Virus Help....possibly spyware?

Started by PhillyPhreak54, May 21, 2006, 02:22:27 AM


The BIGSTUD

I passed it on to some techies. I'll get back to you after I hear from them.
Calling it right on the $ since day one.
Just pointing laughing, and living it up while watching the Miami Heat stink it up.

PhillyPhreak54

Thanks, man.

I think that I found some of the stuff that is causing my problem.

That gopher search shtein seems suspicious. I clicked on the description of it and it said it was not needed and could cause a change in the start up and homepage.

I did not delete anything though. I will wait to see what your peeps have to say.

Susquehanna Birder

That gophersearch thing was the first thing I noticed, too.

PhillyPhanInDC

#33
Phreak,
Do this (print it first, you may not be able to access this page when you are in Safe Mode.)

When in Safe Mode:
Locate and delete: C:\WINDOWS\system32\gpstool.dll

Open HijackThis and put a check by these (if you find them; if not, no worries, some may not be there) but don't hit the "Fix checked" button yet.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll


Now Make sure all the windows/browsers/other apps (minus HijackThis) are closed and then hit the "Fix Checked Button."

Scan with AdAware, remove anything it finds, and then delete everything in the quarantine.
"The very existence of flamethrowers proves that some time, somewhere, someone said to themselves, "You know, I want to set those people over there on fire, but I'm just not close enough to get the job done.""  R.I.P George.
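As an added example (not code from this thread or from HijackThis), a small Python triage script that parses R0/R1/O2 lines of the shape quoted above and flags the ones matching the indicators in this post. The sample lines are constructed, and the Browser Helper Objects key it derives for an O2 entry is the standard BHO registration path under HKLM.

```python
import re
from urllib.parse import urlparse

# Constructed sample, shaped like the R0/R1/O2 entries in the post above
# (one benign Start Page entry is added so the filter has something to pass).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/",
    r"O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/",
]

# Indicators taken from the thread: the hijacker's search host and the BHO's CLSID.
HIJACK_HOSTS = {"www.gophersearch.com"}
BAD_BHO_CLSIDS = {"{22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB}"}

# "R1 - HIVE\key,value = data" and "O2 - BHO: name - {CLSID} - path"
R_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
BHO_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def parse_line(line):
    """Turn one HijackThis line into a dict; returns None for sections not handled here."""
    m = R_LINE.match(line)
    if m:
        section, hive, key, value_name, data = m.groups()
        return {"section": section, "hive": hive, "key": key,
                "value": value_name, "data": data.strip()}
    m = O2_LINE.match(line)
    if m:
        name, clsid, path = m.groups()
        # A BHO is registered by CLSID under this key; that is where to look it up.
        return {"section": "O2", "hive": "HKLM", "key": BHO_KEY + "\\" + clsid,
                "name": name, "clsid": clsid.upper(), "path": path.strip()}
    return None

def triage(lines):
    """Return (entry, reason) pairs for lines that match the thread's indicators."""
    findings = []
    for line in lines:
        e = parse_line(line.strip())
        if e is None:
            continue
        if e["section"] in ("R0", "R1"):
            host = urlparse(e["data"]).hostname
            if host in HIJACK_HOSTS:
                findings.append((e, f"IE '{e['value']}' points at hijacker host {host}"))
        elif e["section"] == "O2" and e["clsid"] in BAD_BHO_CLSIDS:
            findings.append((e, f"BHO {e['clsid']} loads {e['path']}"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry['section']}: {entry['hive']}\\{entry['key']} -> {reason}")
```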

PhillyPhanInDC

#34
After that, restart and go into safe mode again, and delete any of these files if you find them. Restart into "normal" mode and see how the machine is running. Do more scans if it seems okay. Either way, run hijack this again and post it back in here.

Go back to Safe Mode and Locate and Delete these

C:\Program Files\Common files\updmgr (Folder)

C:\Program Files\Common Files\CMEII (Folder)

C:\Program Files\Common Files\GMT (Folder)

C:\Program Files\Altnet (Folder)

C:\Documents and Settings\as\Favorites\Health (Folder)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk

PhillyPhanInDC

Phreak,

Couple of questions: one, do you own a Dell? And two, do you have the "MyWay Search Assistant"? It is a program that comes with Dell PCs; from what I know of it, it will show news and things, but also advertise all kinds of Dell products. Some people like it, others consider it Spyware/Adware. If you want to remove it, let me know and I'll walk you through it.

PhillyPhreak54

Good stuff, bro. I will do this stuff tonight.

Yes, I do own a Dell. But the MyWay thing hasn't been a problem. I don't even know if I have it and if I do, it likely isn't activated because I have never seen anything from it.

PhillyPhreak54

Hey dude, those two links aren't working for me. I get a message saying that file 404 not found or some shtein.

PhillyPhanInDC

Well, it should show up under your Add/Remove programs menu (Start>Control Panel>Add/Remove Programs) and you should be able to remove it under there if you want. I generally don't like to have shtein on my PC that one, I didn't install, and two, that I don't use.

In regards to switching operating systems, I like the Mac stuff, but I currently use a version of Linux (which is absolutely free, and virtually virus free) called Ubuntu. You can get a free copy to play with (you can put in on a CD/DVD and boot from it and run it without installing it and deleting your Windows installation) at www.ubuntu.com.

PhillyPhanInDC

Quote from: PhillyPhreak54 on June 10, 2006, 04:13:32 PM
Hey dude, those two links aren't working for me. I get a message saying that file 404 not found or some shtein.

Sorry, they're probably old.

Try this for safe mode:

Quote:
Windows XP

If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.

If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

And for show hidden files and folders:
Quote:
Show Hidden Program or System Files

Showing hidden files can come in handy—for example, say you've tried to delete everything from a floppy disk and the disk properties still indicate 100K of disk space is being used by hidden files.

To see hidden files and folders:

1. On the Tools menu in Windows Explorer, click Folder Options.

2. Click the View tab.

3. Under Hidden files and folders, click Show hidden files and folders.

Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.

PhillyPhreak54

Quote from: PhillyPhaninDC on June 10, 2006, 03:32:45 PM
After that, restart and go into safe mode again, and delete any of these files if you find them. Restart into "normal" mode and see how the machine is running. Do more scans if it seems okay. Either way, run hijack this again and post it back in here.

Go back to Safe Mode and Locate and Delete these

C:\Program Files\Common files\updmgr (Folder)

C:\Program Files\Common Files\CMEII (Folder)

C:\Program Files\Common Files\GMT (Folder)

C:\Program Files\Altnet (Folder)

C:\Documents and Settings\as\Favorites\Health (Folder)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk


Ok, when you say "delete any of these if you find them" when I restart into normal mode, am I deleting the ones you listed in the post above or am I deleting the ones quoted in this post at this point in the process? I assume you mean the R1 and R0 and O2 stuff, right? Because I don't want to delete the Program Files stuff until I go into safe mode again, right?

PhillyPhanInDC

#41
No, in the initial list of things to do, you run (in safe mode) HiJackThis to take care of these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll

Check these in HijackThis, make sure all other windows/apps/browsers are closed then hit the "Fix Select Button". Once it is done, restart and go back into safe mode then...

Delete these files if you find them (remember to clear your Recycle Bin too):

C:\Program Files\Common files\updmgr (Folder)

C:\Program Files\Common Files\CMEII (Folder)

C:\Program Files\Common Files\GMT (Folder)

C:\Program Files\Altnet (Folder)

C:\Documents and Settings\as\Favorites\Health (Folder)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk

After that, restart the machine in normal mode, and see how it runs. If everything is shiny and happy, update all your virus defs and Spyware/Adware programs, and run them all, deleting anything they find. If it is not running right, there are some other things we can look at. Either way, after you have done all of this, get HijackThis to spit out another report and paste it in the thread again.

PhillyPhreak54

Ok, I am in safe mode now and have removed these:

Quote:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.gophersearch.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gophersearch.com/

I cannot find this:

Quote:
O2 - BHO: ohb - {22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB} - C:\WINDOWS\system32\gpstool.dll

It was not in the HiJack list after I ran it again. Matter of fact, nothing with the gpstool.dll is on the computer that I can find. I searched all files and the hard drive and came up empty on the search.

I also removed this:

Quote:
C:\Program Files\Common files\updmgr (Folder)

But I cannot find any of the others you listed after that. The only thing that came up for the GMT was time setting stuff. All other searches came up empty. I am going to restart in normal mode and see what's up and let you know. After that I will restart in safe, run HiJack and post the log.

PhillyPhanInDC

No need to run HiJackThis in safe mode again. You can run it in the normal Windows environment.

Don't worry about the ones you couldn't find....

PhillyPhreak54

Well, I restarted in normal mode and everything was moving fast until another one of those popups killed it.

This time it was a porn pop up. Most of the time before it was for that stupid add/remove adware thing. A porn one would come up every so often. But it came up again after I restarted. When it comes up it locks up the system for the most part. I had to restart the system. I am in safe mode again. Because in normal mode it takes forever to close that popup and load Mozilla to start.

How do I get rid of that?

I am about to run HiJack after I restart in normal. I just wanted to post this real quick.