# My computer is infected!

Hey guys,

I got this virus which calls itself "GoSSave 3.0," more commonly known as the Go Save Virus. It is a Google-Chrome extension that installs itself without permission and carries out many harmful activities. It is undetectable by an anti-virus (I did run a full scan), and unremovable via basic methods. As described by MiTechMate,

So far, I've only gotten the ads. I click somewhere, anywhere in Chrome, and once in a while it will redirect me to some random (harmful or spamful) website. I've detected the virus early, so probably it is at its early stages. I think I got it a few days ago, not exactly sure from where.

I've tried to follow the steps shown in the link above, but it mostly seems like a false-hope guide in order to draw you into live chat (they even blur out the text in the screenshots so that you have to figure things out on your own). It is a rhetoric to attract customers. Customers because they'll chat with you for a while and then give you a link where they list their "plans" for their services. One-time service cost $65 - I can't afford that. They did make a fair point though - most other services charge far more. Last time it cost$400 to fix a simple issue, so 65 isn't so bad in comparison.

Why am I writing this here? Well, because I don't see Brilliant as just a website where people share and solve math and physics problems. I see it as an intellectual community of respectful individuals who are willing to help each other out in time of need (as I've witnessed throughout multiple occasions in time being). So please, if there are any people who are good at virus sniping, I ask of your help. Otherwise, I may have to go with the 65$option after all. Thank you! UPDATE 1 Noticed "GS_Booster.exe" as an unknown file in Windows Task Manager, turned out to be a virus. Solution details by FreeFixer.com. This could be a by-product of our big virus here. The curing continues... Note by John M. 6 years, 2 months ago This discussion board is a place to discuss our Daily Challenges and the math and science related to those challenges. Explanations are more than just a solution — they should explain the steps and thinking strategies that you used to obtain the solution. Comments should further the discussion of math and science. When posting on Brilliant: • Use the emojis to react to an explanation, whether you're congratulating a job well done , or just really confused . • Ask specific questions about the challenge or the steps in somebody's explanation. Well-posed questions can add a lot to the discussion, but posting "I don't understand!" doesn't help anyone. • Try to contribute something new to the discussion, whether it is an extension, generalization or other idea related to the challenge. • Stay on topic — we're all here to learn more about math and science, not to hear about your favorite get-rich-quick scheme or current world events. MarkdownAppears as *italics* or _italics_ italics **bold** or __bold__ bold - bulleted- list • bulleted • list 1. numbered2. list 1. numbered 2. list Note: you must add a full line of space before and after lists for them to show up correctly paragraph 1paragraph 2 paragraph 1 paragraph 2 [example link](https://brilliant.org)example link > This is a quote This is a quote  # I indented these lines # 4 spaces, and now they show # up as a code block. print "hello world" # I indented these lines # 4 spaces, and now they show # up as a code block. print "hello world" MathAppears as Remember to wrap math in $$ ... $$ or $ ... $ to ensure proper formatting. 2 \times 3 $2 \times 3$ 2^{34} $2^{34}$ a_{i-1} $a_{i-1}$ \frac{2}{3} $\frac{2}{3}$ \sqrt{2} $\sqrt{2}$ \sum_{i=1}^3 $\sum_{i=1}^3$ \sin \theta $\sin \theta$ \boxed{123} $\boxed{123}$ ## Comments Sort by: Top Newest Have you tried uninstalling Chrome and reinstalling a fresh copy? (Remembering to backup any bookmarks you want to keep.) Staff - 6 years, 2 months ago Log in to reply Ill try. Thanks. - 6 years, 2 months ago Log in to reply @John Muradeli Since it's a Google Chrome extension, I would do the following: 1) Detach your Google account from the chrome browser IMMEDIATELY. 2) Find the 'Google' folder and find the Chrome folder after. (usually in like %APPDATA% for Windows or /Library/Application Support/ in Mac. If you have Linux, check for your distro.) If your anti-virus has a storage bin for viruses, drag Chrome's base folder in. Else, you can delete it, but once you do, ALL DATA WILL BE LOST. You will have to sign in to all of your services again and it will become a clean instance of Chrome. 3) Use anti-virus and run a full scan. 4) Restart in safe mode (http://windows.microsoft.com/en-us/windows/start-computer-safe-mode#start-computer-safe-mode=windows-7) so you can prevent other programs from running by default. 5) Open Chrome again, please tell us what happens from there. A log file would be useful! If you need clarification, just ask me in the comments. - 6 years, 2 months ago Log in to reply I have a Windows XP Inspiron 8600. Shall I proceed with #2 as follows?: s Thank you - 6 years, 2 months ago Log in to reply If you don't want your history/bookmarks/etc. anymore, then go ahead! Also, you might want to delete some of the other folders in 'Google' too; just browse them to make sure the virus is not hidden there. I have a virus chest (avast!) so I usually quarantine unsafe items there. @John Muradeli - 6 years, 2 months ago Log in to reply Would it be for the best to shred the entire a google folder? I will get the essentials with the download, right? And idc for any data I have on it. (sorry for stretching on this, probably the last time I ask about #2. and tyvm for responding :)) - 6 years, 2 months ago Log in to reply @John Muradeli You would lose the Google Toolbar and other info, but it would be easy to set back up/install if you have your Google account. (it reverts back with your bookmarks, etc.). Just don't sign it in just yet :). Sidenote: Check what's running in the processes; there might be the virus running in the background, just waiting to reinstall the ext. back in. Also, if my steps don't work for some unknown reason, try Google Chrome Canary, the developer's version of Google Chrome; completely seperate profile from regular Chrome. - 6 years, 2 months ago Log in to reply Ok, big update: Check UPDATE #1 in original note; Ok, so I followed their procedures. Got rid of GS_Booster (or it seems like it). The scan also revealed GoSSave, and was unable to fix/delete and said it'd do so after a reboot. After a reboot, it tried to delete it prior to launching me to the user selection screen, but when I ran the scan again the darn thing was still there (and in GC extensions). Enabling the dev mode, here's what I got: GS And, clicking on the link below "Loaded from," I got: ss (I had to log back into chrome to upload these images to google sites to get the URL for it - I don't know any other way. If you do, please share.) So, what do you think? Any thoughts? I shall proceed with our shredding plan if that's still the best option. - 6 years, 2 months ago Log in to reply @John Muradeli First, just wondering, did you stop & uninstall the program through the Control Panel? (as @Rahul Barala suggested) It's fine if you didn't, I can better help your situation if I know what's going on :D Second, apparently the extension runs on JS and HTML files. Can you try screenshot-ing (part of) the files' code through an editor and show it to us? Make sure you don't just double click or else it will run the virus; instead, right click and choose Open with (or something of the like) and choose a code editor or Notepad. Thank you for showing me the virus situation and looking in to it. And yes, you can now safely shred the malicious folders. Hope your computer gets better! - 6 years, 2 months ago Log in to reply I was unable to detect the virus in Add or Remove Programs. What do you mean by "screenshot-ing part of the files' code through an editor"? Where do I find the files' code? I'll begin shredding in half an hour (need to finish something first). Thanks (I'll be adding any new info I find about the virus from now on, probably may help.) (New note: The virus's functionality seems to be neutralized when I delete it from extensions (but not permanently, it revives upon restart). - 6 years, 2 months ago Log in to reply Hmm, a safe mode reboot should fix all that because it will prevent it from starting up automatically. Also, sorry if I didn't clarify what I said before; here are some screenshots for visual learners (like me!): In here, you right click on of the virus JS files and click on Open With.. This should work on Windows XP. In here, you right click on of the virus JS files and click on Open With.. This should work on Windows XP. Choose a text editor (eg. Notepad or other code editor) and screenshot it like so. Choose a text editor (eg. Notepad or other code editor) and screenshot it like so. https://support2.microsoft.com/kb/307859 - 6 years, 2 months ago Log in to reply @John Muradeli - 6 years, 1 month ago Log in to reply Oh just look at you, trying to ensure I get the message! That's cute ^.^ Yea I was really busy today, didn't have time for this jazz. I think I'll do it later today. Thanks again, Kevin! - 6 years, 1 month ago Log in to reply Ah, I see. I hope everything goes well for you (and your computer) today! - 6 years, 1 month ago Log in to reply Um, about screenshooting, I don't know where the file is. But I did find this: s The pest is spreading. I'm gonna start shreddin now. - 6 years, 1 month ago Log in to reply @John Muradeli Good idea. Wow, the JS is a little out of hand. First: • This is obviously not how I would code JS. Ever. • It's just made up of encrypted messages that I doubt ANYONE can understand (Would you like some x8K9n1 today?), but I think those codes are defined over the cloud or in qgb8tmnx.js. Yeah, shredding is a good idea. - 6 years, 1 month ago Log in to reply Aight gonna do some shredding tomorrow and tell ya how it went. thx meh - 6 years, 1 month ago Log in to reply ah nvm i found it; May God have Mercy on your soul... cy.js s Ioo4.js (capital i) ss qgb8tmnx.js 3 4 5 6 You probably can't read that, though. Here are the links to all the images, respectively: https://sites.google.com/site/golddragonclanwebsite/zzz-picture-gallery/1000overlord/wassup1.JPG Modify the 1 from 1 to 6 for all the images. So should I shred or what :O - 6 years, 1 month ago Log in to reply this happened with me also but i uninstall that unwanted program from my pc control panel - 6 years, 2 months ago Log in to reply Better install an Antivirus of your favorite, this is the only solution for this kind of malicious viruses. I have my Comodo Free Version (https://antivirus.comodo.com/antivirus-for-windows-8/ ) installed into my PC. It keeps my system protected. You should go ahead in protecting your PC just like me protecting and after that you could not spell a word that your PC suffers from virus. So go ahead with your favorite antivirus software. - 5 years, 6 months ago Log in to reply Actually I got a new computer - Acer Chromebook just for$200. Works perfectly.

Thanks though!

- 5 years, 6 months ago

my netconnect device says connected but when i run browser it says web page not available and also it shows 0 kbps receiving speed and 0 kbps sending speed.

but when i run the device on my other laptop it runs good. Help me guys.

- 6 years, 2 months ago

(Note to OP, this should be created in another note. If you can do that and share the link, I'll be happy to assist you there.)

- 6 years, 2 months ago

Search it in your registry, delete the entry and delete the data in ...roaming folder. Empty the recycle bin, reset the chrome browser. Restart!

- 6 years, 2 months ago

- 6 years, 1 month ago