I don't have a proven solution per se, Bob, but I just wanted to confirm to you and Grif some things you may already know. I'm also including highlights of the steps I took to eradicate this issue from my system last year.
The same thing (a SweetPacks infection) occurred roughly a year or so ago. There was extensive discussion about it here in the forums because you (Bob) helped to track it back to a CNet/Downloads copy of VMWare Player (I think) that had recently been promoted.
I found the popular deinstallers and adware/malware eradicators could not completely remove SweetPacks. Even after things seemed all fixed, a couple weeks later I found remnants of SweetPacks trying to access the Internet, presumably to update or further-infect my system. I'll explain.
I had used Malwarebytes, AdwCleaner, and also Revo Uninstaller. Interestingly, SweetPacks had its own deinstaller, which I didn't trust, of course. However, even when using Revo, the SweetPacks deinstaller would pop-up and obscure the Revo window, thereby almost tricking the user into using the SweetPacks deinstaller instead of proceeding with using Revo. Was there any sense in trusting the SweetPacks deinstaller? I avoided it.
I had three browsers installed -- Firefox, IE, and Chrome -- and ALL were affected. To fix the browsers, I used their respective Options/Preference tools to remove the visible effects of SweetPacks (add-ons, home page, and default search site), but checking About:Config for Firefox revealed that remnants remained.
By the way, Bob, after taking your advice when this originally occurred, I've been using AdBlock and Web of Trust, both of which have effortlessly helped me to avoid getting into trouble again. Thank you very, VERY much!
After doing all of the above, all seemed okay. Then two weeks later a firewall warning indicated something called "ExtensionUpdaterService.exe" was trying to access the Internet. Checking online revealed this was associated with SweetPacks. This pressed my knowledge of safe PC usage, but I dared to look in my Registry. Other than a boot sector contamination or something being started by MSConfig, the Registry was the only other place I knew to check. Sure enough I found entries in the Registry, too, which spawned visits to a particular web address (which I don't recall). After manually removing all the SweetPacks entries from my Registry I could find,
fortunately my system was still in good working order. I've re-checked
several times and thankfully, Registry entries with "sweetim" and
"sweetpacks" have not reappeared.
I hope this helps, folks. All the best!
Was this reply helpful? (1) (0)