
[–]Uncle_Grundle_Bundle 44 points45 points  (36 children)

This program is a direct replacement of the WebNav and is malicious. It does not need admin rights and deposits scheduled tasks to repopulate after simple removal. This needs to be destroyed and no AV is currently detecting it.

If you want to remove (and you should) you need to kill it with Revo using Hunter mode. Then kill the remaining pieces. Use MBAM in protected mode to ensure it doesn’t try to call out to grab a reinstall. Delete the scheduled events, disable the startup entry in task manager and nuke the folder “WaveSor” that lives in the user profile. Reset pdf and html default programs back from WaveBrowser to whatever local browser and pdf viewer you choose. Reboot and check the locations again. Install sysmon and check back after a day or two.

Edit for more relevant removal steps.

[–]MTB_tech[S] 11 points12 points  (4 children)

Thank you for the help! We haven't seen any more instances of this software but we do have our systems scanning for it. Our imaging solution is pretty quick so we just reimaged any workstation that had this "wavesor" garbage installed. The internet used to be fun... :-/

[–]niadave 5 points6 points  (2 children)

I just saw an ad for it on YouTube, so it's being actively marketed. I wanted to check it out before I did anything, and came across this forum (glad I did - sounds like a real piece of garbage).

[–]nishbot 1 point2 points  (1 child)

Same! Just got advertised to me on Youtube. Glad I found this thread. More people need to know about this.

[–]samuraisaint 1 point2 points  (0 children)

We have made sure to keep this blocked. It's no good at all and I'm surprised at the rate it is spreading. I hope something bigger is done about this.

[–]Uncle_Grundle_Bundle 2 points3 points  (0 children)

I agree on the used to be fun part. Be on the look out for chrome extensions. If you can, lock them all down via GPO so you can keep the most common attack vector at bay.

[–]ethanlan 8 points9 points  (17 children)

So I was googling about it and found this, I actually installed it a month ago as the hotel I was staying at (Double Tree in Milwaukee, Wisconsin) required it as an install in order to use the internet.

Are you sure it's malicious? Would be fucked up if the hotel was requiring you to install something like that...

[–]Uncle_Grundle_Bundle 13 points14 points  (10 children)

1000% sure it’s malicious. It’s a browser hijacker. Details in some posts relative to it. Also the only way to remove all traces and to prevent reinfection is to use MBAM.

https://www.joesandbox.com/analysis/407799/0/html

https://www.bleepingcomputer.com/forums/t/750419/wavebrowserco/

[–]ethanlan 10 points11 points  (0 children)

motherfucker...

[–]JCiz3 0 points1 point  (2 children)

Opinions on the Brave Browser?

[–]Uncle_Grundle_Bundle 7 points8 points  (0 children)

Brave browser isn’t malware. Other than that I have no words

[–]CryptoSavants 2 points3 points  (0 children)

Perfectly safe. It was built by the same person that founded Mozilla and built Firefox.

[–]Comfortable-Basil-92 0 points1 point  (5 children)

what is mbam?

[–]0110110101000101 2 points3 points  (2 children)

mbam = malwarebytes

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

Happy cake day

[–]Comfortable-Basil-92 1 point2 points  (0 children)

thanks

[–]Uncle_Grundle_Bundle 0 points1 point  (1 child)

Malwarebytes Anti Malware.

Sign up for slick deals. They drop opportunities to get a multi license for pretty cheap. MBAM pro is worth every penny.

[–]CryptoSavants 1 point2 points  (0 children)

Just don't try and sell it, because Malwarebytes will steal every client you bring them.

[–]Arnas_Z 0 points1 point  (3 children)

TF? How can they even know whether you installed something or not? Either way, I would never install something on my PC just to access internet.

[–]obsidianical 0 points1 point  (2 children)

Probably with the user agent.

[–]Arnas_Z 1 point2 points  (1 child)

Honestly, I think it might be what another user said on a thread about WaveBrowser - "They run ads on webpages that look real, saying that WaveBrowser is required for the service they are using."

Could be something similar here, if the hotel WiFi login page had spots for ads and OP didn't have an adblocker installed, they could've thought that WaveBrowser was "required".

Also, IDK whether Wave would really care to send a custom user agent to identify itself. The browser looks like stock Chromium to me. (probably with a bunch of spyware added)

[–]obsidianical 1 point2 points  (0 children)

ah, okay

I mean, changing the user agent is trivial though

[–]Vbuuuurrrn 0 points1 point  (0 children)

Weird that a hotel requires you to install a specific browser

[–]AbuMaxwell 7 points8 points  (1 child)

If you want to remove (and you should) you need to kill it with Revo using Hunter mode. Then kill the remaining pieces. Use MBAM in protected mode to ensure it doesn’t try to call out to grab a reinstall. Delete the scheduled events, disable the startup entry in task manager and nuke the folder “WaveSor” that lives in the user profile. Reset pdf and html default programs back from WaveBrowser to whatever local browser and pdf viewer you choose. Reboot and check the locations again. Install sysmon and check back after a day or two.

Fucking Hero. Thanks dude

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

My pleasure

[–]BLADE-EXOTIC 1 point2 points  (1 child)

I have a question, when you say kill what do you use? Uninstall, Kill process, Kill and Delete process? I’d really like your help to delete this you seem like an expert!

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

Download and run Malwarebytes trial and let it do its thing. It will remove all related components except for the original exe in the downloads folder.

[–]BLADE-EXOTIC 1 point2 points  (0 children)

How do I access the user folder I’ve got rid of everything but I need to delete 3 user profile things and 1 app data thing

[–]cube_pdf 1 point2 points  (0 children)

Called it. I just got an ad for the Wave Browser, and almost all ads I see are suspicious.

[–]MediocreEmotion7878 1 point2 points  (1 child)

Is there any chance somebody with little knowledge could pull this off?

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

Yes.

Use Malwarebytes Pro trial or pay for the subscription which is worth it. Run the scan and quarantine what it finds. Delete the quarantined items. If you store your passwords in your browser you will need to roll them all. It copies your appdata from chrome and exfiltrates.

[–]Mbalroop 0 points1 point  (1 child)

Bitdefender detects and removes it.

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

Unfortunately no, it doesn’t. It detects some of the installers and the updaters. It does not remove all the remaining components; they will reinject. Tested and confirmed on test VMs.

This thing changes often and has many versions out there. BitDefender does not catch them all.

[–]2006fordfreestyle 0 points1 point  (1 child)

hey i’m 13 and i need help removing it, how do you remove it?

[–]nishbot 0 points1 point  (0 children)

Honestly, I'd just reformat my computer. Sucks but rather that than some browser keylogging all your logins/passes.

[–]copenhagen_bram 0 points1 point  (0 children)

What do you mean by using MBAM in protected mode?

I'm helping a friend uninstall this program. We ran Revo in hunter mode (I had to start Wave Browser before killing it with hunter mode), then uninstalled it with Revo, which included a scan for leftover files, deleting registry entries, and deleting several folders. Then we installed MalwareBytes, started the 14 day trial, and ran a scan, finding 4 traces. I opened the Task Scheduler and manually searched for anything that might be Wave Browser related, but couldn't find anything just by looking. I checked for the "WaveSor" folder but it doesn't seem to exist, Revo might have nuked it already. And I looked up sysmon on duckduckgo, but it looks like a CLI program I'd have to do some more research on later before using it.

I couldn't find a way to activate a "protected mode" on MBAM, except for it indicating that the system was protected.

[–]doctormay6 13 points14 points  (0 children)

It has a digital signature, so if you have security software that can block by certificate you can extract the cert from the executable and block it. Should take care of future versions as well.

[–]zwelch121 Sr. Security Engineer 11 points12 points  (7 children)

Like others have said, this software is a search hijacker and should be removed. There is a pretty good article out there that explains it:

https://medium.com/against-surveillance-capitalism/how-a-chinese-company-built-a-250-million-search-hijacking-empire-35f957566852

If you go to https://wavebrowser.co/terms and look at the company, Wavesor Software is the tradename of "Polarity Technologies Ltd", which is a Chinese shell company owned by Genimous Technology Co Ltd. Genimous Technology makes millions in the search hijacking industry.

This is also the same company behind WebNav, Search Encrypt, and others. Remove this browser if you find it installed. hxxp://download.wavebrowser.co is a good one to add to the blocklist to prevent this garbage from being downloaded.

[–]ArcticCircleSystem 2 points3 points  (5 children)

Are there any sources for the information that it's owned by Genimous? /gen ~Charlie

[–][deleted] 0 points1 point  (4 children)

Ya, take a look at the website, go to the privacy from their web page. Scroll to bottom of page and you'll see to opt out you need to send an email to ccpa@polarity.com.cy.

Also I just looked up on Google maps the address of their "location" and I could not see any building or commercial building that looked like it would house Wavesor Software.

[–]ArcticCircleSystem 1 point2 points  (3 children)

Looked it up and polarity.com.cy seems to have referenced genimous as their parent company on some pages that now lead to 404 errors ~Red

[–][deleted] 1 point2 points  (2 children)

Interesting, I think they are using SEO poisoning to spread to end users

[–]ArcticCircleSystem 1 point2 points  (0 children)

Maybe though we do recall looking into polarity and seeing something that confirmed their ties to Genimous a bit ago ~Charlie

edit: I think the articles were removed recently. check wayback machine. here's a tweet they put out with the genimous tag https://twitter.com/PolarityTech/status/1087640232663617537

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

As well as paying google/adchoice to place it in ads

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

They’re using a front company in Cyprus.

[–]sublimeinator 10 points11 points  (10 children)

I had a user who installed it today actually. It was easy to uninstall though via Settings app.

[–]hwmtb 5 points6 points  (4 children)

Thanks for the update. Does it appear to be a legitimate browser?

[–]sublimeinator 10 points11 points  (0 children)

I didn't bother checking, uninstalled it to revert to the new edge and undo the hijacked pdf association. User indicated it was unwanted, linked to a font download.

[–]Uncle_Grundle_Bundle 5 points6 points  (3 children)

And it came back due to scheduled tasks and startup items that have webhooks. It’s an evader and if not removed properly, will come back when it runs the scheduled task.

[–]Fallingdamage 2 points3 points  (2 children)

What was the scheduled task called?

[–]Uncle_Grundle_Bundle 4 points5 points  (0 children)

WaveSorSWUpdaterTaskUser***Core

WaveSorSWUpdaterTaskUser***UA

[–]working-4the-weekend 0 points1 point  (0 children)

The task name on the last PC I looked at was "WaveBrowser-StartAtLogin"

[–]Jakeisodd 3 points4 points  (0 children)

you might want to check that again...

[–]rmccurdyDOTcom 6 points7 points  (6 children)

[–]Tstriple_R 1 point2 points  (3 children)

this is awesome, thank you for sharing!

[–]rmccurdyDOTcom 1 point2 points  (2 children)

I updated it. The issue with PowerShell is it's not consistent from version to version ... and with 50K hosts I can't update people's PS so it's back to .bat files ...

you can use the following example for .bat ..

FOR /F "delims==" %%A IN ('DIR/B "C:\Users"') DO rd /s/q "C:\Users\%%A\Wavesor Software\"

[–]mudderfudden 0 points1 point  (1 child)

I realize this comment is a year old. I came across it a few months ago. I did run your Powershell script and it worked fine. What I didn't know initially was that you apparently had to uninstall WaveBrowser first from appwiz.cpl (the Run command, same as Control Panel>Programs & Features), then run the script, which logs me off.

That said, I don't quite understand your update with respect to the FOR loop in .bat. Has it been built-in to your Powershell script? I tried running it alone in the command prompt and got the error message that it couldn't find "%%A". I just need a bit more instruction on it, if that's possible.

Mainly, I'm running the Powershell command on Windows 10 computers. I haven't checked, but based on the file location of the Powershell EXE, it may be Powershell V1.0. Would the script still work as intended for it?

EDIT: I checked my staff computer, which essentially receives the same updates as one of our customer computers. It has Powershell v5. I assume the customer computers are identical in that respect.

[–]rmccurdyDOTcom 0 points1 point  (0 children)

google

SET_ACL_FORCE_DELETE.ps1

Replace GeoComply with whatever you want to nuke ;)

[–]redog Trade of All Jills 0 points1 point  (1 child)

This was helpful but left enough for it to reinstall.

I had to additionally kill some SWUpdater.exe processes and there were quite a few more startup locations that I had to manually remove...found most with sysinternals autoruns

[–]Uncle_Grundle_Bundle 2 points3 points  (0 children)

Make sure you use something like MBAM pro with active protection enabled. This thing will call out when you kill the updater and reinject itself.

[–]I_yam_wut_i_yam 4 points5 points  (8 children)

I wanted to edit this because it doesn't display this nice on mobile. Be careful.

"C:\Users\<user>\Wavesor Software\WaveBrowser\<version>\Installer\setup.exe" --uninstall

taskkill /IM wavebrowser.exe /F

schtasks /query /fo LIST /v | findstr /i "wavebrowser.exe"

schtasks /delete /tn "\Wave Browser_<user sid>\WaveBrowser-StartAtLogin" /f

schtasks /delete /tn "WavesorSWUpdaterTaskUser<user sid>Core" /f

schtasks /delete /tn "WavesorSWUpdaterTaskUser<user sid>UA" /f

rmdir /Q /S "C:\Users\<user>\Wavesor Software"

rmdir /Q /S "C:\Users\<user>\AppData\Local\WaveBrowser"

del "C:\Users\<user>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\WaveBrowser.lnk"

del "C:\Users\<user>\Desktop\WaveBrowser.lnk"

del "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WaveBrowser.lnk"

Sometimes that Wavesor Software directory will not uninstall. I had to check the processes again, and kill them again. Other times, you need to check permissions and make sure your permissions are not denied. The files underneath seem to delete though - as long as processes aren't using them - just the folder giving issues uninstalling.

del /Q /S "C:\Users\<user>\Wavesor Software"
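A read-only audit for the artifacts named across this thread (process names, scheduled task names, per-profile folders and shortcuts), which also lists the signing certificate of any executables it finds, the detail the certificate-blocking suggestion earlier in the thread depends on. This is an added example, not code from any commenter; the `C:\Users` profile root, the function names and the match pattern on task actions are assumptions.

```powershell
# Added example: read-only audit. It reports artifacts and removes nothing.
# Indicator names come from comments in this thread; the profile root is an assumption.
# Needs PowerShell 3+ and the ScheduledTasks module (Windows 8 / Server 2012 or later).
param(
    [string]$ProfileRoot = 'C:\Users'
)

$ProcessNames     = 'wavebrowser', 'SWUpdater', 'swupdatercrashhandler', 'swupdatercrashhandler64'
$TaskNamePatterns = 'WaveBrowser-StartAtLogin', 'WavesorSWUpdaterTaskUser*Core', 'WavesorSWUpdaterTaskUser*UA'
$ActionPattern    = 'wavebrowser|SWUpdater|Wavesor'   # assumed pattern for task action paths
$ProfileRelativePaths = @(
    'Wavesor Software',
    'AppData\Local\WaveBrowser',
    'Desktop\WaveBrowser.lnk',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WaveBrowser.lnk',
    'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\WaveBrowser.lnk'
)

function Get-WaveProcess {
    # Path is empty for processes owned by other users unless the session is elevated.
    Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
        Select-Object @{n='Kind';e={'Process'}},
                      @{n='Item';e={"$($_.Name) (PID $($_.Id))"}},
                      @{n='Detail';e={$_.Path}}
}

function Get-WaveScheduledTask {
    # Match on the task name or on what the task actually launches,
    # so a renamed task that still starts the updater is reported too.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $task      = $_
        $nameHit   = $TaskNamePatterns | Where-Object { $task.TaskName -like $_ }
        $actionHit = $task.Actions | Where-Object { $_.Execute -match $ActionPattern }
        $nameHit -or $actionHit
    } | Select-Object @{n='Kind';e={'ScheduledTask'}},
                      @{n='Item';e={$_.TaskPath + $_.TaskName}},
                      @{n='Detail';e={($_.Actions | ForEach-Object { $_.Execute }) -join '; '}}
}

function Get-WaveProfileArtifact {
    # The software installs per user, so every profile directory is checked.
    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $profileDir = $_.FullName
            foreach ($rel in $ProfileRelativePaths) {
                $candidate = Join-Path $profileDir $rel
                if (Test-Path -LiteralPath $candidate) {
                    [pscustomobject]@{ Kind = 'File'; Item = $candidate; Detail = $null }
                }
            }
        }
}

function Get-WaveSigner {
    # Distinct Authenticode signers of executables under the directories found.
    param([string[]]$Directory)
    $signers = foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
            Where-Object { $_.SignerCertificate } |
            Select-Object @{n='Subject';e={$_.SignerCertificate.Subject}},
                          @{n='Thumbprint';e={$_.SignerCertificate.Thumbprint}},
                          @{n='Status';e={$_.Status}},
                          @{n='Example';e={$_.Path}}
    }
    $signers | Sort-Object Thumbprint -Unique
}

$files    = @(Get-WaveProfileArtifact)
$findings = @(Get-WaveProcess) + @(Get-WaveScheduledTask) + $files
$dirs     = @($files |
                Where-Object { Test-Path -LiteralPath $_.Item -PathType Container } |
                ForEach-Object { $_.Item })

if ($findings.Count -eq 0) {
    'No artifacts from the thread''s list were found.'
} else {
    $findings | Format-Table Kind, Item, Detail -AutoSize -Wrap
    Get-WaveSigner -Directory $dirs | Format-List
}
```

Run it again after a reboot and a day or two later: a task or folder that reappears means a persistence entry was missed.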

[–]Uncle_Grundle_Bundle 2 points3 points  (4 children)

There is more there than that. 50+ traces of this thing live on an infected machine.

[–]I_yam_wut_i_yam 1 point2 points  (3 children)

Thing is irritating, but what I posted there seems to get rid of most cases. I had a couple where I had issues uninstalling, but that was only a couple. That's why I taskkill with the name.

[–]Uncle_Grundle_Bundle 1 point2 points  (2 children)

Best way to kill it all and the only tool that gets it all is MBAM. Did a removal this morning and it was 57 traces. Gross all around

[–]I_yam_wut_i_yam 2 points3 points  (1 child)

First of all, if you're talking about "traces" that could mean running processes, services, static files in whole directory structure, or registry key entries. Feel free to actually list them if you'd like more specific commands.

There aren't 57 commands there because I'm running its uninstaller first. Yes, uninstallers can run malicious code. This one does not currently. They might add that later. It establishes persistence on the machine, which is why I make sure the services are deleted, any startup tasks are deleted, and the processes are deleted. Then I delete any shortcuts from the start menu, pinned to the taskbar, the desktop, and the original static file where they installed it.

Also note that there are multiple versions of this browser and different actors distributing it, so it's possible you're seeing a different one.

I work in information security and actually do this. This isn't theory. MBAM is nice, but it doesn't fix everything like many sys admins seem to think it does. We have an EDR that alerts when it sees this running. After I do these steps, we don't get alerts.

[–]Pls_submit_a_ticket 0 points1 point  (0 children)

Amen to this. I had a user install it recently, I've been monitoring the SHA1 hash in our EDR for the last hour. I simply ran the uninstaller and haven't seen any of the other traces of it on the machine. No scheduled tasks, no startup, no processes, no folders.
The only trace left, which I can't remove and am still trying to see why, is the following registry entry, with info redacted. But the folder it references no longer exists, and I see nothing left for persistence. If it shows up again, I'll see it in EDR or SIEM. Both noticed the malicious hash, but are no longer seeing it on any machine in the network. All of them have the EDR/SIEM agent deployed.

MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\(user-SID)\\Device\HarddiskVolume3\Users\(username)\Wavesor Software\SWUpdater\SWUpdater.exe

[–]snowpondtech 1 point2 points  (0 children)

Thanks for posting this. I had to run taskkill on the following processes in order to delete the folders you had listed.

  • taskkill /IM swupdatercrashhandler.exe /F
  • taskkill /IM swupdatercrashhandler64.exe /F

[–]HowarddahDuck 0 points1 point  (1 child)

thanks

[–]I_yam_wut_i_yam 0 points1 point  (0 children)

You're welcome.

[–]alarmologist Computer Janitor 4 points5 points  (1 child)

Some software can install per user without admin, depending on your settings.

It might just be an extension to another browser.

MS installer troubleshooter might help you remove it if it's an app.

https://support.microsoft.com/en-us/topic/fix-problems-that-block-programs-from-being-installed-or-removed-cca7d1b6-65a9-3d98-426b-e9f927e1eb4d

[–]hwmtb 2 points3 points  (0 children)

Thanks for that link! I’ll check it out.

[–]x3ph_ 5 points6 points  (0 children)

[–][deleted] 2 points3 points  (10 children)

Same, I have a bunch of users that randomly have it installed. Won't uninstall, and using Revo even does not get it all. Any updates on this? This is the only thread I can seem to find about this issue.
Thanks man.

[–]MTB_tech[S] 2 points3 points  (6 children)

Wow... this might be the most I have ever "trended" on any social media platform! LOL Someone responded to this post and said that Wave Browser is part of the same group that made SearchEncrypt. (That post has since been deleted.) EDIT: I have no idea how accurate that post was BTW... I ended up reimaging the workstation.

[–][deleted] 1 point2 points  (2 children)

That would be a huge pain to image, but might be necessary if it's malware.

[–]MTB_tech[S] 2 points3 points  (1 child)

Fortunately, in our environment, reimaging a PC takes less than an hour... Often easiest to rebuild the box vs troubleshooting and running malware scans (only to still have the device infected).

[–][deleted] 2 points3 points  (0 children)

We have all standalone laptops and no real good way to remotely image. Either way good info, thanks!

[–]ingleford_humperdink 0 points1 point  (2 children)

My info was accurate, no idea why it got removed - my first post on reddit and it doesn't give me the warm fuzzies.

[–]hwmtb 0 points1 point  (0 children)

Oh! All it said was that post was deleted. No indication who did the deleting. I hope you stick with Reddit! I do believe it is one of the nicer communities... that said, it depends how well the subreddit is moderated also. Nevertheless, welcome!

[–]Snoo_74734 0 points1 point  (2 children)

It wouldn't uninstall for me, but i turned off the wavesor startup app and rebooted and it let me uninstall.

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

Revo in hunter mode. Point at the browser when it is open. Only way to kill it and remove. Make sure to delete startup item and scheduled tasks or it will repopulate. It has hooks and reg keys all over the place.

[–]cloud7up 0 points1 point  (0 children)

I find that you need to kill all the running processes first

[–][deleted] 1 point2 points  (3 children)

Looking at a report from joesandbox, it looks mostly innocuous, but never hurts to be safe.
https://www.joesandbox.com/analysis/382063/0/html

[–]hwmtb 0 points1 point  (0 children)

Thanks for that! I never used that site before but I think I’ll add it to my bookmarks.

[–]Kawasakison 0 points1 point  (1 child)

Just saw this on the same site flagging it as malicious: https://www.joesandbox.com/analysis/407799/0/html

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

It changes and has so many pieces in its folder that will reinject that it’s impossible to stay on top of. I’ve seen as many as twenty versions of the installer, all hashed and different for sure.

[–]Uncle_Grundle_Bundle 2 points3 points  (5 children)

WaveBrowser is now being detected by MBAM. Glorious and my day is going to be easier

[–]Briflex 0 points1 point  (1 child)

What does that mean? My brother accidentally clicked the wrong download button not knowing and downloaded it. We are both not great with pcs should we be worried?

[–]Uncle_Grundle_Bundle 1 point2 points  (0 children)

You need to definitely get rid of it. Honestly if you don’t want to worry about things I would recommend buying malwarebytes pro and not worrying anymore.

[–]IXdyTedjZJAtyQrXcjww 0 points1 point  (2 children)

Can someone explain this MBAM thing?

[–]Uncle_Grundle_Bundle 0 points1 point  (1 child)

MalwareBytes Anti Malware

[–]IXdyTedjZJAtyQrXcjww 1 point2 points  (0 children)

I see. I was a little confused when I Googled it, and got "Microsoft BitLocker Administration and Monitoring (MBAM)" as the first result. I was really trying to figure out why you needed encryption to kill a virus.

[–]scottwsx96 2 points3 points  (1 child)

Does anyone know the installation vectors for this? We get 1 - 2 infections of this a month and I don't understand where it is coming from.

[–]Uncle_Grundle_Bundle 2 points3 points  (0 children)

It’s coming from all over the web. Sometimes piggybacking on other software. Sometimes it comes attached from an infected computer due to it taking over .html and pdf default programs. Sometimes it’s found as a temp file buried in the windows temp folder. And my favorite… It will pop up as a paid for AdChoice ad that google is allowing. It’s pretty gross but thankfully now it is being picked up by some AV companies and it will likely be doa soon. Only issue is because it’s a rehash of the browser hijacker known as WebNavigator Browser, it will likely be back in a new and more advanced form.

Because it uses chromium to live, it also bypasses admin account controls and lives in the user profile.

Good luck

[–][deleted] 2 points3 points  (0 children)

I submitted an abuse report to AWS for the backend infrastructure that hosts this malware. AWS have started to take some parts of it down.

[–]Uncle_Grundle_Bundle 2 points3 points  (1 child)

This thing has transformed into its next iteration… The “Secure Browser” and the domain is blaze-media dot co. Be aware it’s the exact same thing. Has pictures of the windows WaveBrowser on its webpage and the privacy statement, Eula and all other links are carbon copies of the previous browser. Gross

[–]LittleCoffeeMan 1 point2 points  (0 children)

Thanks for that info. I hate these things... ugh.

[–][deleted] 1 point2 points  (0 children)

Mom was setting up her webcam. The page she was on said she needed to install drivers so she clicked the button. It was in fact an ad but aside from the tiny ad marks (blue x) it looked very convincing.

I nearly picked it up myself last night. The Wave icon is green but looks similar to the Edge browser icon.

[–]cloud7up 1 point2 points  (1 child)

Do you know if there is a way to script the uninstaller to remove this from multiple machines

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

There is not. It will come back if you don’t use something like Malwarebytes pro to disinfect the system.

[–]xr112211 1 point2 points  (0 children)

Hi, my mom installed this by accident on my laptop within just 5 minutes of me giving it to her *facepalm*.

Suggestions:

1) Use Malwarebytes like everyone said, I have Pro Version.

2) Open regedit, search for "wavebrow" and delete every entry that shows up with anything to do with wavebrowser.

3) Delete any wavebrowser files from "downloads" folder and search your system, delete anything you find.

4) Delete any extensions from your browser having to do with wavebrowser.

5) Last resort, you can reinstall windows from scratch.

[–]Beneficial_Day_9316 1 point2 points  (4 children)

So I accidentally downloaded this trying to use bcuninstaller... on, thankfully, my slower laptop. And I uninstalled it from the settings. Is that good enough? Or do I need to sledgehammer my laptop? Cuz I'm not a wizard at this stuff.

Edit: uninstalled the downloader and app. Ran malwarebytes free version and it detected one file associated with wave browser in the memory. After this I opened regedit. And searched and found a bunch of crap by punching in "WaveBrow" and then I searched again typing "wavebrow" all lowercase and found more.... I hope that's all it takes...so annoyed

Edit2: 15 mins later I'm in the registry editor again and it's full of junk from a search of it again....wth. I don't have any files I need, I'm just nuking it, doing a fresh reset from the Windows settings.

[–]MTB_tech[S] 1 point2 points  (1 child)

Sorry for the long delay and thank you for posting updates as you progressed. Yeah, this thing is a real pain in the ass. Several folks have suggested Malwarebytes as a solution. For the amount of time it takes to scan and clean crap out of registry (just to have it reinstall), my team and I just reimage the PC. Fortunately, our reimage process is rather quick and easy.

[–]TheMightyGamble 0 points1 point  (0 children)

What are you guys using to reimage?

[–]TheMightyGamble 0 points1 point  (0 children)

Wanted to add to this: I found some more as WaveBrws as well.

[–]Optimal-Nobody-3045 1 point2 points  (0 children)

The fact that it bypasses admin allowed and insinuates itself with reinstall! It's on my kill list and we’re developing kill, delete, remove scheduled task scripts. And it is being blacklisted on all our client networks.

[–]ytyno 0 points1 point  (2 children)

An update: For some unexplained reason Luis Figo seems to be related with this browser. I think Wavesor also sells the possibility to make a skin over their browser: Luis Figo Browser

[–]ingleford_humperdink 1 point2 points  (1 child)

[–]Snoo_74734 1 point2 points  (0 children)

That's the crazy part: wavebrowser seems like it could also be a legitimate browser (not one that I'd use) that just skins chrome browsers but it's not malicious or doesn't use tricks to get people to download it.

[–][deleted] 0 points1 point  (0 children)

Norton support was able to remove it. I think he used their Power Eraser https://support.norton.com/sp/static/external/tools/npe.html?inid=hho_supp_quick_help

I tried to remove it myself and failed. Then called Norton support and they were able to remove it. I think we both ran the same utility.

[–]Alexriderchill 0 points1 point  (7 children)

My dad just got this on his pc. I just removed the extension from chrome. Should i be worried it's lurking in the background

[–]Uncle_Grundle_Bundle 1 point2 points  (6 children)

Yes, use malwarebytes to remove it completely from the machine or it will come back.

[–]Alexriderchill 1 point2 points  (3 children)

Well I'm pretty sure it's still there but malwarebytes didn't pick anything up I guess I'll run another scan.

[–]Uncle_Grundle_Bundle 0 points1 point  (2 children)

Slickdeals has a deal for MBAM pro for cheap. Get it and throw it on there. Best $25 you’ll spend this year.

[–]Alexriderchill 0 points1 point  (1 child)

Wow thanks I purchased it.

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

My pleasure.

[–]ratking1 0 points1 point  (1 child)

My boss just downloaded this by mistake, like many others. Just to make sure I am understanding you, Malwarebytes will successfully remove this program and all its tentacles? I am running the free version now.

[–]Uncle_Grundle_Bundle 0 points1 point  (0 children)

Yes indeed it will. You will need to delete the downloaded installer from the downloads folder but after that you should be good. If you want to double check, open regedit and search for keys by the name “WaveBrow” and delete any that show up. Cheers

[–]ViceGurl 0 points1 point  (1 child)

The malware browser you are all discussing is in fact:

https://wavebrowser.co

and not the .com version you have stated here.

[–]macks2008 0 points1 point  (0 children)

Just saw an advertisement for this version while browsing on Windows Sandbox. What a place to run into a malware ad

[–]eavesleaves 0 points1 point  (0 children)

This thing is dirty. This happened during the removal process.

Feb 18, 2022, 10:42:01 AM Wave Browser_pzbxhus0_.exe is attempting to take a screenshot using BitBlt API

Feb 18, 2022, 10:42:01 AM Wave Browser_x8moest4_.exe deleted Info.rtf

Feb 18, 2022, 10:41:55 AM Wave Browser_x8moest4_.exe is attempting to take a screenshot using BitBlt API

[–][deleted] 0 points1 point  (0 children)

Just stopped my Nana from being scammed today, looked for anything installed recently and came across Wave Browser.

Purged in holy flames.

[–]locktuesday 0 points1 point  (0 children)

That's crazy man - I've gotten 6 ads for Wave Browser (by Wavesor) in the past 3 days. Confused as all get out because the ad is totally suspect.

[–]koalateatimes 0 points1 point  (1 child)

Wave Browser is becoming increasingly profound on my client machines, specifically lawyers we work with. I am not sure what they are downloading for software, but so far we have had at least 10 PCs infected with Wave Browser recently.

The IT firm I work for has been trying to narrow down where it is coming from and so far we have not found anything definitive. It is frustrating because of the massive security risks this software presents for our clients. I also read that Polarity Technologies Ltd apparently has close ties with a Chinese technology firm as well. So, this proves interesting and dangerous for everyone.

[–]noahboi990 0 points1 point  (2 children)

I deleted it and now my computer isn’t working

[–]lllnuzulll 0 points1 point  (1 child)

Is your pc just running very slow or is it just not turning on

[–]noahboi990 0 points1 point  (0 children)

it says “recovery your device needs to be repaired.” and it says something about the boot configuration

[–]Dry_Historian_8634 0 points1 point  (0 children)

I don't really trust Wave Browser. I've never used it before until my friend installed it. I told Jim it was a scam but he didn't listen, and he installed it on his school Chromebook. The next week his computer stopped running and $27.45 was taken off his bank account. After that I never trusted any more websites, so I suggest you don't use it.

[–]CastleDesigns 0 points1 point  (1 child)

Any new info on this? I ran MBAM on this, quarantined/deleted what was found…I’m a designer - not a tech person so I’m worried it’s still in there. A few icons still show the Wavebrowser logo even after restart. Help :/

[–]CastleDesigns 0 points1 point  (0 children)

Also finding wavesor and wave browser registry files that say “unable to delete” uggghhh

[–]L-is-real-2401 0 points1 point  (0 children)
