Crafty Nerd PSA: Chrome crashing? Pop-ups on Firefox? Blame BetterSurf.

Edit 1/30/14 10:57 am:  It seems like a new influx of people are getting infected with BetterSurf – and the BetterSurf malware may be behaving differently than it did when it landed on my system.  So, for those of you who are stumbling across this page in your efforts to rid your system of BetterSurf, please understand the following:

  • The steps I compiled were from my own experience.  This is how I got rid of BetterSurf – your experience may be different.
  • I do not work in tech support – I just teach people how to use computers.  While I know enough to do system troubleshooting on my own, I am by no means an expert.  I can’t reach out from the depths of the internet and help you get rid of BetterSurf aside from what I’ve posted here.
  • If you want to know more about what BetterSurf does, or the steps below don’t work for you, check out this site.

I’m happy that this post was able to help an incredible amount of people (over a thousand at last count), and I hope it helps more people out as they deal with this unpleasant bit of malware/adware.

Edit 11/15 8:34 am:  I can’t believe how many people I’ve helped out with this!  If any of you who’re stumbling across this post are of the nerdy or crafty persuasion, please visit The Crafty Nerd’s Facebook page, or add my blog to your RSS reader of choice.

Still not quite sure how this virus is being spread around – some rumors have it as coming from YouTube, others remark that it’s hitting web developers pretty hard.  If you hear anything about where it’s coming from, post about it in the comments – I’d appreciate it.

Edit 11/14 6:14 pm: Holy crap I think this is the most visitors my site has ever had in an entire day ever.  I hope this walkthrough’s helping people out – share it with everyone you know!  I’ve added a section on how to remove some of the additional files that BetterSurf may have sneaked into your computer.

I know, I know, I don’t tend to do this sort of thing here, but as this was a sneaky little bit of malware that crawled into my Chrome installation without any sort of fanfare… I figured it might not be a bad idea to share with my readers.  (Plus, I’m all kinds of angry.  I’ve been spyware/malware/virus free since I don’t know when, and having something sneak in undetected… grr.)

I noticed yesterday that Chrome on my desktop and laptop computers had been crashing – I figured it was just the Hangouts extension crashing the whole works (in the reviews of Hangouts on the Chrome Web Store, it’s notorious for crashing in all sorts of spectacular ways) and that it was nothing to be worried about.  Well, this morning, Chrome crashed so spectacularly that I had to go into Task Manager and clear out the stuck Google Crash Handler processes before Chrome would even open up again – and then as it did open, a little pop-up from Chrome appeared saying “Extension BetterSurf was installed, and has been causing problems” or something to that effect, and gave me the options to disable or remove the extension.  (I’ve seen a similar window when the Adobe PDF reader extension was giving me issues.)  Since I’d never seen BetterSurf before in my life, and certainly hadn’t installed any extensions lately, nor visited any remotely questionable sites, and I also have AdBlock running on my computer too, I removed it – and then visited Google Search to see what else was out there about this.

I first found this forum thread on the subject – which was exactly what happened to me.  Chrome crashed, upon reboot the extension was installed.  The extension’s not limited to Chrome users, though.  Firefox users are affected as well, as noted by this post.  The extension seems to pop up windows advertising similar services/products to sites you’re currently visiting – which is never a good thing.  There’s also an analysis overview of BetterSurf over at Malwr.com, for those interested.

So, it might be a good idea for everyone – whether or not you’ve installed any extensions lately – to go take a quick look at what’s installed and get rid of BetterSurf if it’s there.  For Chrome users, just go to the Options menu in the very upper right hand corner (just under the Close button), point to Tools, and then click on Extensions – it’ll bring up the list of all the extensions you have installed.  If you see BetterSurf in there, click the little trash can icon to the far right of BetterSurf’s listing in your extensions – Chrome will confirm that you really want to remove it, so click Remove, and it’s gone.

There it is, lurking in my Firefox extensions.  And I haven't even opened Firefox since the AJAX class I took in July!  Grumpy Jasmine Cat is not pleased.


Firefox users – go to the Firefox menu at the top left of your Firefox window, then click on Add-ons – it’ll bring you to the Add-ons Manager.  Click on the Extensions tab, and should you see BetterSurf there, click Disable.  Firefox will require you to restart, so do that, go back to the Extensions tab on the Add-Ons window, and it’ll show you that BetterSurf has been disabled.  There’s not much else you can do from here.

Yep, this sucker just made itself at home...


This next part is for both Chrome and Firefox users.  The last thing to do is to remove the BetterSurf folder from your Program Files folder on the hard drive – mine showed up in the Program Files (x86) folder.  Drag that sucker to the recycle bin, right-click and then select Delete, either way will get rid of it.  Make sure to empty your Recycle Bin afterwards.  If you go back to Firefox afterwards, you’ll notice it’s not in the list of installed extensions, which is exactly what we wanted!

This next part involves a little bit of digging.  Another post mentioned the following, regarding this stupid BetterSurf crap…

“There are several other things it does to your PC, including a TASK it schedules to run called AmiUpdXP, which you can find and delete from c:\windows\tasks\AmiUpdXp.job on windows 7.

Other things I have found: A folder is created in your appdata/local called SwvUpdater which is referenced by the Task to run Updater.exe – the frightening part, since it will be able to download and execute any future malware/virus/worm.”

I went and investigated on my own computer – and found the AmiUpdXp.job in Tasks, as well as SwvUpdater in apps/local.  Since I’ve deleted them already (and my computer hasn’t imploded), there are no screenshots for you, but here’s how to take care of the next part.

To ditch the AmiUpdXp.job file, you’ll need to go into C:\Windows\Tasks – inside that folder may be a couple of different things.  I deleted the AmiUpdXp.job file and moved on to the next step.

SwvUpdater is indeed malware, according to ShouldIRemoveIt.com – and you can read more about it and what it does here.  I may have been ridiculous and just deleted the folder for SwvUpdater, but you can actually uninstall it via Windows, too.  Just go to Control Panel, then click on Programs and Features (or Uninstall a Program if you’re in category view).  Scroll down, and look for Software Version Updater.

See it?  This stupid little thing's been hiding in my computer since October, apparently!


Select Software Version Updater from the list, click the Uninstall button at the top, and there you go.  (To double-check that it’s really gone, for those of you who feel like it, go look in your User/AppData/Local folder and make sure that the SwvUpdater folder is gone.  You’ll have to make Windows show hidden files and folders first.)
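As an added example (not part of the original post), here is a read-only PowerShell check for the leftovers named in the steps above: the `AmiUpdXp.job` task file, the `SwvUpdater` folder, the BetterSurf folder under Program Files, and the Software Version Updater uninstall entry. The function name is made up for this example, and the exact folder name `BetterSurf` and the match on the `DisplayName` registry value are assumptions based on the names used in this post.

```powershell
# Added example: reports BetterSurf leftovers described in this post.
# Read-only: nothing is deleted or changed.
function Find-BetterSurfArtifact {
    [CmdletBinding()]
    param(
        # Roots are parameters so the check can also be pointed at a mounted copy of a disk.
        [string]$WindowsDir     = $env:windir,
        [string]$LocalAppData   = $env:LOCALAPPDATA,
        [string[]]$ProgramDirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # File-system locations taken from the post.
    $candidates = @(
        [pscustomobject]@{ Kind = 'ScheduledTask'; Path = Join-Path $WindowsDir 'Tasks\AmiUpdXp.job' }
        [pscustomobject]@{ Kind = 'UpdaterFolder'; Path = Join-Path $LocalAppData 'SwvUpdater' }
    )
    # Folder name "BetterSurf" is an assumption; the post only says "the BetterSurf folder".
    foreach ($dir in ($ProgramDirs | Where-Object { $_ })) {
        $candidates += [pscustomobject]@{ Kind = 'ExtensionFolder'; Path = Join-Path $dir 'BetterSurf' }
    }

    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c.Path) {
            # -Force so hidden items (AppData is hidden by default) are still returned.
            $item = Get-Item -LiteralPath $c.Path -Force
            [pscustomobject]@{ Kind = $c.Kind; Location = $c.Path; Date = $item.CreationTime }
        }
    }

    # Programs and Features reads these uninstall keys (64-bit, 32-bit and per-user).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Software Version Updater|BetterSurf' } |
        ForEach-Object {
            # InstallDate is optional in the registry and may be empty.
            [pscustomobject]@{ Kind = 'InstalledProgram'; Location = $_.PSPath; Date = $_.InstallDate }
        }
}

# No rows printed means none of the listed leftovers were found.
Find-BetterSurfArtifact | Format-Table -AutoSize -Wrap
```

Running it again after the cleanup steps confirms whether the task file or the updater folder has come back.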

Nobody’s quite sure how this little piece of malware snuck its way onto computers – rumor has it that it’s been spreading through YouTube somehow.  Hopefully this’ll help people who’ve been infected with this stupid add-on get rid of it!

This has been a Crafty Nerd PSA – hope this info helps my fellow crafty nerds, and others around the internet!


41 comments

  1. Alvin Reyes says:

    Whew, thanks for the post–I found this after experiencing the same and felt the same (I can’t remember the last time I’ve had any malware on my machines! grrr).

    I noticed this today when certain words on Web pages were converted into promotional links. These “inline ads” showed up even on blog or sites that wouldn’t have this ability (like StackExchange). The pop-ups featured a product and mentioned either InformationGetter and OffersWizard.

    I’ve removed the BetterSurf extension and deleted the files mentioned in this post (however the SwvUpdater had an older time stamp–so maybe it was there already?). Thanks again for the post and Tweet!

    • Beth Hoey says:

      It’s possible – I haven’t had the time to investigate it more fully, so I might pull that update down from this post. Rumor has it, though, that its origins are related to either comments on YouTube or a fake Flash update. I’ll definitely add more once I know more.

  2. Sanne Tran says:

    Hey, thanks for making a post about this virus. I completely freaked out when I noticed my computer was infected, removed the extension in Chrome, but I’m still worried. http://webapps.stackexchange.com/questions/51966/bettersurf-extension-is-malware <— "There are several other things it does to your PC, including a TASK it schedules to run called AmiUpdXP, which you can find and delete from c:\windows\tasks\AmiUpdXp.job on windows 7.

    Other things I have found: A folder is created in your appdata/local called SwvUpdater which is referenced by the Task to run Updater.exe – the frightening part, since it will be able to download and execute any future malware/virus/worm."

  3. Jacqui Murray says:

    Thanks for this. I’d stumbled through the solution exactly as you detailed and it seems to have worked. I hope there’s no lasting damage.

  4. RemixedCat says:

    Got this too on my sister’s toshiba laptop that runs windows 7 x64. They barely have any software installed and they don’t go to any shady sites either…

  5. Rus says:

    I practically guarantee that it came from one of many developer references on the web (which holds to the MO). I can say that because I got it on my work PC, and the only external sites I browse are dev references. I do all my personal browsing on my phone. I can also say that the only thing more stupid than sticking a developer with malware would be to stick your network security guy with malware. What a stupid company. The developer reference site that took cash for that nonsense deserves to have its domain squatted.

    • Rus says:

      (Oh, and thanks a ton for the directions…you saved me a whole heap of time trying to track this thing down and kill it! Now my dog gets to see me when I’m supposed to be at home)

      • Beth Hoey says:

        Yay! More dog time is always good. And I’m glad I could help out! I know that I get frustrated when I can’t find information about a specific virus/piece of malware, or if I have to go hunting all over for it, so I figured the best idea would be to lump it all together and hope others could find it. 🙂

  6. Baron Zahuranec says:

    I’m not very versed in finding stuff on my computer. Where is this appdata/local folder?

  7. Jerimie Lee says:

    Thanks so much for this.
    It was a lot of help!

  8. SingingTurnip says:

    I had this and I noticed it when I was using Twitter... anyway, I didn’t have the file AmiUpdXp.job but did have the folder swvupdater… I also didn’t have it in Control Panel. I am on Win7.

  9. […] The reason is the "Better Surf" add-on, which installed itself on my system without asking. More information is available here: http://www.thecraftynerd.com/2013/11…me-bettersurf/ […]

  10. mag says:

    Thank you very much! I’ve had it since yesterday. As a lot of folks said, it seems to contaminate a lot of web developers’ computers (I’m one of these too…)
    All I did yesterday was looking at some streaming videos, facebook, google mail and pinterest stuff. Seems to be gone after cleaning all up.

    • Beth Hoey says:

      I wish I knew why it’s so prevalent on web developer computers! I do a little bit of web development myself, and I haven’t visited anything sketchy since I don’t know when. Usually I just poke around Facebook, Reddit, and occasionally watch some stuff on YouTube and pretty much live off Gmail. Hmm.

  11. laxi says:

    This has been happening since yesterday on my Firefox and IE. 🙁

  12. laxi says:

    Does anyone know how this spread all over the freaking world?!

    • lorax1284 says:

      Adobe was hacked a few weeks ago: source code was retrieved from their website: this is a fact they have admitted to.

      SPECULATION: I believe that hackers got a hold of that source code and used it to SIMULATE an Adobe Reader or Adobe Flash Player update which wasn’t an Adobe update at all: it ran an executable that installed BetterSurf all over the place.

      I noticed that after the ‘routine’ acceptance of an Adobe update that BetterSurf prompts started showing up in my Browser… and your browser “crashing” was your browser being shut down by BetterSurf so it could install itself.

      If this speculation is true, I think the owners of BetterSurf are liable to criminal prosecution.

  13. RemixedCat says:

    I did a webroot scan of my sister’s PC yesterday and it deleted the svwupdater and updater.exe and so far so good…. hope it’s gone for good!

    also if anyone here wants a killer deal on a 5PC protection package I can give a discount if it’s ok with this blog owner?

    I can get people 50 dollars off!

  14. KP says:

    Thank you for all of the information. I did what you said and while the ads no longer come up on Google Chrome, they are coming up on Internet Explorer. Any thoughts? Thanks.

  15. Chaitanya says:

    Hi Beth!

    First of all, thanks for this really helpful information.
    I am not sure if this has happened with anybody else, but, on booting my win7 os, when I tried pressing the F8 key for safe mode, it just didn’t work. Neither did the delete key for setup. I tried interrupting the boot by restarting the pc, so that it asks for the safe mode automatically on next boot. But, it went into system repair 🙁 After the system repair, I reached your page and made all the fixes you mentioned here.

    The next step I did was cleaned up the temp files and registry using CacheCleaner.

    Later, I opened the Registry Editor and searched for “BetterSurf” and deleted all related keys/folders [NOTE: Readers be very careful if you are doing that. Otherwise you will end up damaging your OS].

    And then rebooted twice. The F8 key/Del key issue isn’t resolved yet [Might be because of my USB wireless keyboard].

    However, no BetterSurf ads now in the browsers.

    But, if we look at how smartly it injected itself in all the three browsers (IE/Firefox/Chrome), they could possibly be doing more damage than just the pop-up ads.

    I suggest everyone to change their email, banking, facebook, etc. etc. passwords immediately as there was some email id mentioned that I found in the registry. The email id is mentioned on the firefox site.

    Firefox has blocked this add-on from 15th Nov. More info here: https://addons.mozilla.org/en-US/firefox/blocked/i486

    Regards,
    Chaitanya

  16. Liz says:

    Thanks for the help – for someone who isn’t savvy with computers, it’s scary to think stuff like this can happen and nothing is stopping it! Will be spreading the word 🙂

  17. See Pin Buy says:

    Thanks for the information. The last extension I installed on Chrome was Pinterest. Looking now I found two of the better surf programs attached.

  18. Athanasie says:

    Thanks for your helpful description for deleting this crap. I just wonder why the newest antivirus/malware/… scanners don’t get this shit…

  19. CleanSlateJeff says:

    I suspect Evernote. My PC has never been the same. However, I might have updated Adobe Reader recently. Also, the ads are often for unethical products and services.

  20. John Schenk says:

    Thanks for the help, really appreciated! I messed around with this for a couple hours before I found your help. First I ran a scan with Norton. They found it and said it was deleted, not really. Went in to Firefox and Internet Explorer and disabled it but it still kept popping up. Couldn’t find it as a program anywhere to delete it until I found your instructions. Now it’s gone. Thanks again.

  21. Daniel Bent says:

    Thanks. This extension was installed on my PC after I came back from a 2 week vacation. Still no idea of how it got installed on a PC that was unplugged for 2 weeks…

  22. Dean Nor says:

    I believe mine was installed when I downloaded and installed super video convertor. The new install of super contains a bunch of adware, I thought I did a custom install and did not select those but looks like this sneaked through.

    I think this is the reason because the install data for software version updater and super was the same

  23. Scott Dichter says:

    Thanks, this thing kept popping up, triggering Defender, getting deleted and then popping up again (felt like I was being stalked), found some of the stuff you referenced, let’s hope it takes this time

  24. Aidan Zheng says:

    mine didn’t have anything on the extensions and bettersurf is still popping out every time…? I can’t find it on any of my programs either

  25. Victor says:

    I have done everything, at least I think I have, but I still have all the ads… Please help me

  26. Victor says:

    I can’t find the User/AppData/Local folder

  27. MetalDog7 says:

    go to this page and click active. it will deactivate bettersurf

  28. […] day was November 15th, 2013 with 1,418 views, when I apparently saved the day by telling everyone how to get rid of a malicious Chrome/Firefox extension called BetterSurf (believe me, it did not make surfing the internet […]