Adware.BrowserSafer

Short bio

Adware.BrowserSafer is Malwarebytes’ detection name for adwarefrom browsersafer.com, which claims it will protect users while browsing the web but really serves up advertisements.

Symptoms

BrowserSafer sets a proxy

Type and source of infection

BrowserSafer website

Protection

Malwarebytes blocks Adware.Browsersafer

Remediation

Malwarebytes can detect and remove Adware.BrowserSafer without further user interaction.

1. Please download Malwarebytesto your desktop.
2. Double-click MBSetup.exeand follow the prompts to install the program.
3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on the Get started button.
5. Click Scan to start a Threat Scan.
6. Click Quarantineto remove the found threats.
7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:Malwarebyteswww.malwarebytes.com-Log Details-Scan Date: 4/20/18Scan Time: 9:01 AMLog File: af5ae79a-4468-11e8-aefd-080027235d76.jsonAdministrator: Yes-Software Information-Version: 3.3.1.2183Components Version: 1.0.262Update Package Version: 1.0.4808License: Premium-System Information-OS: Windows 7 Service Pack 1CPU: x64File System: NTFSUser:{computername}\{username}-Scan Summary-Scan Type: Threat ScanResult: CompletedObjects Scanned: 246055Threats Detected: 10Threats Quarantined: 10Time Elapsed: 3 min, 5 sec-Scan Options-Memory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledHeuristics: EnabledPUP: DetectPUM: Detect-Scan Details-Process: 2PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808Module: 2PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808Registry Key: 0(No malicious items detected)Registry Value: 1PUP.Optional.BrowserSafer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BrowseSafer, Quarantined, [12681], [512678],1.0.4808Registry Data: 0(No malicious items detected)Data Stream: 0(No malicious items detected)Folder: 1Adware.BrowserSafer, C:\PROGRAMDATA\BROWSERSAFER, Quarantined, [754], [432146],1.0.4808File: 4Adware.BrowserSafer, C:\ProgramData\BrowserSafer\Backup.dat, Quarantined, [754], [432146],1.0.4808PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808PUP.Optional.BrowserSafer, C:\DOWNLOADS\CPPINSTALLER.EXE, Quarantined, [12681], [512676],1.0.4808Physical Sector: 0(No malicious items detected)(end)

Traces/IOCs

You may see these entries in FRST logs:

() C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe (InstallerTech Co.) C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe HKLM\...\Run: [BrowseSafer]=> "C:\Program Files\BrowseSafer\BrowserSaferMngr.exe" HKLM-x32\...\Run: [BrowseSafer]=> C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe [3008928 2018-03-09] (InstallerTech Co.) ProxyEnable: [.DEFAULT]=> Proxy is enabled. ProxyServer: [.DEFAULT]=> http=127.0.0.1:13101 ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003]=> Proxy is enabled. ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003]=> http=127.0.0.1:13101 ManualProxies: 1http=127.0.0.1:13101 R2 BrowserSafer; C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe [4137376 2018-03-09] () [File not signed] C:\ProgramData\boost_interprocess C:\ProgramData\BrowserSafer C:\Program Files (x86)\BrowseSaferBrowserSafer (HKLM-x32\...\BrowserSafer) (Version: 2.0.2.4 - BrowserSafer Co ©)

Associated files and folders:BrowserSaferMngr.exe%APPDATA%BrowserSafer%PROGRAMFILES%BrowserSafer

Associated threats

• PUP.Optional.BrowserSafer
• PUP.Optional.SpecialSearchOffer