
Removal instructions for BrowseForTheCause


What is BrowseForTheCause?

The Malwarebytes research team has determined that BrowseForTheCause is a DNS hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your DNS servers, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by BrowseForTheCause?

You may see this entry in your list of installed software:

[Image: warning4.png]

How did BrowseForTheCause get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove BrowseForTheCause?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
    Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of BrowseForTheCause?

  • No, Malwarebytes Anti-Malware removes BrowseForTheCause completely.
  • You may have to reset or change your DNS settings. This blog article has some great tips.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the BrowseForTheCause hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

 

[Image: protection1.png]


Technical details for experts

Possible signs in FRST logs:

 
 (Microsoft) C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe
 Tcpip\..\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}: [NameServer] 76.73.6.113,50.7.75.37
 R2 BrowseForTheCause; C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe [281832 2016-11-01] (Microsoft)
 C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowseForTheCause
 C:\Program Files (x86)\BrowseForTheCause

BrowseForTheCause (HKLM-x32\...\{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}) (Version: 1.0.0.0 - BrowseForTheCause)
DNS Servers: 76.73.6.113 - 50.7.75.37

Alterations made by the installer:
 
File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\BrowseForTheCause
       Adds the file app.ico"="9/5/2015 10:36 AM, 114352 bytes, A
       Adds the file application.log"="11/7/2016 9:27 AM, 2558 bytes, A
       Adds the file BrowseForTheCause.exe"="11/1/2016 1:48 AM, 281832 bytes, A
       Adds the file BrowseForTheCause.InstallLog"="11/7/2016 9:26 AM, 768 bytes, A
       Adds the file BrowseForTheCause.InstallState"="11/7/2016 9:26 AM, 7466 bytes, A
       Adds the file log4net.dll"="8/22/2014 1:49 PM, 311296 bytes, A
       Adds the file Newtonsoft.Json.dll"="8/22/2014 1:49 PM, 428544 bytes, A
       Adds the file Uninstall BrowseForTheCause.lnk"="11/7/2016 9:26 AM, 954 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowseForTheCause
       Adds the file Uninstall BrowseForTheCause.lnk"="11/7/2016 9:26 AM, 996 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
       "C:\Program Files (x86)\BrowseForTheCause\"="REG_SZ", ""
       "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowseForTheCause\"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{userID}\Products\B9FF21D5AFB60FC48A8077E6CCE9F9EA\InstallProperties]
       "AuthorizedCDFPrefix"="REG_SZ", ""
       "Comments"="REG_SZ", ""
       "Contact"="REG_SZ", ""
       "DisplayName"="REG_SZ", "BrowseForTheCause"
       "DisplayVersion"="REG_SZ", "1.0.0.0"
       "EstimatedSize"="REG_DWORD", 1102
       "HelpLink"="REG_SZ", ""
       "HelpTelephone"="REG_SZ", ""
       "InstallDate"="REG_SZ", "20161107"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\BrowseForTheCause\"
       "InstallSource"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\RarSFX0\"
       "Language"="REG_DWORD", 1033
       "LocalPackage"="REG_SZ", "C:\Windows\Installer\4db8be.msi"
       "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}"
       "NoModify"="REG_DWORD", 1
       "Publisher"="REG_SZ", "BrowseForTheCause"
       "Readme"="REG_SZ", ""
       "Size"="REG_SZ", ""
       "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}"
       "URLInfoAbout"="REG_SZ", ""
       "URLUpdateInfo"="REG_SZ", ""
       "Version"="REG_DWORD", 16777216
       "VersionMajor"="REG_DWORD", 1
       "VersionMinor"="REG_DWORD", 0
       "WindowsInstaller"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BrowseForTheCause]
       "CheckFrequency"="REG_SZ", "360"
       "DNS"="REG_SZ", "76.73.6.113, 50.7.75.37"
       "DNSOrig"="REG_SZ", "{machinespecific}"
       "InstallationFlag"="REG_SZ", "0"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}]
       "AuthorizedCDFPrefix"="REG_SZ", ""
       "Comments"="REG_SZ", ""
       "Contact"="REG_SZ", ""
       "DisplayName"="REG_SZ", "BrowseForTheCause"
       "DisplayVersion"="REG_SZ", "1.0.0.0"
       "EstimatedSize"="REG_DWORD", 1102
       "HelpLink"="REG_SZ", ""
       "HelpTelephone"="REG_SZ", ""
       "InstallDate"="REG_SZ", "20161107"
       "InstallLocation"="REG_SZ", "C:\Program Files (x86)\BrowseForTheCause\"
       "InstallSource"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\RarSFX0\"
       "Language"="REG_DWORD", 1033
       "ModifyPath"="REG_EXPAND_SZ, "MsiExec.exe /X{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}"
       "NoModify"="REG_DWORD", 1
       "Publisher"="REG_SZ", "BrowseForTheCause"
       "Readme"="REG_SZ", ""
       "Size"="REG_SZ", ""
       "UninstallString"="REG_EXPAND_SZ, "MsiExec.exe /X{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}"
       "URLInfoAbout"="REG_SZ", ""
       "URLUpdateInfo"="REG_SZ", ""
       "Version"="REG_DWORD", 16777216
       "VersionMajor"="REG_DWORD", 1
       "VersionMinor"="REG_DWORD", 0
       "WindowsInstaller"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BrowseForTheCause]
       "DelayedAutostart"="REG_DWORD", 0
       "Description"="REG_SZ", "Update nameservers on computer according to DNS servers info"
       "DisplayName"="REG_SZ", "BrowseForTheCause"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe""
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 16
       "WOW64"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\BrowseForTheCause]
       "EventMessageFile"="REG_EXPAND_SZ, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll"

Malwarebytes Anti-Malware log:
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/7/2016
Scan Time: 10:30 AM
Logfile: mbamBrowseForTheCause.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.07.04
Rootkit Database: v2016.10.31.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327571
Time Elapsed: 9 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe, 1356, Delete-on-Reboot, [0b65e4d91d7d73c381f28d9be025d828]

Modules: 0
(No malicious items detected)

Registry Keys: 6
PUP.Optional.BrowseForTheCause, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\BrowseForTheCause, Quarantined, [0b65e4d91d7d73c381f28d9be025d828], 
PUP.Optional.BrowseForTheCause, HKLM\SOFTWARE\MICROSOFT\TRACING\BrowseForTheCause_RASAPI32, Quarantined, [c1af0eaf3763fd39770b0f15e124748c], 
PUP.Optional.BrowseForTheCause, HKLM\SOFTWARE\MICROSOFT\TRACING\BrowseForTheCause_RASMANCS, Quarantined, [9dd3dbe2049653e38ff39d8764a1bc44], 
PUP.Optional.BrowseForTheCause, HKLM\SOFTWARE\WOW6432NODE\BrowseForTheCause, Quarantined, [ec84f9c42a702a0c943612c2d929e61a], 
PUP.Optional.BrowseForTheCause, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{5D12FF9B-6BFA-4CF0-A808-776ECC9E9FAE}, Quarantined, [5d13d3ea09910a2c9bf153d1f90cc040], 
PUP.Optional.BrowseForTheCause, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\BrowseForTheCause, Quarantined, [77f95667bcdef4426d1c83a1f90c45bb], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.BrowseForTheCause, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowseForTheCause, Quarantined, [86ea9726316903333348c75db94c06fa], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause, Delete-on-Reboot, [8de32796b6e45adc3a6a8242689a35cb], 

Files: 10
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe, Delete-on-Reboot, [0b65e4d91d7d73c381f28d9be025d828], 
PUP.Optional.BrowseForTheCause, C:\Windows\Installer\4db8be.msi, Quarantined, [90e0407d8812ee486f045eca976e1fe1], 
PUP.Optional.BrowseForTheCause, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BrowseForTheCause\Uninstall BrowseForTheCause.lnk, Quarantined, [86ea9726316903333348c75db94c06fa], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\app.ico, Quarantined, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\application.log, Quarantined, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.InstallLog, Quarantined, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.InstallState, Quarantined, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\log4net.dll, Delete-on-Reboot, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\Newtonsoft.Json.dll, Delete-on-Reboot, [8de32796b6e45adc3a6a8242689a35cb], 
PUP.Optional.BrowseForTheCause, C:\Program Files (x86)\BrowseForTheCause\Uninstall BrowseForTheCause.lnk, Quarantined, [8de32796b6e45adc3a6a8242689a35cb], 

Physical Sectors: 0
(No malicious items detected)


(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Edited by Metallica
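
An added example, not part of the original post or of any Malwarebytes tooling: a Python check that scans FRST log text for the signs listed under "Technical details for experts" and reports whether the DNS settings still need the reset mentioned in the removal steps. The function names and the CLEANED sample are assumptions made for illustration; the resolver addresses and the service name come from the log excerpt on this page.

```python
import re

# Indicators copied from the FRST excerpt on this page.
ROGUE_DNS = {"76.73.6.113", "50.7.75.37"}
PRODUCT = "browseforthecause"

IFACE_RE = re.compile(r"Interfaces\\(\{[0-9A-Fa-f-]+\}): \[\w*NameServer\] (.*)")
SUMMARY_RE = re.compile(r"^DNS Servers: (.*)")
SERVICE_RE = re.compile(r"^[A-Z]\d (\S+); (.*)")  # shape of the page's "R2 Name; path" line
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Lines 1-3 come from this page; line 4 is constructed (a benign DHCP resolver).
INFECTED = r"""(Microsoft) C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe
Tcpip\..\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}: [NameServer] 76.73.6.113,50.7.75.37
R2 BrowseForTheCause; C:\Program Files (x86)\BrowseForTheCause\BrowseForTheCause.exe [281832 2016-11-01] (Microsoft)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1"""

# Constructed post-removal log: files and service gone, resolver values left behind.
CLEANED = r"""Tcpip\..\Interfaces\{EDB0D6D8-B1F7-496F-A023-44DF7155F1CD}: [NameServer] 76.73.6.113,50.7.75.37
DNS Servers: 76.73.6.113 - 50.7.75.37"""


def rogue_ips(value):
    """Rogue resolver addresses found in a logged value, sorted."""
    return sorted(ROGUE_DNS.intersection(IP_RE.findall(value)))


def scan_frst(log_text):
    """Return (line_no, kind, detail) for each sign this page lists."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        dns = IFACE_RE.search(line) or SUMMARY_RE.match(line)
        svc = SERVICE_RE.match(line)
        if dns:
            hits = rogue_ips(dns.groups()[-1])  # last group holds the addresses
            if hits:
                findings.append((no, "dns", ",".join(hits)))
        elif svc and svc.group(1).lower() == PRODUCT:
            findings.append((no, "service", svc.group(2)))
        elif PRODUCT in line.lower():
            findings.append((no, "artifact", line))
    return findings


def dns_reset_needed(findings):
    """True while any resolver setting still names a rogue server."""
    return any(kind == "dns" for _, kind, _ in findings)
```

Matching is done on the path and service name rather than the company field, because the FRST lines above show the binary labelled "(Microsoft)".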