Security researchers have received multiple complaints regarding a program that has been detected as PUP.Optional.WeWatcherProxy.A. WeWatcher is adware but it may be more dangerous than the average ad-supported program.
| Type | LSP Browser Hijacker, Adware, PUP |
| Short Description | The program may have entered the system in a silent manner. |
| Symptoms | The user may see intrusive advertisements. He may also experience Internet connectivity issues. |
| Distribution Method | Bundling, freeware installers. |
According to researchers at MalwareBytes, WeWatcher has rootkit capabilities and is classified as an LSP (Layered Service Provider) hijacker. LSP hijacking may intercept the connection between an important application and the Internet. In general, the user’s PC may be ‘suffering’ from Internet connectivity problems. Using powerful AV software that detects and removes rootkits is considered the quickest and safest way to remove WeWatcher and LSP hijackers.
PUP.Optional.WeWatcherProxy.A Technical Review & Distribution
The WeWatcherProxy program may have been included in numerous freeware installers. This method is known as bundling and is considered a primary culprit of adware distribution. In other words, WeWatcherProxy was downloaded alongside another program available on freeware and shareware pages. WeWatcherProxy may have been mentioned in the Download Agreement. However, WeWatcherProxy has rootkit capabilities and can be quite troublesome, and it may have sneaked into the system via a silent or unattended installation. These kinds of installation require little or no user interaction. Such installers can easily be deployed to spread malicious code.
According to researchers at HerdProtect, WeWatcherProxy has been created by P4hostcom – a company that develops and distributes adware. WeWatcherProxy is often distributed with other ad-supported and potentially unwanted programs. The program may drop its own files onto the system, or may take over other processes.
Here is a list of files and processes that originate from WeWatcherProxy:
- WeWatcherLSP.dll, located in C:\windows\syswow64\wewatcherlsp.dll
- wewatcherproxy.exe, located in C:\Program Files\sysfiles\wewatcherproxy.exe
- wewatcherlsp64.exe (WeWatcherLSP64.exe by WeWatcher)
- wewatcherlsp.exe (WeWatcherLSP.exe by WeWatcher)
- wewatcherproxy.exe (WeWatcherProxy.exe by WeWatcher)
- wewatchercert.dll (WeWatcherCert.dll by WeWatcher)
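A read-only check for the artifacts listed above, added here as an example (it is not code from the researchers or vendors cited). The file names and paths are those on this page; the registry keys are the standard Winsock 2 catalog locations where any LSP registers itself, and the function names are made up for the example.

```powershell
# Added example: read-only triage for the WeWatcher artifacts listed above.
# File names and paths come from this page; the registry keys are the standard
# Winsock 2 catalog locations. Function names are illustrative.
$knownPaths = @(
    'C:\windows\syswow64\wewatcherlsp.dll',
    'C:\Program Files\sysfiles\wewatcherproxy.exe'
)
$knownNames = 'wewatcherlsp.dll', 'wewatcherlsp.exe', 'wewatcherlsp64.exe',
              'wewatcherproxy.exe', 'wewatchercert.dll'

function Get-WinsockProviderPath {
    # Each catalog entry holds a binary PackedCatalogItem whose leading bytes
    # are the provider DLL path as a NUL-terminated ANSI string.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
    foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
        $key = Join-Path $base $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $blob = $entry.GetValue('PackedCatalogItem')
            if ($null -eq $blob) { continue }
            $end = [Array]::IndexOf($blob, [byte]0)
            if ($end -lt 1) { continue }
            $raw = [Text.Encoding]::ASCII.GetString($blob, 0, $end)
            [pscustomobject]@{
                Catalog = $sub
                Entry   = $entry.PSChildName
                Path    = [Environment]::ExpandEnvironmentVariables($raw)
            }
        }
    }
}

function Test-WeWatcherArtifact {
    $hits = @()
    foreach ($p in $knownPaths) {
        if (Test-Path -LiteralPath $p) { $hits += "file present: $p" }
    }
    foreach ($proc in Get-Process) {
        if ($knownNames -contains "$($proc.Name).exe") { $hits += "process running: $($proc.Name) (PID $($proc.Id))" }
    }
    foreach ($prov in Get-WinsockProviderPath) {
        if ($knownNames -contains (Split-Path $prov.Path -Leaf)) {
            $hits += "Winsock provider [$($prov.Catalog)\$($prov.Entry)]: $($prov.Path)"
        }
    }
    $hits
}

$found = Test-WeWatcherArtifact
if ($found) { $found } else { 'No listed WeWatcher files, processes or Winsock providers found.' }
```

The script only reads. Deleting a provider DLL while its catalog entry remains breaks Winsock for every application; `netsh winsock reset` rebuilds the default catalog.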
Here is a list of probable detections by AV software providers:
- Reason Heuristics detects it as PUP.P4hostcom (M)
- Dr. Web detects it as Adware.Superfish.217
- PUP.Optional.Winsock.HijackBoot, Rootkit.WeWatcher.PUP
- McAfee detects it as BehavesLike.Win32.Suspicious.rc
PUP.Optional.WeWatcherProxy.A Removal Steps
LSP hijackers may be quite tricky to remove. Since they may intercept the Internet connection, downloading and running an AV scanner to detect and remove them may be impossible. If this is the case for you, you can try the following steps, provided by researchers at EnigmaSoftware:
- Use an alternative browser. If you’re using Mozilla Firefox, and having problems downloading an anti-malware program, you may try and open Chrome or Safari instead.
- Use removable media. Download the AV program of your choice on a clean computer, and burn it to a USB flash drive, DVD/CD, or other removable media. Install it on the infected machine and scan it.
- Start Windows in Safe Mode. If for any reason you can’t access your desktop, try rebooting your computer in ‘Safe Mode with Networking’ and install the AV solution in Safe Mode.
Attention! Internet Explorer Users!
Please make sure to disable the proxy server for IE. Malware can modify your Windows settings and employ a proxy server to prevent you from browsing with Internet Explorer.
You can also check our removal tutorial created especially for browser hijackers. After you have completed it, you should consider running an AV scanner.
Step 1: Remove/Uninstall WeWatcherProxy in Windows
Here is a method in a few easy steps to remove the program. These steps work whether you are using Windows 8, 7, Vista or XP. Dragging the program or its folder to the Recycle Bin can be a very bad decision: bits and pieces of the program get left behind, which can make your PC unstable, break file type associations and cause other unpleasant behavior. The proper way to get a program off your computer is to uninstall it.
Select the program that you want to remove, and press “Uninstall” (fig.3).
Follow the instructions above and you will successfully uninstall WeWatcherProxy.
Step 2: Remove WeWatcherProxy from your browser
Select the “Add-ons” icon from the menu
Select WeWatcherProxy and click “Remove”
After WeWatcherProxy is removed, restart Mozilla Firefox by closing it from the red “X” in the top right corner and start it again.
Select WeWatcherProxy to remove, and then click ‘Disable’. A pop-up window will appear to inform you that you are about to disable the selected toolbar, and some additional toolbars might be disabled as well. Leave all the boxes checked, and click ‘Disable’.
After WeWatcherProxy has been removed, restart Internet Explorer by closing it from the red ‘X’ in the top right corner and start it again.
From the drop menu select ‘Preferences’
In the new window select ‘Extensions’
Click once on WeWatcherProxy
A pop-up window will appear asking for confirmation to uninstall WeWatcherProxy. Select ‘Uninstall’ again, and the WeWatcherProxy will be removed.
In order to remove any associated objects that are left after uninstall and detect any other threats, you should:
Step 3: Start Your PC in Safe Mode to Remove WeWatcherProxy.
Removing WeWatcherProxy from Windows XP, Vista, 7 systems:
1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: The arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.
3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter”.
4. Log on to your computer using your administrator account.
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
Removing WeWatcherProxy from Windows 8, 8.1 and 10 systems:
While holding down the Shift button, click on Power and then click on Restart.
A menu will appear upon reboot. You should choose Safe Mode by pressing its corresponding number and the machine will restart and boot into Safe Mode so you can scan for and remove WeWatcherProxy.
Step 4: Remove WeWatcherProxy automatically by downloading an advanced anti-malware program.
To clean your computer you should download an updated anti-malware program on a safe PC and then install it on the affected computer in offline mode. After that you should boot into safe mode and scan your computer to remove all WeWatcherProxy associated objects.