Remove 'The Best Offers Network'

[Markbnj]

Does anyone know of a tool that can clean out The Best Offers Network from my daughter's machine? I've been trying to avoid a reformat, but after working on it most of this weekend I am about ready to put my fist through the monitor.

This has to be one of the toughest bastards to remove. I've scanned with Avast!, Spybot, and AdAware in diagnostic startup mode. Spybot find some 'ABetterInternet.Aurora' keys associated with this adware, but the damn thing comes back every time I reboot into normal startup mode. I've been through the startup folders, run, runonce, and runonceex keys in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.

I think maybe it has a hook into Internet explorer and is reinstalling itself every time the browser is started.

Is PestPatrol worth buying? Will it get rid of this piece of crap? Is a reformat the only way to a clean system here?

 

[timswim78]

I just got it off of a friend's laptop using webroot. There is a 14 day trial of it floating around somewhere. (The trial on the webroot's Web site does not allow for removal). Just PM me if you cannot find the 14 day trial.

Spybot and Adaware cannot touch this thing.

The Best Offers Network offers uninstallation instructions on their Web site.
http://www.bestoffersnetworks.com/uninstall/

 

[Markbnj]

Just for the record their uninstall is a joke. Clicking on the uninstall from add/remove programs takes you to their website, where they tell you to click on the uninstall in add/remove programs! I downloaded their uninstall utility and ran it and Avast went nuts. Not that I expected it to actually remove the software.

I also just ran Windows Defender Beta 2 after reading somewhere that it gets it, and it did indeed seem to hobble the software: the popups still appear but they are empty.

I'll give webroot a try, thanks.

Edit: stumbled upon this, which was apparently just filed last month:

http://www.direct-revenue.com/Sotelo_Settlement_Notice.pdf

I did find a free trial of Webroot, going to install that and give it a spin tomorrow.

 

[xtknight]

pserv.cpl

Maybe you will find that it has setup a 'service' or 'device'. With pserv.cpl you can just delete said service/device.

 

[timswim78]

I forgot to mention Schandenfroh's thread about cleaning up computers. It is really good.
http://forums.anandtech.com/messageview...atid=33&threadid=1658987&enterthread=y

 

[Markbnj]

Thanks, that's a great thread. And thanks for the link to the pserv tool, xt. That seems worth a look on its own merits.

This is a pretty slick little number. It drops Nail.exe into c:\windows, and drpmon.dll into windows\system32. When I first started looking into it there was a directory called program files\TBONAS\ that was full of their crap as well. The first couple of times that I removed all this stuff in safe mode it came back. Now for some reason it isn't recreating the TBONAS directory, but it is still recreating nail.exe and the dll. I also got rid of a bunch of registry keys related to it, and to aurora.aurorahandler but so far I haven't found where their hook is, and the stuff keeps coming back. There is nothing in run, runonce, or runonceex, or in the startup folders. I'm going to look at the IE browser helper object list tomorrow. I'm betting that's where the hook is, and it'll be a class implemented in some obscure dll somewhere.

 

[domllama]

Try this: Ad-Aware SE Personal Edition 1.06

http://www.download.com/3000-2144-10045910.html

It will eliminate most spyware/bestoffer network crap off a computer. It's free too.
Their free version of this actually works a hell of a lot better than most software you have to buy.

If that doesn't work I would pick up a full copy of Zone labs: Zone Alarm Suite... I just put this on my aunt's computer who cannot avoid adwarel..and it works wonders. All problems handled. Try the Ad-aware first though..it should get rid of the problem.
Let me know..I know a lot about handling adware/spyware/virus' etc.

 

[Markbnj]

Yeah, I run AdAware and Spybot S&D as part of my usual suite of defenses. AdAware picks up 3 registry keys and 3 files, but on reboot they're back. Spybot doesn't find it at all. Avast sees the DLL file as having a trojan/adware, but it's back on reboot after a delete or a quarantine.

So there's something these tools, and MS Antispyware, are missing.

 

[mechBgon]

I suggest this routine:

1) uinistall Avast and install a 30-day trial of Kaspersky Antivirus Personal. Configure it as shown here for full protection, including the Extended Databases option.

2) install Windows Defender from http://www.microsoft.com/athome/security/spyware/software/default.mspx and update it.

3) install Spybot S&D from http://www.safer-networking.org and update it

4) install your Webroot trialware and update it.

5) Set up to follow this routine: http://www.omnicast.net/~tmcfadden/scan.txt This is a command-line utility from McAfee. They recognize Adware-BestOffers so you should get results.

6) now reboot into Safe Mode With Command Prompt, do the scan shown in #5 above, then start explorer.exe, stay in Safe Mode With Command Prompt and run a Kaspersky scan, a Webroot scan, a Windows Defender scan and a Spybot scan, all on the same Safe Mode session.

So that's two heavy-duty antivirus products plus three anti-spyware products. See how it goes. Also, consider making her regular user account a Limited account