WebSearcher is an adware application brought to you by “Web Fox” and usually comes bundled with “extremely useful” applications like “Video Codex” and “Video Player”. WebSearcher uses a proxy to insert the advertisements into your normal web experience.
What makes this one different?
What makes this one different is that it uses a set of permissions to get the three most popular browsers to use the proxy it has set. If you look in Internet Explorer (IE) under “Internet Options” on the “Connections” tab and click on “LAN settings” you will see this form with all the user options “greyed out”. Note the announcement you can see on the “Connections” tab that I highlighted.
pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");This locks down the settings in Firefox and tells the browser to look in the file “mozilla.cfg” for the configuration. Looking at that file we will find this line:
lockPref("network.proxy.type", 5);The value 5 for “network.proxy.type” tells Firefox to use the proxy set for “system” (see above).
Extra word of warning
This adware abuses two libraries of the legitimate web debugging proxy Fiddler (FiddlerCore.dll and FiddlerCoreWrapper.dll) and the DO_NOT_TRUST_FiddlerRoot certificate, which has been known to sometimes cause slowdowns and errors on systems where the proxy is no longer present. If you experience these problems and want to check for and/or remove the certificate.
Use Winkey + R to open the Run box.
Type or Copy & paste certmgr.msc
Click ok to execute the command and the Certification Manager Window will open.
Select the Trusted Root Certification Authorities > Certificates and you should see something like the screenshot below.
You can delete certificates from this list by right-clicking on them and then choose Delete.
Malwarebytes Anti-Malware detects and removes WebSearcher as PUP.Optional.WebSearcher. A removal guide can be found on our forums.