The GoHip Web Virus
Note (October 11, 2000): For some reason people from time to time associate this site (http://www.gctech.net) with GoHip.com. Let us state emphatically that GCTech.net has nothing to do with GoHip whatsoever. This information is provided here solely for the benefit of our users.
You will find here a description of the effect of the GoHip Web Virus and some suggestions on how to remove it. Because to the feedback I have received from several victims, I believe that some of the ways of the GoHip thing may have changed, thus making some of these instructions obsolete.
GoHip has made available a removal tool and their own instructions that on their site. For your convenience we are providing a the link to that page.
Warning: All suggestions on the GCTech site regarding GoHip are to be used at your own risk. Gilman Computer Technologies cannot guarantee that this will resolve your GoHip problem. We are also not responsible for any adverse effects caused to your system as a result of attempting to remove GoHip.
for the GoHip Removal tool and instructions.
More information and comments: email@example.com
I recently got an e-mail from someone and it included the following message and link (I changed gohip.com to gohip.cm, so that you would not be able to activate it):
Anyway, my curiosity got the better of me and I went there. While I was at the page, I was prompted to allow the installation of an ActiveX control (usually a small program to enhance the particular page you are on). This is common on web sites and I thought nothing of it. When I accepted it, it did not seem to do anything until later, when I created a new mail message. That's when I saw the new signature with the link to GoHip.
It not only created a new default signature file it made itself the default start page and default search engine in both Internet Explorer and Netscape browsers.
This is one of the worst forms of Internet marketing I have ever seen.
You have been infected by the GoHip virus if links to that site are now appearing in your new e-mail messages and if it is the new start page in your browser.
How to get rid of the GoHip Web Virus
The following directions are suggestions only. I cannot guarantee that this will solve the problem. It is always a good idea to make a complete backup of your system before making changes.
What was actually causing this was a new signature in Outlook and Outlook Express (not sure about other e-mail programs) called "sig" that was specified as the default. Now changing the signature setting would rectify this, but my suspicion is that there were other things that would have restored it, so I will give you all I did. It is possible that not all this is necessary, you will have to decide.
First go to Control Panel|Add/Remove Programs and uninstall a program called ClickFree.
Then go to your Windows Startup folder (C:\WINDOWS\Start Menu\Programs\StartUp) and delete a program called "Windows Startup."
Next go to your windows folder (c:\windows) and delete the following two files:
- Microsoft Outlook Internet Settings.rtf
Next, in Outlook and/or Outlook Express go to Tools|Options|Mail Format. In the Signature section at the bottom, click on the Signature Picker button. Find the Signature called "sig" and confirm that it is the culprit. Click Remove to delete it. Click OK. Make sure your desired Signature is active and click OK.
You will also have to fix the Word template that is used when Word is used as your e-mail editor. Go to where your Word templates are stored (on my system, it is in: C:\Program Files\MSOffice\Office). Find the filed called "sig.dot." Right click it and select "Open". Do not select "New" since that will not edit the actual template. Erase all the contents of the template and save it.
You can change your default start page in your browser by going into its Options or Preferences.
This thing also forces Netscape and Internet Explorer's Autosearch and Search buttons to default to its own search portal. This is rectified through the Window's registry and replacing references to "GoHip" with preferred URLs (only someone experienced with the Registry should do this).
If you have any additional information on this or web viruses like it, please send your comments to: firstname.lastname@example.org