Adware.BrowserSafer

Short bio

BrowserSafer is Malwarebytes’ detection name for adware from browsersafer.com, which claims it will protect users while browsing the web but really serves up advertisements.

Symptoms

Adware.BrowserSafer shows the user advertisements in every conceivable form, such as pop-up windows, banners, and on-site ad replacement. It uses a proxy and a service to accomplish control over the content.

BrowserSafer proxy

BrowserSafer sets a proxy

Type and source of infection

This adware is often seen in bundlers but is also offered for download on the company’s website.

BrowserSafer website

BrowserSafer website

Protection

Malwarebytes blocks the install of Adware.BrowserSafer by using real-time protection.

block Adware.Browsersafer

Malwarebytes blocks Adware.Browsersafer

Remediation

Malwarebytes can detect and remove Adware.BrowserSafer without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/20/18
Scan Time: 9:01 AM
Log File: af5ae79a-4468-11e8-aefd-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4808
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 246055
Threats Detected: 10
Threats Quarantined: 10
Time Elapsed: 3 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808

Module: 2
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808

Registry Key: 0
(No malicious items detected)

Registry Value: 1
PUP.Optional.BrowserSafer, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BrowseSafer, Quarantined, [12681], [512678],1.0.4808

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.BrowserSafer, C:\PROGRAMDATA\BROWSERSAFER, Quarantined, [754], [432146],1.0.4808

File: 4
Adware.BrowserSafer, C:\ProgramData\BrowserSafer\Backup.dat, Quarantined, [754], [432146],1.0.4808
PUP.Optional.SpecialSearchOffer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFER.EXE, Quarantined, [1679], [512255],1.0.4808
PUP.Optional.BrowserSafer, C:\PROGRAM FILES (X86)\BROWSESAFER\BROWSERSAFERMNGR.EXE, Quarantined, [12681], [512678],1.0.4808
PUP.Optional.BrowserSafer, C:\DOWNLOADS\CPPINSTALLER.EXE, Quarantined, [12681], [512676],1.0.4808

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

() C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe
 (InstallerTech Co.) C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe
 HKLM\...\Run: [BrowseSafer] => "C:\Program Files\BrowseSafer\BrowserSaferMngr.exe"
 HKLM-x32\...\Run: [BrowseSafer] => C:\Program Files (x86)\BrowseSafer\BrowserSaferMngr.exe [3008928 2018-03-09] (InstallerTech Co.)
 ProxyEnable: [.DEFAULT] => Proxy is enabled.
 ProxyServer: [.DEFAULT] => http=127.0.0.1:13101
 ProxyEnable: [S-1-5-21-1350903546-318028887-1286703239-1003] => Proxy is enabled.
 ProxyServer: [S-1-5-21-1350903546-318028887-1286703239-1003] => http=127.0.0.1:13101
 ManualProxies: 1http=127.0.0.1:13101
 R2 BrowserSafer; C:\Program Files (x86)\BrowseSafer\BrowserSafer.exe [4137376 2018-03-09] () [File not signed]
 C:\ProgramData\boost_interprocess
 C:\ProgramData\BrowserSafer
 C:\Program Files (x86)\BrowseSafer

BrowserSafer (HKLM-x32\...\BrowserSafer) (Version: 2.0.2.4 - BrowserSafer Co ©)

Associated files and folders:

BrowserSaferMngr.exe

%APPDATA%\BrowserSafer

%PROGRAMFILES%\BrowserSafer

Associated threats

  • PUP.Optional.BrowserSafer
  • PUP.Optional.SpecialSearchOffer

Related blog content

How to remove adware from your PC

Adware the series, part 3 (uninstall)

Select your language