Forgot your password?
typodupeerror
Internet Explorer The Internet

World's Most Annoying IE Toolbar 950

Posted by michael
from the someone-will-surpass-it-soon dept.
nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and blocks all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."
This discussion has been archived. No new comments can be posted.

World's Most Annoying IE Toolbar

Comments Filter:
  • My searches (Score:5, Funny)

    by govtcheez (524087) <govtcheez03@hotmail.com> on Thursday January 30, 2003 @10:03AM (#5188542) Homepage
    to their credit, Xupiter's search engine returns the best quality squirrel porn I've ever seen.
  • no it won't (Score:5, Informative)

    by rnd() (118781) on Thursday January 30, 2003 @10:06AM (#5188557) Homepage
    No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.

    People get into the habbit of clicking "OK" whenever something pops up. Next thing they know, they have Gator and all sorts of junk installed.
    • Re:no it won't (Score:5, Insightful)

      by sckeener (137243) on Thursday January 30, 2003 @10:21AM (#5188710)
      I don't know what you are talking about but Xupiter is known for taking over IE without prompting you.

      I just went through 20 minutes of deleting it!
    • Wrong (Score:5, Informative)

      by Tuxinatorium (463682) on Thursday January 30, 2003 @10:23AM (#5188716) Homepage
      In earlier versions of IE for windows (like the ones that come bundled with windows 98 or ME and maybe 2000) there is a very well-known security flaw that allows malicious code on a website to make the computer download and execute arbitrary files without confirmation from the user. Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves. But that's how spamware trojans like Xupiter often spread.

      And anyway, isn't that the digital equivalent of mugging and rape? I mean they either install the thing on your computer without permission and it totally fucks with everythig, or they trick you into installing it by outright lying about it and not telling you what a piece of shit spamware/spyware TROJAN HORSE it is. Couldn't they easily be sued for fraud and/or hacking people's computers?
      • Re:Wrong (Score:3, Insightful)

        by thatguywhoiam (524290)
        Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves.

        No, they should blame Microsoft. Like that article posted earlier about Slammer, the idea of blaming the victim for the crime is a little skewed. Microsoft needs to engineer better products. Because after all,

        isn't that the digital equivalent of mugging and rape?

        Er, a bit dramatic, but yeah, kind of. You can't (shouldn't?) call someone 'stupid' for getting mugged or raped.

        • Re:Wrong (Score:5, Funny)

          by lessthan0 (176618) on Thursday January 30, 2003 @01:10PM (#5189786)
          "isn't that the digital equivalent of mugging and rape?"

          Well, if someone was walking around the Internet, flaunting their IE all over the place, with their security settings half way down to their waist, then weren't they asking for it?

          Come on, you know they wanted Xupiter. They wanted it!

      • Re:Wrong (Score:3, Redundant)

        by rnd() (118781)
        You're right... Some trojans do exploit holes in old versions of software. IE is not alone here. The same could be done with some versions of Netscape, GNU/Linux Kernel, IIS, Apache, etc.

        Microsoft has helped the situation by creating the automatic update service. It is a small app that runs every day (roughly the equivalent of code run by a cron job, but handled as a windows service) and checks to see if any security patches have been released. Depending on how you set it up, it can notify you, notify you + download the updates, or do all of the above AND install the updates.

        Two things will make the kinds of exploits being discussed impossible:

        1) Completely bug/exploit free code.
        or
        2) Widespread use of tools such as Automatic updates.

        Redhat and Mandrake both have a service that emails you the latest bugfix/security information. This, combined with MandrakeUpdate and RedHat's equivalent tool, can help a sysadmin keep up with the latest patches with minimal effort. It also lowers the bar for the amount of expertise required to properly keep a system secure.
      • Re:Wrong (Score:3, Insightful)

        by FuzzyDaddy (584528)
        Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves.

        The last time I tried to download a security update to a windows product, I was asked to:

        1) Agree to new licensing terms

        2) Download the ENTIRE update for office 2000 - tens of Meg.

        It's not stupidity - it's the enormous hassle of downloading. The whole patch system Microsoft has put in place is just too screwed up to deal with.

      • Re:Wrong (Score:4, Informative)

        by nick_davison (217681) on Thursday January 30, 2003 @03:05PM (#5190413)
        Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves. But that's how spamware trojans like Xupiter often spread.

        I run Windows Update at least once a month, closing off every IE security whole as Microsoft finds a fix for it... And Xupiter's still been a pain in the ass.

        I honestly can't say for certain that it was never "agreed" to in the first place as I'm not the sole user of my home PC. What I do know is that, even after clearing the damn thing out of my system via Spybot S&D, it'll still turn up again in the middle of a session.

        About the only lasting cure I've found (other than installing Linux *grins*) is to eradicate it and then set C:\Program Files\Xupiter to read only. Seeing as it always tries to install there, that seems to stop it.

        I'm a senior web dev for a fairly major company. I keep my system patched. I have a good degree in Comp. Sci. I've used computers for 20+ years and worked on the web since '96. I'm employed to know way more about browser issues than most normal people. ...and still Xupiter's proving to be a pain in the ass. Yes, I can kill it (and have done so) but it's been a load of hassle. That's with all of my experience - should every PC user really have to have that level of knowledge before they can simply use the web?
    • I dared and tried. After visiting that web site I was prompted "Do you want to install and run..."

      So it does ask you if you want to get it installed. Problem no. 1 is, that it's signed by Verisign. Problem no. 2 is of course sitting in front of the computer mindlessly pressing "OK" whenever it pops up.

      But there is more: visit that web page, and get a hidden window which is kind of not visible, but it is there. Next visit: Bonzi pops under, telling me my computer is broadcasting an Internet Address.

      About as obnoxious as possible. But it does not install itself (Win2k, IE 5.5SP2, not latest security patches, but not much behind).

    • Re:no it won't (Score:3, Informative)

      by joshsisk (161347)
      I had this install itself on my computer and my security settings are at the default level. It was pretty easy to uninstall though. I just did a google search on "uninstall xupiter" and found a few sites with instructions. Actually, I think Spybot Search & Destroy took care of it... It really wasn't a big deal.
    • Re:no it won't (Score:5, Insightful)

      by Patrick13 (223909) on Thursday January 30, 2003 @12:53PM (#5189698) Homepage Journal
      However, if that person has ever installed anything that has 3rd party bundled software, Kazaa, for instance, it will change the setting to automatically "trust" all software "enhancements" from certain companies. This is probably what has happened to victims of this toolbar.

    • Re:no it won't (Score:5, Interesting)

      by Blkdeath (530393) on Thursday January 30, 2003 @02:16PM (#5190158) Homepage
      No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.

      I've seen and removed this toolbar from atleast a hundred machines by now, and even had machines myself on which it's become installed, and yes, it does install without my express permission. It will install as a piggy-back to another application, it will install on launch of another application, and it doesn't inform the user in the slightest.

      As for removing it, that's not terribly difficult in and of itself. Disable the toolbar in IE (View -> Toolbars -> Xupiter ... ), kill all running processes except for Explorer and Systray. Run regedit and search for 'Xupiter'. Remove all entries dedicated to the program, and the entries dedicated to the default homepage, search engine, etc. I merely change to http://www.msn.com/ and http://www.google.com/ respectively.

      For the record - I've personally witnessed software being installed on a Windows machine in real time (Win2kSP3, IE6SP1, all patches applied), with no permission dialogs appearing, letalone agreed to. (I've been in this business far too long to blindly hit "Ok"). I got a full-screen movie attempting to download (wasn't going to happen over the 56k modem) with no 'quit' option available (I had to resort to the task manager; Alt-F4, Alt-Tab, Alt-Esc, Ctrl-Esc were not responding), several icons on my desktop, and shortcuts to applications in my startup folder. I don't know if there was any further damage, or whether I prevented further damage by disconnecting from the Internet before the payload could download, but it was enough to unsettle me and send me screaming back to Mozilla.

      It not only can happen, it does happen, and it is most certainly not FUD. There is documentation of scripts/applets being downloaded and running from the "trusted" local zone which allows them pretty wide range of freedom over your system.

      Just because most Microsoft bashing is zealotry doesn't make it all false.

  • THANKS (Score:5, Funny)

    by ematic (217513) on Thursday January 30, 2003 @10:06AM (#5188560)
    Thanks a lot. I clicked on the link, and now I have this stupid toolbar installed!
    • Re:THANKS (Score:3, Funny)

      by mbyte (65875)
      you must be new to slashdot. you should not click every link thats here (didn't you learn form goatse.cx ? ;)
    • by Cpt_Kirks (37296) on Thursday January 30, 2003 @10:31AM (#5188781)
      That's what you get for running IE.

      REAL MEN parse the raw html in their heads and just imagine what the pictures are from the tags.

      Wimp.

  • by sdo1 (213835) on Thursday January 30, 2003 @10:07AM (#5188574) Journal
    No word yet if it collects and forwards personal data

    Oh yea... as if they're going to go through all of that trouble and deception and not collect and forward personal data.

    Right.

    -S

  • Pretty easy fix (Score:5, Insightful)

    by 0x0d0a (568518) on Thursday January 30, 2003 @10:08AM (#5188581) Journal
    It's pretty easy to use Moz or Opera, which never started going down the security-hostile path of automated installation from *web pages*. And bookmarking. And so forth.

    If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser. :-)

    (If you don't like the Moz suite approach, try Phoenix)
    • Re:Pretty easy fix (Score:5, Informative)

      by JimDabell (42870) on Thursday January 30, 2003 @10:40AM (#5188843) Homepage
      If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser. :-)

      At any given time there are a dozen or so security holes in Internet Explorer. Right now there are 19 security holes [pivx.com] in the latest version of Internet Explorer, with all patches and service packs applied.

    • Re:Pretty easy fix (Score:3, Insightful)

      by alcmena (312085)
      Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.
      • by tjwhaynes (114792) on Thursday January 30, 2003 @11:07AM (#5189041)

        Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.

        Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.

        Automated installs are extremely useful - it's all a question of finding that balance between ease of use and ease of abuse.

        Cheers,

        Toby Haynes

        • by frleong (241095) on Thursday January 30, 2003 @11:52AM (#5189339)
          Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.
          All of these are also available in IE. You can choose to disable downloading ANY ActiveX control (signed or not) and you'll be fine. That's what I do, after I installed the ActiveX controls I want: QuickTime and Flash.

          The basic problem is that it is easy and tempting to press "Yes" to every dialog, whether it is Mozilla or IE.

  • Help! (Score:5, Funny)

    by LucidityZero (602202) <sometimesitsalex.gmail@com> on Thursday January 30, 2003 @10:09AM (#5188588) Homepage
    Help, help! My Bonzi Buddy is eating my Gator, and my Comet Cursor is header for a direct impact with Xupiter!!!
  • No it doesn't :) (Score:5, Informative)

    by Fnagaton (580019) on Thursday January 30, 2003 @10:10AM (#5188594) Homepage Journal
    I've got default security settings and while it certainly displayed a few popups nothing else got installed. If however the user clicks 'OK' to things being installed without checking what they really do first then you get what you expect. :) Rule of thumb: Never install anything while browsing when it pops up and says "Hi install me for extra wizzy things!!!".
    • Re:No it doesn't :) (Score:3, Interesting)

      by eXtro (258933)
      I used Windows for about a year and found that occasionally something would install GatorWare (or however it is spelled). I narrowed down one instance to the software package that came with my RCA Lyra MP3 player but the source of others still eluded me. In the RCA case I had said "No, don't install GatorWare" but I still found myself the recipient of it.


      There is some mechanism where this crap gets installed and it might not be via Internet Explorer but personally can't rule it out. When I moved to Mozilla I never had this problem any more.

  • by Vapor8 (240870) on Thursday January 30, 2003 @10:10AM (#5188595)
    Isn't it ironic that the article states all the bad things that can happen to your browser/computer if you go to their site and the toolbar is installed, yet the link is provided to it? And many of us, the curious lemmings that we are, will simply click on it... ;)

    As far as I'm concerned, if you read the article and are dumb enough to go through the process of clicking the link and getting the software installed, maybe reading /. is a little over your head ;)

    Seriously folks, if you're going to want to check this think out for yourself, please have enough 'smarts' to do so with a 'non-IE' browser...
  • IE (Score:3, Funny)

    by davie (191) on Thursday January 30, 2003 @10:10AM (#5188597) Journal

    Internet Explorer

    Box of chocolates

  • Question (Score:4, Interesting)

    by Mr_Silver (213637) on Thursday January 30, 2003 @10:11AM (#5188600)
    From the article:
    Xupiter is also being bundled along with at least one peer-to-peer file sharing program

    Anyone know which P2P one it is?
    (Mainly so I can avoid it.)

  • by eXtro (258933) on Thursday January 30, 2003 @10:11AM (#5188601) Homepage
    When I first started using IBM compatibles there were forms of software which would install themselves on your system and were written to evade removal as well as modify your system in ways that you may or may not have approved of. Writing these packages was considered bad, and propogating them was even considered illegal. These small applications were called viruses.


    If it looks like a duck and quacks like a duck then it's usually pretty safe to say that it's a duck. In this case all of these enhancements sound like viruses to me, or at least a derivitave of a virus. Where viruses had to be cleverly coded in order to be as small as possible and avoid detection by a skilled hacker these new pieces of code are large and increasingly rely on being able to remove software that would remove it.


    If you modify my system without me requesting it then you've installed a virus on my system. I should be able to call the FBI computer crimes division and get proceedings underway that result in you getting some nice free government accomodations.

    • by gillbates (106458) on Thursday January 30, 2003 @10:43AM (#5188859) Homepage Journal

      I agree. But it's interesting to note that if this software had been written by an individual, rather than a corporation, the FBI would already be looking for the culprit. For some reason, corporate misbehavior is below the FBI's radar.

      From the article:

      It's a browser toolbar that some swear is doing "drive-by downloads" -- installing itself without users' permission -- then taking over their systems and making it impossible to uninstall.

      Technically, this is a virus. And IIRC, "unauthorized alteration of a computer system" is punishable by 5 years in prison and up to a $250,000 fine.

    • by demon (1039) on Thursday January 30, 2003 @10:44AM (#5188871)

      Hm. Sounds suspiciously like a trojan horse to me. Doesn't anyone know the difference anymore?

      • A virus attaches itself to other executables, and propagates by having the executable it's attached to run. It can attach to most any executable, or some attach to the boot sector.
      • A worm uses networks to attack exploitable services, and propagates that way. It doesn't necessarily require human interaction to spread.
      • A trojan horse is a program that's designed to look legitimate, but has some ill intent. It propagates by people running it. It doesn't infect other executables, it depends on people passing it on.
  • We'll show them... (Score:4, Interesting)

    by quizwedge (324481) on Thursday January 30, 2003 @10:11AM (#5188603)
    Might be fun to slashdot the site for a while to, uh, "thank" them for their generous "gift"

    Also, site said to report any problems to help@xupiter.com. How many requests do you think they'll get about the toolbard? :)
  • Man alive! (Score:3, Funny)

    by stubblehead (565808) on Thursday January 30, 2003 @10:11AM (#5188607)
    These types of apps piss me off so much! What's it gonna take for Congress to get some legislation in order...

    ***//MESSAGE TERMINATED//INSERTING REPLACEMENT//***

    XUPITER IS GREAT! EVERYONE NEEDS XUPITER! IT CAN TYPE FOR YOU! WHY DON'T YOU INSTALL XUPITER [xupiter.com] NOW?
    Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter Xupiter

  • Legal Action? (Score:3, Interesting)

    by ShwAsasin (120187) on Thursday January 30, 2003 @10:12AM (#5188617) Journal
    Could this be considered malicious? Is there any sort of legal action you could take against the company for installing the software (hacking your machine) without your permission?

    It's interesting, if a teenage computer wiz went on someones website and changed the configuration and wrote lets say "riaa is ass" they'd be charged, why is this any different? If I hack (hypothetically) into the Xupiters site and alter it, am I released from any legal liability because they did it to my machine first? Sort of like a cyber self-defence?
  • by christurkel (520220) on Thursday January 30, 2003 @10:12AM (#5188619) Homepage Journal
    But...but...I want my browser taken over too! We Mac users never any get any of the cool stuff Windows does...::snifff::
  • by Bob Abooey (224634) <bababooey@techie.com> on Thursday January 30, 2003 @10:12AM (#5188623) Homepage Journal
    There is also no word in yet if it will cause cancer or format your hard drive...

    There is also no word in yet if it will blast your brain with secret radio waves that will make you submit to secret commands from the government but it's a good idea to always wear your tin-foil hat anyways.

    Sheesh...

  • For a while now (Score:5, Insightful)

    by dachshund (300733) on Thursday January 30, 2003 @10:14AM (#5188641)
    This little beastie's been around for a while now; when I first got infected with it, most of the removal sites I found on Google were in Asian character sets, so I suppose it was pretty big over there first.

    The problem with these damn things is that you never quite know how they got onto your machine. I'm always very careful about what I install, and which dialog boxes I say "OK" to, but there's always the possibility that I accidentally let something slip through. I suppose that's why people aren't 100% sure if it can install itself right from IE without confirmation.

    I'm getting increasingly sick of using IE, but I'm constantly running across sites that Mozilla just can't handle properly (or swiftly). And yes, I've cranked up the security level, though god knows why there exists any level of "security" that would allow unconfirmed installs.

  • A Temporary Fix... (Score:5, Interesting)

    by graphicartist82 (462767) on Thursday January 30, 2003 @10:15AM (#5188649)
    Would be to activate IE's "Disable 3rd Party Extensions" option (In IE6: Tools-> Internet Options-> Advanced -> 12th Option Under the "Browsing" section)..

    I was fixing somebody's computer that had this toolbar installed and it would crash IE every time you opened IE (Or tried browsing the web via windows explorer). But once I Disabled 3rd Party Browser Extensions, it worked fine...
  • by Boss, Pointy Haired (537010) on Thursday January 30, 2003 @10:15AM (#5188659)
    Here's an alternative way to use the Security Zones of Internet Explorer to protect you from crap like this.

    First, set the "Trusted Sites" zone to the "MEDIUM" level.

    THIS MAKES YOUR TRUSTED SITES ZONE THE SAME AS THE NORMAL INTERNET ZONE.

    (People seem to flame this idea as a security risk without understanding that last bit)

    Then, modify the "Internet Zone" and disable Active Scripting.

    Finally, add all your favourite sites to the "Trusted Sites" zone.

    You can now enjoy the full functionality of JavaScript etc. on your frequently visited sites including the usual protection of the Internet Zone.

    Any site not in the Trusted Sites list cannot use JavasSript and so prevents pop-ups and other nasties such as self installing spy-ware.
  • Auto-Install (Score:5, Informative)

    by Foxxz (106642) on Thursday January 30, 2003 @10:15AM (#5188661) Homepage
    I did get this toolbar without clicking yes to anything. I wasn't on xupiter's website. I was browsing and after i was done i closed explorer. When i opened it back up late there was the tool bar. I still dont know where i got it. It took me a while to figure out who it belonged to and how to rid myself of it. I flamed away afterwards.

    -Foxxz
  • Automatic downloads (Score:5, Informative)

    by Lumpish Scholar (17107) on Thursday January 30, 2003 @10:16AM (#5188666) Homepage Journal
    On my Windows 98 SE box, I now browse with Phoenix [mozilla.org] almost all the time. I've discovered, though, that some browser downloads Internet Explorer asks me about, Phoenix installs automatically. (Phoenix seems a little too promiscuous about accepting Java, and doesn't remove .class files when it flushes the cache. Check the %WINDIR%/.jpi_cache/ directory structure.)

    It's the kind of thing you might expect from a 0.5 release; unfortunately, it's not the kind of thing you should only expect from Microsoft.
  • by bfwebster (90513) on Thursday January 30, 2003 @10:16AM (#5188675) Homepage
    My first clue about Xupiter was last night when my NIS alerted me that something called XupiterToolbar was trying to access the net. I blocked it, did a google search on Xupiter, found Spybot S&D, downloaded it, ran it, and found a whole slew of spyware, which I purged.

    Time to recheck my security settings. ..bruce..

  • by TheRaven64 (641858) on Thursday January 30, 2003 @10:18AM (#5188686) Journal
    In this country (UK) we have something called the 'Computer Missuse Act'. This is a very dull piece of legislation which says (among other things) that using someones computer without their consent is illegal. Any program which runs on your computer without your explicit consent therefore violates this. If you click 'Okay', on the other hand...
  • terrorists! (Score:3, Funny)

    by QEDog (610238) on Thursday January 30, 2003 @10:18AM (#5188687)
    this things behaves so much like a virus, that i'm sure they have to support evil terrorist with it...

    (maybe with claims like that we can convince the goverment to go start witch hunts that will go after all the irritating things like that one)

  • It's a monster (Score:5, Informative)

    by rudog (98586) on Thursday January 30, 2003 @10:21AM (#5188711) Homepage
    My wife was unfortunate enough to "click through" and victimize herself with this thing. I happened to notice 20-30 different sessions being generated every few minutes through our firewall and started tcpdump to find out what was happening.

    After finding that it did indeed have my wife's credit card number/home address/phone number I asked her what she used it for; She said that she didn't know where it came from but that it was causing her laptop to crash about every ten minutes ever since it added itself to her IE toolbar.

    I then spent about 3.5 hours hacking the WinME registry trying to peel this thing out of her laptop because it's 'uninstall' doesn't!
    • Re:It's a monster (Score:5, Interesting)

      by Rich0 (548339) on Thursday January 30, 2003 @11:36AM (#5189245) Homepage
      My wife was unfortunate enough to "click through" and victimize herself with this thing.

      This is my biggest nightmare at home. I have XP Home Edition - so I figured I finally have a solution to this problem - just make everyone else who uses the system a "limited user" - they finally figured out what unix did 20 years ago.

      Nope - turns out half the software out there doesn't run without administrator access. And it isn't just lousy shareware junk either - try running MS Flight Simulator 2002 Professional as a "limited user". So now I need an admin account for the kids to play games - I set up the ground rules as being "don't web browse when logged into the games account", but of course there is no way to enforce that. I have Mozilla installed, so that at least is a start, but IE is still out there, and even with mozilla a computer-illeterate user can download a hostile .exe.

      My only solution is to backup reasonably often. Still, I don't backup everything - just data - since it would use gobs of media. So if somebody hoses my system I'll be reinstalling everything - and that is quite a bit of junk - hundreds of megabytes of it having been downloaded from the web (redownloading over a 26k modem link isn't fun either).

      If MS would at least code their software to not require admin access I'd be happy... Then again, maybe I should find an old PIII somewhere for the kids to play games on - of course it wouldn't have the GeForce III Ti accellerated graphics...
  • Prevention tactic (Score:5, Insightful)

    by dcavanaugh (248349) on Thursday January 30, 2003 @10:32AM (#5188790) Homepage
    Somewhere along the line, my browser must have been hijacked and I got stuck with this little piece of badware. I used Ad-Aware to detect and destroy, but I got a little creative. I kept the C:\Program Files\Xupiter directory, and set the attribute to read-only. I'm hoping that any future attempted hijackings will result in the installation failing due to the inability to create or write anything into the Xupiter directory.

    attrib +r "C:\Program Files\Xupiter"
  • This is not true (Score:4, Interesting)

    by TheRealFixer (552803) on Thursday January 30, 2003 @10:38AM (#5188832)
    My IE settings on one of my boxes was set at default, as they had never been changed. Browsing to some site (either Geocities or Tripod) evidently downloaded it and installed it. There was most definatly NO dialog box, or request to install. Literally, I came back to the machine, started IE, and there was a toolbar that wasn't there before. Freaked me out.

    AdAware found it, and tried to removed it, but not everything was deleted, as there were still at least 1 or 2 DLLs that were registered and running, that couldn't be deleted. Couldn't find the processes, either. Had to use regserv to get rid of them. This company is about the lowest of the low in my book.
  • Why isn't there a 'Never trust content' checkbox? And a tab in options to review who you are and are not trusting? (Like cookies.)

    I have never checked 'always trust' and have wished for a 'Never trust, key their car, and don't ask me again' checkbox for a long, long time.

    Especially after the "Microsoft is no longer a 'Trusted' party fiasco of last year.

    If you can't trust Bill, who can you trust?

    Thanks for listening, Bonzi Buddy. You're my only friend.

  • Xupiter is the Devil (Score:4, Informative)

    by Syn404 (179434) on Thursday January 30, 2003 @10:42AM (#5188851)
    Wow. After my 15th or so run-in with Xupiter last week, I considered submitting this story to /. myself. Bah.

    Anyhow, the best page for information and removals which I've found to date is at http://www.allentech.net/parasite/Xupiter.html

    The removal info has worked every time, with the exception that on WinME it is usually possible to just drag the Xupiter folder into the Recycle Bin and delete it directly after a reboot.
  • by Necronomicant (520844) on Thursday January 30, 2003 @10:53AM (#5188932)
    I work for a fairly large tech support / helpdesk outsourcing company. Programs like this are de facto viruses from the point of view of the end user. 90% of the ones that I talk to have no idea what this is or how it works, and no idea how it got installed. I remember talking to this one person who'd had Xupiter installed and their story was "Well we clicked Yes by mistake once...."

    I find it hard to believe that it would install itself with everything set to default on a properly updated copy of IE 6.0 SP1. It's much more likely that Xupiter is just betting on people clicking yes to the security warning prompt.

    Taken from Xupiter's end user agreement [xupiter.com]: To further enhance your media viewing experience, Xupiter reserves the right to run advertisements and promotions based on URLs and/or search terms users enter when navigating the Internet. Other enhancements and to allow access, users web browser, start page, search page, auto search option, bookmarks and default error page will be changed, along with the Xupiter accessory toolbar added to the web browser. Active desktop panel will be installed on the users desktop which will enable active desktops on the system for special promotions. Our software license requires that users browser start page be set to Xupiter.com in order to continue use of the Xupiter toolbar, from time to time we verify that users start page url is set to Xupiter.com, if it is not we reserve the right to alter it back.

    Great - it enables active desktop too; what fun!
  • by rigmort (584960) on Thursday January 30, 2003 @10:53AM (#5188933)
    Do not taunt Happy Fun BarTM
  • FUI Dialogs? (Score:5, Interesting)

    by davetrainer (587868) <slashdot&davetrainer,com> on Thursday January 30, 2003 @10:56AM (#5188947)
    Healan said some installations probably occurred when people clicked "OK" in a pop-up box without really knowing what they had agreed to, or when they meant to close the pop-up window.

    Probably because the popup is a fake user interface dialog. How in God's name does even a novice user inadvertently grant permission for a software install when their original intent was to close the window? Or is it common knowledge these days that the X in the top right corner of a dialog box is synonymous with the OK button.

    Bonzi is being sued [slashdot.org] for this, and these scumbags deserve the same.

  • Ah hah! (Score:5, Informative)

    by Dannon (142147) on Thursday January 30, 2003 @11:00AM (#5188978) Journal
    So that's what this Xupiter thing is! I was visiting my family this weekend, and my sister asked me to fix her Win98 computer. IE was crashing every time she started it. I found this set of program files under this "Xupiter" directory and a bunch of load-on-startup registry items referencing them. Most of the files in this directory were locked by some running process, of course. Apparently, this Xupiter was not only self-installing but also Win98-unfriendly. And there was no uninstall program.

    Restarted at DOS prompt to delete all the files. Regedit to remove every registry entry containing "Xupiter". After that, everything worked just fine, and I cranked up the security settings before I left.
  • by bandit450 (118835) on Thursday January 30, 2003 @11:01AM (#5188991) Homepage
    Working at a university network tech support, I see a lot of this sort of thing happening. In fact, just the other day a girl came in complaining that IE was really slow and didn't work half the time. Turned out to be the Xupiter virus...not only had it commandeered IE, but it had corrupted her TCP/IP stack. Know what else we found on her computer? Gator, Ienhance (a similar toolbar that causes IE to not even load on any computer) and several other "download speeder uppers", "web enhancements", and "special offers". Security settings were set on medium, which should be plenty enough to block the installation of these toolbars, however, this girl is the type that sits on her computer and goes "ooh, I want THAT!".

    The funniest part: this is the second time she's brought her computer in with these toolbars. After we had removed them the first time, we explicitly told her NOT to download web enhancements and toolbars...here she was again.

    I have owned a computer since 1990, and since 1990, I have yet to use a passive virus scanner. Since 1990, I have yet to get a virus...this girl has had several in the past month, and she DOES have a virus scanner running.

    Less clicking, more reading.
  • by jobugeek (466084) on Thursday January 30, 2003 @11:03AM (#5189007) Homepage
    I went looked at our web site stats and Xupiter comes in at number 4 in browsers.

    1) IE

    2) Netscape

    3) Mozilla

    4)Xupiter toolbar

  • by Wolfier (94144) on Thursday January 30, 2003 @11:03AM (#5189012)
    They treat it as a virus.
    I followed this on friend's computer and it works.

    http://vil.nai.com/vil/content/v_99904.htm
  • by mao che minh (611166) on Thursday January 30, 2003 @11:08AM (#5189044) Journal
    My Windows partition is just a big heap of junk, I gave up on it a long time ago. I got me this purple bear that likes to hop at out me when I open the control panel. I got women that skate around on the title bars until I crash. There is some winsys32 process that sends my ICQ password (like I care) to a hotmail account everyday. My Internet Explorer is now more of a "Yahoo!" explorer. I even have these helpful little pop-ups that inform me of terrific new offers in internet gambling and travel - every 30 seconds.

    Actually, now that I think about it, my Redhat desktop is kind of boring.....

  • by gabe (6734) on Thursday January 30, 2003 @11:17AM (#5189110) Homepage Journal

    a thirteen year old kid writes a virus that emails itself to everyone in your address book. he's found, caught, sentenced and tossed in jail.

    a company comes along and writes a piece of "software" that installs itself on your computer without your knowledge, changes your preferences, watches your every move and reports it back to the marketeers, and digs itself into your system so the only way to get it out is to reinstall your entire computer... (oops, by the way, now that you're using Microsoft products, you may just have to buy a new version due to licensing BS) ... and the worst that happens to the company is some negative press (which, as we all know, bad press is better than no press at all).

    so, why the hell isn't the FBI busting these peoples' door down and arresting them? what is the damn difference between what they do and what script kiddies do?

    Disclaimer: I am aware that I am exaggerating, are you?

  • by phorm (591458) on Thursday January 30, 2003 @12:36PM (#5189624) Journal
    From their "terms" and "privacy policy"

    Terms
    • The Xupiter software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible
    • Xupiter has included an auto update ... upgrades may include installation of third party applications
    • To further enhance your media viewing experience, Xupiter reserves the right to run advertisements and promotions
    • . Our software license requires that users browser start page be set to Xupiter.com
    Privacy Policy
    • Members agree to review this Privacy Policy from time to time for changes and updates


    So yeah, basically the program will pop-up-ad slam you, give away your personal info, install crap software on your PC, and has the ability to change it's "terms" to allow it to do more behind your back.
  • Going after Xupiter (Score:5, Informative)

    by Animats (122034) on Thursday January 30, 2003 @02:21PM (#5190182) Homepage
    Let's see what we can find.

    Xupiter claims to be based in Hungary. But it may not be.

    First, Xupiter appears to be the same thing as Browserwise [browserwise.com]. The content of the two sites match, and you can download their malware from either site.

    Whois for Browserwise yields:

    • BROWSERWISE.COM

    • Administrative Contact: Inc., Browserwise, admin@browserwise.com
      Browserwise, Inc
      15445 Ventura Blvd
      Sherman Oaks, California 91413
      United States
      (818)229-5631
      Technical Contact: Inc., Browserwise, admin@browserwise.com
      Browserwise, Inc
      15445 Ventura Blvd
      Sherman Oaks, California 90413
      United States
      (818)229-5631
      Domain servers in listed order:
      NS1.CANDIDHOSTING.COM
      NS2.CANDIDHOSTING.COM

    A traceroute on Xupiter isn't particularly helpful, but a traceroute on Browserwise leads to "amateurpornhouse.com", hosted on the same server. The server is thus virtual hosted by name, but if you try it by IP address [slashdot.org], you get Browserwise, so Browserwise is the main user of that server. "amateurpornouse" is thus either affiliated with Browserwise, or buys hosting from them.

    Whois for "amateurpornhouse.com" yields:

    • Registrant:

    • SC Enterprises
      P.O. Box 91114
      Henderson, NV 89009
      US
      (702) 224-7750

      Domain Name: AMATEURPORNHOUSE.COM

      Administrative Contact:
      Phucksum, Jeff webmaster@sexycouple.com
      P.O. Box 91114
      Henderson, NV 89009
      US
      (702) 224-7750

    So we check Sexycouple's legal page [sexycouple.com], and find:

    • Custodian of records for SC Enterprises: All records required to be maintained by 18 USC 2257 are kept by the custodian of records, Barry Levinson, 2810 South Rainbow Blvd. Las Vegas NV. 89146.
    (Presumably this is not the well-known film director Barry Levinson.)

    Looking up "SC Enterprises" in Las Vegas, we get

    • SC Enterprises

    • 134 Spinnaker Dr
      Henderson, NV 89015-5639
      Phone: (702) 558-8908

    Also, DNS for Browserwise is provided by CandidHosting.com [candidhosting.com], next to the police station in Tampa, FL. They have to know who's behind this, so that's where to start with legal process.

    That should be enough to get the lawyers started.

    • by mark_space2001 (570644) on Thursday January 30, 2003 @06:13PM (#5191800)
      I have a previous post [slashdot.org] with xupiter.com's IP info, for those of you who want to block them.

      Browserwise.com seems to be a totally different company, even the top level where the IP range is purchased from is different. Browserwise.com is hosted at the top level by Level 3 Communcations, while xupiter.com is hosted at the top level by Quest. I looked at both web sites (with Lynx! it's safe... ^_^) and the content does NOT seem to "match" to me.

      Sorry but I think you just got carried away in your search and these two companies are not the same, or even related in anyway.

  • by Sp00nMan (199816) on Thursday January 30, 2003 @02:52PM (#5190345) Journal
    As far as I'm concerned, this program has all the qualities of a virus: Installing itself without your permissions, modifying files on your computer, reinstalling itself, etc. How come this company isn't being jumped on by the FBI for distributing a "virus"? I mean, how much gray area is there between this and any other virus that gets on your computer and modifies your files, or pop's up a "VIVA China/Tibet/etc"??

    I think they should be shut down and prosecuted for this stuff, along with all the other companies that install spyware.
  • Done! (Score:4, Informative)

    by mark_space2001 (570644) on Thursday January 30, 2003 @04:38PM (#5190925)
    host xupiter.com
    xupiter.com has address 63.236.32.50
    mail is handled by mx1.xupiter.com

    host mx1.xupiter.com
    mx1.xupiter.com has address 63.236.50.196

    whois -h whois.arin.net 63.236.32.50
    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
    63.236.0.0 - 63.236.127.255
    Internext Media, Inc. QWEST-JSV-INTERNEXT1 (NET-63-236-32-0-1)
    63.236.32.0 - 63.236.32.63

    whois -h whois.arin.net 63.236.50.196
    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
    63.236.0.0 - 63.236.127.255
    Snapshot Productions LLC. QWEST-JSV-SNPSHTPR (NET-63-236-50-192-1)
    63.236.50.192 - 63.236.50.223

    so I added 63.236.32.0 - 63.236.32.63 and 63.236.50.192 - 63.236.50.223
    to my firewall block list, and they shalt never trouble me henceforth.

    Done! Next!

  • by rice_burners_suck (243660) on Thursday January 30, 2003 @09:50PM (#5193208)
    Where do I get this toolbar?

    My systems are set up as minimally as possible for efficiency and reliability. For the life of me, I can't figure out how people manage to screw up their computers as badly as they often do.

    I have many friends who have enormous hard drives and have filled them to the brim with all kinds of programs and downloads. Their computers, which are some of the fastest around in terms of hardware resources, run more slowly than an old 286 would if it was running Windows XP through a Pentium IV emulator written in Microsoft GW-BASIC, where the emulator's "RAM" and its processor registers reside on a slow tape drive, with each register on opposite ends of the tape. Oh, and did I mention all the graphics, sounds, windows, and other garbage that shows up all the time as they're running their computer? Just so you understand, all they ever do is write emails and write text in a word processor. But their computers are filled to the brim with crap.

    I think the xupiter toolbar would be an innovative addition to my friends' highly optimized configuration.

    Sincerely,


    The Negra Modelo Troll

    P.S., I drink Guinness too. I know I've talked smack on its flavor in the past but you have to find a bartender who knows how to pour and serve it. I can't stand the stuff out of bottles.

"Life, loathe it or ignore it, you can't like it." -- Marvin the paranoid android

Working...