Scumware contained in some of the Logons

I came across some scumware, when unzipping one of the logons. I sent a message to wincustomize's IT people to advise same. THeir response was that I was stupid and didn't know what I was talking about. The exchange is appended:


Subject: Re: Fwd: scumware
To: "Stardock Support"

LMAO.......you use MS Security, there's a well know oxymoron. The scum installed WHILE I was downloading, and unzipping, the Logons. The scum is contained in one of the zipped files. I see that, instead of checking the problem, your IT people chastise people for reporting such things.

Xupiter does not work on a time delay, it runs at the next bootup/restart. As I have ActiveX controls disabled, it cannot install on my system. Additionally, it installs as an IE toolbar....NOT a standalone active desktop utility.

Seems you need to learn to read what people report........not assume that they are stupid and you are 'Holier Than Thou'.

Thanks for nothing



Stardock Support wrote:


Dear Sir,
None of the skin files contain executables, so it is not possible
that it came from our site. However, if you had recently been
surfing the next, you most likely ran into a web site that did not
protect themselves against Xupiter, which is spyware which will
download and install on your computer from an infected web site
usually on a time delay. We use all current MS internet securities
that safeguard us from such attacks.

Thank you,
Angie

On Wed, 15 Jan 2003 11:42:22 -0500, Stardock General Information
wrote:

>==================BEGIN FORWARDED MESSAGE==================
>>Return-path:
>>Received: from web12402.mail.yahoo.com ([216.136.173.129])
>> by stardock.com ([127.0.0.1])
>> with SMTP (MDaemon.PRO.v6.0.3.R)
>> for ; Wed, 15 Jan 2003 10:57:27 -0500
>>Message-ID:
>>Received: from [24.129.45.113] by web12402.mail.yahoo.com via HTTP; Wed, 15 Jan 2003 08:00:44 PST
>>Date: Wed, 15 Jan 2003 08:00:44 -0800 (PST)
>>From: Doyle
>>Subject: scumware
>>To: [email protected]
>>MIME-Version: 1.0
>>Content-Type: multipart/alternative; boundary="0-1469653529-1042646444=:7431"
>>X-MDRcpt-To: [email protected]
>>X-MDRemoteIP: 216.136.173.129
>>X-Return-Path: [email protected]
>>X-MDaemon-Deliver-To: [email protected]
>
>
>
>
>Last night, while downloading Logons, for Stardock's LogonStudio(TM), at least one of them installed scumware on my system. Specifically, an active
>desktop componant which was a large 'Search toolbar' style piece of scumware. Took me almost 2 hours to track this slime down, and turn it off (Registry,
>Run) I've yet to find the scumware so I can delete it. IF you bother to find and remove the file(s) containing this slime, I would greatly appreciate being
>advised on how to find and remove the scumware that installed on my system.
>
>Thank you, Doyle aka Citizen d1g3r4t1
46,532 views 221 replies
Reply #1 Top
Where in the mail they said You where stupid exactly ? Did I miss that part ?
And it would have been helpful if You had named the file in question...

Powered by SkinBrowser!
Reply #2 Top
OK...5 will get you ten that you contracted this spyware from an infected site and NOT from here.
There is a word in the English language called 'coincidence'.....comes a bit before 'contrition'.

I only hope your spyware was not contracted while perhaps warez-hunting for Stardock products.

See? It's easy to provide accusatory counter-hypotheses...

A 2 minute search found me these instructions for removing the spyware....

Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Delete the 'XupiterStartup' entry in the Right Hand pane.

Also delete the following Registry Keys:

HKEY_CURRENT_USER\Software\Xupiter
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Reboot, and delete the entire Program Files\Xupiter directory.

You're also likely to have a Xupiter ActiveX object in your Downloaded Program Files folder. Find that one, rightclick it, and choose properties. It has the following ID: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C}

Now rightclick the file, and choose delete.

Next, delete the Xupiter folder in Program Files.

Finally, go to Internet Options/Programs, and hit "Reset Web Settings".
Reply #3 Top
OK here's the deal. Stardock' logon format (.logonxp) isn't an executable and connot contain a virus.
On the other hand, the logonui.exe format made with TGTSoft's product, is indeed an executable and CAN contain virii.

Incidently, I spotted a logon that included both formats in his ZIP. Although I scanned the LogonUI.exe file for virus, it doesn't appear to be infected. Which doesn't mean it doesn't include a spyware. I have temporarely exiled the Logon in question just to be safe. And anyway, we don't want to have any executable in our files.
I am refering to AnthiStatic's Midgard logon. Is that the one you were refering to?
Reply #4 Top
Patric....I'll install that 'logonui.exe' on an alternate drive...just to check what it DOES do, and if it's 'clean'.
I've looked at it in hex and via other means and have found nothing 'odd'....

I find it a bit 'confusing' that our complainant had activeX protected and yet managed to be hit by an activeX 'object'.
Was he 'protected' or wasn't he?...
Reply #5 Top
OK...I have an alternate XP OS drive....a copy of the suspect logonui.exe, a copy of 'spybot' to find the evil critter if it's there and a copy of the reg settings to restore/remove.

What's the bet it's clean....and someone is just barking up the wrong tree?....
Reply #6 Top
Ooops! I was going to be nit-picky - but my coffee just finished brewing, and that's more important! I bet it's clean, myself! But still - enh, better safe than sorry!


Powered by SkinBrowser!
Reply #7 Top
It wasn't Xupiter. Some 'Search' scumware I've never seen and haven't been able to identify.

It's not an activeX component. It installed after unzipping.

I'm not sure which file it was. I grabbed 30 or so of them and performed a mass Unzip.

Why would I ware'z hunt for free component? DUH

A 2 minute search for Xupiter wouldn't be necassary. Spybot and Ad-ware both kill Xupiter........neither, by the way, hit on this piece of scumware.
Reply #8 Top
Oh...so what we have here is an unknown 'thing' from an unknown source that does some unknown injury.

Thanks for telling me....here I am assuming the world is wrong and you are right and am wasting my time trying to help someone do something they have o idea about themselves.
Ta, muchly.
BTW....I am now in that alternate OS...have 'tried' to install that logonui.exe...it seems to do exactly nothing, and a scan finds nothing and there is absolutely no change to anything.

Tell me again why I am bothering?
Reply #9 Top
I have an unknown scum, from a known source.

As it installed and activated during the unzip, it would have been included in the archive, not buried in the logon.

There is a word in the English Language called 'ASSume'.

Tell me again, why am I bothering?
Reply #10 Top
The majority of Stardock's products are 'paid-for' product....only some are 'freeware'.

It would not be the first time someone complained here about a pirated proggy 'gone wrong'...
Reply #11 Top
OK, what say YOU locate the source....you found it once, see if your memory is better than your manners...
Reply #13 Top
'installed and activated during the unzip'....that's pretty neat for a zip.
I've unzipped literally thousands of zips [and many other formats] and never had one actually run off and 'activate' itself...
Reply #14 Top
And if I downloaded it somewhere else, why would I be trying to warn people the archive located HERE has scumware contained?

You'll find "logic" under the L's
Reply #15 Top
Did I say it activated itself???? or did you ASSume that?

'SmartMove' catches mouse clicks where you don't want them sometimes.
Reply #16 Top
Be mindful of manners and not quite so quick to prejudge.

If you genuinely posted here for help and assistance, that's fine.
If it's purely a Stardock/Wincustomize.com bashing session then that is not quite as 'fine'.

If you seek help you 'may' get it.
If you seek argument you may get that, too, or alternatively have your access here removed.

Help us to help you, and don't make it difficult for yourself.
Reply #17 Top
AFAIK, unless the archived zip is an executable (self-unzip), nothing gets executed when you unarchive a ZIP file.
My guess is that your spyware got installed another way. Are you sure you didn't run any executable?

Jafo: OK, it seems that file is clean then. Should we put it back, or email the author to remove the executable (we already established in previous discussions that no executable should be included with skins or wallpapers).
Reply #18 Top
If you cannot locate the source why do you 'know' it originated here?
Why could it not be an email, or another site you surfed through to get here?
Why cannot it be time-bombed from months ago and only occured now, since you cannot locate the source and do not know what it is/was how is it not a delayed install?
Reply #19 Top
Jofo, be mindfull of your own manners.

You can remove anything you feel like.

I don't need assistance.

I posted to warn.

YOU started ASSuming things.

Only a few of the Logon archives are zipped. Shouldn't be too hard to track down.
Reply #20 Top
Patric...I think it's OK...but if it did 'nothing' on my comp I wonder if it is worth having anyway.
Give it a day...I'll look into it more closely.

And this is a 'virgin OS', too....not even 'skinned'...
Reply #22 Top
Doyle, the name is 'Jafo', not 'Jofo'.

All of the logon files are 'zipped'...the format 'logonui'as a suffix is a renamed 'zip'.
Reply #23 Top
WELL TELL US THEN.

Typing in all caps is not good manners, either....
Reply #25 Top
d1g3r4t1: again, unzipping a file cannot execute anything. So look somewhere else cause that's not it.