 is of course sitting in front of the computer mindlessly pressing "OK" whenever it pops up.
But there is more: visit that web page, and get a hidden window which is kind of not visible, but it is there. Next visit: Bonzi pops under, telling me my computer is broadcasting an Internet Address.
About as obnoxious as possible. But it does not install itself (Win2k, IE 5.5SP2, not latest security patches, but not much behind).
Re:no it won't (Score:3, Informative)
Re:Pretty easy fix (Score:5, Informative)
At any given time there are a dozen or so security holes in Internet Explorer. Right now there are 19 security holes [pivx.com] in the latest version of Internet Explorer, with all patches and service packs applied.
Xupiter is the Devil (Score:4, Informative)
Anyhow, the best page for information and removals which I've found to date is at http://www.allentech.net/parasite/Xupiter.html
The removal info has worked every time, with the exception that on WinME it is usually possible to just drag the Xupiter folder into the Recycle Bin and delete it directly after a reboot.
Re:no it won't (Score:5, Informative)
So I guess you dislike mozilla too?
Hint: Google for xpinstall or go to mozdev and install a browser expansion - directroly from the web page.
Re:Pretty easy fix (Score:2, Informative)
Trouble Is... (Score:2, Informative)
(a) This Agreement constitutes the entire agreement between the parties concerning the subject matter hereof;(b) This Agreement and any dispute arising out of it shall be governed by the laws of Hungary; (c) Unless otherwise agreed in writing, all disputes relating to this Agreement (excepting any dispute relating to intellectual property rights) shall be subject to final and binding arbitration in the country of Hungary; (d) This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods; (e) If any provision in this Agreement should be held illegal or unenforceable by a court having jurisdiction, such provision shall be modified to the extent necessary to render it enforceable without losing its intent or severed from this Agreement if no such modification is possible, and other provisions of this Agreement shall remain in full force and effect; (f) A waiver by either party of any term or condition of this Agreement or any breach thereof, in any one instance, shall not waive such term or condition or any subsequent breach thereof; (g) The provisions of this Agreement that require or contemplate performance after the expiration or termination of this Agreement shall be enforceable notwithstanding said expiration or termination; (h) you may not assign or otherwise transfer by operation of law or otherwise this Agreement or any rights or obligations herein. (i) This Agreement shall be binding upon and shall inure to the benefit of the parties, their successors, and assigns; (j) Neither party shall be in default or be liable for any delay, failure in performance (excepting the obligation to pay), or interruption of service resulting directly or indirectly from any cause beyond its reasonable control.
Isn't that bloody well lovely?
Ah hah! (Score:5, Informative)
Restarted at DOS prompt to delete all the files. Regedit to remove every registry entry containing "Xupiter". After that, everything worked just fine, and I cranked up the security settings before I left.
McAfee's Xupiter Removal Instructions (Score:5, Informative)
I followed this on friend's computer and it works.
http://vil.nai.com/vil/content/v_99904.htm
Re:Ouch.. (Score:5, Informative)
Basic protections ... (Score:5, Informative)
Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.
Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.
Automated installs are extremely useful - it's all a question of finding that balance between ease of use and ease of abuse.
Cheers,
Toby Haynes
Re:No it doesn't :) (Score:5, Informative)
The relevant registry keys... (Score:2, Informative)
HKEY_LOCAL_MACHINE
Software
Microsoft
Intern
Toolbar
{Your Band Object's CLSID GUID}
Find its CLSID and remove it. Also remove the object's COM registry entry by removing the following key:
HKEY_CLASSES_ROOT
CLSID
{Your Band Object's CLSID GUID}
Be careful though - the menu, address, links, radio, etc... toolbars are also controlled this way. Make sure you're deleting the right entries!
Unless there's some other program running in the background that re-establishes these keys, there isn't any way that IE can load the toolbar if these entries are not present.
Kelly
lexteq.com (we've done a few toolbars ourselves)
The Computer Misuse Act is criminal law (Score:1, Informative)
Besides,
(e) If any provision in this Agreement should be held illegal or unenforceable by a court having jurisdiction, such provision shall be modified to the extent necessary to render it enforceable without losing its intent or severed from this Agreement if no such modification is possible
and that's even if clickwrap licenses are binding in the UK (it hasn't been tested, but the prevailing opinion seems to be that it's unlikely).
Re:Thank God for Mozilla (Score:3, Informative)
Re:If it's going through all that trouble... (Score:2, Informative)
Re:If it looks like a duck and quacks like a duck. (Score:3, Informative)
That's OK, I listened to a radio show about Slammer on the way in today. Their 'computer experts' explained that a virus is a program that destroys files on your hard drive, whereas a worm is one that replicates itself. They get paid pretty well for these appearances.
God, I need an iPod.
More information and removal instructions... (Score:3, Informative)
Re:Basic protections ... (Score:5, Informative)
The basic problem is that it is easy and tempting to press "Yes" to every dialog, whether it is Mozilla or IE.
Why don't you just uninstall it? (Score:2, Informative)
'Course, it requires you to download and run another application from the same slimy people that gave you the spyware anyway. And yes, it IS spyware-Read their privacy policy-they freely admit it.
I cannot vouch for how well their uninstaller works because I was never infected (I use a Mac).
As an aside, I was just talking to my friend yesterday on the phone and he mumbled something like, "Xupiter? what the hell is this? This isn't my home page." (He uses a Gateway).
Re:Thank God for Mozilla (Score:3, Informative)
Uninstall (Score:3, Informative)
why they cant put an entry in add/remove control is beyond me... oh, I forgot, this is a sypware/trojan/worm/virus, it dosnt like to be uninstalled.
Re:Automatic downloads (Score:3, Informative)
Re:Pretty easy fix (OR TRY THIS) (Score:2, Informative)
kmeleon.sourceforge.net
Re:It's a monster (Score:5, Informative)
it does send some personal info (Score:2, Informative)
Re:THANKS (Score:5, Informative)
You don't need an applet. Someone on slashdot has already done this. See this [slashdot.org] slashdot post, which, if you click the link in the posting, takes your browser on a carefully crafted roller coaster of 302 Object Moved across several different servers, eventually leading you to either the correct (advertised) New York Times article, or to goatse.cx if you are using IE. See my four replies under the post that explain how this was done. Note that the first of my replies was moderated as Troll because I was warning people about a goatse link.
A few questions answered: (Score:5, Informative)
Terms
So yeah, basically the program will pop-up-ad slam you, give away your personal info, install crap software on your PC, and has the ability to change it's "terms" to allow it to do more behind your back.
Search Results on removal from Xupiter web site (Score:3, Informative)
I like the fact that the Xupiter site can be used to find anti-Xupiter pages.
Re:My searches (Score:3, Informative)
Going after Xupiter (Score:5, Informative)
Xupiter claims to be based in Hungary. But it may not be.
First, Xupiter appears to be the same thing as Browserwise [browserwise.com]. The content of the two sites match, and you can download their malware from either site.
Whois for Browserwise yields:
Administrative Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 91413
United States
(818)229-5631
Technical Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 90413
United States
(818)229-5631
Domain servers in listed order:
NS1.CANDIDHOSTING.COM
NS2.CANDIDHOSTING.COM
A traceroute on Xupiter isn't particularly helpful, but a traceroute on Browserwise leads to "amateurpornhouse.com", hosted on the same server. The server is thus virtual hosted by name, but if you try it by IP address [slashdot.org], you get Browserwise, so Browserwise is the main user of that server. "amateurpornouse" is thus either affiliated with Browserwise, or buys hosting from them.
Whois for "amateurpornhouse.com" yields:
SC Enterprises
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
Domain Name: AMATEURPORNHOUSE.COM
Administrative Contact:
Phucksum, Jeff webmaster@sexycouple.com
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
So we check Sexycouple's legal page [sexycouple.com], and find:
Looking up "SC Enterprises" in Las Vegas, we get
134 Spinnaker Dr
Henderson, NV 89015-5639
Phone: (702) 558-8908
Also, DNS for Browserwise is provided by CandidHosting.com [candidhosting.com], next to the police station in Tampa, FL. They have to know who's behind this, so that's where to start with legal process.
That should be enough to get the lawyers started.
Re:no it won't (Score:4, Informative)
2.Pull down Edit.
3.Select preferences.
4.Select advanced.
5.Select Scripts&plugins.
6. there are check boxes under "allow scripts to," uncheck them.
How to quickly uninstall ANY IE toolbar (Score:1, Informative)
It can also uninstall plugins and browser helper objects (BHOs).
You can download it from CNET [com.com].
Re:Wrong (Score:4, Informative)
I run Windows Update at least once a month, closing off every IE security whole as Microsoft finds a fix for it... And Xupiter's still been a pain in the ass.
I honestly can't say for certain that it was never "agreed" to in the first place as I'm not the sole user of my home PC. What I do know is that, even after clearing the damn thing out of my system via Spybot S&D, it'll still turn up again in the middle of a session.
About the only lasting cure I've found (other than installing Linux *grins*) is to eradicate it and then set C:\Program Files\Xupiter to read only. Seeing as it always tries to install there, that seems to stop it.
I'm a senior web dev for a fairly major company. I keep my system patched. I have a good degree in Comp. Sci. I've used computers for 20+ years and worked on the web since '96. I'm employed to know way more about browser issues than most normal people.
Done! (Score:4, Informative)
xupiter.com has address 63.236.32.50
mail is handled by mx1.xupiter.com
host mx1.xupiter.com
mx1.xupiter.com has address 63.236.50.196
whois -h whois.arin.net 63.236.32.50
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Internext Media, Inc. QWEST-JSV-INTERNEXT1 (NET-63-236-32-0-1)
63.236.32.0 - 63.236.32.63
whois -h whois.arin.net 63.236.50.196
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Snapshot Productions LLC. QWEST-JSV-SNPSHTPR (NET-63-236-50-192-1)
63.236.50.192 - 63.236.50.223
so I added 63.236.32.0 - 63.236.32.63 and 63.236.50.192 - 63.236.50.223
to my firewall block list, and they shalt never trouble me henceforth.
Done! Next!
Re:A few questions answered: (Score:3, Informative)
So, when you go to goodpr0n.com it reads the site, and assume that you must be suffering from some type of relationship dysfunction. The next day: welcome to the viagara spammail list!
We won't even get into what happens if it combines results: you visit goodpr0n one day and a petcare site the next...
Re:no it won't (Score:2, Informative)
I think you're wrong... (Score:4, Informative)
Browserwise.com seems to be a totally different company, even the top level where the IP range is purchased from is different. Browserwise.com is hosted at the top level by Level 3 Communcations, while xupiter.com is hosted at the top level by Quest. I looked at both web sites (with Lynx! it's safe... ^_^) and the content does NOT seem to "match" to me.
Sorry but I think you just got carried away in your search and these two companies are not the same, or even related in anyway.
Ok, here's what I got..... (Score:1, Informative)
Xupiter.com's netblock is registered to:
CustName: Internext Media, Inc.
Address: 15445 Ventura Blvd., Suite 318 Sherman Oaks CA 91403
Country: US
RegDate: 2002-05-09
Updated: 2002-05-09
NetRange: 63.236.32.0 - 63.236.32.63
Some other interesting things registered there are:
WHOIS whois.dotster.com cashclicks.com:
Registrant:
Erika Online Inc.
15445 Ventura Blvd Suite 318
Sherman Oaks, ca 91403
United States
WHOIS whois.dotster.com nudelink.com:
Registrant:
Universal Net
15445 Ventura Blvd Suite 318
sherman oaks, ca 91403
United States
Registrar: DOTSTER
Domain Name: ABCSEARCH.COM
Registrant:
Internext Media Corp.
P.O. Box 260542
encino, ca 91426
United States
ABCSEARCH.COM is run by a gentleman by the name of Daniel Yomtobian. Do a search and you'll be amazed by the number of lawsuits against the guy for domain squatting.
Sounds like a contender to me.
Use some decent browser proxy/filtering (Score:2, Informative)
I have found a good combination is Proxomitron and JD5000 filterset. Both can be found here
http://home.satx.rr.com/jd5000/
It works with all browsers that support proxies (EG IE, Moz, Opera, Netscape) and best of all beside's ad blocking it does some rather cool features.
First filter I find handy is
Convert - Flash to Links.
Visit a site that has flash crap on it and it will say Flash removed/disabled. Next to it will be a option to turn on flash for the selected website only. This website URL will go into a blockfile named Allow - Flash.txt
Disable - Applet, Object, and Embed.
Now this is really damn handy as it will disable java applets, embedded crap and activeX objects, IE How Xupiter manages to get through.
If I need a site that has been verified by me that absolutely needs java or activex I can add it to the Allow - ActiveX blockfile.
THIS is basically how Proxomitron and JD5000 work's. It has a lot of features for security/ad blocking and more. Has also the usual filters to disable javascript or tame it down entirely, prevent nasty IE exploit's, etcetra.
To give everyone a idea at what exactly the filters the latest JD5000 update has, below are two pictures showing *ALL* the filters. First is the web page filters, second is the Browser Header filters. Filters that are in black are what I have turned on for day to day use.
Proxomitron's JD500 Web Filters (Jan 13th Release) [sympatico.ca]
Proxomitron's JD500 Browser Header Filters (Jan 13th Release) [sympatico.ca]
If configured right, Proxomitron+JD5000 can secure any browser a lot more, especially IE from all the nasties that rely on Activex to try and get through to your machine.