Greenguy's Board


Go Back   Greenguy's Board > General Business Knowledge
Register FAQ Calendar Today's Posts

Reply
 
Thread Tools Search this Thread Rate Thread Display Modes
Old 2014-02-28, 05:45 AM   #1
ecchi
Banned
 
ecchi's Avatar
 
Join Date: Oct 2003
Location: About to be evicted!!!!
Posts: 4,082
Adware

I have picked up a piece of adware which appears to be impossible to remove. I have tried disabling it, uninstalling it via control panel, and deleting it manually, but it always reappears. My conclusion is that I have a piece of software that keeps reinstalling it. However I have no idea what software is doing this. Searches on Google simply tell me how to uninstall the software that pops the ad, and gives no clue as to what keeps re-installing it.

The software appears on IE/Crome as an add on which has variably been called "Better Surf", "Movie Viewer", and "Media View". Does anyone know what software keeps re-installing this little bastard?

Thanks.
ecchi is offline   Reply With Quote
Old 2014-02-28, 09:25 AM   #2
ArtWilliams
You can now put whatever you want in this space :)
 
ArtWilliams's Avatar
 
Join Date: Sep 2004
Location: Toronto, Canada
Posts: 6,244
Send a message via ICQ to ArtWilliams
Here are a couple of things I found. Not sure if you've tried them already:

http://malwaretips.com/blogs/bettersurf-virus-removal/
http://community.norton.com/t5/Norto...e/td-p/1051431
ArtWilliams is offline   Reply With Quote
Old 2014-03-02, 05:06 AM   #3
ecchi
Banned
 
ecchi's Avatar
 
Join Date: Oct 2003
Location: About to be evicted!!!!
Posts: 4,082
Thanks, but those just tell me how to delete the program once it is installed. What I need to know is the name of the software that keeps re-installing it, so I can remove that.
ecchi is offline   Reply With Quote
Old 2014-03-03, 11:09 AM   #4
tadpole
Oh! I haven't changed since high school and suddenly I am uncool
 
tadpole's Avatar
 
Join Date: Aug 2007
Location: Darkest Africa
Posts: 258
Send a message via ICQ to tadpole
Hi

Clear all your cookies and cache.

Download Malwarebytes Anti-Malware Free here http://www.malwarebytes.org/downloads/

Rename the file you download called mbam-setup.exe to mb.exe Install it and update the programs data base, then run it.

It is a very good little program. It should find the offending program and delete it. After a reboot delete all your restore points and set new ones.
__________________
tadpole is offline   Reply With Quote
Old 2014-03-03, 02:03 PM   #5
housekeeper
Oh! I haven't changed since high school and suddenly I am uncool
 
housekeeper's Avatar
 
Join Date: Sep 2009
Location: New York City
Posts: 250
Send a message via ICQ to housekeeper
You would surely need some instructions on this, but whats happening is these programs find different places in your registry to lurk and hibernate. You would need to go to your registry editor 'regedit' and search through the directories related to 'software', 'internet explorer' and others, and search your local keys and hkeys. There are 'values' that are set that runs like little clocks, which is why the programs continue to become activated after you've seemingly uninstalled them.

In cases where you're unable to actually delete or modify the key or value, you can change the 'permissions' to make it inactive. Virus this sophisticated sometimes can't be totally removed, but there are ways of tricking it into not functioning.

The Malwarebytes is good stuff, unfortunately G will take you through a bunch of steps that always end up selling you something, and Microsoft sites and forums are not always a safe source of reference, again they are simply trying to sell you something. So be very careful what you download and be wise as to your choices of removal.

I realize my instruction for the registry search were a little vague, but if you go in and look throughout those directories you will surely find those items living in discreet areas, and the values will be active. Again, once you recognize them if they don't delete, change the 'permissions' and make them inactive.

The Mawarebytes Root Kit is an excellent tool for this type of infection http://www.malwarebytes.org/antirootkit/

Also disable your browser add-ons as they are surely living there, check and clear your temp folder %temp%. You would also be wise to go into your 'administrator' desktop and scan from there as well.
__________________
Trans-Glam Productions
photography - design - video production
twitter

Last edited by housekeeper; 2014-03-03 at 02:08 PM..
housekeeper is offline   Reply With Quote
Old 2014-03-03, 04:22 PM   #6
Simon
That which does not kill us, will try, try again.
 
Simon's Avatar
 
Join Date: Aug 2003
Location: Conch Republic
Posts: 5,150
Send a message via ICQ to Simon Send a message via AIM to Simon Send a message via Yahoo to Simon
And take a moment to be glad it's not ransomware. A neighbor called me last week to come help him as his computer had downloaded something that wouldn't let him do anything aside from go to their website and pay for the program they sell. It wouldn't let him use the Control Panel or boot into Safe Mode on restart via any of the usual methods so he was about to toss it in the canal.

(For those who may need it, we got to Safe Mode by restarting and then pulling the plug on power just after it began the startup sequence. This made his PC open the Startup Settings screen so we were able to restore a previous good save point.)

The reason I bring this up is to ask if you've tried using System Restore to just move back to an earlier save point before the adware infected your computer?
__________________
"If you're happy and you know it, think again." -- Guru Pitka
Simon is offline   Reply With Quote
Old 2014-03-05, 06:19 AM   #7
ecchi
Banned
 
ecchi's Avatar
 
Join Date: Oct 2003
Location: About to be evicted!!!!
Posts: 4,082
Thanks.

The Malware software threw up over a hundred things it thought were malware, but on investigation most were not. Some were even PHP pages I had written myself which may have been malformed (I usually use Perl, and am only just beginning to learn PHP) but were defiantly not malware! However it did throw up four programs with "Better Surf" in the name which was a surprise for two reasons. Firstly I run a malware blocker and I was assuming that would block such shit. I thought the bastard doing this would be some free software that I had downloaded that also installed Better Surf as a sideline. Secondly, I have twice run Windows file search thingy looking for files with "better surf" in their name, it did not find these four!

I have also removed a couple of keys using the words "Better Surf" in their name. I am not entirely sure what I did and was a little worried that my computer may not boot after my amateur brain surgery on it. But it seems OK.

Thanks everyone for your help.
ecchi is offline   Reply With Quote
Old 2014-03-05, 12:19 PM   #8
housekeeper
Oh! I haven't changed since high school and suddenly I am uncool
 
housekeeper's Avatar
 
Join Date: Sep 2009
Location: New York City
Posts: 250
Send a message via ICQ to housekeeper
Cool, just as an aside and I'm sure you already know. Always best to use 'selective startup' and disable everything except your anti virus software, check that if you haven't already: run > 'msconfig' > 'system configuration utility'
__________________
Trans-Glam Productions
photography - design - video production
twitter
housekeeper is offline   Reply With Quote
Old 2014-03-16, 09:14 AM   #9
ecchi
Banned
 
ecchi's Avatar
 
Join Date: Oct 2003
Location: About to be evicted!!!!
Posts: 4,082
Didn't work, the bastard just re-installed itself as Media View!
ecchi is offline   Reply With Quote
Old 2014-03-16, 09:40 AM   #10
tadpole
Oh! I haven't changed since high school and suddenly I am uncool
 
tadpole's Avatar
 
Join Date: Aug 2007
Location: Darkest Africa
Posts: 258
Send a message via ICQ to tadpole
Quote:
Originally Posted by ecchi View Post
Didn't work, the bastard just re-installed itself as Media View!
Did you delete all your restore points and set new ones after running malwarebytes and deleting the offending files? Did you delete your cache?
__________________
tadpole is offline   Reply With Quote
Old 2014-03-16, 03:02 PM   #11
ecchi
Banned
 
ecchi's Avatar
 
Join Date: Oct 2003
Location: About to be evicted!!!!
Posts: 4,082
Quote:
Originally Posted by tadpole View Post
Did you delete all your restore points.......?
Don't think I have done anything that leaves "restore points", but other than that I deleted everything that could possibly hold spurious data.
ecchi is offline   Reply With Quote
Old 2014-03-16, 06:54 PM   #12
abatis
A boy without mischief is like a bowling ball without a liquid center
 
abatis's Avatar
 
Join Date: Jul 2007
Posts: 431
ive had surprising success in the past with this free tool from norton.

-abatis
abatis is offline   Reply With Quote
Old 2014-03-17, 06:52 AM   #13
tadpole
Oh! I haven't changed since high school and suddenly I am uncool
 
tadpole's Avatar
 
Join Date: Aug 2007
Location: Darkest Africa
Posts: 258
Send a message via ICQ to tadpole
Quote:
Originally Posted by ecchi View Post
Don't think I have done anything that leaves "restore points", but other than that I deleted everything that could possibly hold spurious data.
Windows and some programs automatically set restore points before performing certain functions, it acts as a safety net. These will have copies of the crapware that can then reinstall itself. Update and Run malwarebytes again and delete the offending files, then go here for instructions on deleting and resetting clean restore points.http://www.majorgeeks.com/content/pa...m_restore.html
__________________
tadpole is offline   Reply With Quote
Old 2014-03-17, 05:22 PM   #14
housekeeper
Oh! I haven't changed since high school and suddenly I am uncool
 
housekeeper's Avatar
 
Join Date: Sep 2009
Location: New York City
Posts: 250
Send a message via ICQ to housekeeper
Quote:
Originally Posted by ecchi View Post
Didn't work, the bastard just re-installed itself as Media View!
Hmm, you'll have to do some digging I suspect, it sounds as if the value in your registry is still active and perhaps you can't locate it. You'd be wise to try this if you haven't

http://support.microsoft.com/mats/pr...ninstall/en-us

Generally works pretty good, I'm surprised Malwarebytes didn't have an effect, did you use the 'root kit' version?

It can be stopped I'm quite certain, unfortunately you've got to keep going through the same steps over and over as I'm sure it's reattaching itself to your browser add ons.

If you find a way to kill those specific values, you should be back in working order. You may not be able to delete the directory in your registry, but there is a way to trick it into stopping.
__________________
Trans-Glam Productions
photography - design - video production
twitter
housekeeper is offline   Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 06:46 PM.


Mark Read
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© Greenguy Marketing Inc