Windows 7 Forums

Windows 7: Strange block of software being auto installed

29 Jul 2011   #1
hugeproblem

Windows 7 64 bit
 
 
Strange block of software being auto installed

I'm having an issue with a group of programs being installed onto my computer; I have no idea where it's coming from.

It started about two days ago when I found that a program called 7pic was sitting on my desktop. The logo and interface were actually professional and I didn't think it was spyware, so I uninstalled it and moved on.

Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in Windows: installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran Spybot, but when I restarted again a batch file fired off 15 or so commands.

I can't find anything on what these programs are or how to remove them; Spybot can't remove the last bits of them even when you start Spybot after a reboot. What kind of action do I need to take to remove these programs?



29 Jul 2011   #2
GEWB

32bit: XP, Win7 H.P. / 64bit: Win7 Pro, Ultimate / Win8.1 / Several flavors of Linux
 
 

> Downvision claims to be the next generation torrent client (for downloads).
> 7pics is an image hosting service.
> Yantoo Layers creates virtual layers that can be edited to create the appearance of having made changes to the underlying Web site (sometimes associated with Facebook, MySpace, etc.).
> Got Clip is for downloading online videos (think YouTube).
> Babylon is a translation program that can translate words, phrases and even entire paragraphs in seconds. It can also leave you with an extra toolbar in your Internet browser that isn't removed when you delete the program. See:
How to Uninstall Babylon | eHow.com

Someone clicked something without considering the consequences - it may be a bear to track down. I would start by running regedit and look under:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
MSCONFIG might also have startup entries - if so you can deselect them.

Tracking down the trigger and the file locations could be a challenge.

Good luck.

Regards,
GEWB
29 Jul 2011   #3
hugeproblem

Windows 7 64 bit
 
 

I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up. I'm not one to install random software; this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it and removed the plug-ins in my browsers, but it has something that tells everything to reinstall once I've uninstalled.


29 Jul 2011   #4
SlasherIT

Ubuntu 12.10
 
 

Try a Malwarebytes Anti-Malware full scan in Safe Mode and then use CCleaner to remove all startup entries related to this crapware.

Slasher
29 Jul 2011   #5
GEWB

32bit: XP, Win7 H.P. / 64bit: Win7 Pro, Ultimate / Win8.1 / Several flavors of Linux
 
 

> Originally posted by hugeproblem:
> I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up, I'm not one to install random software, this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it, and removed the plug ins in my browsers but it has something that tells everything to reinstall once I've uninstalled.

I feel your pain, really, I do. It could have come from anywhere. I'll indulge with an experience I had several years ago.

My then 82-year-old father called to say his PC was suddenly running very slow. He only browses news and church-related sites as well as email. His A/V is updated daily.

My forensic investigation found numerous trojans had installed on his PC to send spam - they had loaded 163,000 files into one directory! It brought the OS to its knees.

I was able to narrow down when it happened (plus or minus 2 minutes) one afternoon. I also found (with high probability) that it came as a zero-day "drive-by" exploit served up as an advertisement on CNN. All dad had to do was visit the news site, not click on anything, and BAM! he got hit.

It took me 6 hours to clean it up - had to do much of the work using a Linux live disk because Windows wouldn't allow me to delete some of the mess!

So I really do feel your pain and wish you the best of luck.

Regards,
GEWB

EDIT: it appeared to be a Flash exploit (I'm 90% certain about that)
29 Jul 2011   #6
GEWB

32bit: XP, Win7 H.P. / 64bit: Win7 Pro, Ultimate / Win8.1 / Several flavors of Linux
 
 

> Originally posted by hugeproblem:
> It started about two days ago when I found that a program called 7pic was sitting on my desktop, the logo and interface was actually professional and I didn't think it was spyware, I uninstalled it and moved on.
>
> Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in windows, installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran spybot but when I restarted again a batch file fired off 15 or so commands.

Perhaps this is a clue: 7pic is part of a pay-per-install affiliate program. See:

7pic Pay Per Install Affiliate Program

Some sites/programs can get very aggressive to make money - NOT saying it is 7pic doing this as it could have come from many/any place.

Have you loaded any downloaded software recently?

Regards,
GEWB
29 Jul 2011   #7
hugeproblem

Windows 7 64 bit
 
 

That would explain the batch file just installing the programs, I haven't installed any new programs within the day or two before I started getting the programs. I suppose I need to check my browsing habits.

Malwarebytes didn't find anything, and took darn near three hours to do so, too.

So I'm very stumped. If this was someone else's computer I would fix it, but in the interest of my own time I may just nuke the machine if I can't get it cleaned within the next day or so.
29 Jul 2011   #8
hugeproblem

Windows 7 64 bit
 
 

For anyone who ever googles this problem, it looks like the issue was in a program called Gsservice.exe

For me it was in my windows/syswow64 folder, I deleted it in safe mode, and then went into regedit, and just searched for anything with the name gsservice in it and deleted it.

Also use the autoruns program to find the service and delete it.

Make sure before doing any of this you disable system restore. If this was not the fix I will check back in. Thanks for the help guys, the bit about 7pic not being spyware helped me track down the root of the problem. As you said, it's probably someone with an affiliate account who uses an exploit somewhere to download the service and start installing a block of affiliate programs.
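
The checks suggested in posts #2 and #8 (the four Run/RunOnce keys, plus a search for the service by name), as an added read-only PowerShell example that is not part of any forum post. The Wow6432Node keys and the default pattern `gsservice` are assumptions added here; the script only lists entries and deletes nothing.

```powershell
# Added example: read-only triage of the autostart locations named in this thread.
# $Pattern is an assumption taken from post #8; change it to the name you are hunting.
param([string]$Pattern = 'gsservice')

$rx = [regex]::Escape($Pattern)   # treat the pattern as literal text, not a regex

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Not listed in the thread (assumption): the 32-bit registry view on 64-bit
    # Windows, where entries written by 32-bit installers end up.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# Every value under a Run/RunOnce key is a command started at logon.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $findings += New-Object PSObject -Property @{
            Source  = $key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
}

# Services are a second autostart mechanism: one subkey each, with an ImagePath value.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $image = $svc.GetValue('ImagePath')
    if ($image) {
        $findings += New-Object PSObject -Property @{
            Source  = 'Service'
            Name    = $svc.PSChildName
            Command = [string]$image
        }
    }
}

# All Run/RunOnce entries are shown; services are shown only when they match the pattern.
$findings |
    Where-Object { $_.Source -ne 'Service' -or $_.Name -match $rx -or $_.Command -match $rx } |
    Select-Object Source, Name, Command |
    Format-List
```

Run it from an elevated prompt so the HKLM service keys are readable, and review each listed command path before removing anything by hand.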
29 Jul 2011   #9
GEWB

32bit: XP, Win7 H.P. / 64bit: Win7 Pro, Ultimate / Win8.1 / Several flavors of Linux
 
 

Glad we could provide a clue to tracking it down. Hope you get it eradicated.

Regards,
GEWB