PUP.Optional.BrowseFox is Malwarebytes’ detection name for a large family of adware that uses different methods of browser hijacking and monetization to get its message across.
BrowseFox adware is usually installed by a bundler, but its publishers also create sites and offer the programs as separate downloads. The bundled installer is usually different from the official one. The bundled installers require arguments for a full installation and are sometimes even aware of running on a virtual machine; both behaviors are meant to hinder researchers.
Malwarebytes protects users from PUP.Optional.BrowseFox by using real-time protection.
Malwarebytes blocks PUP.Optional.BrowseFox
Malwarebytes can detect and remove PUP.Optional.BrowseFox without further user interaction.
A Malwarebytes log of removal will look similar to this:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/13/2016
Scan Time: 9:10 AM
Logfile: mbamSearchExpanse.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.13.02
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 310877
Time Elapsed: 8 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 6
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{99415057-7C50-439D-AA20-02D83C071B61}, Quarantined, [91d58154adec1026ab21fb4e9a68ac54],
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{99415057-7C50-439D-AA20-02D83C071B61}, Quarantined, [91d58154adec1026ab21fb4e9a68ac54],
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}, Quarantined, [a0c6884d8c0d9a9cb815a3a646bc4db3],
PUP.Optional.Yontoo, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}, Quarantined, [a0c6884d8c0d9a9cb815a3a646bc4db3],
PUP.Optional.BrowseFox, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Search Expanse, Quarantined, [6cfa72636a2fc2749854903b59a8e818],
PUP.Optional.Yontoo, HKLM\SOFTWARE\WOW6432NODE\SearchExpanse, Quarantined, [26402ca9b5e4310585ab557e33d02ed2],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Yontoo, C:\Program Files (x86)\Search Expanse, Quarantined, [8ed832a39efb49edfdf99c049072956b],
PUP.Optional.Yontoo, C:\Program Files (x86)\Search Expanse\Extensions, Quarantined, [8ed832a39efb49edfdf99c049072956b],

Files: 4
PUP.Optional.BrowseFox, C:\Users\{username}\Desktop\SearchExpance.exe, Quarantined, [f86e24b19108d85efeee9d2e08f9a65a],
PUP.Optional.BrowseFox, C:\Program Files (x86)\Search Expanse\Uninstaller.exe, Quarantined, [6cfa72636a2fc2749854903b59a8e818],
PUP.Optional.Yontoo, C:\Program Files (x86)\Search Expanse\7za.exe, Quarantined, [8ed832a39efb49edfdf99c049072956b],
PUP.Optional.Yontoo, C:\Program Files (x86)\Search Expanse\Extensions\firefox@www.searchexpanse.com.xpi, Quarantined, [8ed832a39efb49edfdf99c049072956b],

Physical Sectors: 0
(No malicious items detected)

(end)
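When many such removal logs have to be reviewed, a short parser can confirm that every detection was quarantined and that no entries are missing. The following is an added example, not part of the original page and not Malwarebytes code; it assumes the text layout of the log above with one detection per line, and the function names and the sample log (with placeholder paths and ids) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log above (one detection per line);
# paths and bracketed ids are placeholders, not values from a real scan.
SAMPLE_LOG = r"""Scan Type: Threat Scan
Processes: 0
(No malicious items detected)
Registry Keys: 2
PUP.Optional.Yontoo, HKLM\SOFTWARE\EXAMPLE\CLSID\{00000000-0000-0000-0000-000000000001}, Quarantined, [id-placeholder-1],
PUP.Optional.BrowseFox, HKLM\SOFTWARE\EXAMPLE\UNINSTALL\Example App, Quarantined, [id-placeholder-2],
Folders: 1
PUP.Optional.Yontoo, C:\Program Files (x86)\Example App, Quarantined, [id-placeholder-3],
Files: 2
PUP.Optional.BrowseFox, C:\Users\{username}\Desktop\Example.exe, Delete-on-Reboot, [id-placeholder-4],
PUP.Optional.BrowseFox, C:\Program Files (x86)\Example App\a, b.exe, Quarantined, [id-placeholder-5],
Physical Sectors: 0
(end)
"""

SECTION = re.compile(r"^(Processes|Modules|Registry (?:Keys|Values|Data)|Folders|Files"
                     r"|Physical Sectors): (\d+)")
# name, path, action, [id]; the greedy path group tolerates commas inside a path.
ITEM = re.compile(r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,]+), \[(?P<id>[^\]]*)\],?\s*$")

def parse_log(text):
    """Return (items, mismatches). mismatches maps a section to
    (declared count, parsed count) when the two differ, e.g. a truncated log."""
    items, declared, section = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            declared[section] = int(m.group(2))
            continue
        m = ITEM.match(line) if section else None
        if m:
            items.append({"section": section, **m.groupdict()})
    found = Counter(i["section"] for i in items)
    mismatches = {s: (n, found[s]) for s, n in declared.items() if n != found[s]}
    return items, mismatches

def not_quarantined(items):
    # Anything with another action still needs follow-up (reboot, manual removal).
    return [i for i in items if i["action"] != "Quarantined"]

def by_family(items):
    return Counter(i["name"] for i in items)
```
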
Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.
If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access.