BrowserModifier is a malicious program programmed to divert users’ traffic to affiliated sites

BrowserModifier is a term used to describe an aggressive type of adware and browser hijacking programs

BrowserModifier is a heuristic name given to a type of potentially unwanted programs[1] that focus on browser hijacking activities on Google Chrome, Safari, Mozilla Firefox, Internet Explorer, etc. Most of such programs are developed and shipped to users via bundled software packages, which results in an unintentional installation, as optional components are often hidden within the installer deliberately.

BrowserModifier virus represents a large variety of computer infections, ranging from relatively harmless adware browser extensions to such malicious threats like BrowserModifier:Win32/Foniad, which acts as a Trojan and installs cryptojacking malware on the system. Therefore, if your anti-malware software was triggered by a BrowserModifier alert, you should definitely not ignore it, as it may be a huge security risk to you and your computer.

Name BrowserModifier
Type Malware, adware
Description BrowserModifier is a generic description used to identify a potentially unwanted program or malware, some of which can be particularly dangerous
Infiltration Most of the potentially unwanted programs are installed through software bundle packages or after being tricked by an attractive ad, as well as a fake update prompt. Some variants of this threat were spotted being injected via a Trojan downloader that is already present on the system
Associated risks Some versions of the virus might install other PUPs or malware, steal personal information, divert traffic to malicious domains, etc. Consequently, users may lose money to scams, disclose sensitive data to threat actors or even face identity theft
Symptoms  Intrusive advertisements show up on all sites that you visit, homepage and new tab URL altered, sponsored links appear in search results, suspicious browser extensions installed without permission, etc. Note that symptoms may vary based on the BrowserModifier version
Termination  Potentially unwanted programs can usually be removed manually via the Control Panel; however, BrowserModifier can represent malware infection – in such a case a scan with a reputable anti-malware software like SpyHunter 5Combo Cleaner or Malwarebytes is required
Recovery & optimization If you have been infected with malware, altered registry entries, as well as other settings, might corrupt your Windows OS, resulting in persistent crashes and errors. To fix the damage done by the virus, you can scan your machine with Reimage Reimage Cleaner

The main purpose of BrowserModifier malware is to infect as many users as possible and then direct the HTTP traffic to affiliated websites and generate revenue. This way, third parties generate income via the pay-per-click system and can increase the ranking of these websites. That’s because every advertisement brought by this domain may include a link to a third-party website, such as a dubious online shopping, certain service offerings, gaming portal, etc. However, intrusive ads and redirects are not the only reason to remove BrowserModifier from your machine as soon as possible.

As already mentioned, BrowserModifier can represent thousands of threats luring in the world wide web. Therefore, the infection routine, the symptoms, the activities, as well as the impact on the host machine, can vary greatly. However, users can usually spot a potentially unwanted program by the following symptoms:

  • Intrusive ads appear on all sites that you browser;
  • Suspicious browser extensions installed without your permission;
  • Search results are filled with hyperlinks;
  • Random redirects lead to suspicious websites;
  • New Windows registry keys,  scheduled tasks, processes and files are present on the system.

Note that some BrowserModifier variants can be programmed to perform a variety of background activities that are completely invisible to users’ eyes, and finding them would require advanced computer knowledge. For that reason, the best remedy for BrowserModifier ads is anti-malware software, although some versions can also be eliminated manually as per our instructions below.

BrowserModifier virus
BrowserModifier is a type of computer infection which goal is to show users intrusive ads and divert traffic to affiliated sites

Security experts also recommend resetting all the installed web browsers and scanning the machine with Reimage Reimage Cleaner after BrowserModifier removal. If the browser reset is not performed, the unwanted pop-ups, banners, deals, offers, coupons, and other ads might still be present.

BrowserModifier versions

As there are thousands of malware that can be flagged as BrowserModifier, we will look over the most prolific versions of this virus. Here are some examples of this threat:

  • BrowserModifier:Win32/Foniad
  • BrowserModifier:Win32/Diplugem
  • BrowserModifier:Win32/KipodToolsCby
  • BrowserModifier:Win32/Zwangi
  • BrowserModifier:Win32/Prifou
  • BrowserModifier:Win32/Pokki
  • BrowserModifier:Win32/Foxiebro
  • BrowserModifier.KeenValue PerfectNav
  • BrowserModifier: Win32/Xiazai
  • BrowserModifier: Win32/Riccietex
  • BrowserModifier:Win32/Poltecl
  • BrowserModifier:Win32/Xeelyak, etc.

Note, some variants, such as BrowserModifier:Win32/Pokki, are no longer recognized by most anti-malware engines[2] and are considered to be safe to use since November 2015.[3]


BrowserModifier:Win32/Foniad was first spotted by Microsoft security researchers in April 2018.[4] The security intelligence noticed hundreds of thousands of hits by this malware that tries to reinfect its targets once removal is initiated with the help of a scheduled task that is set up during the infection routine. Security researchers said that they spotted “several millions” of versions of this malware.

Foniad is an extremely aggressive form of BrowserModifier virus – it is usually distributed with the help of a trojan downloader and also installs other malware on the system

BrowserModifier infection means were traced to a Trojan downloader – a poisoned peer-to-peer application that was installed on thousands of computers. The malware uses xsetup.exe executable for the initial installation and the performance of other tasks on the infected machine. Once installed, BrowserModifier:Win32/Foniad launches the default web browser and visits several predetermined URLs, continually repeating this routine. Additionally, it also modifies Chrome settings so that desktop notifications can be shown to users without their permission.

BrowserModifier:Win32/Foniad also changes the DNS settings to divert online traffic, and installs a cryptominer that generates cryptocurrency to malicious actors.


BrowserModifier:Win32/Zwangi is a potentially unwanted program that is also known as Zwangi 1.0 build 127. First detected in 2009, this program was modified several times by its developers, names of which also changed – the app is known as QueryExplorer, SeekService, Findbasic, etc. Researchers found that it was engineered to run on the following browsers:

  • Firefox 3.6
  • Google Chrome Beta
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8

Once installed, BrowserModifier:Win32/Zwangi creates a scheduled task, modifies the Windows registry, and drops hundreds of .dll and .exe files into %APPDATA% and %ProgramFiles% folders. This allows the program to act on its own: display intrusive pop-up messages related to predetermined keywords, divert search results to,, and, override the default error page notice 404, take screenshots without permission, etc.

Zwangi is one of the older versions of BrowserModifier versions


BrowserModifier:Win32/Prifou is considered a high-level threat to users’ PCs. Typically distributed via unsafe third-party websites or software bundles, this threat installs a standalone application called PriceFountain, as well as an add-on, a browser helper object (BHO), or a browser extension to Google Chrome, Mozilla Firefox, or Internet Explorer. Microsoft security researchers spotted around 6.8 million infections in two months since its release, most of which were located in the USA and Europe.[5]

After a successful installation, BrowserModifier:Win32/Prifou virus modifies web browser settings or makes use of the rundll32.exe process to infect its malicious DLL into the browser in order to display intrusive ads on all sites that users visit. In most of the cases, these ads are marked with its own markings, such as “Ads by PriceFountain,” “Brought to you by PriceFountain,” “PriceFountain ads,” etc. Due to intrusive advertisements this PUP displays, many users can notice browser slowdowns, as well as crashes.

BrowserModifier Prifou
Prifou is one of the versions of BrowserModifier – it infected 6.8 million users just two months after its release

Avoid browser-poisoning programs by following these tips

As soon as online advertising was discovered to be a gold mine back in 1994,[6] many rushed to earn quick revenue. Initially, ads were considered as means to earn ads and were embedded into websites that users used to visit. However, many parties realized that apps could be created in order to proliferate these ads into thousands of users’ computers, resulting in quick demonetization based on clicks, as well as installs. In some cases, malware can also be installed on compromised machines to generate background traffic to predetermined sites.

As means for distribution, potentially unwanted programs are mostly spread with the help of software bundles – the method proved to be extremely effective, as many users tend not to pay attention to the installation process of new apps. These bundled installers are often placed on third-party sites – some might be trusted, while others might be shady. Therefore, users are always advised to choose official sources for their downloads and avoid potentially dangerous sites that host pirated software or cracks.

Therefore, you should always be careful when installing apps from third-party sites, as developers often hide optional components withing installers deliberately and use such tricks as pre-ticked boxes, fine print, misleading deals/offers, misplaced buttons, etc. Additionally, you should also always opt for Advanced/Custom settings if the opportunity is given.

Get rid of BrowserModifier virus

In some cases, BrowserModifier removal can be performed by accessing the installed program list via the Control panel – we provide detailed instructions below. However, some versions of this threat can be persistent – lack the uninstallation file, not be present in the installed program list, or reinstall itself due to dropped malicious files during the initial infection process.

In such a case, it is best to remove BrowserModifier virus with the help of a powerful anti-malware program, as it will locate all the malicious entries automatically and delete files that could result in threats’ repeated installation. Additionally, because the PUP tends to modify web browser settings and install extensions, add-ons and browser helper objects, it is best to reset all the installed browsers for the unwanted activity not to reoccur.

You may remove virus damage with a help of Reimage Reimage Cleaner . SpyHunter 5Combo Cleaner and Malwarebytes are recommended to detect potentially unwanted programs and viruses with all their files and registry entries that are related to them.

Reimage Reimage Cleaner has a free limited scanner. Reimage Reimage Cleaner offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-01-10 at 06:19 and is filed under Adware, Malware, Viruses.