
My computer is infected!

Hey guys,

I got this virus which calls itself "GoSSave 3.0," more commonly known as the Go Save Virus. It is a Google-Chrome extension that installs itself without permission and carries out many harmful activities. It is undetectable by an anti-virus (I did run a full scan), and unremovable via basic methods. As described by MiTechMate,

"... Go Save changes your default home page to an unwanted website, it redirects your browser to some insecure domains, displays excessive amounts of pop-up ads on your screen and so on. Apart from that, Go Save virus can also download other malware infections onto your computer, like trojan viruses, worms, keyloggers, police ransomware. More seriously, Go Save virus is good at tracking your surfing habits. If you don't take any feasible measure to get rid of it, it may even secretly steal your personal information."

So far, I've only gotten the ads. I click somewhere, anywhere in Chrome, and once in a while it will redirect me to some random (harmful or spamful) website. I've detected the virus early, so probably it is at its early stages. I think I got it a few days ago, not exactly sure from where.

I've tried to follow the steps shown in the link above, but it mostly seems like a false-hope guide in order to draw you into live chat (they even blur out the text in the screenshots so that you have to figure things out on your own). It is a rhetoric to attract customers. Customers because they'll chat with you for a while and then give you a link where they list their "plans" for their services. One-time service cost $65 - I can't afford that. They did make a fair point though - most other services charge far more. Last time it cost $400 to fix a simple issue, so 65 isn't so bad in comparison.

Why am I writing this here? Well, because I don't see Brilliant as just a website where people share and solve math and physics problems. I see it as an intellectual community of respectful individuals who are willing to help each other out in time of need (as I've witnessed throughout multiple occasions in time being). So please, if there are any people who are good at virus sniping, I ask of your help. Otherwise, I may have to go with the 65$ option after all.

Thank you!


UPDATE 1

Noticed "GS_Booster.exe" as an unknown file in Windows Task Manager, turned out to be a virus. Solution details by FreeFixer.com.

This could be a by-product of our big virus here. The curing continues...

Note by John Muradeli
2 years, 3 months ago


Comments


@John Muradeli

Since it's a Google Chrome extension, I would do the following:

1) Detach your Google account from the chrome browser IMMEDIATELY.

2) Find the 'Google' folder and find the Chrome folder after. (usually in like %APPDATA% for Windows or /Library/Application Support/ in Mac. If you have Linux, check for your distro.) If your anti-virus has a storage bin for viruses, drag Chrome's base folder in. Else, you can delete it, but once you do, ALL DATA WILL BE LOST. You will have to sign in to all of your services again and it will become a clean instance of Chrome.

3) Use anti-virus and run a full scan.

4) Restart in safe mode (http://windows.microsoft.com/en-us/windows/start-computer-safe-mode#start-computer-safe-mode=windows-7) so you can prevent other programs from running by default.

5) Open Chrome again, please tell us what happens from there. A log file would be useful!

If you need clarification, just ask me in the comments. Kevin Mo · 2 years, 3 months ago


@Kevin Mo I have a Windows XP Inspiron 8600.

Shall I proceed with #2 as follows?:

[screenshot]

Thank you John Muradeli · 2 years, 3 months ago


@John Muradeli If you don't want your history/bookmarks/etc. anymore, then go ahead! Also, you might want to delete some of the other folders in 'Google' too; just browse them to make sure the virus is not hidden there.

I have a virus chest (avast!) so I usually quarantine unsafe items there. @John Muradeli Kevin Mo · 2 years, 3 months ago


@Kevin Mo Would it be for the best to shred the entire Google folder? I will get the essentials with the download, right? And idc for any data I have on it.

(sorry for stretching on this, probably the last time I ask about #2. and tyvm for responding :)) John Muradeli · 2 years, 3 months ago


@John Muradeli You would lose the Google Toolbar and other info, but it would be easy to set back up/install if you have your Google account. (it reverts back with your bookmarks, etc.). Just don't sign it in just yet :).

Sidenote: Check what's running in the processes; there might be the virus running in the background, just waiting to reinstall the ext. back in. Also, if my steps don't work for some unknown reason, try Google Chrome Canary, the developer's version of Google Chrome; completely separate profile from regular Chrome. Kevin Mo · 2 years, 3 months ago


@Kevin Mo Ok, big update:

Check UPDATE #1 in original note;

Ok, so I followed their procedures. Got rid of GS_Booster (or it seems like it). The scan also revealed GoSSave, and was unable to fix/delete and said it'd do so after a reboot. After a reboot, it tried to delete it prior to launching me to the user selection screen, but when I ran the scan again the darn thing was still there (and in GC extensions).

Enabling the dev mode, here's what I got:

[screenshot]

And, clicking on the link below "Loaded from," I got:

[screenshot]

(I had to log back into chrome to upload these images to google sites to get the URL for it - I don't know any other way. If you do, please share.)


So, what do you think? Any thoughts? I shall proceed with our shredding plan if that's still the best option. John Muradeli · 2 years, 3 months ago


@John Muradeli First, just wondering, did you stop & uninstall the program through the Control Panel? (as @Rahul Barala suggested) It's fine if you didn't, I can better help your situation if I know what's going on :D

Second, apparently the extension runs on JS and HTML files. Can you try screenshot-ing (part of) the files' code through an editor and show it to us? Make sure you don't just double click or else it will run the virus; instead, right click and choose Open with (or something of the like) and choose a code editor or Notepad.

Thank you for showing me the virus situation and looking into it. And yes, you can now safely shred the malicious folders.

Hope your computer gets better! Kevin Mo · 2 years, 3 months ago
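Added example, not part of the original thread: a read-only way to look at the folder shown under "Loaded from" without double-clicking anything. It assumes Chrome's usual on-disk layout (`Extensions/<extension id>/<version>/manifest.json` inside the profile folder); the function names `audit_extension` and `audit_profile` are made up for this sketch.

```python
import hashlib
import json
import sys
from pathlib import Path

# Host patterns that let an extension read and modify every page you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extension(version_dir):
    """Summarise one unpacked extension folder without running any of its code."""
    version_dir = Path(version_dir)
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    scripts = {}
    for path in sorted(version_dir.rglob("*.js")):
        rel = path.relative_to(version_dir).as_posix()
        # A hash identifies the file for a later lookup or comparison.
        scripts[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "permissions": perms,
        "broad_access": sorted(BROAD_HOSTS & set(perms + matches)),
        "scripts": scripts,
    }


def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<extension id>/<version>/ and audit each folder."""
    report = {}
    for manifest in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            report[ext_id] = audit_extension(manifest.parent)
        except (OSError, ValueError) as exc:  # unreadable or malformed manifest
            report[ext_id] = {"error": str(exc)}
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    # Pass the Extensions folder of the Chrome profile as the only argument.
    for ext_id, info in audit_profile(sys.argv[1]).items():
        print(ext_id, json.dumps(info, indent=2))
```

An extension you do not recognise that lists a `broad_access` pattern is the one to look at first, and the printed hashes let you compare its scripts before and after a reboot.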


@Kevin Mo I was unable to detect the virus in Add or Remove Programs.

What do you mean by "screenshot-ing part of the files' code through an editor"? Where do I find the files' code?

I'll begin shredding in half an hour (need to finish something first).

Thanks

(I'll be adding any new info I find about the virus from now on, probably may help.)


(New note: The virus's functionality seems to be neutralized when I delete it from extensions (but not permanently, it revives upon restart).) John Muradeli · 2 years, 3 months ago


@John Muradeli Hmm, a safe mode reboot should fix all that because it will prevent it from starting up automatically.

Also, sorry if I didn't clarify what I said before; here are some screenshots for visual learners (like me!):

In here, you right click on one of the virus JS files and click on Open With.. This should work on Windows XP.

Choose a text editor (eg. Notepad or other code editor) and screenshot it like so.

https://support2.microsoft.com/kb/307859 Kevin Mo · 2 years, 3 months ago


@Kevin Mo @John Muradeli Kevin Mo · 2 years, 3 months ago


@Kevin Mo Oh just look at you, trying to ensure I get the message! That's cute ^.^ Yea I was really busy today, didn't have time for this jazz. I think I'll do it later today. Thanks again, Kevin! John Muradeli · 2 years, 3 months ago


@John Muradeli Ah, I see. I hope everything goes well for you (and your computer) today! Kevin Mo · 2 years, 3 months ago


@Kevin Mo ah nvm i found it;

May God have Mercy on your soul...

cy.js

[screenshot]

Ioo4.js (capital i)

[screenshot]

qgb8tmnx.js

[4 screenshots]

You probably can't read that, though. Here are the links to all the images, respectively:

https://sites.google.com/site/golddragonclanwebsite/zzz-picture-gallery/1000overlord/wassup1.JPG

Modify the 1 from 1 to 6 for all the images.


So should I shred or what :O John Muradeli · 2 years, 3 months ago


@Kevin Mo Um, about screenshotting, I don't know where the file is. But I did find this:

[screenshot]

The pest is spreading. I'm gonna start shreddin now. John Muradeli · 2 years, 3 months ago


@John Muradeli Good idea.

Wow, the JS is a little out of hand. First:

  • This is obviously not how I would code JS. Ever.
  • It's just made up of encrypted messages that I doubt ANYONE can understand (Would you like some x8K9n1 today?), but I think those codes are defined over the cloud or in qgb8tmnx.js.

Yeah, shredding is a good idea. Kevin Mo · 2 years, 3 months ago


@Kevin Mo Aight gonna do some shredding tomorrow and tell ya how it went.

thx meh John Muradeli · 2 years, 3 months ago


Have you tried uninstalling Chrome and reinstalling a fresh copy? (Remembering to backup any bookmarks you want to keep.) Suyeon Khim Staff · 2 years, 3 months ago


@Suyeon Khim I'll try. Thanks. John Muradeli · 2 years, 3 months ago


Better install an Antivirus of your favorite, this is the only solution for this kind of malicious viruses. I have my Comodo Free Version (https://antivirus.comodo.com/antivirus-for-windows-8/ ) installed into my PC. It keeps my system protected. You should go ahead in protecting your PC just like me protecting and after that you could not spell a word that your PC suffers from virus. So go ahead with your favorite antivirus software. Emily Lauren · 1 year, 8 months ago


@Emily Lauren Actually I got a new computer - Acer Chromebook just for $200. Works perfectly.

Thanks though! John Muradeli · 1 year, 8 months ago


This happened with me also, but I uninstalled that unwanted program from my PC control panel. Rahul Barala · 2 years, 3 months ago


Get free antivirus software from comodo & scan your computer. Download free antivirus here: https://antivirus.comodo.com/download-free-antivirus.php Stacey Matthews · 1 year ago


Try resetting your Google Chrome. Palash Som · 2 years, 3 months ago


Search it in your registry, delete the entry and delete the data in ...roaming folder. Empty the recycle bin, reset the chrome browser. Restart! Akash Vaidya · 2 years, 3 months ago


My netconnect device says connected, but when I run the browser it says web page not available, and it also shows 0 kbps receiving speed and 0 kbps sending speed.

But when I run the device on my other laptop it runs fine. Help me guys. Gautam Sharma · 2 years, 3 months ago


@Gautam Sharma (Note to OP, this should be created in another note. If you can do that and share the link, I'll be happy to assist you there.) Kevin Mo · 2 years, 3 months ago
