Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


For this week’s PUP Friday post, we’re going to take a look at SafeSoft Protector, a variant belonging to the TechSnab family.

An overview of TechSnab

Like any potentially unwanted program, TechSnab usually arrives on a system bundled with free, third-party Windows applications. It installs itself as an add-on on Firefox, as an extension on Chrome, and as a Browser Helper Object (BHO) on Internet Explorer. Users typically find out that their systems are affected only when they begin seeing marked ads on websites where they normally wouldn’t see them: pop-ups, pop-unders, banners, in-text ads, pre- and post-video ads, coupons, and “special deal” offers, among others. These are usually marked “TechSnab Ads”, “Brought to you by TechSnab”, “Brought by TechSnab”, “Ads by TechSnab”, “Powered by TechSnab”, or “You’ve received a premium offer from TechSnab”.

TechSnab also alters the user’s browser settings, and it may drop other add-ons and extensions that manipulate search engine results.

People who have attempted to remove TechSnab from their machines have found that it’s difficult to do so manually. Unfortunately, we can say the same for SafeSoft Protector.

SafeSoft Protector: Made for ads

SafeSoft Protector, being a member of the TechSnab family, is adware that exhibits the characteristics we’ve mentioned earlier. Once installed, it hijacks the proxy settings of the user’s browser to reflect the following changes:

[Screenshot: the browser’s proxy settings after the change]

It does this so that the browser’s proxy settings match its Privoxy configuration. This is significant because SafeSoft Protector abuses Privoxy (a legitimate, open source Web proxy software) to fetch the advertisements it displays to affected users. In other words, the persons behind this adware configured the proxy service for their own benefit. Ads are observed to be marked as “Ads by SafeSoft Protector”, “Powered by SafeSoft Protector”, “Brought to you by SafeSoft Protector”, and “You received a premium offer from SafeSoft Protector”.

This adware also creates the following tasks in Windows Task Scheduler:

[Screenshot: the tasks created in Windows Task Scheduler]

These tasks are part of its re-infection/reinstallation mechanism, which comes into play if the adware’s removal from a system is incomplete.
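A read-only check for the two changes described above (the proxy redirect and the scheduled tasks), added here as an example and not taken from the original post. It assumes the proxy is set in the per-user Windows Internet Settings and points at a local listener; the keyword list is an assumption built from the names in this post, because the actual task names are not reproduced here.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumption: the proxy is set in the per-user Windows Internet Settings, which
# Internet Explorer and Chrome follow. Firefox can hold its own proxy setting
# in its profile; that is not checked here.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey

function Test-LoopbackProxy([string]$Value) {
    # True for 127.0.0.1:8118, http=localhost:8118;..., http://[::1]:8118/x.pac
    $Value -match '(^|[=;/])(127\.\d+\.\d+\.\d+|localhost|\[::1\])(:\d+)?'
}

$proxyFindings = foreach ($name in 'ProxyServer', 'AutoConfigURL') {
    if ($inet.$name) {
        [pscustomobject]@{
            Setting  = $name
            Value    = $inet.$name
            # ProxyServer only takes effect when ProxyEnable is 1
            Active   = ($name -ne 'ProxyServer') -or ($inet.ProxyEnable -eq 1)
            Loopback = Test-LoopbackProxy $inet.$name
        }
    }
}

# Assumption: the task name or command mentions one of the names used in this
# post. The real task names are not reproduced here, so review every row.
$keywords = 'SafeSoft|TechSnab|Privoxy'

# Get-ScheduledTask needs Windows 8 / Server 2012 or later.
$taskFindings = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($action in $_.Actions) {
            if ($action.Execute) {          # skip COM-handler actions
                $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
                [pscustomobject]@{
                    Task    = $_.TaskPath + $_.TaskName
                    Command = $cmd
                    Keyword = ("$($_.TaskName) $cmd" -match $keywords)
                }
            }
        }
    }

$proxyFindings | Format-Table -AutoSize
$taskFindings | Sort-Object Keyword -Descending | Format-Table -AutoSize -Wrap
```

A loopback proxy that the user did not configure, together with a non-Microsoft task that launches a program the user does not recognize, is the combination to look into.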

Apart from ads containing discount offers, coupons, and the like, other sources reveal that some ads by SafeSoft Protector promote the installation of other software, such as toolbars, utilities, and updates. Such ads are questionable, so extreme care must be exercised before deciding to click them, as they may lead to malicious destinations.


Read: Registry Cleaners: Digital Snake Oil; Driver Updaters: Digital Snake Oil, Part 2, PUP makers, Digital Snake Oil Part 3


Of course, these ads are not really there to enhance the browsing experience of their “target audience” but primarily to generate pay-per-click revenue for their creators.

If you suspect that your system is affected by SafeSoft Protector, it is important that you get your system cleaned up as soon as possible. We have detailed some steps for you to follow in this forum post to help you get rid of this adware.

Stay safe, everyone!


Jovi Umawing