1

When I was browsing (a local copy of a site off my own hard drive), I was greeted by a pop-up that took up the entire bottom half of my screen that detected that I was on the site that had a menu of specials, and this pop-up basically counter-offered me other specials from our client's competitors.

A smaller, similar popup came up on the bottom right of my screen later and made reference to savings.com.

I noticed a new Firefox extension I'd never seen: BetterSurf 1.0. Date it was updated? TODAY.

I'm guessing I somehow got some malware. Could have come from a Firefox or Google Chrome update installation, or perhaps it was from when I downloaded and installed NetBeans 7.4 a couple of weeks ago. (Why, then, would this situation manifest itself NOW?)

I ran MalwareBytes Antimalware (came up with over 100 suspect objects!) and rebooted. I'm not getting the pop-ups any more, and I'm also not seeing any of the subdirectories in C: that are mentioned in any answers.

bettersurf disabled

What is this extension and why did it appear?

Improve this question
2
  • 1
    @dauber It maybe wise to download & run bleepingcomputer.com/download/adwcleaner
    – Simon
    Commented Nov 16, 2013 at 15:26
  • 1
    "Could have come from a Firefox or Google Chrome update installation" - this is not possible, unless you grabbed either browser manually from an untrusted third party site.
    – Collin Grady
    Commented Dec 28, 2013 at 7:35

2 Answers 2

Reset to default
1

Short answer (what worked for me): disable it and delete the folder "Bettersurf" in the Program Files folder

Long answer: It happened to me after updating firefox to the recent version (25.0). The fact that I didn't install it and firefox add-ons search for the extension doesn't provide any results seems reasonable to me to assume it's a malware. So what I did, I disabled it and if you go the Program Files folder, it has created its own folder with the name "Bettersurf" and I deleted it permanently. Restart firefox and the add-on not there anylonger.

Improve this answer
1

It appears to be malware and is now officially blocked in Firefox. If it wasn't installed knowingly through (running) Firefox, or via a Windows software installation that also informed about adding a Firefox add-on, then it could have been installed on the system by another application (the name could be totally different) that also surreptitiously added a Firefox extension.

It would also be a good idea to further scan the system with two or more anti-malware scanners / live_CD/USB anti-malware kits. Preferably, set the scanners at the highest/strictest levels of detection so as to also detect less rated threats like PUP in addition to viruses, rootkits, trojans, etc.

From the looks of it (no Remove button) there could be two possible locations for its installation files:

  1. Firefox install_directory\browser\extensions. Usually only the default theme folder named {972ce4c6-7e08-4474-a285-3208198ce6fd} would be present here though there could also be anti-malware and other legitimate extensions.

  2. A location specified in the right pane of the relevant Windows registry HKCU or HKLM key (here also there could be listings of anti-malware and other legitimate extensions).

In either case it would be possible to uninstall the extension by deleting its file(s)/folder, and (if applicable) deleting the registry key. Please also note that if it appears even after deleting the correct file(s)/folders and/or registry key then most probably there could be another main program or a helper program running constantly or intermittently that re-installs this extension, and possibly changes Firefox settings.

Troubleshoot Firefox issues caused by malware

Improve this answer

You must log in to answer this question.