Adware.BrowserSafer

Short bio
Adware.BrowserSafer is Malwarebytes’ detection name for adware from browsersafer.com, which claims it will protect users while browsing the web but really serves up advertisements.
Symptoms

BrowserSafer sets a proxy
Type and source of infection

BrowserSafer website
Protection

Malwarebytes blocks Adware.BrowserSafer
Remediation
Malwarebytes can detect and remove Adware.BrowserSafer without further user interaction.
- Please download Malwarebytes to your desktop.
- Double-click MBSetup.exe and follow the prompts to install the program.
- When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
- Click on the Get started button.
- Click Scan to start a Threat Scan.
- Click Quarantine to remove the found threats.
- Reboot the system if prompted to complete the removal process.
Malwarebytes removal log
A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/20/18
Scan Time: 9:01 AM
Log File: af5ae79a-4468-11e8-aefd-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4808
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 246055
Threats Detected: 10
Threats Quarantined: 10
Time Elapsed: 3 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808

Module: 2
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.BrowserSafer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BrowseSafer, Quarantined, [12681], [512678],1.0.4808

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.BrowserSafer, C:\PROGRAMDATA\BROWSERSAFER, Quarantined, [754], [432146],1.0.4808

File: 4
Adware.BrowserSafer, C:\ProgramData\BrowserSafer\Backup.dat, Quarantined, [754], [432146],1.0.4808
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808
PUP.Optional.BrowserSafer, C:\DOWNLOADS\CPPINSTALLER.EXE, Quarantined, [12681], [512676],1.0.4808

Physical Sector: 0
(No malicious items detected)

(end)
Traces/IOCs
You may see these entries in FRST logs:
() C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe
(InstallerTech Co.) C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe
HKLM\...\Run: [BrowseSafer]=> "C:\Program Files\BrowseSafer\BrowserSaferMngr.exe"
HKLM-x32\...\Run: [BrowseSafer]=> C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe [3008928 2018-03-09] (InstallerTech Co.)
ProxyEnable: [.DEFAULT]=> Proxy is enabled.
ProxyServer: [.DEFAULT]=> http=127.0.0.1:13101
ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003]=> Proxy is enabled.
ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003]=> http=127.0.0.1:13101
ManualProxies: 1http=127.0.0.1:13101
R2 BrowserSafer; C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe [4137376 2018-03-09] () [File not signed]
C:\ProgramData\boost_interprocess
C:\ProgramData\BrowserSafer
C:\Program Files (x86)\BrowseSafer
BrowserSafer (HKLM-x32\...\BrowserSafer) (Version: 2.0.2.4 - BrowserSafer Co ©)

Associated files and folders:
- BrowserSaferMngr.exe
- %APPDATA%BrowserSafer
- %PROGRAMFILES%BrowserSafer
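The FRST traces above can be triaged programmatically. The following is an added example, not code from Malwarebytes or FRST: it flags any system proxy pointing at loopback (not only port 13101), Run-key autostarts and unsigned services. The function names are hypothetical, the regular expressions assume the line layout shown in the excerpt on this page, and the sample lines are copied from that excerpt.

```python
import ipaddress
import re

# Sample lines copied from the FRST excerpt on this page ("..." is FRST's own shortening).
FRST_SAMPLE = r"""
HKLM-x32\...\Run: [BrowseSafer]=> C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe [3008928 2018-03-09] (InstallerTech Co.)
ProxyEnable: [.DEFAULT]=> Proxy is enabled.
ProxyServer: [.DEFAULT]=> http=127.0.0.1:13101
ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003]=> Proxy is enabled.
ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003]=> http=127.0.0.1:13101
R2 BrowserSafer; C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe [4137376 2018-03-09] () [File not signed]
"""

# Assumed line layouts, taken from the excerpt rather than from any FRST specification.
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\]\s*=>\s*(?P<value>.+)$")
RUN_RE = re.compile(r"^(?P<key>HK\S+\\Run): \[(?P<name>[^\]]+)\]\s*=>\s*(?P<target>.+)$")
SERVICE_RE = re.compile(r"^[RSU]\d (?P<name>[^;]+); (?P<path>.+?) \[\d+ \d{4}-\d{2}-\d{2}\]")

def loopback_proxies(value):
    """Return the host:port entries of a ProxyServer value that point at loopback."""
    hits = []
    for part in value.split(";"):                   # "http=a:1;https=b:2" style lists
        endpoint = part.split("=", 1)[-1].strip()   # drop the "http=" scheme prefix
        host = endpoint.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                hits.append(endpoint)
        except ValueError:                          # host name rather than an IP literal
            if host.lower() == "localhost":
                hits.append(endpoint)
    return hits

def triage(frst_text):
    """Collect (kind, subject, detail) findings from FRST log text."""
    findings = []
    for line in (raw.strip() for raw in frst_text.splitlines()):
        if m := PROXY_RE.match(line):
            for endpoint in loopback_proxies(m["value"]):
                findings.append(("loopback-proxy", m["hive"], endpoint))
        elif m := RUN_RE.match(line):
            findings.append(("run-entry", m["name"], m["target"].split(" [")[0].strip('"')))
        elif (m := SERVICE_RE.match(line)) and "[File not signed]" in line:
            findings.append(("unsigned-service", m["name"], m["path"]))
    return findings

if __name__ == "__main__":
    for finding in triage(FRST_SAMPLE):
        print(*finding, sep=" | ")
```

A loopback proxy is not malicious by itself (debugging proxies and some security products set one), so treat each finding as a lead to correlate with the owning process and its signature status.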
Associated threats
- PUP.Optional.BrowserSafer
- PUP.Optional.SpecialSearchOffer