2014-01-29

How to remove Adware:Win32/BetterSurf in Google Chrome

Adware:Win32/BetterSurf is an advertising scam malware that forces itself into your Windows system and main web browsers and injects unwanted ad banners into every page you browse.
It is a true pain in the ass that refuses to be removed and keeps coming back.
It stays unlisted (no icon) in the Windows Add/Remove Programs list.
You probably caught it by voluntarily or accidentally clicking a phishing spam banner asking you to upgrade Flash Player or your media player, or any other sort of banner/link that forces you to download some app to access some content. It's a scam.

A quick Microsoft Security Essentials cleaning just removes one instance before it comes back endlessly.
In chrome://extensions/, Adware:Win32/BetterSurf appears as "Media Player 1.1", which it is NOT. It is NOT a media player and you do NOT need it at all. But there is no way to deactivate it there: the checkbox is greyed out and cannot be unchecked, which is exactly how a policy-forced extension looks. Damn trick! Let's outsmart and nuke that bugger.

HOW I finally MANAGED TO REMOVE Adware:Win32/BetterSurf:

1. Perform a COMPLETE (not quick) scan and cleaning with the free Microsoft Security Essentials (and delete what it finds!).
I personally stopped the scan and cleaned as soon as it had found the result copied at the end of this tutorial.

2. Clean the Registry
- Click the Windows logo (Start), type "regedit" in the "Search programs and files" field and press Enter.
- Find HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
- Delete the entry under that key whose data matches the ID of the managed extension (the ID you will read in step 3).

3. Clean Chrome
In chrome://extensions/:
- Check "Developer mode" (at the top of the page) so that all your extensions show their ID.
- Adware:Win32/BetterSurf hides as an extension named "Media Player 1.1", with the ID jmbnopkkgnmpaabbppbggfapfbekopjd in my case. Copy that ID.

4. Close all Google Chrome windows and any other web browsers.

5. In Windows File Explorer:
- Locate "C:\YourUserName\AppData\Local\Google\Chrome\User Data"
- Search for the ID found in step 3 (jmbnopkkgnmpaabbppbggfapfbekopjd in my case). The search returns one folder per Chrome user profile you have used since the malware installed itself on your system.
- Select the folders named with that ID (jmbnopkkgnmpaabbppbggfapfbekopjd in my case).
- ERASE all those folders named after that extension ID.
- Empty your Recycle Bin.

6. Et voilà! Open Chrome: chrome://extensions/ shows the extension gone!

For other browsers, I guess the procedure is similar. You just need to find out where each of them stores its extensions.
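The registry, close-browser and profile-folder steps of the procedure above can be scripted so that nothing is missed in a profile you forgot about. The PowerShell script below is an added example, not code from the original post. It assumes the extension ID is the one read from chrome://extensions in Developer mode (the ID used in the post is only a placeholder for your own), that Chrome keeps its profiles under $env:LOCALAPPDATA\Google\Chrome\User Data (the default, which also resolves correctly when the profile lives on another drive such as Z:\J\AppData in the post), and it additionally checks the HKEY_CURRENT_USER copy of the force-install policy, which Chrome honours alongside the HKLM one named in the post. The -Remove switch and the file name Remove-ForcedExtension.ps1 are my own choices.

```powershell
<#
 Added example, not part of the original post: audit (and, with -Remove, delete)
 the traces of a policy-forced Chrome extension. Default is report-only.
 Assumption: $ExtensionId is the ID shown in chrome://extensions (Developer mode).
 Run from an elevated PowerShell, since HKLM policy values need admin rights.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[a-p]{32}$')]   # Chrome extension IDs are 32 letters from a..p
    [string]$ExtensionId,
    [switch]$Remove
)

# Do not delete profile folders while Chrome still has them open.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    Write-Warning 'Chrome is still running; close every window first.'
    if ($Remove) { exit 1 }
}

# Force-install policy: the post uses HKLM; Chrome reads the HKCU copy as well.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Each entry is "<extension id>;<update url>", so match on the leading ID.
        if ($data -like "$ExtensionId*") {
            Write-Output "Forcelist entry: $key\$name = $data"
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output '  -> removed'
            }
        }
    }
}

# The extension folder in every profile of the current user ("Default", "Profile 1", ...).
# $env:LOCALAPPDATA follows the real profile location, so no drive letter or
# username has to be typed by hand.
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
if (Test-Path $userData) {
    Get-ChildItem -Path $userData -Directory |
        ForEach-Object { Join-Path $_.FullName "Extensions\$ExtensionId" } |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            Write-Output "Extension folder: $_"
            if ($Remove) {
                Remove-Item -LiteralPath $_ -Recurse -Force
                Write-Output '  -> removed'
            }
        }
}
```

Run it first without the switch (`.\Remove-ForcedExtension.ps1 -ExtensionId jmbnopkkgnmpaabbppbggfapfbekopjd`) to see what it would touch, then with `-Remove`. The order inside the script matters for the same reason the post does the registry before the folders: as long as a forcelist entry for the ID exists, Chrome reinstalls the extension on its next start, so deleting only the folders would bring it straight back.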

Microsoft Security Essentials Scan result:

Catégorie : Logiciel de publicité
Description : Ce programme affiche des publicités potentiellement non désirées sur votre ordinateur.
Action recommandée : N’autorisez cet élément détecté que si vous faites confiance au programme ou à l’éditeur du logiciel.
Éléments :
file:Z:\J\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmbnopkkgnmpaabbppbggfapfbekopjd\1.1_0\ffMediaPlayerV1alpha415chaction.js
Z: is my Windows documents drive (I chose the last drive letter so that it does not change whenever I plug other drives in and out).
\J is my username on that Windows machine.
