Strange block of software being auto installed


  1. Posts : 4
    Windows 7 64 bit
       #1

    Strange block of software being auto installed


    I'm having an issue with a group of programs being installed onto my computer, I have no idea where it's coming from.

    It started about two days ago when I found that a program called 7pic was sitting on my desktop, the logo and interface was actually professional and I didn't think it was spyware, I uninstalled it and moved on.

    Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in Windows, installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran Spybot but when I restarted again a batch file fired off 15 or so commands.

    I can't find anything on what these programs are or how to remove them, spybot can't remove the last bits of them even when you start spybot after a reboot. What kind of action do I need to take to remove these programs?


  2. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #2

    > Downvision claims to be the next generation torrent client (for downloads).
    > 7pics is an image hosting service.
    > Yantoo Layers creates virtual layers that can be edited to create the appearance of having made changes to the underlying Web site (sometimes associated with Facebook, MySpace, etc.).
    > Got Clip is for downloading online videos (think YouTube).
    > Babylon is a translation program that can translate words, phrases and even entire paragraphs in seconds. It can also leave you with an extra toolbar in your Internet browser that isn't removed when you delete the program. See:
    How to Uninstall Babylon | eHow.com

    Someone clicked something without considering the consequences - it may be a bear to track down. I would start by running regedit and look under:

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    MSCONFIG might also have startup entries - if so you can deselect them.

    Tracking down the trigger and the file locations could be a challenge.

    Good luck.

    Regards,
    GEWB


  3. Posts : 4
    Windows 7 64 bit
    Thread Starter
       #3

    I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up, I'm not one to install random software, this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it, and removed the plug ins in my browsers but it has something that tells everything to reinstall once I've uninstalled.


  4. Posts : 1,375
    Ubuntu 12.10
       #4

    Try a Malwarebytes Anti-Malware full scan in Safe Mode and then use CCleaner to remove all startup entries related to this crapware.

    Slasher


  5. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #5

    hugeproblem said:
    > I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up, I'm not one to install random software, this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it, and removed the plug ins in my browsers but it has something that tells everything to reinstall once I've uninstalled.

    I feel your pain, really, I do. It could have come from anywhere. I'll indulge with an experience I had several years ago.

    My then 82 year old father called to say his PC was suddenly running very slow. He only browses news and church related sites as well as email. His A/V is updated daily.

    My forensic investigation found numerous trojans had installed on his PC to send spam - they had loaded 163,000 files into one directory! It brought the OS to its knees.

    I was able to narrow down when it happened (plus or minus 2 minutes) one afternoon. I also found (with high probability) that it came as a zero-day "drive-by" exploit served up as an advertisement on CNN. All dad had to do was visit the news site, not click on anything, and BAM! he got hit.

    It took me 6 hours to clean it up - had to do much of the work using a Linux live disk because Windows wouldn't allow me to delete some of the mess!

    So I really do feel your pain and wish you the best of luck.

    Regards,
    GEWB

    EDIT: it appeared to be a Flash exploit (I'm 90% certain about that)


  6. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #6

    hugeproblem said:
    > It started about two days ago when I found that a program called 7pic was sitting on my desktop, the logo and interface was actually professional and I didn't think it was spyware, I uninstalled it and moved on.
    >
    > Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in Windows, installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran Spybot but when I restarted again a batch file fired off 15 or so commands.

    Perhaps this is a clue: 7pic is part of a pay-per-install affiliate program. See:

    7pic Pay Per Install Affiliate Program

    Some sites/programs can get very aggressive to make money - NOT saying it is 7pic doing this as it could have come from many/any place.

    Have you loaded any downloaded software recently?

    Regards,
    GEWB


  7. Posts : 4
    Windows 7 64 bit
    Thread Starter
       #7

    That would explain the batch file just installing the programs, I haven't installed any new programs within the day or two before I started getting the programs. I suppose I need to check my browsing habits.

    Malwarebytes didn't find anything, and took darn near three hours to do so, too.

    So I'm very stumped, if this was someone else's computer I would fix it but in the interest of my own time I may just nuke the machine if I can't get it cleaned within the next day or so.


  8. Posts : 4
    Windows 7 64 bit
    Thread Starter
       #8

    For anyone who ever googles this problem, it looks like the issue was in a program called Gsservice.exe

    For me it was in my Windows/SysWOW64 folder, I deleted it in safe mode, and then went into regedit, and just searched for anything with the name gsservice in it and deleted it.

    Also use the autoruns program to find the service and delete it.

    Make sure before doing any of this you disable system restore. If this was not the fix I will check back in. Thanks for the help, guys, the bit about 7pic not being spyware helped me track down the root of the problem. As you said it's probably someone with an affiliate account who uses an exploit somewhere to download the service and start installing a block of affiliate programs.
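Added example, not part of the thread: a read-only Windows PowerShell script that lists the Run/RunOnce values named in post #2 and searches them, together with installed services, for the name reported in post #8. The `$Pattern` parameter and the two WOW6432Node keys (where 32-bit programs on 64-bit Windows register startup entries) are additions of this example; it assumes Windows PowerShell with `Get-WmiObject`, as shipped with Windows 7.

```powershell
# Added example: lists startup entries and services, changes nothing.
# $Pattern is this example's own parameter; 'gsservice' is the name from post #8.
param([string]$Pattern = 'gsservice')

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view on 64-bit Windows (not listed in the thread)
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Collect every value under the Run/RunOnce keys that exist on this machine.
$runEntries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $runEntries += New-Object PSObject -Property @{
            Source  = $key
            Name    = $name
            Command = [string]$regKey.GetValue($name)
        }
    }
}

# Collect services with their binary path, start mode and current state.
$services = @()
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $services += New-Object PSObject -Property @{
        Source  = "Service ($($svc.StartMode), $($svc.State))"
        Name    = $svc.Name
        Command = [string]$svc.PathName
    }
}

Write-Output '--- All Run/RunOnce values (review by hand) ---'
$runEntries | Select-Object Source, Name, Command | Format-List

# Case-insensitive literal match on the entry name or its command line.
$needle = [regex]::Escape($Pattern)
$hits = @(($runEntries + $services) |
    Where-Object { $_.Name -match $needle -or $_.Command -match $needle })

Write-Output "--- Entries matching '$Pattern' ---"
if ($hits.Count -eq 0) { Write-Output 'None found.' }
else { $hits | Select-Object Source, Name, Command | Format-List }
```

Scheduled tasks and other autostart locations are not covered here; the Autoruns tool mentioned in post #8 shows those.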


  9. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #9

    Glad we could provide a clue to tracking it down. Hope you get it eradicated.

    Regards,
    GEWB


 
