Strange block of software being auto installed

hugeproblem

I'm having an issue with a group of programs being installed onto my computer, I have no idea where it's coming from.

It started about two days ago when I found that a program called 7pic was sitting on my desktop, the logo and interface were actually professional and I didn't think it was spyware, I uninstalled it and moved on.

Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in Windows, installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran Spybot but when I restarted again a batch file fired off 15 or so commands.

I can't find anything on what these programs are or how to remove them, spybot can't remove the last bits of them even when you start spybot after a reboot. What kind of action do I need to take to remove these programs?
 

OS: Windows 7 64 bit

> Downvision claims to be the next generation torrent client (for downloads).
> 7pics is an image hosting service.
> Yantoo Layers creates virtual layers that can be edited to create the appearance of having made changes to the underlying Web site (sometimes associated with Facebook, MySpace, etc.).
> Got Clip is for downloading online videos (think YouTube).
> Babylon is a translation program that can translate words, phrases and even entire paragraphs in seconds. It can also leave you with an extra toolbar in your Internet browser that isn't removed when you delete the program. See:
How to Uninstall Babylon | eHow.com

Someone clicked something without considering the consequences - it may be a bear to track down. I would start by running regedit and looking under:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
MSCONFIG might also have startup entries - if so you can deselect them.

Tracking down the trigger and the file locations could be a challenge.

Good luck.

Regards,
GEWB
 

I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up, I'm not one to install random software, this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it, and removed the plug ins in my browsers but it has something that tells everything to reinstall once I've uninstalled.
 

Try a Malwarebytes Anti-Malware full scan in Safe Mode and then use CCleaner to remove all startup entries related to this crapware.

Slasher
 

> I'm the only user (that I know about) on this machine so the onus is on me, but I have absolutely no idea where I picked these up, I'm not one to install random software, this is the first malware I've had in probably ten years. I'll start with the registry. I've already uninstalled it, and removed the plug ins in my browsers but it has something that tells everything to reinstall once I've uninstalled.

I feel your pain, really, I do. It could have come from anywhere. I'll indulge with an experience I had several years ago.

My then 82 year old father called to say his PC was suddenly running very slow. He only browses news and church related sites as well as email. His A/V is updated daily.

My forensic investigation found numerous trojans had installed on his PC to send spam - they had loaded 163,000 files into one directory! It brought the OS to its knees.

I was able to narrow down when it happened (plus or minus 2 minutes) one afternoon. I also found (with high probability) that it came as a zero-day "drive-by" exploit served up as an advertisement on CNN. All dad had to do was visit the news site, not click on anything, and BAM! he got hit.

It took me 6 hours to clean it up - had to do much of the work using a Linux live disk because Windows wouldn't allow me to delete some of the mess!

So I really do feel your pain and wish you the best of luck.

Regards,
GEWB

EDIT: it appeared to be a Flash exploit (I'm 90% certain about that)
 

> It started about two days ago when I found that a program called 7pic was sitting on my desktop, the logo and interface were actually professional and I didn't think it was spyware, I uninstalled it and moved on.
>
> Last night I rebooted my machine and suddenly five installers pop up as soon as I'm in Windows, installers for 7pic, Downvision, Got Clip, Babylon, and Yantoo Layers. I removed them and then ran Spybot but when I restarted again a batch file fired off 15 or so commands.

Perhaps this is a clue: 7pic is part of a pay-per-install affiliate program. See:

7pic Pay Per Install Affiliate Program

Some sites/programs can get very aggressive to make money - NOT saying it is 7pic doing this as it could have come from many/any place.

Have you loaded any downloaded software recently?

Regards,
GEWB
 

That would explain the batch file just installing the programs, I haven't installed any new programs within the day or two before I started getting the programs. I suppose I need to check my browsing habits.

Malwarebytes didn't find anything, and took darn near three hours to do so, too.

So I'm very stumped, if this was someone else's computer I would fix it but in the interest of my own time I may just nuke the machine if I can't get it cleaned within the next day or so.
 

For anyone who ever googles this problem, it looks like the issue was in a program called Gsservice.exe

For me it was in my windows/syswow64 folder, I deleted it in safe mode, and then went into regedit, and just searched for anything with the name gsservice in it and deleted it.

Also use the autoruns program to find the service and delete it.

Make sure before doing any of this you disable system restore. If this was not the fix I will check back in. Thanks for the help, guys, the bit about 7pic not being spyware helped me track down the root of the problem. As you said it's probably someone with an affiliate account who uses an exploit somewhere to download the service and start installing a block of affiliate programs.
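
The checks described in this thread (the Run/RunOnce keys suggested earlier and the gsservice search from the post above) can be run as one read-only PowerShell pass. This is an added example, not something any participant posted; the default search pattern, the Wow6432Node keys and the signature check are assumptions added here.

```powershell
# Added example: read-only triage; nothing here deletes or changes anything.
# The default pattern is the file name reported in the thread.
param([string]$Pattern = 'gsservice')
$rx = [regex]::Escape($Pattern)

# Run/RunOnce keys from the thread, plus the 32-bit (Wow6432Node) views of the
# HKLM keys on 64-bit Windows (an addition, not from the thread).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every result; not registry values.
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    if ($null -eq $item) { continue }   # key exists but holds no values
    foreach ($p in $item.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Installed services and the binary each one launches.
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    $entries += New-Object PSObject -Property @{
        Source = "Service ($($svc.StartMode))"; Name = $svc.Name
        Command = [string]$svc.PathName }
}

# Autostart entries whose name or command line mentions the pattern.
$entries | Where-Object { $_.Name -match $rx -or $_.Command -match $rx } |
    Format-List Source, Name, Command

# Matching files in the folder the poster named, with signature status.
$dir = Join-Path $env:windir 'SysWOW64'
if (Test-Path $dir) {
    Get-ChildItem -Path $dir -Filter "*$Pattern*" -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { Get-AuthenticodeSignature $_.FullName } |
        Format-List Path, Status
}
```

Run it from an elevated PowerShell prompt so every service and HKLM key is readable. Autoruns, mentioned above, covers autostart locations this pass does not, such as scheduled tasks, drivers and browser add-ons.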
 

Glad we could provide a clue to tracking it down. Hope you get it eradicated.

Regards,
GEWB
 
