CastleCops, Internet Crime Fighters

remove win32/gaslide
Alexander (Guest, IP: 81.51.*.*)
Posted: Sat Sep 13, 2003 12:11 am

Hi,

How do I remove the Win32/Gaslide.c virus, plz?
I can not go to the display properties anymore ....

Thx in advanced.

BillC (Captain, Premium Member, MVP; Joined: Jun 25, 2003; Posts: 456)
Posted: Sat Sep 13, 2003 7:39 pm

Hey Alexander,

I searched and did not have much luck finding information on Win32/Gaslide.c. There was a brief mention about it at Kaspersky. How do you know you have it? Is there another name associated with it? Is your computer doing strange things?

If you think it is in a file, you can get a free scan at Kaspersky. Sorry, I wish I could give you more help.



Last edited by BillC on Mon Nov 17, 2003 2:24 am, edited 1 time in total
Guest (IP: 81.248.*.*)
Posted: Sun Sep 14, 2003 1:27 am

Thx for the reply, BillC ;)

The "Win32/Gaslide.c" is also known as "trojan.gaslide" by Kaspersky avp.

The solution done by Symantec is available for "trojan.gaslide.a" only :
http://securityresponse.symantec.com/avcenter/venc/data/trojan.gaslide.html

But my Pc is infected by the "trojan.gaslide.c"

Actually, I can't go to my display properties (control panel).
The trojan wants to block my desktop wallpaper.
I can't change my resolution or enable the TV out anymore ...

Help plz.

BillC (Captain, Premium Member, MVP; Joined: Jun 25, 2003; Posts: 456)
Posted: Sun Sep 14, 2003 2:08 am

Hi again Alexander,

Sounds to me like you know what it is that has infected your machine, but I'm still curious how you know? Did you do some type of scan?

OK, I've got a couple of ideas that might help. First, if you think you have a trojan, you can get a 14 fully functional trial version of Anti-Trojan that may be able to catch the critter.

If that does not work, I'd suggest a HijackThis scan that most all the time will reveal the culprit to a trained eye. You can get it free Here. If you end up with HJT, unzip, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log as a .txt file, and copy and paste its contents into your next post. Someone will help.

Alas, I'm not a HJT expert, but with enough time and Google, perhaps we can get this sorted out. Anyway, that's my view.

Just4Info (Guest, IP: 217.234.*.*)
Posted: Sun Oct 05, 2003 4:11 am    Post subject: How to remove this pest called trojan.gaslide

I know I'm very late, but I got one of these trojans today and even a Norton AV 2004 with the latest definitions didn't detect anything. Quite a mess. I'm unsure which version I had, but I will write a short summary about removal. I surely will fail to remember the exact location of some of the files, because I did not intend to write something like that, but you will find the files easily.

No website mentioned this variant, not Symantec, not McAfee, Kaspersky, etc. I love such kind of ignorance.

Change every path according to your circumstances. %windows% means your windows, but sometimes I only refer to c:\windows.

What happened: After a normal start of Windows I saw a slideshow with pictures of gay men. The normal stopping procedure with ctrl+alt+del didn't show up, so I did it with "Windows-Key"+R for Run and executed some programs I normally use for listing and killing tasks. Disconnecting from the web via physical interruption should work, too.

Then I saw a very nasty picture as background (at least they used condoms) and no possibility to change that.
To enable it again, open the registry and change the setting
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispBackgroundPage" from "1" to "0". You should delete the picture; you find it here: %windows%\system32\xtra.bmp. Then delete %windows%\system32\gay.mpg.

This trojan tries to reinstall itself and set these things back, so let us change some entries.

Search the registry for cdrunxp.exe. You should find it here
\HKEY_CLASSES_ROOT\exefile\shell\open\command
C:\WINDOWS\system32\cdrunxp.exe "%1" %*
and here
\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
C:\WINDOWS\system32\cdrunxp.exe "%1" %*
ONLY DELETE THE C:\Windows\system32\cdrunxp.exe PART!!! Else you can't start any EXE anymore before you fix that again. Perhaps you prefer to let somebody do it for you. Then go to http://www.dougknox.com/xp/file_assoc.htm and download http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip. The file contains a registry fix for executables.

To delete the file %windows%\system32\cdrunxp.exe, first disable the system recovery. Look for the procedure at http://securityresponse.symantec.com/avcenter/venc/data/trojan.gaslide.html. It is linked from the item "1. Disabling System Restore". Search the hard drive for additional copies and delete them. Then search for a file called helpctl.exe and delete all its entities, too.
I did not have files with the extension ".gst", no nload.vxd, no gsupx.exe, but I had notepad.exe, notepad32.exe, iexplorer.exe. iexplorer.exe is to be deleted; the real IE executable is called iexplore.exe. To find the malicious notepad, open the properties of every file. The version should read like 5.1.2600.0, not 1.0.0.0. Have a look at the rest of the info and you will identify every fraudulent file.

My IE told me "Gaysex is great!!!", but I still think I will continue to prefer other ways of leveling my hormones. Search for this line in your registry and delete the line, not the complete entry!!! You should find it at \HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title.

My two HDDs were called gaylove and gaysex. Renaming them to the former entries was possible.

The homepage of the IE was changed (could be called "homopage"), but it was possible to switch back with the usual way. Open IE and then Tools - Internet Options - change the entry at home page.

At last re-enable System Recovery and reboot.
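The registry changes this post walks through (the exefile handler hijack, the NoDispBackgroundPage policy, the IE Window Title) and the exefile regfix recommended later in the thread, as an added Python example that is not from the thread or from any of the posters: it parses a constructed .reg export (not taken from a real machine) and reports which of those indicators are present, and emits the stock exefile value as a fix. It assumes the stock default value of exefile\shell\open\command is "%1" %* and handles only string and dword values.

```python
import re
# Constructed .reg export (not from a real machine) with the three registry
# changes this thread describes; the IE title value is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\cdrunxp.exe \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="(constructed hijacked title)"
"""
CLEAN_EXE_COMMAND = '"%1" %*'  # stock default value of exefile\shell\open\command
HKCU = "HKEY_CURRENT_USER\\Software\\Microsoft\\"

def parse_reg(text):
    """Return {key: {value name: value}} for the string and dword values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and line[0] in '"@':
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"'):  # undo .reg escaping: \\ -> \ and \" -> "
                keys[current][name] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return keys

def gaslide_findings(text):
    """List the indicators from this thread that the export contains."""
    keys, findings = parse_reg(text), []
    for hive in ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes"):
        cmd = keys.get(hive + "\\exefile\\shell\\open\\command", {}).get("@")
        if cmd is not None and cmd != CLEAN_EXE_COMMAND:
            findings.append("EXE handler hijacked: " + cmd)
    policy = keys.get(HKCU + "Windows\\CurrentVersion\\Policies\\System", {})
    if policy.get("NoDispBackgroundPage") == 1:
        findings.append("Display Properties background page disabled by policy")
    title = keys.get(HKCU + "Internet Explorer\\Main", {}).get("Window Title")
    if title:
        findings.append("IE window title set: " + title)
    return findings

def exefile_fix_reg():  # restores the stock EXE handler, as the linked regfix does
    return ("Windows Registry Editor Version 5.00\n\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n@=\"\\\"%1\\\" %*\"\n")
```

Run `gaslide_findings(SAMPLE_REG)` against an export of the three keys (regedit's File - Export) to see which of the thread's changes are still in place after cleanup.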

BillC (Captain, Premium Member, MVP; Joined: Jun 25, 2003; Posts: 456)
Posted: Sun Oct 05, 2003 1:18 pm

Sounds like you got this one licked {pun intended!} I've not seen what it displays, but I can imagine. Thanks for the response on the steps you took.

There often seem to be copycats that see a virus/trojan and then make their own version. Sometimes these are slow to be identified if not widely spread.

Your security programs are up to date. Three things, if you don't have a good firewall, get one. Never open attachments unless you know what they are. And be very careful about file sharing.

Zone Alarm has a great basic free firewall.

!claire (General, Premium Member; Joined: Apr 21, 2002; Posts: 8380)
Posted: Sun Oct 05, 2003 4:54 pm

You can also try LooknStop with the enhanced ruleset.
Very effective firewall with a small footprint and very low on resources.

http://www.looknstop.com

Just4info (Guest, IP: 217.234.*.*)
Posted: Sun Oct 05, 2003 11:12 pm    Post subject: Additional information

This version of the virus will not be recognised by a firewall because I got it from a downloaded file. I'm still not sure which one, but I will identify it with the help of filemon and regmon from http://www.sysinternals.com. After that I will pack all this stuff together and send it to Symantec. Norton AV with signatures from Oct 3rd can't detect it. I don't use this system for direct connection to the web, so it is not very protected. I will simply disallow changes to the registry with the account I use. But I looked into it a little further, so I can give some more precise insights.

The webpage it tries to open is www.findgaypix.com. You find the files here:

c:\windows\system32\xtra.bmp
c:\windows\system32\gay.mpg
c:\windows\system32\notepad.exe
c:\windows\system32\cdrunxp.exe
c:\windows\iexplorer.exe

It is not necessary to disable System Recovery. Just delete them and change the entries in your registry.

Just4info (Guest, IP: 217.234.*.*)
Posted: Mon Oct 06, 2003 3:22 pm    Post subject: Two files I forgot

There are two additional files you need to delete:

helpctl.exe and mscomctl.vxd. You find them in your Temp folder. It is a bit difficult to explain where this is, because the folder depends on your account and is hidden, so you need to change some configurations in your folder options to see it. It should be easier to search for the files in "Documents and Settings".

My virus has a name already, it is called Trojan.Win32.Gaslide.d and can be found e.g. at Kaspersky Lab since August 29th. I have no idea why Symantec can't do that either.

Guest (IP: 80.129.*.*)
Posted: Thu Oct 09, 2003 12:13 am

Hello!

I got trouble with this thing, too. My brother is not very good with computers and he somehow managed to get his system infected with Gaslide. Since he does most of his business via programs like e-donkey, I think that it spreads with the help of filesharers.

My brother told me that for a few days now the system crashed, when trying to open a .txt file. In C:\Windows\System I found NOTEPAD.EXE and NOTEPAD32.EXE which had XP-Style logos while my brother is using WinME. After I deleted them, they re-appeared.

Now after everything else failed, I was looking for the answer on the web using another machine.

I first tried to open regedit - but I get the error that is usually displayed when you try to run a corrupted exe-file: "regedit is not a valid win32 application". This may be different for the real English Windows as I am using a localized version; but I am sure you get what I mean.
It is the same with RUNDLL32 (I tried to use that to get into the window that would let me change the wallpaper). Many other programs also won't run (like Norton at startup!). Yet I am sure that they are not corrupted. Gaslide did something to the system that prevents it from running. Normally I would simply format and rebuild the pc. But it is a matter of principle.

With most of the tools (like regedit) gone, I simply do not know what to do. I abandoned Windows almost completely after Win98 and switched to FreeDOS and Linux. I do not have much experience with all these new Windows versions like ME, 2k and XP. I was thinking about editing the registry manually from a DOS boot disk. But I am a bit unsure; as far as I know, the registry was the files USER.DAT and SYSTEM.DAT. But I think I read somewhere that this is different for WinME. But I can't recall what exactly I read. Was there a third one? Something with CLASSES or something like this? Bah. M$-Windowez. Does anybody know how Gaslide managed to make regedit (and the other win32 applications) not run?

Except for this win32-exe thing, it behaves completely like the one described by just4info. Maybe Gaslide.d? Or perhaps my brother thought this matter to be too embarrassing and did not tell me until yesterday, while having it on his system for a few days.

Thanks for your time!

phoenix22 (Site Admin, Premium Member; Joined: Mar 08, 2002; Posts: 4661; Location: APO SF96383)
Posted: Fri Oct 10, 2003 8:36 am

go to our stickies at the top of this forum and try the on-line removals and links....also the Symantec links


Thaz (Guest, IP: 193.170.*.*)
Posted: Fri Oct 10, 2003 12:44 pm    Post subject: removal not possible

Hi there,
got the same virus mentioned here. The only problem I've got: I can't delete the files in the system root as described on symantec.com

C:\Helpctl.gst
C:\Notepad.gst
C:\Notepad32.gst
C:\Nload.vxd

I don't see ANY files in the root except the folders. Also using del filename in CMD doesn't work! :/

Somebody got an idea how to work around this problem???

thnx

Guest (IP: 217.88.*.*)
Posted: Sat Oct 11, 2003 11:13 pm    Post subject: can't execute files

... download the regfix from the link above... after you added this to the registry, you should be able to execute files... for me it worked...

woter324 (Guest, IP: 213.78.*.*)
Posted: Wed Nov 05, 2003 10:19 pm

This virus has done something else to my machine, that is, when R-clicking on Properties from the My Computer icon, it comes up with the error message:
rundll32.exe - Entry Point Not Found
The procedure entry point RemoteAssistencePrepareSystemRestore could not be located in the dynamic link library WINSTA.dll.

Any ideas?

Many Thanks

woter324 (Guest, IP: 213.78.*.*)
Posted: Wed Nov 05, 2003 10:23 pm

I forgot to say: it also thinks I need to format my second hard drive when I try and access it. Strangely I can access it from my other computer via networking.

Any Ideas on this one?

Page 1 of 2