Edit 11/15 8:34 am: I can’t believe how many people I’ve helped out with this! If any of you who’re stumbling across this post are of the nerdy or crafty persuasion, please visit The Crafty Nerd’s Facebook page, or add my blog to your RSS reader of choice.
Still not quite sure how this virus is being spread around – some rumors have it as coming from YouTube, others remark that it’s hitting web developers pretty hard. If you hear anything about where it’s coming from, post about it in the comments – I’d appreciate it.
Edit 11/14 6:14 pm: Holy crap I think this is the most visitors my site has ever had in an entire day ever. I hope this walkthrough’s helping people out – share it with everyone you know! I’ve added a section on how to remove some of the additional files that BetterSurf may have sneaked into your computer.
I know, I know, I don’t tend to do this sort of thing here, but as this was a sneaky little bit of malware that crawled into my Chrome installation without any sort of fanfare… I figured it might not be a bad idea to share with my readers. (Plus, I’m all kinds of angry. I’ve been spyware/malware/virus free since I don’t know when, and having something sneak in undetected… grr.)
I noticed yesterday that Chrome on my desktop and laptop computers had been crashing – I figured it was just the Hangouts extension crashing the whole works (in the reviews of Hangouts on the Chrome Web Store, it’s notorious for crashing in all sorts of spectacular ways) and that it was nothing to be worried about. Well, this morning, Chrome crashed so spectacularly that I had to go into Task Manager and clear out the stuck Google Crash Handler processes before Chrome would even open up again – and then as it did open, a little pop-up from Chrome appeared saying “Extension BetterSurf was installed, and has been causing problems” or something to that effect, and gave me the options to disable or remove the extension. (I’ve seen a similar window when the Adobe PDF reader extension was giving me issues.) Since I’d never seen BetterSurf before in my life, certainly hadn’t installed any extensions lately or visited any remotely questionable sites, and have AdBlock running on my computer too, I removed it – and then visited Google Search to see what else was out there about this.
I first found this forum thread on the subject – which was exactly what happened to me. Chrome crashed, upon reboot the extension was installed. The extension’s not limited to Chrome users, though. Firefox users are affected as well, as noted by this post. The extension seems to pop up windows advertising similar services/products to sites you’re currently visiting – which is never a good thing. There’s also an analysis overview of BetterSurf over at Malwr.com, for those interested.
So, it might be a good idea for everyone – whether or not you’ve installed any extensions lately – to go take a quick look at what’s installed and get rid of BetterSurf if it’s there. For Chrome users, just go to the Options menu in the very upper right hand corner (just under the Close button), point to Tools, and then click on Extensions – it’ll bring up the list of all the extensions you have installed. If you see BetterSurf in there, click the little trash can icon to the far right of BetterSurf’s listing in your extensions – Chrome will confirm that you really want to remove it, so click Remove, and it’s gone.
There it is, lurking in my Firefox extensions. And I haven’t even opened Firefox since the AJAX class I took in July! Grumpy Jasmine Cat is not pleased.
Firefox users – go to the Firefox menu at the top left of your Firefox window, then click on Add-ons – it’ll bring you to the Add-ons Manager. Click on the Extensions tab, and should you see BetterSurf there, click Disable. Firefox will require you to restart, so do that, go back to the Extensions tab on the Add-Ons window, and it’ll show you that BetterSurf has been disabled. There’s not much else you can do from here.
Yep, this sucker just made itself at home…
This next part is for both Chrome and Firefox users. The last thing to do is to remove the BetterSurf folder from your Program Files folder on the hard drive – mine showed up in the Program Files (x86) folder. Drag that sucker to the Recycle Bin, or right-click it and then select Delete; either way will get rid of it. Make sure to empty your Recycle Bin afterwards. If you go back to Firefox afterwards, you’ll notice it’s not in the list of installed extensions, which is exactly what we wanted!
This next part involves a little bit of digging. Another post mentioned the following, regarding this stupid BetterSurf crap…
“There are several other things it does to your PC, including a TASK it schedules to run called AmiUpdXP, which you can find and delete from c:\windows\tasks\AmiUpdXp.job on Windows 7.
Other things I have found: A folder is created in your appdata/local called SwvUpdater which is referenced by the Task to run Updater.exe – the frightening part, since it will be able to download and execute any future malware/virus/worm.”
I went and investigated on my own computer – and found the AmiUpdXp.job in Tasks, as well as SwvUpdater in apps/local. Since I’ve deleted them already (and my computer hasn’t imploded), there are no screenshots for you, but here’s how to take care of the next part.
To ditch the AmiUpdXp.job file, you’ll need to go into C:\Windows\Tasks – that folder may contain a couple of different things; I deleted the AmiUpdXp.job file and moved on to the next step.
SwvUpdater is indeed malware, according to ShouldIRemoveIt.com – and you can read more about it and what it does here. I may have been ridiculous and just deleted the folder for SwvUpdater, but you can actually uninstall it via Windows, too. Just go to Control Panel, then click on Programs and Features (or Uninstall a Program if you’re in category view). Scroll down, and look for Software Version Updater.
See it? This stupid little thing’s been hiding in my computer since October, apparently!
Select Software Version Updater from the list, click the Uninstall button at the top, and there you go. (To double-check that it’s really gone, for those of you who feel like it, go look in your User/AppData/Local folder and make sure that the SwvUpdater folder is gone. You’ll have to make Windows show hidden files and folders first.)
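For anyone who would rather check all of the locations above in one go, here is a read-only PowerShell check, added as an example and not part of the original walkthrough. It assumes the folder and file names are exactly as given in this post, that user profiles sit next to the current one, and that the program is registered under the standard Windows uninstall registry keys; the function name Find-BetterSurfLeftovers is made up for this example.

```powershell
# Added example: report (never delete) the BetterSurf leftovers named in this post.
function Find-BetterSurfLeftovers {
    # 1. BetterSurf folder under Program Files / Program Files (x86)
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) {
            $dir = Join-Path $root 'BetterSurf'
            if (Test-Path -LiteralPath $dir) { "Folder: $dir" }
        }
    }

    # 2. The scheduled task file mentioned in the quoted post
    $job = Join-Path $env:windir 'Tasks\AmiUpdXp.job'
    if (Test-Path -LiteralPath $job) { "Task file: $job" }

    # 3. SwvUpdater under AppData\Local for every profile we can read.
    #    Assumption: all profiles live beside the current user's profile.
    #    Test-Path sees hidden folders, so no Explorer setting is needed.
    $usersRoot = Split-Path -Parent $env:USERPROFILE
    $profiles = Get-ChildItem -LiteralPath $usersRoot -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($p in $profiles) {
        $swv = Join-Path $p.FullName 'AppData\Local\SwvUpdater'
        if (Test-Path -LiteralPath $swv) { "Folder: $swv" }
    }

    # 4. "Software Version Updater" in Programs and Features
    #    (standard uninstall keys: 64-bit, 32-bit and per-user)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Software Version Updater*' }
    foreach ($e in $entries) {
        "Installed program: $($e.DisplayName) ($($e.PSChildName))"
    }
}

$found = @(Find-BetterSurfLeftovers)
if ($found.Count -eq 0) {
    'None of the BetterSurf leftovers from this post were found.'
} else {
    $found
}
```

Run it from an elevated PowerShell window so other users' profile folders can be read; anything it lists can then be removed with the steps above.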
Nobody’s quite sure how this little piece of malware snuck its way onto computers – rumor has it that it’s been spreading through YouTube somehow. Hopefully this’ll help people who’ve been infected with this stupid add-on get rid of it!
This has been a Crafty Nerd PSA – hope this info helps my fellow crafty nerds, and others around the internet!