Adware:Win32/BetterSurf is an advertising scam malware that forces itself into your Windows system and main web browsers and embeds unwanted ad banners in all the web pages you visit.
It is a true pain in the ass that refuses to get removed and keeps coming back.
It stays unlisted (no icon) in Windows Program Manager/remove.
You probably caught it by voluntarily or accidentally clicking a phishing spam banner asking you to upgrade Flash Player or your media player, or any other sort of banner/link that forces you to download some app to access some content. It's a scam.
A fast Microsoft Security Essentials cleaning just removes one instance before it comes back endlessly.
In chrome://extensions, Adware:Win32/BetterSurf appears as Media Player 1.1, which it is NOT. It is NOT a media player and you do NOT need it at all. But there is no way to deactivate it there. The checkbox is grey and cannot be unchecked. Damn trick! Let's outsmart and nuke that bugger.
HOW I finally MANAGED TO REMOVE Adware:Win32/BetterSurf:
I-1. Perform a COMPLETE (not fast) free Microsoft Security Essentials scan and cleaning (& delete!)
I personally stopped the process and cleaned as soon as it had found the result copied at the end of this tutorial.
II-1. Clean the Registry
- Click Windows Logo (Start), in the "Search Programs and Files" field type "regedit" and press Enter.
- Find HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
- Delete the registry entry whose data value is the same as the ID of the managed extension.
III-1. Clean Chrome
In chrome://extensions/,
- Check "Developer mode" (at the top of the page) so that all your extensions show their ID.
- "Adware:Win32/BetterSurf" hides itself as an extension named "Media Player 1.1" with the "ID: jmbnopkkgnmpaabbppbggfapfbekopjd" in my case. Copy/Paste that ID name.
3. Close all Google Chrome and web browsers
4. In Windows file explorer,
- Locate "C:\YourUserName\AppData\Local\Google\Chrome\User Data"
- Search for the ID found in step III-1 ("jmbnopkkgnmpaabbppbggfapfbekopjd" in my case). The search returns as many folders as you have Chrome user profiles that you have used since that malware installed itself in your system.
- Select the folders named with that ID ("jmbnopkkgnmpaabbppbggfapfbekopjd" in my case)
- ERASE all those folders named after that extension ID.
- Empty your Recycle Bin
5. Et VOILA! Open Chrome and chrome://extensions/ shows the extension gone!
For other browsers, I guess the procedure is similar. You just need to find out where each of them stores its extensions.
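The registry and folder checks from steps II-1 and 4, as a PowerShell script added here as an example (it is not part of the original tutorial). It only reports by default; the parameter names, the -Remove switch and the use of %LOCALAPPDATA% for the "User Data" location are assumptions of this example, and removing the registry entry needs an elevated prompt.

```powershell
# Added example: audit Chrome force-installed extensions and find their profile folders.
# Read-only unless -Remove is given. Parameter names are this example's own.
param(
    # Extension ID quoted on this page ("in my case"); pass your own ID if it differs.
    [string]$ExtensionId = 'jmbnopkkgnmpaabbppbggfapfbekopjd',
    # Assumption: Chrome's default per-user data directory.
    [string]$UserData = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    [switch]$Remove
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

# Step II-1: each value under the policy key holds "<extension id>;<update url>"
# (or just the ID). Anything listed here is what greys out the checkbox in Chrome.
$forced = @()
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $forced += [pscustomobject]@{ Name = $name; Id = ($data -split ';')[0]; Data = $data }
    }
}
Write-Host "Force-installed extensions (policy):"
$forced | Format-Table -AutoSize

# Step 4: every Chrome profile that loaded the extension has a folder named after its ID.
$folders = @()
if (Test-Path $UserData) {
    $folders = @(Get-ChildItem -Path $UserData -Directory -Recurse -Filter $ExtensionId `
                 -ErrorAction SilentlyContinue)
}
Write-Host "Folders named $ExtensionId under ${UserData}:"
$folders | Select-Object -ExpandProperty FullName

if ($Remove) {
    # Step 3: Chrome must be closed, otherwise it rewrites the profile on exit.
    if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
        throw 'Chrome is still running; close all browser windows first.'
    }
    foreach ($entry in ($forced | Where-Object { $_.Id -eq $ExtensionId })) {
        Remove-ItemProperty -Path $policyKey -Name $entry.Name
    }
    $folders | Remove-Item -Recurse -Force
}
```

Run it once without -Remove and check that the listed policy entry and folders are the ones you expect before running it again with -Remove.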
Microsoft Security Essentials Scan result:
Catégorie : Logiciel de publicité
Description : Ce programme affiche des publicités potentiellement non désirées sur votre ordinateur.
Action recommandée : N’autorisez cet élément détecté que si vous faites confiance au programme ou à l’éditeur du logiciel.
Éléments :
file:Z:\J\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmbnopkkgnmpaabbppbggfapfbekopjd\1.1_0\ffMediaPlayerV1alpha415chaction.js
(Z: is my Windows Documents drive. I chose this last letter to prevent seeing the drive letter change whenever I take other drives in and out.)
\J is my username on that Windows machine.