Adware.BetterAds

Short bio

Adware.BetterAds is Malwarebytes’ detection name for adware targeting Windows systems that is delivered by bundlers. Typically, it sets a proxy on the affected system in order to show advertisements.

Symptoms

Symptoms of infection include unsolicited advertisements not related to sites you are visiting, a proxy not set by the user, and a BetterAds entry in the list of installed programs and features.

BetterAds proxy

Betterads installed

Type and source of infection

Adware.BetterAds can reach user systems via bundlers.

Protection

Malwarebytes protects users from Adware.BetterAds by using real-time protection, and by blocking the domain that hosts the installer.

Malwarebytes blocks Adware.BetterAds

Malwarebytes blocks www.betteradssoftware.com

Remediation

Malwarebytes can remove Adware.BetterAds without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard, or select Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be installed before the rest of the scan runs.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

To achieve full removal, a system reboot is required. Malwarebytes will prompt you to do so if necessary.

A full removal guide for BetterAds can also be found on our forums.

Malwarebytes removal log

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/27/17
Scan Time: 11:38 AM
Logfile: mbamBetterAds.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.96
Update Package Version: 1.0.1818
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 328803
Time Elapsed: 4 min, 6 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Quarantined, [6542], [392905],1.0.1818

Module: 1
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Quarantined, [6542], [392905],1.0.1818

Registry Key: 5
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\srcsrv, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Delete-on-Reboot, [6542], [-1],0.0.0
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\betterads, Delete-on-Reboot, [476], [383836],1.0.1818
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL, Delete-on-Reboot, [6], [392968],1.0.1818
PUP.Optional.BetterAds, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{376CA350-6C34-4F10-B8DC-586F8CA03009}_is1, Delete-on-Reboot, [476], [383837],1.0.1818

Registry Value: 13
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYSERVER, Delete-on-Reboot, [6542], [-1],0.0.0
Adware.BetterAds.PrxySvrRST, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SRCSRV|IMAGEPATH, Delete-on-Reboot, [6542], [392906],1.0.1818
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\MBS_INSTALL|CHANNEL, Delete-on-Reboot, [6], [392968],1.0.1818

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.BetterAds.PrxySvrRST, C:\WINDOWS\SRC_SRV, Delete-on-Reboot, [6542], [392905],1.0.1818

File: 6
PUP.Optional.BetterAds, C:\USERS\{username}\DESKTOP\SRC_SRV_AMONETIZE.EXE, Delete-on-Reboot, [476], [391675],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\WINDOWS\SRC_SRV\TRUSTED.WEB.PROXY.DLL, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\accept_cert.exe, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\Ionic.Zip.dll, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\rootCert.pfx, Delete-on-Reboot, [6542], [392905],1.0.1818
Adware.BetterAds.PrxySvrRST, C:\Windows\src_srv\winsrcsrv.exe, Delete-on-Reboot, [6542], [392905],1.0.1818

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

() C:\Windows\src_srv\winsrcsrv.exe
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003] => Proxy is enabled.
ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003] => 127.0.0.1:8003
ManualProxies: 1127.0.0.1:8003
R2 srcsrv; C:\Windows\src_srv\winsrcsrv.exe [16384 2017-04-04] () [File not signed]
C:\Windows\unins000.exe
C:\Windows\unins000.dat
C:\Windows\src_srv

BetterAds version 1 (HKLM-x32\…\{376CA350-6C34-4F10-B8DC-586F8CA03009}_is1) (Version: 1 – )
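
The check below is an added example, not Malwarebytes or FRST code: it scans FRST log text for the two traces listed above, a proxy pointing at a loopback address and a service whose binary is reported as not signed. The sample log, the benign entries in it and the function name triage are constructed for illustration.

```python
import re

# Constructed sample: FRST lines from the section above plus two benign
# lines (a corporate proxy and a signed service) for contrast.
SAMPLE = r"""
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyServer: [S-1-5-21-1111111111-2222222222-3333333333-1001] => proxy.corp.example:3128
ManualProxies: 1127.0.0.1:8003
R2 srcsrv; C:\Windows\src_srv\winsrcsrv.exe [16384 2017-04-04] () [File not signed]
R2 ExampleSvc; C:\Program Files\Example\svc.exe [20480 2017-01-01] (Example Corp)
"""

# Loopback endpoint anywhere in the value: ProxyServer may hold
# "http=host:port;..." and ManualProxies above carries a leading "1".
LOOPBACK = re.compile(r"(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):\d{1,5}", re.I)
PROXY = re.compile(r"^ProxyServer: \[([^\]]+)\] => (.+)$")
MANUAL = re.compile(r"^ManualProxies: (.+)$")
SERVICE = re.compile(
    r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\]"
    r" \((?P<signer>[^)]*)\)(?P<unsigned> \[File not signed\])?$"
)

def triage(log_text):
    """Return loopback proxy settings and unsigned services found in FRST text."""
    proxies, services = [], []
    for line in (l.strip() for l in log_text.splitlines()):
        m = PROXY.match(line)
        if m and (hit := LOOPBACK.search(m.group(2))):
            proxies.append((m.group(1), hit.group(0)))  # (hive or SID, endpoint)
            continue
        m = MANUAL.match(line)
        if m and (hit := LOOPBACK.search(m.group(1))):
            proxies.append(("ManualProxies", hit.group(0)))
            continue
        m = SERVICE.match(line)
        if m and m.group("unsigned"):
            services.append((m.group("name"), m.group("path")))
    return {
        "loopback_proxies": proxies,
        "unsigned_services": services,
        # A local proxy alone can be legitimate (debugging proxies);
        # paired with an unsigned service it deserves a closer look.
        "review": bool(proxies and services),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```
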

 

Associated files:

%WinDir%\src_srv\winsrcsrv.exe

Domains:

betteradssoftware.com
