Hey guys,
I got this virus which calls itself "GoSSave 3.0," more commonly known as the Go Save Virus. It is a Google-Chrome extension that installs itself without permission and carries out many harmful activities. It is undetectable by an anti-virus (I did run a full scan), and unremovable via basic methods. As described by MiTechMate,
"... Go Save changes your default home page to an unwanted website, it redirects your browser to some insecure domains, displays excessive amounts of pop-up ads on your screen and so on. Apart from that, Go Save virus can also download other malware infections onto your computer, like trojan viruses, worms, keyloggers, police ransomware. More seriously, Go Save virus is good at tracking your surfing habits. If you don't take any feasible measure to get rid of it, it may even secretly steal your personal information."
So far, I've only gotten the ads. I click somewhere, anywhere in Chrome, and once in a while it will redirect me to some random (harmful or spamful) website. I've detected the virus early, so probably it is at its early stages. I think I got it a few days ago, not exactly sure from where.
I've tried to follow the steps shown in the link above, but it mostly seems like a false-hope guide in order to draw you into live chat (they even blur out the text in the screenshots so that you have to figure things out on your own). It is a rhetoric to attract customers. Customers because they'll chat with you for a while and then give you a link where they list their "plans" for their services. One-time service cost $65 - I can't afford that. They did make a fair point though - most other services charge far more. Last time it cost $400 to fix a simple issue, so 65 isn't so bad in comparison.
Why am I writing this here? Well, because I don't see Brilliant as just a website where people share and solve math and physics problems. I see it as an intellectual community of respectful individuals who are willing to help each other out in time of need (as I've witnessed throughout multiple occasions in time being). So please, if there are any people who are good at virus sniping, I ask of your help. Otherwise, I may have to go with the 65$ option after all.
Thank you!
UPDATE 1
Noticed "GS_Booster.exe" as an unknown file in Windows Task Manager, turned out to be a virus. Solution details by FreeFixer.com.
This could be a by-product of our big virus here. The curing continues...
Comments
Have you tried uninstalling Chrome and reinstalling a fresh copy? (Remembering to backup any bookmarks you want to keep.)
Log in to reply
I'll try. Thanks.
@John Muradeli
Since it's a Google Chrome extension, I would do the following:
1) Detach your Google account from the chrome browser IMMEDIATELY.
2) Find the 'Google' folder and find the Chrome folder after. (usually in like %APPDATA% for Windows or /Library/Application Support/ in Mac. If you have Linux, check for your distro.) If your anti-virus has a storage bin for viruses, drag Chrome's base folder in. Else, you can delete it, but once you do, ALL DATA WILL BE LOST. You will have to sign in to all of your services again and it will become a clean instance of Chrome.
3) Use anti-virus and run a full scan.
4) Restart in safe mode (http://windows.microsoft.com/en-us/windows/start-computer-safe-mode#start-computer-safe-mode=windows-7) so you can prevent other programs from running by default.
5) Open Chrome again, please tell us what happens from there. A log file would be useful!
If you need clarification, just ask me in the comments.
Log in to reply
I have a Windows XP Inspiron 8600.
Shall I proceed with #2 as follows?:
[image]
Thank you
Log in to reply
If you don't want your history/bookmarks/etc. anymore, then go ahead! Also, you might want to delete some of the other folders in 'Google' too; just browse them to make sure the virus is not hidden there.
I have a virus chest (avast!) so I usually quarantine unsafe items there. @John Muradeli
Log in to reply
(sorry for stretching on this, probably the last time I ask about #2. and tyvm for responding :))
Log in to reply
@John Muradeli You would lose the Google Toolbar and other info, but it would be easy to set back up/install if you have your Google account. (it reverts back with your bookmarks, etc.). Just don't sign it in just yet :).
Sidenote: Check what's running in the processes; there might be the virus running in the background, just waiting to reinstall the ext. back in. Also, if my steps don't work for some unknown reason, try Google Chrome Canary, the developer's version of Google Chrome; completely separate profile from regular Chrome.
Log in to reply
Check UPDATE #1 in original note;
Ok, so I followed their procedures. Got rid of GS_Booster (or it seems like it). The scan also revealed GoSSave, and was unable to fix/delete and said it'd do so after a reboot. After a reboot, it tried to delete it prior to launching me to the user selection screen, but when I ran the scan again the darn thing was still there (and in GC extensions).
Enabling the dev mode, here's what I got:
[image: GS]
And, clicking on the link below "Loaded from," I got:
[image: ss]
(I had to log back into chrome to upload these images to google sites to get the URL for it - I don't know any other way. If you do, please share.)
So, what do you think? Any thoughts? I shall proceed with our shredding plan if that's still the best option.
Log in to reply
@John Muradeli First, just wondering, did you stop & uninstall the program through the Control Panel? (as @Rahul Barala suggested) It's fine if you didn't, I can better help your situation if I know what's going on :D
Second, apparently the extension runs on JS and HTML files. Can you try screenshot-ing (part of) the files' code through an editor and show it to us? Make sure you don't just double click or else it will run the virus; instead, right click and choose Open with (or something of the like) and choose a code editor or Notepad.
Thank you for showing me the virus situation and looking into it. And yes, you can now safely shred the malicious folders.
Hope your computer gets better!
Log in to reply
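An added example (not part of the thread): a read-only Python inventory of a Chrome profile's Extensions folder that reports each extension's manifest name, its broad grants and its .js files, reading them as text and never executing them. It assumes Chrome's usual `<id>/<version>/manifest.json` layout; the sample tree, IDs, versions and permissions are constructed, and only the extension name and script file names come from the thread.

```python
import json
import tempfile
from pathlib import Path

# Grants that let an extension read or rewrite every page (ad injection, redirects).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "tabs", "webRequest"}

def inventory(extensions_dir):
    """One record per <id>/<version>/manifest.json; files are read as text, never run."""
    records = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        root = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}  # an unreadable manifest is itself worth a closer look
        grants = set()
        for key in ("permissions", "host_permissions"):
            grants.update(g for g in manifest.get(key, []) if isinstance(g, str))
        for script in manifest.get("content_scripts", []):
            grants.update(script.get("matches", []))
        records.append({
            "id": root.parent.name,
            "version": root.name,
            "name": manifest.get("name", "<unknown>"),
            "broad": sorted(grants & BROAD),
            "scripts": sorted(p.relative_to(root).as_posix() for p in root.rglob("*.js")),
        })
    return records

def build_sample(base):
    """Constructed test tree; IDs, versions and permissions are made up."""
    ext = Path(base) / "Extensions"
    samples = {
        "a" * 32: ("3.0_0", {"name": "GoSSave 3.0", "permissions": ["tabs", "<all_urls>"]},
                   ["cy.js", "Ioo4.js", "qgb8tmnx.js"]),
        "b" * 32: ("1.2_0", {"name": "Sample Notes", "permissions": ["storage"]}, ["notes.js"]),
    }
    for ext_id, (version, manifest, scripts) in samples.items():
        root = ext / ext_id / version
        root.mkdir(parents=True)
        (root / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        for name in scripts:
            (root / name).write_text("// constructed placeholder\n", encoding="utf-8")
    return ext

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory(build_sample(tmp)):
            print(rec["id"][:8], rec["name"], rec["broad"], rec["scripts"])
```

Pointing `inventory()` at the folder shown under "Loaded from" on the extensions page gives the same report for a real profile.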
What do you mean by "screenshot-ing part of the files' code through an editor"? Where do I find the files' code?
I'll begin shredding in half an hour (need to finish something first).
Thanks
(I'll be adding any new info I find about the virus from now on, probably may help.)
(New note: The virus's functionality seems to be neutralized when I delete it from extensions (but not permanently, it revives upon restart).)
Log in to reply
Also, sorry if I didn't clarify what I said before; here are some screenshots for visual learners (like me!):
In here, you right click on one of the virus JS files and click on Open With... This should work on Windows XP.
Choose a text editor (e.g. Notepad or other code editor) and screenshot it like so.
https://support2.microsoft.com/kb/307859
Log in to reply
@John Muradeli
Log in to reply
[image]
The pest is spreading. I'm gonna start shreddin now.
Log in to reply
@John Muradeli Good idea.
Wow, the JS is a little out of hand. First:
Yeah, shredding is a good idea.
Log in to reply
thx meh
May God have Mercy on your soul...
cy.js [image]
Ioo4.js (capital i) [image]
qgb8tmnx.js
[images 3, 4, 5, 6]
You probably can't read that, though. Here are the links to all the images, respectively:
https://sites.google.com/site/golddragonclanwebsite/zzz-picture-gallery/1000overlord/wassup1.JPG
Modify the 1 from 1 to 6 for all the images.
So should I shred or what :O
This happened with me also, but I uninstalled that unwanted program from my PC's Control Panel.
Better install an Antivirus of your favorite, this is the only solution for this kind of malicious viruses. I have my Comodo Free Version (https://antivirus.comodo.com/antivirus-for-windows-8/ ) installed into my PC. It keeps my system protected. You should go ahead in protecting your PC just like me protecting and after that you could not spell a word that your PC suffers from virus. So go ahead with your favorite antivirus software.
Log in to reply
Actually I got a new computer - Acer Chromebook just for $200. Works perfectly.
Thanks though!
My netconnect device says connected, but when I run the browser it says web page not available, and it also shows 0 kbps receiving speed and 0 kbps sending speed.
But when I run the device on my other laptop it runs fine. Help me, guys.
Log in to reply
(Note to OP, this should be created in another note. If you can do that and share the link, I'll be happy to assist you there.)
Search it in your registry, delete the entry and delete the data in ...roaming folder. Empty the recycle bin, reset the chrome browser. Restart!
Try resetting your Google Chrome.
Get free antivirus software from comodo & scan your computer. Download free antivirus here: https://antivirus.comodo.com/download-free-antivirus.php