Remove the BrowserMe.exe or Chrome_Font.exe Fleercivet Ad Clicker Trojan

  • Thu, 19 Jan 2017 10:00:11 EST

The BrowserMe or Chrome_Font.exe Trojan is a computer infection that only targets users of the Chrome browser. Once active, it runs quietly in the background and opens hidden web browser windows in order to generate advertisement revenue. Known as an Ad Clicker, the BrowserMe Trojan constantly opens hidden Chrome windows to various web sites that contain advertisements. When these advertisements are displayed, they generate advertising revenue for the malware developer.

You can see an example of the constant network traffic generated by this Trojan below:

Unfortunately, it is not easy to detect these types of infections because they do not display any windows or outward signs of malicious behavior. An easy way to spot whether you are infected with the BrowserMe Trojan is to open Task Manager and check the Processes tab for multiple Chrome.exe processes that are running while no browser windows are displayed on the Desktop.

Multiple Chrome Processes running without Browser Windows

You can also check the Applications tab of the Windows Task Manager to see whether Chrome processes are constantly being launched to various sites. The URL is currently being used as the first site connected to by the BrowserMe infection. An example of this behavior can be seen below.

Chrome launching Various Web Sites

Other symptoms that may be shown are:

  • A general slow down of the computer
  • Internet browsing becomes slow due to the use of your network bandwidth
  • The processor utilization jumping between 70 and 100%.
  • Many Chrome.exe processes running, but no Chrome browser windows are displayed.
  • Processes called BrowserMe.exe and Chrome_Font.exe running in Task Manager. This may change as new versions are released.

Finally, the BrowserMe Trojan is commonly detected by anti-virus programs as Trojan:Win32/Fleercivet, Backdoor.Andromeda, or Win32.Trojan.Scar.Wpad.

How did the Chrome_Font.exe or BrowserMe Trojan get on my computer?

This infection was discovered by ProofPoint security researcher Kafeine, who found it being installed through compromised web sites that target visitors using the Chrome browser. When a visitor using Chrome visits one of these compromised web sites, a malicious script will rewrite the page to make it unreadable.

The victim will then be prompted to download an updated font that supposedly will make the page readable again. You can see an example of the alert prompting the user to download this font below.

Fake Chrome Font Prompt

When the user clicks on the Update button, the Chrome_Font.exe file will be downloaded to the computer. If the user then opens this file, the BrowserMe/Fleercivet infection will be installed on the computer.

Without a doubt, this Trojan is not something anyone would want on their computer. Not only does it cause serious performance issues for the computer, but it is also performing advertising fraud. To remove the BrowserMe, Chrome_Font.exe, or Fleercivet Trojan from a computer you can use the guide below to remove it for free.

View Associated BrowserMe Ad Clicker Trojan Files

  • C:\ProgramData\@000001.dat
  • C:\ProgramData\@system3.att
  • %UserProfile%\AppData\Roaming\BrowserMe\
  • %UserProfile%\AppData\Roaming\BrowserMe\ChromeUpdate.exe
  • %UserProfile%\Chrome_Font.exe

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.

View Associated BrowserMe Ad Clicker Trojan Registry Information

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrowserMe = %UserProfile%\AppData\Roaming\BrowserMe\ChromeUpdate.exe
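
The file, registry, and process indicators listed in this guide can be checked in one pass from PowerShell. The read-only script below is an added example, not part of the original guide; the function name Test-BrowserMeIndicators is hypothetical, and it assumes it is run in the affected user's own logon session, since HKCU and window handles are per-user.

```powershell
# Read-only triage for the indicators listed in this guide; it changes nothing.
# Test-BrowserMeIndicators is a hypothetical name chosen for this example.
function Test-BrowserMeIndicators {
    $findings = @()

    # Files and folders from the associated files list.
    # $env:ProgramData is used in place of the literal C:\ProgramData.
    $roaming = Join-Path $env:USERPROFILE 'AppData\Roaming\BrowserMe'
    $paths = @(
        (Join-Path $env:ProgramData '@000001.dat'),
        (Join-Path $env:ProgramData '@system3.att'),
        $roaming,
        (Join-Path $roaming 'ChromeUpdate.exe'),
        (Join-Path $env:USERPROFILE 'Chrome_Font.exe')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = $p }
        }
    }

    # Autostart value from the registry list.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'BrowserMe' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Detail = "Run\BrowserMe -> $($run.BrowserMe)" }
    }

    # Process names the guide says show up in Task Manager.
    foreach ($proc in (Get-Process -Name 'BrowserMe', 'Chrome_Font' -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{ Type = 'Process'; Detail = "$($proc.Name) (PID $($proc.Id))" }
    }

    # Symptom: chrome.exe processes exist but none owns a top-level window.
    # Chrome left running background apps looks the same, so treat this as a lead.
    $chrome = @(Get-Process -Name 'chrome' -ErrorAction SilentlyContinue)
    $windowed = @($chrome | Where-Object { $_.MainWindowHandle -ne 0 })
    if ($chrome.Count -gt 0 -and $windowed.Count -eq 0) {
        $findings += [pscustomobject]@{ Type = 'Symptom'; Detail = "$($chrome.Count) chrome.exe processes, no window" }
    }

    $findings
}

Test-BrowserMeIndicators | Format-Table -AutoSize
```

An empty result means none of the listed indicators were found for the current user; as the guide notes, the process names may change in newer versions.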