Several months ago, out of nowhere, a new toolbar called "NetSearch"
appeared on my browser. I know that I can make it disappear visually.
The problem is that it seems to have taken over the search function on
my browser. It used to be that when I clicked on "search" the standard
explorer window would open up. It allowed me to use several engines
simultaneously. Now, when I click on the "search" button, a window
opens with what appear to be advertising categories such as
"gambling", "viagra", "money", etc. I want my old search function
back!!! I've had something similar happen with something called
"xupiter". I went to their website, where they offered what I think
was a fake uninstall program. I uninstalled, then searched files for
"xupiter". There it was! I've deleted everything I could find, but
can't be sure it's really gone. The problem with "NetSearch" is that
nothing comes up when I search files for it. Help and thank you.
Alex

alexandraroman,

You have been hit with what is called a spyware or scumware
application.  Netsearch is a very well known application in that it
removes search toolbars, such as Yahoo! or Google that you ahve
installed.  It is also thought that this application may track URLs
that you have visited as well.  Fear not, though, there is a way to
uninstall this beast.  If you visit
http://www.panicware.com/product_downloads.html and download Pop-Up
Scanner, which is free, it will scan and remove the compnents of the
NetSearch.  It is also a pop-up blocker for future surfing.

If you would rather remove and not add anything to block pop ups, you
can visit http://ww2.ieplugin.com/uninstall2.html for several options,
including automatic and manual removal instructions.

Now, this being said, you may still have some other spyware/scumware
applications on your computer that is causing the the pop-ups.  I
highly recommend, even if the removal of NetSearch clears your
problem, that you visit http://www.lavasoftusa.com and downlowad
AD-Aware.  This free program will scan your computer for scumware and
spyware and remove it.  You will be amazed at what it finds.  I run it
weekly as part of my maintenance to be sure those applications stay
off of my PC.

Good luck and if you need any additional clarification, please let me
know.

Regards,

-THV

Search Strategy:
NetSearch spyware

References:
PanicWare
http://www.panicware.com/product_popupscanner.html

---

Request for Answer Clarification by alexandraroman-ga on 09 Dec 2002 16:43 PST

Hi. Thank you very much for responding so quickly.  I downloaded the
Pop-Up Scanner. Unfortunately, this did not seem to solve either the
toolbar or the search window problem. So, as you suggested, I
downloaded the Ad-Aware. Many (83) suspicious items were found. After
I had them removed (after backing up first for safety), the extra
toolbar was gone for real (it's no longer listed as "new item", or
something like that, in the Toolbars menu). However, when I clicked on
my standard search button, I got the same annoying ad-type search
window opening up on the left of my screen instead of my old search
window. This time, I moved my cursor into the window and right clicked
(something I should have done before). It's that damn xupiter! I've
run find files and removed everything with the name and still it's
there! "Beast" is right. When I right click and go to properties it
lists the following: "http://www.xupiter.com/search2.html"
I have come across the following (at
http://www.broadbandreports.com/forum/remark,4874385~root=spam~mode=flat):
"I GOT XUPITERED
The evolution of IP vandalism continues.
Stage 1: Viruses
Stage 2: SPAM
We're now at Stage 3: XUPITER

Xupiter is the combination of a virus and SPAM, hence the phrase, "I
got Xupitered"!

Twice in as many months I've had this spam/virus install itself on my
computer without my permission. What does it do?

While surfing the net, a window will appear asking if you want Xupiter
and before you can answer, it installs itself as a HIDDEN series of
programs. It appears to install as a browser plug-in however it
operates in 100% stealth mode. You won't find it in your registry,
therefore you cannot simply go to uninstall programs to rid yourself
of it - it won't be there. It also does not appear as a browser
plug-in, at least, Norton CleanSweep cannot find it. It does however
install itself with a Program Files folder called Xupiter. If you
really want to install it, go to their website (xupiter.com) and after
a lot of searching you will see a reference to, "If you want to
install Xupiter, download and execute this program" YEAH, RIGHT! If it
installs itself without your permission, can you imagine what the
uninstaller will do??

It also installs a new toolbar, which can be turned off from
View|Toolbars. The toolbar is a search feature which all leads back
to...guess where?? You cannot uninstall it.

It also installs a sniffer that operates in stealth mode. What all it
does I have not confirmed but after waiting for it to install itself
(couldn't do anything else and it also crashed my Internet Explorer
session), I ran LavaSoft AdAware and it found the sniffer. It was
directly linked to Xupiter so I suspect that it gathers data about
what the user is doing and the company probably sells the info to
their advertisers.

What is the most noticeable and ANNOYING "feature"? IT replaces the
browser's error404 page with a redirect to the Xupiter search engine.
If you try to hit your back button, you can't - it always
autorefreshes back to itself.

Where are they located? Hungary. It's a hidden company that is
virutally impossible to locate. Why would they want anyone to find
them after the damage it has inflicted on unsuspecting users.

So, what can a victim do?

1. Flood the newsgroups and forums with the new catchphrase, "Xupiter"
and "Xupitered", meaning, I got hit by something far more invasive
than a virus and spam combined.
2. Contact Xupiter's advertisers - including VERIZON WIRELESS and tell
them about it. Better yet - BOYCOTT the advertisers' services and tell
them you are!
3. Contact your ISP and ask them to block all traffic from
xupiter.com. It will help your ISP save money for everytime a user
gets a 404, they generate packet traffic to xupiter. THAT COSTS US
ALL!
4. REFUSE to accept this TRASH as a fact of Internet life! FIGHT BACK!
PUT XUPITER OUT OF BUSINESS!
5. REPEAT #1. The new Internet catch phrase is, "I GOT XUPITERED"! "
****************************************************************************
I would appreciate your advice on how to deal with this. Thanks again.
Alex

---

Clarification of Answer by tar_heel_v-ga on 09 Dec 2002 17:31 PST

alexandraroman, 

First, I would like to apologize. I read that you had taken care of
the Xupiter problem, but it is apparent you did not.  In researching
Xupiter, it appears that it is one of the nastiest ones out there in
regards to scumware.

There are a couple of things you can do.  First, be sure that you have
most current version of AD-Aware as it should detect and clean Xupiter
according to the September 21st edition of Spyware Weekly found at
http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html

You may want to give Spybot, at http://security.kolla.de/, a shot. 
Another spyware/scumware application remover, they also say their most
current version will clear Xupiter.

If all else fails, here is the manual way to get rid of Xupiter, as
posted on From http://www.spywareinfo.com/newsletter/archives/september-2002/09212002.html
:

Open the registry (from the Start menu, click Run and enter regedit)
and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Delete the 'XupiterStartup' entry in the Right Hand pane.

Also delete the following Registry Keys:

HKEY_CURRENT_USER\Software\Xupiter
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution
Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Reboot, and delete the entire Program Files\Xupiter directory. 

You're also likely to have a Xupiter ActiveX object in your Downloaded
Program Files folder. Find that one, rightclick it, and choose
properties. It has the following ID:
{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Now rightclick the file, and choose delete. 

Next, delete the Xupiter folder in Program Files. 

Finally, go to Internet Options/Programs, and hit "Reset Web
Settings".

However, before fiddling with your registry, be sure you have all
updates to AD-Aware and give Spybot a shot.

Now, regarding what a victim can do.  You have made one of the most
important steps in voicing your opinion.  Your ideas are all valid and
have been implemented in small, grass roots campaigns all over the
Internet. Visit the forums at AD-Aware,
http://www.lavasoftsupport.com/ , and Spybot,
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi as they
both have many active members that feel the same way as you.

Here are some more locations where you can find out more about
spyware/scumware and the options you have to protest:

alt.privacy.spyware
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=alt.privacy.spyware

Spychecker.com
http://www.spychecker.com/

Spyware Watch
http://www.spyware.co.uk/


Again, good luck to you and let me know if there is anything else I
can do.  This, along with using the updated AD-Aware and Spybot should
take care of that garbage once and for all.

-THV

I installed the spybot & it got rid of the xupiter!!! Thank you. There
was certainly no need to apologize. I thought that I HAD gotten rid of
the xupiter.I should have thought of right-clicking the search window
earlier. After the xupiter was gone, I faced the temporary problem of
a blank white space at the left side of my screen after clicking on
search. The customize did not work. However, after reseting the
internet defaults (under Tools), I was able to click on search, get
the blank window, click on customize, choose my engines and, finally,
get my old search function back. Once again, thank you for your help!