What is Fast save 1.1?

I noticed one day while viewing my website in Google Chrome that a script from the following domain was being loaded and was taking a very long time:

srv1.mediads.info

I thought this was a bit strange, so I investigated further since I don’t remember referencing that domain in any of my code. I looked at the source code (Right Mouse Click -> View page source) of the webpage and couldn’t see any reference to srv1.mediads.info. So I decided to look at the Google Chrome debugger tool. In Chrome, while still viewing the same website in question, I pressed F12 and there it was. There were a few other scripts I didn’t recognize as well.

Chrome Debugger

Chrome Debugger

In fact, the following scripts were loaded dynamically upon accessing the website:

<script type="text/javascript" src="http://include-it.net/?p=119"></script>

<script type="text/javascript" src="http://srv1.mediads.info/i/?tid=23&amp;subid=2017"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=cbsfastsave&amp;userId=4fc9a7ce0ea27582051112&amp;CTID=p2017"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/js/base_single_icon.js?ver=12.0.1.6"></script>

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/dojo/1.5.1/dojo/dojo.xd.js"></script>

<script type="text/javascript" src="http://includeit.info/include.js?id=js29"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/getSupportedSitesJSON.action?ver=5.6&amp;callback=SF_isURISupported" id="sufioIoScript1" charset="utf-8"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/rvwl.action?ver=3&amp;callback=SF_isRvURISupported" id="sufioIoScript2" charset="utf-8"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/getCouponsSupportedSites.action?ver=15&amp;callback=SF_cpnWlCb" id="sufioIoScript3" charset="utf-8"></script>

<script type="text/javascript" src="http://includeit.info/scripts/inl_dmmtch2.min.js"></script>

<link type="text/css" rel="stylesheet" href="http://static.cpchero.biz/style.css" media="screen">

<script type="text/javascript" src="http://xml.cpchero.biz/search?query=web-backlinks.com&amp;feed=3624&amp;subid=dommatch&amp;url=http%3A%2F%2Fweb-backlinks.com%2F&amp;user_ip=caller&amp;ua=caller&amp;count=10&amp;format=json&amp;callback=RXYO_Interstitial.DoInterstitial"></script>

Upon further investigation, I found out that it was caused by a Google Chrome extenstion called Fast save 1.1. What is Fast save 1.1? I don’t know what it is, but as far as I’m concerned, it’s a malicious code that needs to be removed immediately. Any piece of code that causes the CPU on your laptop to max out, and cause your browser to be unresponsive is malicious. Any piece of code that dynamically injects scripts into every website that you visit is malicious.

Get rid of Fast save 1.1 extension immediately from your Google Chrome browser by going to Settings (Wrench on the right hand side), Tools, Extensions, then untick Enable next to Fast save 1.1.

Fast Save 1.1

Fast Save 1.1

ShareShare on FacebookTweet about this on TwitterShare on Google+Share on LinkedInEmail this to someone

12 Responses

  1. Mark McCorkle says:

    Same thing here — noticed when I was working on my own code that I was hitting googleapis.com and superfish.com — both related to fast save which I don’t remember installing in chrome (and I’m usually pretty good about that kind of stuff). The only thing new I’ve done recently is started using chrome on my android phone. Did you do the same?

  2. ryelpango says:

    Mark,
    Yes, I don’t remember installing it either. I also started using chrome on my on my android pad.

    Ariel

  3. Semik says:

    My thing is not calling superfish.com but smartsuggestor.net. Otherwise it is pretty similar. Captured HTML is: http://tomasek.cz/stuff/staff.cesnet.cz-semik.zip

    Thanks for your article, it seams you are the first one who noted this and published about it.

  4. Fergeeks says:

    I just posted about this tonight after finding ads covering the logo of my blog… http://www.fergeeks.com/chrome-tips/fast-save-1-1-chrome-extension-adding-ads-causing-havoc/

    Took awhile to find the culprit 🙂

  5. Josh says:

    It looks like Google completely removed Fast Save 1.1 (and also Click 2 Save) from their app/extension downloads area today. They must have realized it pissed off a lot of people, and opened up the doors for a class action lawsuit. My co-worker tried deleting, downloading and re-installing Chrome to check if Fast Save was still sneaking in. The extension was not installed with it.

  6. christina says:

    Thank you sooooooooooooooo much for posting how to get rid of this horrible extension.

  7. ryelpango says:

    Christina,
    No worries, happy to help 🙂

    Cheers,
    Ariel

  8. brady says:

    I use Amazon and ebay a lot… this fastsave was all over it and was getting on my nerves. Thanks for the help!

  9. This page is the first result I got when I searched for static.cpchero.biz. My IE 8 was hijacked and it was loading this page every time I visited most websites like cnn.com, youtube.com etc. After trying a lot of solutions like reinstalling IE8 checking for BHO and for any third party software that might have spyware I finally found the solution days later.

    I read on another site about hijacked browsers that it might be a root thing and to scan it with Kaspersky Tdsskiller and it detected this “Virus Win32, Zaccess.k on the “ipsec” service. It asked me to restarted and like a miracle it was fixed!

    Thank God it was getting really annoying to have every website to redirected to static.cpchero.biz

    God bless you everyone who reads this. I hope this info is useful for someone.

  10. Bynens Yannick says:

    since today on virtually every website I visit several words are underlined in green and if my mouse is on the word links appear like russian or chinese women and stuff in french, and the link below is xml.cpchero.biz, if does not affect me browsing on sites, it doesn’t do anything apart from it being an irritating add, but i want to know how to get rid of it cause i’ve tried to change my firefox add on settings and it didn’t work, i’m no tech guy and i’m out of ideas, can somebody help me with it?

  11. X-notifier is another addon that superfish.com is using to sneak in our machines. This is amazing! I’ve waisted hours researching and removing this. What a way to make money!!!

  12. Laura says:

    Most of the posts I’ve seen on this are maybe 6 months or a year or so old. Seems like this is coming back around. It wasn’t listed as it’s own extension as either superfish or Fast Save. I found it glommed onto my Pinterest extension. I had to disable “Visual Deals” in the options. Odd thing is that I’ve had that extension for quite a while but the adware just started showing up this week. Mac, running 10.7.5, Most recent update of Chrome. That got it to stop running, now to get it off my machine.

Leave a Reply

Your email address will not be published. Required fields are marked *