Adware.BetterAds

Short bio

Adware.BetterAds is Malwarebytes’ detection name for adware targeting Windows systems that is delivered by bundlers. Typically, it sets a proxy on the affected system in order to show advertisements.

Symptoms

Symptoms of infection include unsolicited advertisements not related to sites you are visiting, a proxy not set by the user, and a BetterAds entry in the list of installed programs and features.

BetterAds proxy

BetterAds proxy

Betterads installed

Type and source of infection

Adware.BetterAds can reach user systems via bundlers.

Protection

Malwarebytes protects users from Adware.BetterAds by using real-time protection, and by blocking the domain that hosts the installer.

block Betterads

Malware blocks Adware.BetterAds

 

block betteradssoftware.com

Malwarebytes blocks www.betteradssoftware.com

Remediation

Malwarebytes can remove Adware.BetterAds without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

To achieve full removal, a system reboot is required. Malwarebytes will prompt you to do so if necessary.

A full removal guide for BetterAds can also be found in our forums.

Malwarebytes removal log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/27/17
Scan Time: 11:38 AM
Logfile: mbamBetterAds.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1818
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 328803
Time Elapsed: 4 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Quarantined, [6542], [392905],1.0.1818

Module: 1
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Quarantined, [6542], [392905],1.0.1818

Registry Key: 5
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\srcsrv, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Delete-on-Reboot, [6542], [-1],0.0.0
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\betterads, Delete-on-Reboot, [476], [383836],1.0.1818
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL, Delete-on-Reboot, [6], [392968],1.0.1818
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{376CA350-6C34-4F10-B8DC-586F8CA03009}_is1, Delete-on-Reboot, [476], [383837],1.0.1818

Registry Value: 13
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SRCSRV|IMAGEPATH, Delete-on-Reboot, [6542], [392906],1.0.1818
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL|CHANNEL, Delete-on-Reboot, [6], [392968],1.0.1818

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.BetterAds.PrxySvrRST, C:\WINDOWS\SRC_SRV, Delete-on-Reboot, [6542], [392905],1.0.1818

File: 6
PUP.Optional.BetterAds, C:\USERS\{username}\DESKTOP\SRC_SRV_AMONETIZE.EXE, Delete-on-Reboot, [476], [391675],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\WINDOWS\SRC_SRV\TRUSTED.WEB.PROXY.DLL, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\accept_cert.exe, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\Ionic.Zip.dll, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\rootCert.pfx, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Delete-on-Reboot, [6542], [392905],1.0.1818

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

() C:\Windows\src_srv\winsrcsrv.exe
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003] => 127.0.0.1:8003
ManualProxies: 1127.0.0.1:8003
R2 srcsrv; C:\Windows\src_srv\winsrcsrv.exe [16384 2017-04-04] () [File not signed]
C:\Windows\unins000.exe
C:\Windows\unins000.dat
C:\Windows\src_srv

BetterAds version 1 (HKLM-x32\…\{376CA350-6C34-4F10-B8DC-586F8CA03009}_is1) (Version: 1 – )

 

Associated files:

%WinDir%\src_srv\winsrcsrv.exe

Domains:

betteradssoftware.com

Related blog content

How to remove adware from your PC

10 easy ways to prevent malware infection

10 easy steps to clean your infected computer

Select your language