Jump to content

Search the Community

Showing results for tags 'pup.optional.mindspark'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3 Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 59 results

  1. What is LearnTheLyrics?The Malwarebytes research team has determined that LearnTheLyrics is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.LearnTheLyrics is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by LearnTheLyrics?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did LearnTheLyrics get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove LearnTheLyrics?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of LearnTheLyrics? No, Malwarebytes' Anti-Malware removes LearnTheLyrics completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the LearnTheLyrics hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/learnthelyrics/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_rnMembers_@free.learnthelyrics.com.xpi [2018-12-05] CHR Extension: (LearnTheLyrics) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf [2018-12-05] C:\Users\{username}\AppData\Local\LearntheLyricsTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\learnthelyrics.exe LearntheLyrics Internet Explorer Homepage and New Tab (HKCU\...\LearntheLyricsTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0 Adds the file manifest.json"="12/5/2018 9:00 AM, 2498 bytes, A Adds the file newtabproduct.html"="8/20/2018 2:38 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\_metadata Adds the file computed_hashes.json"="12/5/2018 9:00 AM, 4346 bytes, A Adds the file verified_contents.json"="8/20/2018 2:38 PM, 5148 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\config Adds the file config.json"="8/20/2018 2:38 PM, 1756 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons Adds the file icon128.png"="12/5/2018 9:00 AM, 5866 bytes, A Adds the file icon16.png"="8/20/2018 2:38 PM, 1575 bytes, A Adds the file icon19disabled.png"="8/20/2018 2:38 PM, 1537 bytes, A Adds the file icon19on.png"="12/5/2018 9:00 AM, 735 bytes, A Adds the file icon48.png"="12/5/2018 9:00 AM, 1952 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js Adds the file ajax.js"="8/20/2018 2:38 PM, 2218 bytes, A Adds the file background.js"="8/20/2018 2:38 PM, 21378 bytes, A Adds the file browserUtils.js"="8/20/2018 2:38 PM, 912 bytes, A Adds the file chrome.js"="8/20/2018 2:38 PM, 146 bytes, A Adds the file content_script.js"="8/20/2018 2:38 PM, 2151 bytes, A Adds the file dlp.js"="8/20/2018 2:38 PM, 5659 bytes, A Adds the file dlpHelper.js"="8/20/2018 2:38 PM, 1799 bytes, A Adds the file extension_detect.js"="8/20/2018 2:38 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="8/20/2018 2:38 PM, 2855 bytes, A Adds the file index.js"="8/20/2018 2:38 PM, 49 bytes, A Adds the file initOfferCEF.js"="8/20/2018 2:38 PM, 8802 bytes, A Adds the file logger.js"="8/20/2018 2:38 PM, 541 bytes, A Adds the file offerService.js"="8/20/2018 2:38 PM, 10337 bytes, A Adds the file pageUtils.js"="8/20/2018 2:38 PM, 2805 bytes, A Adds the file PartnerId.js"="8/20/2018 2:38 PM, 16402 bytes, A Adds the file product.js"="8/20/2018 2:38 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="8/20/2018 2:38 PM, 2868 bytes, A Adds the file storage.js"="8/20/2018 2:38 PM, 1640 bytes, A Adds the file TabManager.js"="8/20/2018 2:38 PM, 151 bytes, A Adds the file TemplateParser.js"="8/20/2018 2:38 PM, 3038 bytes, A Adds the file ul.js"="8/20/2018 2:38 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="8/20/2018 2:38 PM, 1825 bytes, A Adds the file urlUtils.js"="8/20/2018 2:38 PM, 5349 bytes, A Adds the file util.js"="8/20/2018 2:38 PM, 2184 bytes, A Adds the file webtooltabAPI.js"="8/20/2018 2:38 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="8/20/2018 2:38 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf Adds the file 000003.log"="12/5/2018 9:01 AM, 5689 bytes, A Adds the file CURRENT"="12/5/2018 9:00 AM, 16 bytes, A Adds the file LOCK"="12/5/2018 9:00 AM, 0 bytes, A Adds the file LOG"="12/5/2018 9:01 AM, 412 bytes, A Adds the file LOG.old"="12/5/2018 9:00 AM, 185 bytes, A Adds the file MANIFEST-000001"="12/5/2018 9:00 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\LearntheLyricsTooltab Adds the file TooltabExtension.dll"="6/28/2018 11:23 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_rnMembers_@free.learnthelyrics.com Adds the file storage.js"="12/5/2018 9:01 AM, 2793 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _rnMembers_@free.learnthelyrics.com.xpi"="12/5/2018 8:56 AM, 60499 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "iekdaegkmghillhfecnncgepaapdfcgf"="REG_SZ", "655165ADF28A80A4BC2F03F3F8D43DE92F1A394253F199218E26511558C32B1D" [HKEY_CURRENT_USER\Software\LearntheLyrics] "Start Page"="REG_SZ", "http://hp.myway.com/learnthelyrics/ttab02/index.html?n={n}&p2=^CZS^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3D{ptb2}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/learnthelyrics/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\LearntheLyricsTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "LearntheLyrics Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\LearntheLyricsTooltab\TooltabExtension.dll" U uninstall:LearntheLyrics" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/5/18 Scan Time: 9:08 AM Log File: e98e106c-f864-11e8-aa71-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8173 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 237463 Threats Detected: 64 Threats Quarantined: 64 Time Elapsed: 2 min, 45 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\LearntheLyricsTooltab\TooltabExtension.dll, Quarantined, [1711], [356944],1.0.8173 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\LearntheLyricsTooltab Uninstall Internet Explorer, Quarantined, [1711], [356944],1.0.8173 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\LearntheLyrics, Quarantined, [1711], [444113],1.0.8173 Registry Value: 3 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\LearntheLyrics|START PAGE, Quarantined, [1711], [444113],1.0.8173 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\LearntheLyricsTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [577], [352442],1.0.8173 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|iekdaegkmghillhfecnncgepaapdfcgf, Quarantined, [1711], [456843],1.0.8173 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [577], [293497],1.0.8173 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\LearntheLyricsTooltab, Quarantined, [1711], [356944],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\60L2DG92.DEFAULT-1519559592148\BROWSER-EXTENSION-DATA\_rnMembers_@free.learnthelyrics.com, Quarantined, [1711], [468075],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\_metadata, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\config, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IEKDAEGKMGHILLHFECNNCGEPAAPDFCGF, Quarantined, [1711], [456843],1.0.8173 File: 48 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\LearntheLyricsTooltab\TooltabExtension.dll, Quarantined, [1711], [356944],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\60L2DG92.DEFAULT-1519559592148\EXTENSIONS\_rnMembers_@free.learnthelyrics.com.xpi, Quarantined, [1711], [457930],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\60l2dg92.default-1519559592148\browser-extension-data\_rnMembers_@free.learnthelyrics.com\storage.js, Quarantined, [1711], [468075],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\000003.log, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\CURRENT, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\LOCK, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\LOG, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\LOG.old, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\iekdaegkmghillhfecnncgepaapdfcgf\MANIFEST-000001, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IEKDAEGKMGHILLHFECNNCGEPAAPDFCGF\13.781.13.57290_0\MANIFEST.JSON, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\config\config.json, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons\icon128.png, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons\icon16.png, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons\icon19disabled.png, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons\icon19on.png, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\icons\icon48.png, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\pageUtils.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\ajax.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\background.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\browserUtils.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\chrome.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\content_script.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\dlp.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\dlpHelper.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\extension_detect.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\genericLoadRemoteSettings.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\index.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\initOfferCEF.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\logger.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\offerService.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\PartnerId.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\product.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\splashPageRedirectHandler.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\storage.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\TabManager.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\TemplateParser.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\ul.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\urlFragmentActions.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\urlUtils.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\util.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\webtooltabAPI.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\js\webTooltabAPIProxy.js, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\_metadata\computed_hashes.json, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\_metadata\verified_contents.json, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\iekdaegkmghillhfecnncgepaapdfcgf\13.781.13.57290_0\newtabproduct.html, Quarantined, [1711], [456843],1.0.8173 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\LEARNTHELYRICS.EXE, Quarantined, [577], [365288],1.0.8173 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is CalendarSpark?The Malwarebytes research team has determined that CalendarSpark is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.CalendarSpark is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by CalendarSpark?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage/newtabpage in the affected browsers:How did CalendarSpark get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was available in the webstore:How do I remove CalendarSpark?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CalendarSpark? No, Malwarebytes' Anti-Malware removes CalendarSpark completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CalendarSpark hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/calendarspark/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_h2Members_@free.calendarspark.com.xpi [2018-11-26] CHR Extension: (CalendarSpark) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj [2018-11-26] C:\Users\{username}\AppData\Local\CalendarSparkTooltab Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CalendarSparkTooltab Adds the file TooltabExtension.dll"="5/17/2018 11:17 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0 Adds the file manifest.json"="11/26/2018 9:10 AM, 2467 bytes, A Adds the file newtabproduct.html"="8/30/2018 5:38 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_metadata Adds the file computed_hashes.json"="11/26/2018 9:10 AM, 4346 bytes, A Adds the file verified_contents.json"="8/30/2018 5:38 PM, 6299 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\config Adds the file config.json"="8/30/2018 5:38 PM, 1680 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons Adds the file icon128.png"="11/26/2018 9:10 AM, 8445 bytes, A Adds the file icon16.png"="8/30/2018 5:38 PM, 659 bytes, A Adds the file icon19disabled.png"="8/30/2018 5:38 PM, 714 bytes, A Adds the file icon19on.png"="11/26/2018 9:10 AM, 760 bytes, A Adds the file icon48.png"="11/26/2018 9:10 AM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js Adds the file ajax.js"="8/30/2018 5:38 PM, 2218 bytes, A Adds the file background.js"="8/30/2018 5:38 PM, 21378 bytes, A Adds the file browserUtils.js"="8/30/2018 5:38 PM, 912 bytes, A Adds the file chrome.js"="8/30/2018 5:38 PM, 146 bytes, A Adds the file content_script.js"="8/30/2018 5:38 PM, 2151 bytes, A Adds the file dlp.js"="8/30/2018 5:38 PM, 5659 bytes, A Adds the file dlpHelper.js"="8/30/2018 5:38 PM, 1799 bytes, A Adds the file extension_detect.js"="8/30/2018 5:38 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="8/30/2018 5:38 PM, 2855 bytes, A Adds the file index.js"="8/30/2018 5:38 PM, 49 bytes, A Adds the file initOfferCEF.js"="8/30/2018 5:38 PM, 8802 bytes, A Adds the file logger.js"="8/30/2018 5:38 PM, 541 bytes, A Adds the file offerService.js"="8/30/2018 5:38 PM, 10337 bytes, A Adds the file pageUtils.js"="8/30/2018 5:38 PM, 2805 bytes, A Adds the file PartnerId.js"="8/30/2018 5:38 PM, 16402 bytes, A Adds the file product.js"="8/30/2018 5:38 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="8/30/2018 5:38 PM, 2868 bytes, A Adds the file storage.js"="8/30/2018 5:38 PM, 1640 bytes, A Adds the file TabManager.js"="8/30/2018 5:38 PM, 151 bytes, A Adds the file TemplateParser.js"="8/30/2018 5:38 PM, 3038 bytes, A Adds the file ul.js"="8/30/2018 5:38 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="8/30/2018 5:38 PM, 1825 bytes, A Adds the file urlUtils.js"="8/30/2018 5:38 PM, 5349 bytes, A Adds the file util.js"="8/30/2018 5:38 PM, 2184 bytes, A Adds the file webtooltabAPI.js"="8/30/2018 5:38 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="8/30/2018 5:38 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj Adds the file 000003.log"="11/26/2018 9:14 AM, 5810 bytes, A Adds the file CURRENT"="11/26/2018 9:10 AM, 16 bytes, A Adds the file LOCK"="11/26/2018 9:10 AM, 0 bytes, A Adds the file LOG"="11/26/2018 9:14 AM, 412 bytes, A Adds the file LOG.old"="11/26/2018 9:13 AM, 412 bytes, A Adds the file MANIFEST-000001"="11/26/2018 9:10 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_h2Members_@free.calendarspark.com Adds the file storage.js"="11/26/2018 9:13 AM, 2851 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _h2Members_@free.calendarspark.com.xpi"="11/26/2018 9:08 AM, 58408 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\CalendarSpark] "Start Page"="REG_SZ", "http://hp.myway.com/calendarspark/ttab02/index.html?n={n}&p2=^CEQ^xdm675^TTAB02^us&ptb={ptb}&si={si}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3D" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jipigdjcibdknnacmomcjkdeildkdkaj"="REG_SZ", "C9427DA16D73DD37F350EB7FE1167EC8D522F1952B6570E04AD2C3B6C85247D7" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/calendarspark/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CalendarSparkTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "CalendarSpark Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\CalendarSparkTooltab\TooltabExtension.dll" U uninstall:CalendarSpark" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/26/18 Scan Time: 9:18 AM Log File: eb8ba77a-f153-11e8-aa59-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.8021 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 237781 Threats Detected: 83 Threats Quarantined: 83 Time Elapsed: 3 min, 22 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\CalendarSparkTooltab\TooltabExtension.dll, Quarantined, [576], [182279],1.0.8021 Registry Key: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CalendarSparkTooltab Uninstall Internet Explorer, Quarantined, [576], [182279],1.0.8021 PUP.Optional.MindSpark, HKCU\SOFTWARE\CalendarSpark, Quarantined, [576], [260158],1.0.8021 Registry Value: 3 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CalendarSpark|START PAGE, Quarantined, [1714], [444113],1.0.8021 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CalendarSparkTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [576], [352442],1.0.8021 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jipigdjcibdknnacmomcjkdeildkdkaj, Quarantined, [1714], [456843],1.0.8021 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [576], [293497],1.0.8021 Data Stream: 0 (No malicious items detected) Folder: 19 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\CALENDARSPARKTOOLTAB, Quarantined, [576], [182279],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_h2Members_@free.calendarspark.com, Quarantined, [1714], [468075],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\es_419, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\pt_BR, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\pt_PT, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\de, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\en, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\es, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\fr, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\it, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\ja, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_metadata, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\config, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JIPIGDJCIBDKNNACMOMCJKDEILDKDKAJ, Quarantined, [1714], [456843],1.0.8021 File: 57 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\CalendarSparkTooltab\TooltabExtension.dll, Quarantined, [576], [182279],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_h2Members_@free.calendarspark.com\storage.js, Quarantined, [1714], [468075],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_h2Members_@free.calendarspark.com.xpi, Quarantined, [1714], [457930],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\000003.log, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\CURRENT, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\LOCK, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\LOG, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\LOG.old, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jipigdjcibdknnacmomcjkdeildkdkaj\MANIFEST-000001, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JIPIGDJCIBDKNNACMOMCJKDEILDKDKAJ\13.803.14.896_0\MANIFEST.JSON, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\config\config.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons\icon128.png, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons\icon16.png, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons\icon19disabled.png, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons\icon19on.png, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\icons\icon48.png, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\pageUtils.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\ajax.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\background.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\browserUtils.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\chrome.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\content_script.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\dlp.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\dlpHelper.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\extension_detect.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\genericLoadRemoteSettings.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\index.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\initOfferCEF.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\logger.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\offerService.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\PartnerId.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\product.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\splashPageRedirectHandler.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\storage.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\TabManager.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\TemplateParser.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\ul.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\urlFragmentActions.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\urlUtils.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\util.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\webtooltabAPI.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\js\webTooltabAPIProxy.js, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\de\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\en\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\es\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\es_419\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\fr\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\it\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\ja\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\pt_BR\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_locales\pt_PT\messages.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_metadata\computed_hashes.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\_metadata\verified_contents.json, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jipigdjcibdknnacmomcjkdeildkdkaj\13.803.14.896_0\newtabproduct.html, Quarantined, [1714], [456843],1.0.8021 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\CALENDARSPARK.{coid}.EXE, Quarantined, [576], [365288],1.0.8021 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. What is FindMeFreebies?The Malwarebytes research team has determined that FindMeFreebies is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.FindMeFreebies is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by FindMeFreebies?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this newtab page in the affected browsers:How did FindMeFreebies get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and for the Chrome extension it redirected to the webstore.How do I remove FindMeFreebies?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of FindMeFreebies? No, Malwarebytes' Anti-Malware removes FindMeFreebies completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the FindMeFreebies hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page"="hxxp://hp.myway.com/findmefreebies/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_9eMembers_@free.findmefreebies.com.xpi [2018-11-19] CHR Extension: (FindMeFreebies) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei [2018-11-19] C:\Users\{username}\AppData\Local\FindMeFreebiesTooltab Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FindMeFreebiesTooltab Adds the file TooltabExtension.dll"="5/18/2018 1:07 AM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0 Adds the file manifest.json"="11/19/2018 8:55 AM, 2474 bytes, A Adds the file newtabproduct.html"="9/4/2018 3:49 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_metadata Adds the file computed_hashes.json"="11/19/2018 8:55 AM, 4346 bytes, A Adds the file verified_contents.json"="9/4/2018 3:49 PM, 6300 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\config Adds the file config.json"="9/4/2018 3:49 PM, 1693 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons Adds the file icon128.png"="11/19/2018 8:55 AM, 11418 bytes, A Adds the file icon16.png"="9/4/2018 3:49 PM, 1596 bytes, A Adds the file icon19disabled.png"="9/4/2018 3:49 PM, 1415 bytes, A Adds the file icon19on.png"="11/19/2018 8:55 AM, 703 bytes, A Adds the file icon48.png"="11/19/2018 8:55 AM, 3577 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js Adds the file ajax.js"="9/4/2018 3:49 PM, 2218 bytes, A Adds the file background.js"="9/4/2018 3:49 PM, 21378 bytes, A Adds the file browserUtils.js"="9/4/2018 3:49 PM, 912 bytes, A Adds the file chrome.js"="9/4/2018 3:49 PM, 146 bytes, A Adds the file content_script.js"="9/4/2018 3:49 PM, 2151 bytes, A Adds the file dlp.js"="9/4/2018 3:49 PM, 5659 bytes, A Adds the file dlpHelper.js"="9/4/2018 3:49 PM, 1799 bytes, A Adds the file extension_detect.js"="9/4/2018 3:49 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="9/4/2018 3:49 PM, 2855 bytes, A Adds the file index.js"="9/4/2018 3:49 PM, 49 bytes, A Adds the file initOfferCEF.js"="9/4/2018 3:49 PM, 8802 bytes, A Adds the file logger.js"="9/4/2018 3:49 PM, 541 bytes, A Adds the file offerService.js"="9/4/2018 3:49 PM, 10337 bytes, A Adds the file pageUtils.js"="9/4/2018 3:49 PM, 2805 bytes, A Adds the file PartnerId.js"="9/4/2018 3:49 PM, 16402 bytes, A Adds the file product.js"="9/4/2018 3:49 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="9/4/2018 3:49 PM, 2868 bytes, A Adds the file storage.js"="9/4/2018 3:49 PM, 1640 bytes, A Adds the file TabManager.js"="9/4/2018 3:49 PM, 151 bytes, A Adds the file TemplateParser.js"="9/4/2018 3:49 PM, 3038 bytes, A Adds the file ul.js"="9/4/2018 3:49 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="9/4/2018 3:49 PM, 1825 bytes, A Adds the file urlUtils.js"="9/4/2018 3:49 PM, 5349 bytes, A Adds the file util.js"="9/4/2018 3:49 PM, 2184 bytes, A Adds the file webtooltabAPI.js"="9/4/2018 3:49 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="9/4/2018 3:49 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei Adds the file 000003.log"="11/19/2018 8:57 AM, 5000 bytes, A Adds the file CURRENT"="11/19/2018 8:55 AM, 16 bytes, A Adds the file LOCK"="11/19/2018 8:55 AM, 0 bytes, A Adds the file LOG"="11/19/2018 8:57 AM, 412 bytes, A Adds the file LOG.old"="11/19/2018 8:56 AM, 409 bytes, A Adds the file MANIFEST-000001"="11/19/2018 8:55 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_9eMembers_@free.findmefreebies.com Adds the file storage.js"="11/19/2018 8:56 AM, 2351 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _9eMembers_@free.findmefreebies.com.xpi"="11/19/2018 8:53 AM, 67078 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FindMeFreebies] "Start Page"="REG_SZ", "http://hp.myway.com/findmefreebies/ttab02/index.html?n={n}&p2=^B5K^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3D{ptb}%26ptb%3D [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "komglhdcfhkhnocdfclghlgnfjmpabei"="REG_SZ", "59D84CD35D26E75C0EC04C5276DD699125F4A03E899F6EABB904CE49F3360735" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/findmefreebies/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FindMeFreebiesTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FindMeFreebies Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FindMeFreebiesTooltab\TooltabExtension.dll" U uninstall:FindMeFreebies" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/19/18 Scan Time: 9:02 AM Log File: 80f81aba-ebd1-11e8-9c60-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.482 Update Package Version: 1.0.7911 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 237784 Threats Detected: 83 Threats Quarantined: 83 Time Elapsed: 2 min, 45 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FindMeFreebiesTooltab\TooltabExtension.dll, Quarantined, [1710], [356944],1.0.7911 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FindMeFreebiesTooltab Uninstall Internet Explorer, Quarantined, [1710], [356944],1.0.7911 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FindMeFreebies, Quarantined, [1710], [444113],1.0.7911 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FindMeFreebiesTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [570], [352442],1.0.7911 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FindMeFreebies|START PAGE, Quarantined, [1710], [444113],1.0.7911 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|komglhdcfhkhnocdfclghlgnfjmpabei, Quarantined, [1710], [456842],1.0.7911 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [570], [293497],1.0.7911 Data Stream: 0 (No malicious items detected) Folder: 19 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FindMeFreebiesTooltab, Quarantined, [1710], [356944],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_9eMembers_@free.findmefreebies.com, Quarantined, [1710], [468075],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\es_419, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\pt_BR, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\pt_PT, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\de, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\en, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\es, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\fr, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\it, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\ja, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_metadata, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\config, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KOMGLHDCFHKHNOCDFCLGHLGNFJMPABEI\13.803.14.2528_0, Quarantined, [1710], [456842],1.0.7911 File: 57 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FindMeFreebiesTooltab\TooltabExtension.dll, Quarantined, [1710], [356944],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_9eMembers_@free.findmefreebies.com.xpi, Quarantined, [1710], [457930],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_9eMembers_@free.findmefreebies.com\storage.js, Quarantined, [1710], [468075],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\000003.log, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\CURRENT, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\LOCK, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\LOG, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\LOG.old, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\komglhdcfhkhnocdfclghlgnfjmpabei\MANIFEST-000001, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KOMGLHDCFHKHNOCDFCLGHLGNFJMPABEI\13.803.14.2528_0\CONFIG\CONFIG.JSON, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons\icon128.png, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons\icon16.png, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons\icon19disabled.png, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons\icon19on.png, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\icons\icon48.png, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\pageUtils.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\ajax.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\background.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\browserUtils.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\chrome.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\content_script.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\dlp.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\dlpHelper.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\extension_detect.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\genericLoadRemoteSettings.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\index.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\initOfferCEF.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\logger.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\offerService.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\PartnerId.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\product.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\splashPageRedirectHandler.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\storage.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\TabManager.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\TemplateParser.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\ul.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\urlFragmentActions.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\urlUtils.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\util.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\webtooltabAPI.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\js\webTooltabAPIProxy.js, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\de\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\en\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\es\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\es_419\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\fr\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\it\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\ja\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\pt_BR\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_locales\pt_PT\messages.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_metadata\computed_hashes.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\_metadata\verified_contents.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\manifest.json, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\komglhdcfhkhnocdfclghlgnfjmpabei\13.803.14.2528_0\newtabproduct.html, Quarantined, [1710], [456842],1.0.7911 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FINDMEFREEBIES.EXE, Quarantined, [570], [365288],1.0.7911 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is AudioToAudio?The Malwarebytes research team has determined that AudioToAudio is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.AudioToAudio is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by AudioToAudio?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:this icon in the menu-bar of some of the affected browsers:and this new homepage in the affected browsers:https://static-cdn.m...tartpage.png[/iHow did AudioToAudio get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove AudioToAudio?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of AudioToAudio? No, Malwarebytes' Anti-Malware removes AudioToAudio completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the AudioToAudio hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/audiotoaudio/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_8iMembers_@download.audiotoaudio.com.xpi [2018-10-31] CHR Extension: (AudioToAudio) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj [2018-10-31] C:\Users\{username}\AppData\Local\AudioToAudioTooltab AudioToAudio Internet Explorer Homepage and New Tab (HKCU\...\AudioToAudioTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\AudioToAudioTooltab Adds the file TooltabExtension.dll"="5/17/2018 11:10 PM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0 Adds the file manifest.json"="10/31/2018 9:16 AM, 2467 bytes, A Adds the file newtabproduct.html"="8/29/2018 4:52 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_metadata Adds the file computed_hashes.json"="10/31/2018 9:16 AM, 4346 bytes, A Adds the file verified_contents.json"="8/29/2018 4:52 PM, 6301 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\config Adds the file config.json"="8/29/2018 4:52 PM, 1695 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js Adds the file ajax.js"="8/29/2018 4:52 PM, 2218 bytes, A Adds the file background.js"="8/29/2018 4:52 PM, 21378 bytes, A Adds the file browserUtils.js"="8/29/2018 4:52 PM, 912 bytes, A Adds the file chrome.js"="8/29/2018 4:52 PM, 146 bytes, A Adds the file content_script.js"="8/29/2018 4:52 PM, 2151 bytes, A Adds the file dlp.js"="8/29/2018 4:52 PM, 5659 bytes, A Adds the file dlpHelper.js"="8/29/2018 4:52 PM, 1799 bytes, A Adds the file extension_detect.js"="8/29/2018 4:52 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="8/29/2018 4:52 PM, 2855 bytes, A Adds the file index.js"="8/29/2018 4:52 PM, 49 bytes, A Adds the file initOfferCEF.js"="8/29/2018 4:52 PM, 8802 bytes, A Adds the file logger.js"="8/29/2018 4:52 PM, 541 bytes, A Adds the file offerService.js"="8/29/2018 4:52 PM, 10337 bytes, A Adds the file pageUtils.js"="8/29/2018 4:52 PM, 2805 bytes, A Adds the file PartnerId.js"="8/29/2018 4:52 PM, 16402 bytes, A Adds the file product.js"="8/29/2018 4:52 PM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="8/29/2018 4:52 PM, 2868 bytes, A Adds the file storage.js"="8/29/2018 4:52 PM, 1640 bytes, A Adds the file TabManager.js"="8/29/2018 4:52 PM, 151 bytes, A Adds the file TemplateParser.js"="8/29/2018 4:52 PM, 3038 bytes, A Adds the file ul.js"="8/29/2018 4:52 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="8/29/2018 4:52 PM, 1825 bytes, A Adds the file urlUtils.js"="8/29/2018 4:52 PM, 5349 bytes, A Adds the file util.js"="8/29/2018 4:52 PM, 2184 bytes, A Adds the file webtooltabAPI.js"="8/29/2018 4:52 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="8/29/2018 4:52 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj Adds the file 000003.log"="10/31/2018 9:18 AM, 4913 bytes, A Adds the file CURRENT"="10/31/2018 9:16 AM, 16 bytes, A Adds the file LOCK"="10/31/2018 9:16 AM, 0 bytes, A Adds the file LOG"="10/31/2018 9:18 AM, 412 bytes, A Adds the file LOG.old"="10/31/2018 9:16 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/31/2018 9:16 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_8iMembers_@download.audiotoaudio.com Adds the file storage.js"="10/31/2018 9:18 AM, 2389 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _8iMembers_@download.audiotoaudio.com.xpi"="10/31/2018 9:13 AM, 65918 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\AudioToAudio] "Start Page"="REG_SZ", "http://hp.myway.com/audiotoaudio/ttab02/index.html?n={n}&p2=^AYZ^yyyyyy^TTAB02^nl&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3D{ptb}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fmgkbbgmfadinoembkciofacghellcmj"="REG_SZ", "EA017AD2D00ED7D965C18964373286767C3C79E49C0D62ED160A05E2C11C2154" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/audiotoaudio/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\AudioToAudioTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "AudioToAudio Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\AudioToAudioTooltab\TooltabExtension.dll" U uninstall:AudioToAudio" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/31/18 Scan Time: 9:24 AM Log File: 5902fbbe-dce6-11e8-8f0e-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.463 Update Package Version: 1.0.7621 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 238138 Threats Detected: 83 Threats Quarantined: 83 Time Elapsed: 3 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\AudioToAudioTooltab\TooltabExtension.dll, Quarantined, [1706], [356944],1.0.7621 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AudioToAudioTooltab Uninstall Internet Explorer, Quarantined, [1706], [356944],1.0.7621 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\AudioToAudio, Quarantined, [1706], [444113],1.0.7621 Registry Value: 3 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AudioToAudioTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [564], [352442],1.0.7621 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\AudioToAudio|START PAGE, Quarantined, [1706], [444113],1.0.7621 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|fmgkbbgmfadinoembkciofacghellcmj, Quarantined, [1706], [467555],1.0.7621 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [564], [293497],1.0.7621 Data Stream: 0 (No malicious items detected) Folder: 19 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\AudioToAudioTooltab, Quarantined, [1706], [356944],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\60L2DG92.DEFAULT-1519559592148\BROWSER-EXTENSION-DATA\_8iMembers_@download.audiotoaudio.com, Quarantined, [1706], [468075],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\es_419, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\pt_BR, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\pt_PT, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\de, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\en, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\es, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\fr, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\it, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\ja, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_metadata, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\config, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMGKBBGMFADINOEMBKCIOFACGHELLCMJ, Quarantined, [1706], [467555],1.0.7621 File: 57 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\AudioToAudioTooltab\TooltabExtension.dll, Quarantined, [1706], [356944],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\60L2DG92.DEFAULT-1519559592148\EXTENSIONS\_8iMembers_@download.audiotoaudio.com.xpi, Quarantined, [1706], [457930],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\60l2dg92.default-1519559592148\browser-extension-data\_8iMembers_@download.audiotoaudio.com\storage.js, Quarantined, [1706], [468075],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\000003.log, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\CURRENT, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\LOCK, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\LOG, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\LOG.old, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmgkbbgmfadinoembkciofacghellcmj\MANIFEST-000001, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMGKBBGMFADINOEMBKCIOFACGHELLCMJ\13.803.13.65273_0\MANIFEST.JSON, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\config\config.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons\icon128.png, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons\icon16.png, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons\icon19disabled.png, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons\icon19on.png, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\icons\icon48.png, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\pageUtils.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\ajax.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\background.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\browserUtils.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\chrome.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\content_script.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\dlp.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\dlpHelper.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\extension_detect.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\genericLoadRemoteSettings.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\index.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\initOfferCEF.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\logger.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\offerService.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\PartnerId.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\product.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\splashPageRedirectHandler.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\storage.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\TabManager.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\TemplateParser.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\ul.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\urlFragmentActions.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\urlUtils.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\util.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\webtooltabAPI.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\js\webTooltabAPIProxy.js, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\de\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\en\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\es\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\es_419\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\fr\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\it\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\ja\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\pt_BR\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_locales\pt_PT\messages.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_metadata\computed_hashes.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\_metadata\verified_contents.json, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmgkbbgmfadinoembkciofacghellcmj\13.803.13.65273_0\newtabproduct.html, Quarantined, [1706], [467555],1.0.7621 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\AUDIOTOAUDIO.4FE395273CB54708ABFD182521E8EEA2.EXE, Quarantined, [564], [365288],1.0.7621 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Steam Frenzy?The Malwarebytes research team has determined that Steam Frenzy is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Steam Frenzy is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by Steam Frenzy?You may see this browser extension:these warnings during install:You may see this changed setting:and this newtab-page in the affected browsers:How did Steam Frenzy get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was promoted by their website:and the Chrome extension was downloaded from the webstore:How do I remove Steam Frenzy?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Steam Frenzy? No, Malwarebytes' Anti-Malware removes Steam Frenzy completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Steam Frenzy hijacker. It would have blocked traffic to their domains: Technical details for expertsPossible signs in a FRST log: CHR Extension: (StreamFrenzy) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb [2018-10-12] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0 Adds the file manifest.json"="10/12/2018 10:34 AM, 2490 bytes, A Adds the file newtabproduct.html"="9/5/2018 10:47 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_locales\en Adds the file messages.json"="10/12/2018 10:34 AM, 230 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_metadata Adds the file computed_hashes.json"="10/12/2018 10:34 AM, 4688 bytes, A Adds the file verified_contents.json"="9/6/2018 5:35 PM, 5540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\config Adds the file config.json"="9/6/2018 5:35 PM, 2050 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons Adds the file icon128.png"="10/12/2018 10:34 AM, 9147 bytes, A Adds the file icon16.png"="9/5/2018 10:47 PM, 798 bytes, A Adds the file icon19disabled.png"="9/5/2018 10:47 PM, 554 bytes, A Adds the file icon19on.png"="10/12/2018 10:34 AM, 1152 bytes, A Adds the file icon48.png"="10/12/2018 10:34 AM, 4938 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js Adds the file ajax.js"="9/5/2018 10:47 PM, 2218 bytes, A Adds the file b2b-partner-tracking.js"="9/5/2018 10:47 PM, 11186 bytes, A Adds the file background.js"="9/6/2018 5:34 PM, 23420 bytes, A Adds the file browserUtils.js"="9/5/2018 10:47 PM, 912 bytes, A Adds the file chrome.js"="9/5/2018 10:47 PM, 146 bytes, A Adds the file content_script.js"="9/5/2018 10:47 PM, 2151 bytes, A Adds the file dlp.js"="9/5/2018 10:47 PM, 5659 bytes, A Adds the file dlpHelper.js"="9/5/2018 10:47 PM, 1799 bytes, A Adds the file extension_detect.js"="9/5/2018 10:47 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="9/5/2018 10:47 PM, 2855 bytes, A Adds the file index.js"="9/5/2018 10:47 PM, 49 bytes, A Adds the file initOfferCEF.js"="9/5/2018 10:47 PM, 8802 bytes, A Adds the file logger.js"="9/5/2018 10:47 PM, 541 bytes, A Adds the file offerService.js"="9/5/2018 10:47 PM, 10337 bytes, A Adds the file pageUtils.js"="9/5/2018 10:47 PM, 2805 bytes, A Adds the file PartnerId.js"="9/5/2018 10:47 PM, 16402 bytes, A Adds the file product.js"="9/5/2018 10:47 PM, 8403 bytes, A Adds the file splashPageLocalStorageSetter.js"="9/5/2018 10:47 PM, 88 bytes, A Adds the file splashPageRedirectHandler.js"="9/5/2018 10:47 PM, 2868 bytes, A Adds the file storage.js"="9/5/2018 10:47 PM, 1640 bytes, A Adds the file TabManager.js"="9/5/2018 10:47 PM, 151 bytes, A Adds the file TemplateParser.js"="9/5/2018 10:47 PM, 3038 bytes, A Adds the file ul.js"="9/5/2018 10:47 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="9/5/2018 10:47 PM, 1631 bytes, A Adds the file urlUtils.js"="9/5/2018 10:47 PM, 5349 bytes, A Adds the file util.js"="9/5/2018 10:47 PM, 3004 bytes, A Adds the file webtooltabAPI.js"="9/5/2018 10:47 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="9/5/2018 10:47 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb Adds the file 000003.log"="10/12/2018 10:40 AM, 4930 bytes, A Adds the file CURRENT"="10/12/2018 10:34 AM, 16 bytes, A Adds the file LOCK"="10/12/2018 10:34 AM, 0 bytes, A Adds the file LOG"="10/12/2018 10:36 AM, 412 bytes, A Adds the file LOG.old"="10/12/2018 10:34 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/12/2018 10:34 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fmpkhjobgenhkejocohgfcgigbfnhakb"="REG_SZ", "12D42DAD42B9D7413AAF12C538CFE073F2BACB906A2476599A119FCDED1AC4B4" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/12/18 Scan Time: 10:43 AM Log File: e69b85b9-cdfa-11e8-a26e-00ffdcc6fdfc.json -Software Information- Version: 3.6.1.2711 Components Version: 1.0.463 Update Package Version: 1.0.7309 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 238437 Threats Detected: 58 Threats Quarantined: 58 Time Elapsed: 2 min, 50 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_locales\en, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_metadata, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_locales, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\config, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMPKHJOBGENHKEJOCOHGFCGIGBFNHAKB, Quarantined, [1700], [467555],1.0.7309 File: 47 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\000003.log, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\CURRENT, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\LOCK, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\LOG, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\LOG.old, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmpkhjobgenhkejocohgfcgigbfnhakb\MANIFEST-000001, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FMPKHJOBGENHKEJOCOHGFCGIGBFNHAKB\13.809.15.2824_0\MANIFEST.JSON, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\config\config.json, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons\icon128.png, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons\icon16.png, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons\icon19disabled.png, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons\icon19on.png, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\icons\icon48.png, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\logger.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\ajax.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\b2b-partner-tracking.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\background.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\browserUtils.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\chrome.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\content_script.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\dlp.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\dlpHelper.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\extension_detect.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\genericLoadRemoteSettings.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\index.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\initOfferCEF.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\offerService.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\pageUtils.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\PartnerId.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\product.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\splashPageLocalStorageSetter.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\splashPageRedirectHandler.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\storage.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\TabManager.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\TemplateParser.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\ul.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\urlFragmentActions.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\urlUtils.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\util.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\webtooltabAPI.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\js\webTooltabAPIProxy.js, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_locales\en\messages.json, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_metadata\computed_hashes.json, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\_metadata\verified_contents.json, Quarantined, [1700], [467555],1.0.7309 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmpkhjobgenhkejocohgfcgigbfnhakb\13.809.15.2824_0\newtabproduct.html, Quarantined, [1700], [467555],1.0.7309 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Sports Addict?The Malwarebytes research team has determined that Sports Addict is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Sports Addict is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by Sports Addict?You may see these browser extensions/add-ons:these warnings during install:and this new setting:You will see this icon in your browsers menu-bar:and this new homepage in the affected browsers:How did Sports Addict get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their websiteand the Chrome extension was also available in the webstore:How do I remove Sports Addict?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Sports Addict? No, Malwarebytes' Anti-Malware removes Sports Addict completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Sports Addict hijacker. It would have blocked traffic to their domains: Technical details for expertsPossible signs in a FRST log: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_oqMembers_@sportsaddict.thewhizproducts.com.xpi [2018-10-08] CHR Extension: (Sports Addict) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal [2018-10-08] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0 Adds the file dynamicNewTab.html"="4/10/2018 9:22 AM, 1136 bytes, A Adds the file manifest.json"="10/8/2018 10:17 AM, 2594 bytes, A Adds the file productnewtab.html"="4/10/2018 9:22 AM, 1136 bytes, A Adds the file stubby.html"="4/10/2018 9:22 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\_metadata Adds the file computed_hashes.json"="10/8/2018 10:17 AM, 4670 bytes, A Adds the file verified_contents.json"="4/10/2018 9:22 AM, 5391 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\config Adds the file config.json"="4/10/2018 9:22 AM, 1972 bytes, A Adds the file extension-config.json"="4/10/2018 9:22 AM, 1114 bytes, A Adds the file extension-dev-config.json"="4/10/2018 9:22 AM, 1236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons Adds the file icon128.png"="10/8/2018 10:17 AM, 4217 bytes, A Adds the file icon16.png"="4/10/2018 9:22 AM, 562 bytes, A Adds the file icon19disabled.png"="4/10/2018 9:22 AM, 344 bytes, A Adds the file icon19on.png"="10/8/2018 10:17 AM, 715 bytes, A Adds the file icon48.png"="10/8/2018 10:17 AM, 2108 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js Adds the file ajax.js"="4/10/2018 9:22 AM, 2250 bytes, A Adds the file b2b-partner-tracking.js"="4/10/2018 9:22 AM, 11023 bytes, A Adds the file background.js"="4/10/2018 9:22 AM, 21158 bytes, A Adds the file chrome.js"="4/10/2018 9:22 AM, 180 bytes, A Adds the file content_script.js"="4/10/2018 9:22 AM, 5815 bytes, A Adds the file dlp.js"="4/10/2018 9:22 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/10/2018 9:22 AM, 1836 bytes, A Adds the file extension_detect.js"="4/10/2018 9:22 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/10/2018 9:22 AM, 2908 bytes, A Adds the file index.js"="4/10/2018 9:22 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/10/2018 9:22 AM, 8991 bytes, A Adds the file logger.js"="4/10/2018 9:22 AM, 575 bytes, A Adds the file offerService.js"="4/10/2018 9:22 AM, 13159 bytes, A Adds the file pageUtils.js"="4/10/2018 9:22 AM, 1811 bytes, A Adds the file PartnerId.js"="4/10/2018 9:22 AM, 16439 bytes, A Adds the file product.js"="4/10/2018 9:22 AM, 4511 bytes, A Adds the file storage.js"="4/10/2018 9:22 AM, 1675 bytes, A Adds the file TabManager.js"="4/10/2018 9:22 AM, 189 bytes, A Adds the file TemplateParser.js"="4/10/2018 9:22 AM, 3080 bytes, A Adds the file ul.js"="4/10/2018 9:22 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/10/2018 9:22 AM, 2521 bytes, A Adds the file urlUtils.js"="4/10/2018 9:22 AM, 5385 bytes, A Adds the file util.js"="4/10/2018 9:22 AM, 4027 bytes, A Adds the file webtooltabAPI.js"="4/10/2018 9:22 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal Adds the file 000003.log"="10/8/2018 10:18 AM, 5584 bytes, A Adds the file CURRENT"="10/8/2018 10:17 AM, 16 bytes, A Adds the file LOCK"="10/8/2018 10:17 AM, 0 bytes, A Adds the file LOG"="10/8/2018 10:18 AM, 412 bytes, A Adds the file LOG.old"="10/8/2018 10:17 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/8/2018 10:17 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_oqMembers_@sportsaddict.thewhizproducts.com Adds the file storage.js"="10/8/2018 10:18 AM, 2717 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _oqMembers_@sportsaddict.thewhizproducts.com.xpi"="10/8/2018 10:17 AM, 50256 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ophjmddaoidnhjpfjiipefgmjcjfbgal"="REG_SZ", "59B5791C85F86789C627FFC406FAAE922720796DF74BB66E59718503E133833A" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/8/18 Scan Time: 10:08 AM Log File: 46094d32-cad1-11e8-ad3f-00ffdcc6fdfc.json -Software Information- Version: 3.5.1.2522 Components Version: 1.0.441 Update Package Version: 1.0.7239 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 238649 Threats Detected: 55 Threats Quarantined: 55 Time Elapsed: 2 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_oqMembers_@sportsaddict.thewhizproducts.com, Quarantined, [1702], [468075],1.0.7239 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\_metadata, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\config, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OPHJMDDAOIDNHJPFJIIPEFGMJCJFBGAL, Quarantined, [1702], [467555],1.0.7239 File: 47 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_oqMembers_@sportsaddict.thewhizproducts.com.xpi, Quarantined, [1702], [457930],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_oqMembers_@sportsaddict.thewhizproducts.com\storage.js, Quarantined, [1702], [468075],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal\000003.log, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal\CURRENT, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal\LOCK, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal\LOG, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ophjmddaoidnhjpfjiipefgmjcjfbgal\MANIFEST-000001, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OPHJMDDAOIDNHJPFJIIPEFGMJCJFBGAL\13.421.12.64295_0\MANIFEST.JSON, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\config\config.json, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\config\extension-config.json, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\config\extension-dev-config.json, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons\icon128.png, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons\icon16.png, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons\icon19disabled.png, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons\icon19on.png, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\icons\icon48.png, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\logger.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\ajax.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\b2b-partner-tracking.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\background.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\chrome.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\content_script.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\dlp.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\dlpHelper.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\extension_detect.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\genericLoadRemoteSettings.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\index.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\initOfferCEF.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\offerService.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\pageUtils.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\PartnerId.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\product.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\storage.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\TabManager.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\TemplateParser.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\ul.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\urlFragmentActions.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\urlUtils.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\util.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\js\webtooltabAPI.js, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\_metadata\computed_hashes.json, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\_metadata\verified_contents.json, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\dynamicNewTab.html, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\productnewtab.html, Quarantined, [1702], [467555],1.0.7239 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ophjmddaoidnhjpfjiipefgmjcjfbgal\13.421.12.64295_0\stubby.html, Quarantined, [1702], [467555],1.0.7239 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Your Daily Trailer?The Malwarebytes research team has determined that Your Daily Trailer is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Your Daily Trailer is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by Your Daily Trailer?You may see these browser extensions/add-ons:these warnings during install:and this new homepage in the affected browsers:How did Your Daily Trailer get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove Your Daily Trailer?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Your Daily Trailer? No, Malwarebytes' Anti-Malware removes Your Daily Trailer completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Your Daily Trailer hijacker. It would have blocked traffic to their domains: Technical details for expertsPossible signs in a FRST log: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_ooMembers_@yourdailytrailer.yournewtab.com.xpi [2018-10-04] CHR Extension: (Your Daily Trailer) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj [2018-10-04] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0 Adds the file manifest.json"="10/4/2018 8:44 AM, 2472 bytes, A Adds the file newtabproduct.html"="9/25/2018 4:02 PM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_locales\en Adds the file messages.json"="10/4/2018 8:44 AM, 213 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_metadata Adds the file computed_hashes.json"="10/4/2018 8:44 AM, 4688 bytes, A Adds the file verified_contents.json"="9/25/2018 4:02 PM, 5540 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\config Adds the file config.json"="9/25/2018 4:02 PM, 1999 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons Adds the file icon128.png"="10/4/2018 8:44 AM, 19835 bytes, A Adds the file icon16.png"="9/25/2018 4:02 PM, 847 bytes, A Adds the file icon19disabled.png"="9/25/2018 4:02 PM, 579 bytes, A Adds the file icon19on.png"="10/4/2018 8:44 AM, 1232 bytes, A Adds the file icon48.png"="10/4/2018 8:44 AM, 5688 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js Adds the file ajax.js"="9/25/2018 4:02 PM, 2218 bytes, A Adds the file b2b-partner-tracking.js"="9/25/2018 4:02 PM, 11186 bytes, A Adds the file background.js"="9/25/2018 4:02 PM, 23425 bytes, A Adds the file browserUtils.js"="9/25/2018 4:02 PM, 912 bytes, A Adds the file chrome.js"="9/25/2018 4:02 PM, 146 bytes, A Adds the file content_script.js"="9/25/2018 4:02 PM, 2151 bytes, A Adds the file dlp.js"="9/25/2018 4:02 PM, 5659 bytes, A Adds the file dlpHelper.js"="9/25/2018 4:02 PM, 1799 bytes, A Adds the file extension_detect.js"="9/25/2018 4:02 PM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="9/25/2018 4:02 PM, 2855 bytes, A Adds the file index.js"="9/25/2018 4:02 PM, 49 bytes, A Adds the file initOfferCEF.js"="9/25/2018 4:02 PM, 8802 bytes, A Adds the file logger.js"="9/25/2018 4:02 PM, 541 bytes, A Adds the file offerService.js"="9/25/2018 4:02 PM, 10337 bytes, A Adds the file pageUtils.js"="9/25/2018 4:02 PM, 2805 bytes, A Adds the file PartnerId.js"="9/25/2018 4:02 PM, 16402 bytes, A Adds the file product.js"="9/25/2018 4:02 PM, 8403 bytes, A Adds the file splashPageLocalStorageSetter.js"="9/25/2018 4:02 PM, 88 bytes, A Adds the file splashPageRedirectHandler.js"="9/25/2018 4:02 PM, 2868 bytes, A Adds the file storage.js"="9/25/2018 4:02 PM, 1640 bytes, A Adds the file TabManager.js"="9/25/2018 4:02 PM, 151 bytes, A Adds the file TemplateParser.js"="9/25/2018 4:02 PM, 3038 bytes, A Adds the file ul.js"="9/25/2018 4:02 PM, 3832 bytes, A Adds the file urlFragmentActions.js"="9/25/2018 4:02 PM, 1631 bytes, A Adds the file urlUtils.js"="9/25/2018 4:02 PM, 5349 bytes, A Adds the file util.js"="9/25/2018 4:02 PM, 3004 bytes, A Adds the file webtooltabAPI.js"="9/25/2018 4:02 PM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="9/25/2018 4:02 PM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj Adds the file 000003.log"="10/4/2018 8:47 AM, 5680 bytes, A Adds the file CURRENT"="10/4/2018 8:44 AM, 16 bytes, A Adds the file LOCK"="10/4/2018 8:44 AM, 0 bytes, A Adds the file LOG"="10/4/2018 8:45 AM, 412 bytes, A Adds the file LOG.old"="10/4/2018 8:44 AM, 185 bytes, A Adds the file MANIFEST-000001"="10/4/2018 8:44 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_ooMembers_@yourdailytrailer.yournewtab.com Adds the file storage.js"="10/4/2018 8:52 AM, 2739 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _ooMembers_@yourdailytrailer.yournewtab.com.xpi"="10/4/2018 8:49 AM, 66631 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "olnecppbhecjfoffhlfekoeombkegcjj"="REG_SZ", "16DB6B07070DF02BA82DE57047E1C1A3C8D1A6E775FD727332730814FB5C4A82" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/4/18 Scan Time: 8:56 AM Log File: 968571c8-c7a2-11e8-b806-00ffdcc6fdfc.json -Software Information- Version: 3.5.1.2522 Components Version: 1.0.441 Update Package Version: 1.0.7173 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 239013 Threats Detected: 59 Threats Quarantined: 59 Time Elapsed: 2 min, 44 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_ooMembers_@yourdailytrailer.yournewtab.com, Quarantined, [1703], [468075],1.0.7173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_locales\en, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_metadata, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_locales, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\config, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLNECPPBHECJFOFFHLFEKOEOMBKEGCJJ, Quarantined, [1703], [467555],1.0.7173 File: 49 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_ooMembers_@yourdailytrailer.yournewtab.com.xpi, Quarantined, [1703], [457930],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_ooMembers_@yourdailytrailer.yournewtab.com\storage.js, Quarantined, [1703], [468075],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\000003.log, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\CURRENT, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\LOCK, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\LOG, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\LOG.old, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\olnecppbhecjfoffhlfekoeombkegcjj\MANIFEST-000001, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OLNECPPBHECJFOFFHLFEKOEOMBKEGCJJ\13.809.14.8557_0\MANIFEST.JSON, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\config\config.json, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons\icon128.png, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons\icon16.png, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons\icon19disabled.png, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons\icon19on.png, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\icons\icon48.png, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\initOfferCEF.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\ajax.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\b2b-partner-tracking.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\background.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\browserUtils.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\chrome.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\content_script.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\dlp.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\dlpHelper.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\extension_detect.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\genericLoadRemoteSettings.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\index.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\logger.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\offerService.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\pageUtils.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\PartnerId.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\product.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\splashPageLocalStorageSetter.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\splashPageRedirectHandler.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\storage.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\TabManager.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\TemplateParser.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\ul.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\urlFragmentActions.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\urlUtils.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\util.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\webtooltabAPI.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\js\webTooltabAPIProxy.js, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_locales\en\messages.json, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_metadata\computed_hashes.json, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\_metadata\verified_contents.json, Quarantined, [1703], [467555],1.0.7173 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\olnecppbhecjfoffhlfekoeombkegcjj\13.809.14.8557_0\newtabproduct.html, Quarantined, [1703], [467555],1.0.7173 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. What is SimpleHolidayRecipes?The Malwarebytes research team has determined that SimpleHolidayRecipes is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.SimpleHolidayRecipes is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by SimpleHolidayRecipes?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did SimpleHolidayRecipes get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.and the Chrome extension was also available in the webstore:How do I remove SimpleHolidayRecipes?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of SimpleHolidayRecipes? No, Malwarebytes' Anti-Malware removes SimpleHolidayRecipes completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the SimpleHolidayRecipes hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/simpleholidayrecipes/ttab02/index.html?n={n1}&p2={p2}5ETTAB02&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_reMembers_@www.simpleholidayrecipes.com.xpi [2018-08-30] CHR Extension: (SimpleHolidayRecipes) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc [2018-08-30] C:\Users\{username}\AppData\Local\SimpleHolidayRecipesTooltab SimpleHolidayRecipes Internet Explorer Homepage and New Tab (HKCU\...\SimpleHolidayRecipesTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0 Adds the file manifest.json"="8/30/2018 8:59 AM, 2549 bytes, A Adds the file newtabproduct.html"="8/21/2018 9:47 AM, 1210 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\_metadata Adds the file computed_hashes.json"="8/30/2018 8:59 AM, 4346 bytes, A Adds the file verified_contents.json"="8/21/2018 9:47 AM, 5148 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\config Adds the file config.json"="8/21/2018 9:47 AM, 1809 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js Adds the file ajax.js"="8/21/2018 9:47 AM, 2218 bytes, A Adds the file background.js"="8/21/2018 9:47 AM, 21378 bytes, A Adds the file browserUtils.js"="8/21/2018 9:47 AM, 912 bytes, A Adds the file chrome.js"="8/21/2018 9:47 AM, 146 bytes, A Adds the file content_script.js"="8/21/2018 9:47 AM, 2151 bytes, A Adds the file dlp.js"="8/21/2018 9:47 AM, 5659 bytes, A Adds the file dlpHelper.js"="8/21/2018 9:47 AM, 1799 bytes, A Adds the file extension_detect.js"="8/21/2018 9:47 AM, 4299 bytes, A Adds the file genericLoadRemoteSettings.js"="8/21/2018 9:47 AM, 2855 bytes, A Adds the file index.js"="8/21/2018 9:47 AM, 49 bytes, A Adds the file initOfferCEF.js"="8/21/2018 9:47 AM, 8802 bytes, A Adds the file logger.js"="8/21/2018 9:47 AM, 541 bytes, A Adds the file offerService.js"="8/21/2018 9:47 AM, 10337 bytes, A Adds the file pageUtils.js"="8/21/2018 9:47 AM, 2805 bytes, A Adds the file PartnerId.js"="8/21/2018 9:47 AM, 16402 bytes, A Adds the file product.js"="8/21/2018 9:47 AM, 8403 bytes, A Adds the file splashPageRedirectHandler.js"="8/21/2018 9:47 AM, 2868 bytes, A Adds the file storage.js"="8/21/2018 9:47 AM, 1640 bytes, A Adds the file TabManager.js"="8/21/2018 9:47 AM, 151 bytes, A Adds the file TemplateParser.js"="8/21/2018 9:47 AM, 3038 bytes, A Adds the file ul.js"="8/21/2018 9:47 AM, 3832 bytes, A Adds the file urlFragmentActions.js"="8/21/2018 9:47 AM, 1825 bytes, A Adds the file urlUtils.js"="8/21/2018 9:47 AM, 5349 bytes, A Adds the file util.js"="8/21/2018 9:47 AM, 2184 bytes, A Adds the file webtooltabAPI.js"="8/21/2018 9:47 AM, 8721 bytes, A Adds the file webTooltabAPIProxy.js"="8/21/2018 9:47 AM, 5445 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc Adds the file 000003.log"="8/30/2018 9:02 AM, 4912 bytes, A Adds the file CURRENT"="8/30/2018 8:59 AM, 16 bytes, A Adds the file LOCK"="8/30/2018 8:59 AM, 0 bytes, A Adds the file LOG"="8/30/2018 9:01 AM, 412 bytes, A Adds the file LOG.old"="8/30/2018 9:00 AM, 412 bytes, A Adds the file MANIFEST-000001"="8/30/2018 8:59 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\SimpleHolidayRecipesTooltab Adds the file TooltabExtension.dll"="5/16/2018 9:30 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_reMembers_@www.simpleholidayrecipes.com Adds the file storage.js"="8/30/2018 9:01 AM, 2395 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _reMembers_@www.simpleholidayrecipes.com.xpi"="8/30/2018 8:56 AM, 66911 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "blalapdaiabdaclcbmjnlonbocmjllbc"="REG_SZ", "45ADB13A1CE95EE39B497B65F0AAD2C6B800F0261C1DC858B98ACB8737149DF6" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/simpleholidayrecipes/ttab02/index.html?n=n1&p2={p2}5ETTAB02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\SimpleHolidayRecipesTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "SimpleHolidayRecipes Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\SimpleHolidayRecipesTooltab\TooltabExtension.dll" U uninstall:SimpleHolidayRecipes" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\SimpleHolidayRecipes] "Start Page"="REG_SZ", "http://hp.myway.com/simpleholidayrecipes/ttab02/index.html?n=n1&p2={p22}TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3D{ptb}%26ptb%3D{p22}TTAB02" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/30/18 Scan Time: 9:09 AM Log File: 9317e6bf-ac23-11e8-b61b-00ffdcc6fdfc.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.391 Update Package Version: 1.0.6563 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 252412 Threats Detected: 63 Threats Quarantined: 63 Time Elapsed: 3 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\SimpleHolidayRecipesTooltab\TooltabExtension.dll, Quarantined, [1695], [356944],1.0.6563 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SimpleHolidayRecipesTooltab Uninstall Internet Explorer, Quarantined, [1695], [356944],1.0.6563 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\SimpleHolidayRecipes, Quarantined, [1695], [444113],1.0.6563 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SimpleHolidayRecipesTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [546], [352442],1.0.6563 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\SimpleHolidayRecipes|START PAGE, Quarantined, [1695], [444113],1.0.6563 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [546], [293497],1.0.6563 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\SimpleHolidayRecipesTooltab, Quarantined, [1695], [356944],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_reMembers_@www.simpleholidayrecipes.com, Quarantined, [1695], [468075],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\_metadata, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\config, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLALAPDAIABDACLCBMJNLONBOCMJLLBC, Quarantined, [1695], [467555],1.0.6563 File: 48 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_reMembers_@www.simpleholidayrecipes.com.xpi, Quarantined, [1695], [457930],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\SimpleHolidayRecipesTooltab\TooltabExtension.dll, Quarantined, [1695], [356944],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_reMembers_@www.simpleholidayrecipes.com\storage.js, Quarantined, [1695], [468075],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\000003.log, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\CURRENT, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\LOCK, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\LOG, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\LOG.old, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blalapdaiabdaclcbmjnlonbocmjllbc\MANIFEST-000001, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BLALAPDAIABDACLCBMJNLONBOCMJLLBC\13.781.13.59100_0\MANIFEST.JSON, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\config\config.json, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons\icon128.png, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons\icon16.png, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons\icon19disabled.png, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons\icon19on.png, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\icons\icon48.png, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\pageUtils.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\ajax.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\background.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\browserUtils.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\chrome.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\content_script.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\dlp.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\dlpHelper.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\extension_detect.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\genericLoadRemoteSettings.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\index.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\initOfferCEF.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\logger.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\offerService.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\PartnerId.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\product.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\splashPageRedirectHandler.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\storage.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\TabManager.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\TemplateParser.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\ul.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\urlFragmentActions.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\urlUtils.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\util.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\webtooltabAPI.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\js\webTooltabAPIProxy.js, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\_metadata\computed_hashes.json, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\_metadata\verified_contents.json, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\blalapdaiabdaclcbmjnlonbocmjllbc\13.781.13.59100_0\newtabproduct.html, Quarantined, [1695], [467555],1.0.6563 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\SIMPLEHOLIDAYRECIPES.EXE, Quarantined, [546], [365288],1.0.6563 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. What is MapsGalaxy?The Malwarebytes research team has determined that MapsGalaxy is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.MapsGalaxy is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by MapsGalaxy?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did MapsGalaxy get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove MapsGalaxy?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MapsGalaxy? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the MapsGalaxy entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MapsGalaxy hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/mapsgalaxy/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Homepage: moz-extension://a7a4f4e0-d8bc-4b9b-b0ba-1639bf175198/dynamicHomePage.html FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_39Members_@www.mapsgalaxy.com.xpi [2018-08-07] CHR Extension: (MapsGalaxy) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm [2018-08-07] C:\Users\{username}\AppData\Local\MapsGalaxyTooltab MapsGalaxy Internet Explorer Homepage and New Tab (HKCU\...\MapsGalaxyTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0 Adds the file manifest.json"="8/7/2018 10:47 AM, 2458 bytes, A Adds the file newtabproduct.html"="6/7/2018 10:22 AM, 1136 bytes, A Adds the file stubby.html"="6/7/2018 10:22 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\_metadata Adds the file computed_hashes.json"="8/7/2018 10:47 AM, 4096 bytes, A Adds the file verified_contents.json"="6/7/2018 10:22 AM, 4879 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\config Adds the file config.json"="6/7/2018 10:22 AM, 1733 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons Adds the file icon128.png"="8/7/2018 10:47 AM, 21746 bytes, A Adds the file icon16.png"="6/7/2018 10:22 AM, 1315 bytes, A Adds the file icon19disabled.png"="6/7/2018 10:22 AM, 1388 bytes, A Adds the file icon19on.png"="8/7/2018 10:47 AM, 961 bytes, A Adds the file icon48.png"="8/7/2018 10:47 AM, 5280 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js Adds the file ajax.js"="6/7/2018 10:22 AM, 2250 bytes, A Adds the file background.js"="6/7/2018 10:22 AM, 21002 bytes, A Adds the file chrome.js"="6/7/2018 10:22 AM, 180 bytes, A Adds the file content_script.js"="6/7/2018 10:22 AM, 5815 bytes, A Adds the file dlp.js"="6/7/2018 10:22 AM, 5690 bytes, A Adds the file dlpHelper.js"="6/7/2018 10:22 AM, 1836 bytes, A Adds the file extension_detect.js"="6/7/2018 10:22 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="6/7/2018 10:22 AM, 2908 bytes, A Adds the file index.js"="6/7/2018 10:22 AM, 82 bytes, A Adds the file initOfferCEF.js"="6/7/2018 10:22 AM, 8842 bytes, A Adds the file logger.js"="6/7/2018 10:22 AM, 575 bytes, A Adds the file offerService.js"="6/7/2018 10:22 AM, 13159 bytes, A Adds the file pageUtils.js"="6/7/2018 10:22 AM, 1811 bytes, A Adds the file PartnerId.js"="6/7/2018 10:22 AM, 16439 bytes, A Adds the file product.js"="6/7/2018 10:22 AM, 4511 bytes, A Adds the file storage.js"="6/7/2018 10:22 AM, 1675 bytes, A Adds the file TabManager.js"="6/7/2018 10:22 AM, 189 bytes, A Adds the file TemplateParser.js"="6/7/2018 10:22 AM, 3080 bytes, A Adds the file ul.js"="6/7/2018 10:22 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="6/7/2018 10:22 AM, 2521 bytes, A Adds the file urlUtils.js"="6/7/2018 10:22 AM, 5385 bytes, A Adds the file util.js"="6/7/2018 10:22 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="6/7/2018 10:22 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm Adds the file 000003.log"="8/7/2018 10:51 AM, 5065 bytes, A Adds the file CURRENT"="8/7/2018 10:47 AM, 16 bytes, A Adds the file LOCK"="8/7/2018 10:47 AM, 0 bytes, A Adds the file LOG"="8/7/2018 10:51 AM, 412 bytes, A Adds the file LOG.old"="8/7/2018 10:47 AM, 185 bytes, A Adds the file MANIFEST-000001"="8/7/2018 10:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MapsGalaxyTooltab Adds the file TooltabExtension.dll"="5/18/2018 2:48 AM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_39Members_@www.mapsgalaxy.com Adds the file storage.js"="8/7/2018 10:51 AM, 2465 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _39Members_@www.mapsgalaxy.com.xpi"="8/7/2018 10:46 AM, 76061 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cpjbkhbhimkbbekiaelopeddeheljabm"="REG_SZ", "1B5E475DC1D93D437EF5C57355445F2BAC569314B2518A5E2DD35F096B2D9275" [HKEY_CURRENT_USER\Software\MapsGalaxy] "Start Page"="REG_SZ", "http://hp.myway.com/mapsgalaxy/ttab02/index.html?n={n}&p2={ptb1}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=https%3A%2F%2Fwww.research.net%2Fr%2FZC5XFLJ%3Fc%3D{ptb}%26ptb%3D{ptb1}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/mapsgalaxy/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MapsGalaxyTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "MapsGalaxy Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MapsGalaxyTooltab\TooltabExtension.dll" U uninstall:MapsGalaxy" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/7/18 Scan Time: 10:57 AM Log File: e1ed92d7-9a1f-11e8-ae50-00ffdcc6fdfc.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.391 Update Package Version: 1.0.6235 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 252250 Threats Detected: 62 Threats Quarantined: 62 Time Elapsed: 3 min, 32 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MapsGalaxyTooltab\TooltabExtension.dll, Quarantined, [1688], [356944],1.0.6235 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MapsGalaxyTooltab Uninstall Internet Explorer, Quarantined, [1688], [356944],1.0.6235 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MapsGalaxy, Quarantined, [1688], [444113],1.0.6235 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MapsGalaxyTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [541], [352442],1.0.6235 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MapsGalaxy|START PAGE, Quarantined, [1688], [444113],1.0.6235 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [541], [293497],1.0.6235 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MapsGalaxyTooltab, Quarantined, [1688], [356944],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_39Members_@www.mapsgalaxy.com, Quarantined, [1688], [468075],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\_metadata, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\config, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPJBKHBHIMKBBEKIAELOPEDDEHELJABM\13.651.13.21587_0, Quarantined, [1688], [456842],1.0.6235 File: 47 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MapsGalaxyTooltab\TooltabExtension.dll, Quarantined, [1688], [356944],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_39Members_@www.mapsgalaxy.com.xpi, Quarantined, [1688], [457930],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_39Members_@www.mapsgalaxy.com\storage.js, Quarantined, [1688], [468075],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\000003.log, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\CURRENT, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\LOCK, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\LOG, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\LOG.old, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpjbkhbhimkbbekiaelopeddeheljabm\MANIFEST-000001, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CPJBKHBHIMKBBEKIAELOPEDDEHELJABM\13.651.13.21587_0\CONFIG\CONFIG.JSON, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons\icon128.png, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons\icon16.png, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons\icon19disabled.png, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons\icon19on.png, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\icons\icon48.png, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\ajax.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\background.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\chrome.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\content_script.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\dlp.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\dlpHelper.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\extension_detect.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\genericLoadRemoteSettings.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\index.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\initOfferCEF.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\logger.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\offerService.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\pageUtils.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\PartnerId.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\product.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\storage.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\TabManager.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\TemplateParser.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\ul.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\urlFragmentActions.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\urlUtils.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\util.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\js\webtooltabAPI.js, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\_metadata\computed_hashes.json, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\_metadata\verified_contents.json, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\manifest.json, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\newtabproduct.html, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cpjbkhbhimkbbekiaelopeddeheljabm\13.651.13.21587_0\stubby.html, Quarantined, [1688], [456842],1.0.6235 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MAPSGALAXY.EXE, Quarantined, [541], [365288],1.0.6235 PUP.Optional.MindSpark, C:\DOWNLOADS\MAPSGALAXY.EXE, Quarantined, [541], [365288],1.0.6235 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is ReadingFanatic?The Malwarebytes research team has determined that ReadingFanatic is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.ReadingFanatic is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by ReadingFanatic?You may see these browser extensions/add-ons:these warnings during install:and these changed settings:and this new homepage in the affected browsers:How did ReadingFanatic get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove ReadingFanatic?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of ReadingFanatic? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the ReadingFanatic entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the ReadingFanatic hijacker. It would have blocked traffic to their domains: Technical details for expertsPossible signs in a FRST log: FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_6xMembers_@www.readingfanatic.com.xpi [2018-06-28] CHR Extension: (ReadingFanatic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf [2018-06-28] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0 Adds the file manifest.json"="6/28/2018 8:44 AM, 2569 bytes, A Adds the file newtabproduct.html"="4/7/2018 3:31 AM, 1136 bytes, A Adds the file stubby.html"="4/7/2018 3:31 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\_metadata Adds the file computed_hashes.json"="6/28/2018 8:44 AM, 4096 bytes, A Adds the file verified_contents.json"="4/7/2018 3:31 AM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\config Adds the file config.json"="4/7/2018 3:31 AM, 1754 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons Adds the file icon128.png"="6/28/2018 8:44 AM, 6810 bytes, A Adds the file icon16.png"="4/7/2018 3:31 AM, 1424 bytes, A Adds the file icon19disabled.png"="4/7/2018 3:31 AM, 1388 bytes, A Adds the file icon19on.png"="6/28/2018 8:44 AM, 622 bytes, A Adds the file icon48.png"="6/28/2018 8:44 AM, 2259 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js Adds the file ajax.js"="4/7/2018 3:31 AM, 2250 bytes, A Adds the file background.js"="4/7/2018 3:31 AM, 21002 bytes, A Adds the file chrome.js"="4/7/2018 3:31 AM, 180 bytes, A Adds the file content_script.js"="4/7/2018 3:31 AM, 5815 bytes, A Adds the file dlp.js"="4/7/2018 3:31 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/7/2018 3:31 AM, 1836 bytes, A Adds the file extension_detect.js"="4/7/2018 3:31 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/7/2018 3:31 AM, 2908 bytes, A Adds the file index.js"="4/7/2018 3:31 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/7/2018 3:31 AM, 8842 bytes, A Adds the file logger.js"="4/7/2018 3:31 AM, 575 bytes, A Adds the file offerService.js"="4/7/2018 3:31 AM, 13159 bytes, A Adds the file pageUtils.js"="4/7/2018 3:31 AM, 1811 bytes, A Adds the file PartnerId.js"="4/7/2018 3:31 AM, 16439 bytes, A Adds the file product.js"="4/7/2018 3:31 AM, 4511 bytes, A Adds the file storage.js"="4/7/2018 3:31 AM, 1675 bytes, A Adds the file TabManager.js"="4/7/2018 3:31 AM, 189 bytes, A Adds the file TemplateParser.js"="4/7/2018 3:31 AM, 3080 bytes, A Adds the file ul.js"="4/7/2018 3:31 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/7/2018 3:31 AM, 2521 bytes, A Adds the file urlUtils.js"="4/7/2018 3:31 AM, 5385 bytes, A Adds the file util.js"="4/7/2018 3:31 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/7/2018 3:31 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf Adds the file 000003.log"="6/28/2018 8:51 AM, 4803 bytes, A Adds the file CURRENT"="6/28/2018 8:44 AM, 16 bytes, A Adds the file LOCK"="6/28/2018 8:44 AM, 0 bytes, A Adds the file LOG"="6/28/2018 8:50 AM, 412 bytes, A Adds the file LOG.old"="6/28/2018 8:44 AM, 185 bytes, A Adds the file MANIFEST-000001"="6/28/2018 8:44 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_6xMembers_@www.readingfanatic.com Adds the file storage.js"="6/28/2018 8:48 AM, 2351 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _6xMembers_@www.readingfanatic.com.xpi"="6/28/2018 8:48 AM, 58383 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bmmbajpcfedaechekcachdldkdfaalbf"="REG_SZ", "B549BAA9009D3E7111F3FBB1FB6E471F5A91115689FDC3D9C60436FA632E4DA1" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/28/18 Scan Time: 8:55 AM Log File: 30240402-7aa0-11e8-b1b2-080027235d76.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.365 Update Package Version: 1.0.5663 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 251542 Threats Detected: 52 Threats Quarantined: 52 Time Elapsed: 4 min, 30 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\_metadata, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\config, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\BMMBAJPCFEDAECHEKCACHDLDKDFAALBF, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_6xMembers_@www.readingfanatic.com, Quarantined, [1680], [468075],1.0.5663 File: 44 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_6xMembers_@www.readingfanatic.com.xpi, Quarantined, [1680], [457930],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\000003.log, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\CURRENT, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\LOCK, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\LOG, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\LOG.old, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmmbajpcfedaechekcachdldkdfaalbf\MANIFEST-000001, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\config\config.json, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons\icon128.png, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons\icon16.png, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons\icon19disabled.png, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons\icon19on.png, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\icons\icon48.png, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\ajax.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\background.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\chrome.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\content_script.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\dlp.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\dlpHelper.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\extension_detect.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\genericLoadRemoteSettings.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\index.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\initOfferCEF.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\logger.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\offerService.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\pageUtils.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\PartnerId.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\product.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\storage.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\TabManager.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\TemplateParser.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\ul.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\urlFragmentActions.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\urlUtils.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\util.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\js\webtooltabAPI.js, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\_metadata\computed_hashes.json, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\_metadata\verified_contents.json, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\manifest.json, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\newtabproduct.html, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmbajpcfedaechekcachdldkdfaalbf\13.611.13.3362_0\stubby.html, Quarantined, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [533], [383822],1.0.5663 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [533], [383822],1.0.5663 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_6xMembers_@www.readingfanatic.com\storage.js, Quarantined, [1680], [468075],1.0.5663 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is Screen Watch?The Malwarebytes research team has determined that Screen Watch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Screen Watch is a member of the Mindspark/Ask family now known as APN applications.How do I know if my computer is affected by Screen Watch?You may see this Chrome browser extension:these warnings during install:this icon in the Chrome menu-bar:and this newtab-page in the affected browsers:How did Screen Watch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove Screen Watch?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Screen Watch? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Screen Watch entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Screen Watch hijacker, by blocking traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: CHR Extension: (Screen Watch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep [2018-06-20] Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0 Adds the file dynamicNewTab.html"="4/10/2018 9:22 AM, 1136 bytes, A Adds the file manifest.json"="6/20/2018 8:43 AM, 2535 bytes, A Adds the file productnewtab.html"="4/10/2018 9:22 AM, 1136 bytes, A Adds the file stubby.html"="4/10/2018 9:22 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\_metadata Adds the file computed_hashes.json"="6/20/2018 8:43 AM, 4670 bytes, A Adds the file verified_contents.json"="4/10/2018 9:22 AM, 5391 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\config Adds the file config.json"="4/10/2018 9:22 AM, 1950 bytes, A Adds the file extension-config.json"="4/10/2018 9:22 AM, 1114 bytes, A Adds the file extension-dev-config.json"="4/10/2018 9:22 AM, 1236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons Adds the file icon128.png"="6/20/2018 8:43 AM, 1568 bytes, A Adds the file icon16.png"="4/10/2018 9:22 AM, 165 bytes, A Adds the file icon19disabled.png"="4/10/2018 9:22 AM, 152 bytes, A Adds the file icon19on.png"="6/20/2018 8:43 AM, 286 bytes, A Adds the file icon48.png"="6/20/2018 8:43 AM, 689 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js Adds the file ajax.js"="4/10/2018 9:22 AM, 2250 bytes, A Adds the file b2b-partner-tracking.js"="4/10/2018 9:22 AM, 11023 bytes, A Adds the file background.js"="4/10/2018 9:22 AM, 21158 bytes, A Adds the file chrome.js"="4/10/2018 9:22 AM, 180 bytes, A Adds the file content_script.js"="4/10/2018 9:22 AM, 5815 bytes, A Adds the file dlp.js"="4/10/2018 9:22 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/10/2018 9:22 AM, 1836 bytes, A Adds the file extension_detect.js"="4/10/2018 9:22 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/10/2018 9:22 AM, 2908 bytes, A Adds the file index.js"="4/10/2018 9:22 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/10/2018 9:22 AM, 8991 bytes, A Adds the file logger.js"="4/10/2018 9:22 AM, 575 bytes, A Adds the file offerService.js"="4/10/2018 9:22 AM, 13159 bytes, A Adds the file pageUtils.js"="4/10/2018 9:22 AM, 1811 bytes, A Adds the file PartnerId.js"="4/10/2018 9:22 AM, 16439 bytes, A Adds the file product.js"="4/10/2018 9:22 AM, 4511 bytes, A Adds the file storage.js"="4/10/2018 9:22 AM, 1675 bytes, A Adds the file TabManager.js"="4/10/2018 9:22 AM, 189 bytes, A Adds the file TemplateParser.js"="4/10/2018 9:22 AM, 3080 bytes, A Adds the file ul.js"="4/10/2018 9:22 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/10/2018 9:22 AM, 2521 bytes, A Adds the file urlUtils.js"="4/10/2018 9:22 AM, 5385 bytes, A Adds the file util.js"="4/10/2018 9:22 AM, 4027 bytes, A Adds the file webtooltabAPI.js"="4/10/2018 9:22 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep Adds the file 000003.log"="6/20/2018 8:43 AM, 0 bytes, A Adds the file CURRENT"="6/20/2018 8:43 AM, 16 bytes, A Adds the file LOCK"="6/20/2018 8:43 AM, 0 bytes, A Adds the file LOG"="6/20/2018 8:43 AM, 0 bytes, A Adds the file MANIFEST-000001"="6/20/2018 8:43 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bkmjlcbkppjpiianckgofgolfojkdeep"="REG_SZ", "831597C8713E92ECCA4C09E2F5E0F2139F33637C234A47CB97F7BA7A4F2E007C" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/20/18 Scan Time: 8:54 AM Log File: d80905a0-7456-11e8-b181-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5550 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238612 Threats Detected: 52 Threats Quarantined: 52 Time Elapsed: 2 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 7 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\_metadata, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\config, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKMJLCBKPPJPIIANCKGOFGOLFOJKDEEP, Quarantined, [1683], [467555],1.0.5550 File: 45 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep\000003.log, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep\CURRENT, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep\LOCK, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep\LOG, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bkmjlcbkppjpiianckgofgolfojkdeep\MANIFEST-000001, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BKMJLCBKPPJPIIANCKGOFGOLFOJKDEEP\13.421.12.64284_0\MANIFEST.JSON, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\config\config.json, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\config\extension-config.json, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\config\extension-dev-config.json, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons\icon128.png, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons\icon16.png, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons\icon19disabled.png, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons\icon19on.png, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\icons\icon48.png, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\logger.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\ajax.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\b2b-partner-tracking.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\background.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\chrome.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\content_script.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\dlp.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\dlpHelper.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\extension_detect.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\genericLoadRemoteSettings.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\index.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\initOfferCEF.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\offerService.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\pageUtils.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\PartnerId.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\product.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\storage.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\TabManager.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\TemplateParser.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\ul.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\urlFragmentActions.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\urlUtils.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\util.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\js\webtooltabAPI.js, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\_metadata\computed_hashes.json, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\_metadata\verified_contents.json, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\dynamicNewTab.html, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\productnewtab.html, Quarantined, [1683], [467555],1.0.5550 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkmjlcbkppjpiianckgofgolfojkdeep\13.421.12.64284_0\stubby.html, Quarantined, [1683], [467555],1.0.5550 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is FilmFanatic?The Malwarebytes research team has determined that FilmFanatic is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.FilmFanatic is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by FilmFanatic?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did FilmFanatic get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove FilmFanatic?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of FilmFanatic? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the FilmFanatic entry and confirm Removein the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the FilmFanatic hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_paMembers_@www.filmfanatic.com.xpi [2018-06-08] CHR Extension: (FilmFanatic) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim [2018-06-08] C:\Users\{username}\AppData\Local\FilmFanaticTooltab FilmFanatic Internet Explorer Homepage and New Tab (HKCU\...\FilmFanaticTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FilmFanaticTooltab Adds the file TooltabExtension.dll"="5/18/2018 1:07 AM, 273008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0 Adds the file manifest.json"="6/8/2018 1:06 PM, 2577 bytes, A Adds the file newtabproduct.html"="4/7/2018 1:22 AM, 1136 bytes, A Adds the file stubby.html"="4/7/2018 1:22 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata Adds the file computed_hashes.json"="6/8/2018 1:06 PM, 4096 bytes, A Adds the file verified_contents.json"="4/7/2018 1:22 AM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config Adds the file config.json"="4/7/2018 1:22 AM, 1725 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons Adds the file icon128.png"="6/8/2018 1:06 PM, 8895 bytes, A Adds the file icon16.png"="4/7/2018 1:22 AM, 1476 bytes, A Adds the file icon19disabled.png"="4/7/2018 1:22 AM, 1256 bytes, A Adds the file icon19on.png"="6/8/2018 1:06 PM, 484 bytes, A Adds the file icon48.png"="6/8/2018 1:06 PM, 2461 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js Adds the file ajax.js"="4/7/2018 1:22 AM, 2250 bytes, A Adds the file background.js"="4/7/2018 1:22 AM, 21002 bytes, A Adds the file chrome.js"="4/7/2018 1:22 AM, 180 bytes, A Adds the file content_script.js"="4/7/2018 1:22 AM, 5815 bytes, A Adds the file dlp.js"="4/7/2018 1:22 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/7/2018 1:22 AM, 1836 bytes, A Adds the file extension_detect.js"="4/7/2018 1:22 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/7/2018 1:22 AM, 2908 bytes, A Adds the file index.js"="4/7/2018 1:22 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/7/2018 1:22 AM, 8842 bytes, A Adds the file logger.js"="4/7/2018 1:22 AM, 575 bytes, A Adds the file offerService.js"="4/7/2018 1:22 AM, 13159 bytes, A Adds the file pageUtils.js"="4/7/2018 1:22 AM, 1811 bytes, A Adds the file PartnerId.js"="4/7/2018 1:22 AM, 16439 bytes, A Adds the file product.js"="4/7/2018 1:22 AM, 4511 bytes, A Adds the file storage.js"="4/7/2018 1:22 AM, 1675 bytes, A Adds the file TabManager.js"="4/7/2018 1:22 AM, 189 bytes, A Adds the file TemplateParser.js"="4/7/2018 1:22 AM, 3080 bytes, A Adds the file ul.js"="4/7/2018 1:22 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/7/2018 1:22 AM, 2521 bytes, A Adds the file urlUtils.js"="4/7/2018 1:22 AM, 5385 bytes, A Adds the file util.js"="4/7/2018 1:22 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/7/2018 1:22 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim Adds the file 000003.log"="6/8/2018 1:13 PM, 4769 bytes, A Adds the file CURRENT"="6/8/2018 1:06 PM, 16 bytes, A Adds the file LOCK"="6/8/2018 1:06 PM, 0 bytes, A Adds the file LOG"="6/8/2018 1:12 PM, 412 bytes, A Adds the file LOG.old"="6/8/2018 1:06 PM, 185 bytes, A Adds the file MANIFEST-000001"="6/8/2018 1:06 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_paMembers_@www.filmfanatic.com Adds the file storage.js"="6/8/2018 1:12 PM, 2307 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _paMembers_@www.filmfanatic.com.xpi"="6/8/2018 1:07 PM, 53941 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FilmFanatic] "Start Page"="REG_SZ", "http://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2=^Z1^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3DTTAB02" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "igceeampmlmiikgbceecfkfdeeeehoim"="REG_SZ", "7CCD9F2E28F5A28FE8A816170FFAB5BA2E1BC0872CA9CC9C02A26E589A47DF78" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/filmfanatic/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FilmFanaticTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FilmFanatic Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FilmFanaticTooltab\TooltabExtension.dll" U uninstall:FilmFanatic" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/8/18 Scan Time: 1:21 PM Log File: 0e298a8a-6b0e-11e8-9338-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5402 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238776 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 2 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab\TooltabExtension.dll, Quarantined, [1683], [356944],1.0.5402 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FilmFanaticTooltab Uninstall Internet Explorer, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark, HKCU\SOFTWARE\FilmFanatic, Quarantined, [532], [240576],1.0.5402 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\FilmFanatic|START PAGE, Quarantined, [1683], [444113],1.0.5402 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FilmFanaticTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [532], [352442],1.0.5402 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [532], [293497],1.0.5402 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_paMembers_@www.filmfanatic.com, Quarantined, [1683], [468075],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGCEEAMPMLMIIKGBCEECFKFDEEEEHOIM, Quarantined, [1683], [467555],1.0.5402 File: 46 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FilmFanaticTooltab\TooltabExtension.dll, Quarantined, [1683], [356944],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_paMembers_@www.filmfanatic.com.xpi, Quarantined, [1683], [457930],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_paMembers_@www.filmfanatic.com\storage.js, Quarantined, [1683], [468075],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\000003.log, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\CURRENT, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOCK, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOG, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\LOG.old, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igceeampmlmiikgbceecfkfdeeeehoim\MANIFEST-000001, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IGCEEAMPMLMIIKGBCEECFKFDEEEEHOIM\13.611.13.2756_0\MANIFEST.JSON, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\config\config.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon128.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon16.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon19disabled.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon19on.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\icons\icon48.png, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\ajax.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\background.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\chrome.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\content_script.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\dlp.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\dlpHelper.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\extension_detect.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\genericLoadRemoteSettings.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\index.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\initOfferCEF.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\logger.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\offerService.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\pageUtils.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\PartnerId.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\product.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\storage.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\TabManager.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\TemplateParser.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\ul.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\urlFragmentActions.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\urlUtils.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\util.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\js\webtooltabAPI.js, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata\computed_hashes.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\_metadata\verified_contents.json, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\newtabproduct.html, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\igceeampmlmiikgbceecfkfdeeeehoim\13.611.13.2756_0\stubby.html, Quarantined, [1683], [467555],1.0.5402 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FILMFANATIC.EXE, Quarantined, [532], [365288],1.0.5402 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. What is CryptoPriceResearch?The Malwarebytes research team has determined that CryptoPriceResearch is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.CryptoPriceResearch is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by CryptoPriceResearch?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did CryptoPriceResearch get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove CryptoPriceResearch?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of CryptoPriceResearch? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the CryptoPriceResearch entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the CryptoPriceResearch hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_qlMembers_@free.cryptopricesearch.com.xpi [2018-06-04] CHR Extension: (CryptoPriceSearch) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph [2018-06-04] C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\cryptopricesearch.exe CryptoPriceSearch Internet Explorer Homepage and New Tab (HKCU\...\CryptoPriceSearchTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab Adds the file TooltabExtension.dll"="4/13/2018 11:03 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0 Adds the file manifest.json"="6/4/2018 8:42 AM, 2607 bytes, A Adds the file newtabproduct.html"="4/7/2018 1:10 AM, 1136 bytes, A Adds the file stubby.html"="4/7/2018 1:10 AM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata Adds the file computed_hashes.json"="6/4/2018 8:42 AM, 4096 bytes, A Adds the file verified_contents.json"="4/7/2018 1:10 AM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config Adds the file config.json"="4/7/2018 1:10 AM, 1782 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons Adds the file icon128.png"="6/4/2018 8:42 AM, 16333 bytes, A Adds the file icon16.png"="4/7/2018 1:10 AM, 1640 bytes, A Adds the file icon19disabled.png"="4/7/2018 1:10 AM, 1787 bytes, A Adds the file icon19on.png"="6/4/2018 8:42 AM, 974 bytes, A Adds the file icon48.png"="6/4/2018 8:42 AM, 4230 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js Adds the file ajax.js"="4/7/2018 1:10 AM, 2250 bytes, A Adds the file background.js"="4/7/2018 1:10 AM, 21002 bytes, A Adds the file chrome.js"="4/7/2018 1:10 AM, 180 bytes, A Adds the file content_script.js"="4/7/2018 1:10 AM, 5815 bytes, A Adds the file dlp.js"="4/7/2018 1:10 AM, 5690 bytes, A Adds the file dlpHelper.js"="4/7/2018 1:10 AM, 1836 bytes, A Adds the file extension_detect.js"="4/7/2018 1:10 AM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/7/2018 1:10 AM, 2908 bytes, A Adds the file index.js"="4/7/2018 1:10 AM, 82 bytes, A Adds the file initOfferCEF.js"="4/7/2018 1:10 AM, 8842 bytes, A Adds the file logger.js"="4/7/2018 1:10 AM, 575 bytes, A Adds the file offerService.js"="4/7/2018 1:10 AM, 13159 bytes, A Adds the file pageUtils.js"="4/7/2018 1:10 AM, 1811 bytes, A Adds the file PartnerId.js"="4/7/2018 1:10 AM, 16439 bytes, A Adds the file product.js"="4/7/2018 1:10 AM, 4511 bytes, A Adds the file storage.js"="4/7/2018 1:10 AM, 1675 bytes, A Adds the file TabManager.js"="4/7/2018 1:10 AM, 189 bytes, A Adds the file TemplateParser.js"="4/7/2018 1:10 AM, 3080 bytes, A Adds the file ul.js"="4/7/2018 1:10 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/7/2018 1:10 AM, 2521 bytes, A Adds the file urlUtils.js"="4/7/2018 1:10 AM, 5385 bytes, A Adds the file util.js"="4/7/2018 1:10 AM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/7/2018 1:10 AM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qlMembers_@free.cryptopricesearch.com Adds the file storage.js"="6/4/2018 8:43 AM, 2460 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _qlMembers_@free.cryptopricesearch.com.xpi"="6/4/2018 8:39 AM, 64468 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\CryptoPriceSearch] "Start Page"="REG_SZ", "http://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2=^CXO^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3DTTAB02" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kjpnaeadmoccngapfbecpnllbcefklph"="REG_SZ", "A6C07D2817C6DAD3F28F7194DB912BDDBB0DFACE13E515F1CE5DE180AA5A385F" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/cryptopricesearch/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CryptoPriceSearchTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "CryptoPriceSearch Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\CryptoPriceSearchTooltab\TooltabExtension.dll" U uninstall:CryptoPriceSearch" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/4/18 Scan Time: 8:49 AM Log File: 7f4ef857-67c3-11e8-a7d3-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5350 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240986 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 3 min, 18 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1694], [356944],1.0.5350 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CryptoPriceSearchTooltab Uninstall Internet Explorer, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CryptoPriceSearch, Quarantined, [1694], [444113],1.0.5350 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CryptoPriceSearchTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [531], [352442],1.0.5350 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\CryptoPriceSearch|START PAGE, Quarantined, [1694], [444113],1.0.5350 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [531], [293497],1.0.5350 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_qlMembers_@free.cryptopricesearch.com, Quarantined, [1694], [468075],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPNAEADMOCCNGAPFBECPNLLBCEFKLPH, Quarantined, [1694], [456843],1.0.5350 File: 46 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\CryptoPriceSearchTooltab\TooltabExtension.dll, Quarantined, [1694], [356944],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_qlMembers_@free.cryptopricesearch.com.xpi, Quarantined, [1694], [457930],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qlMembers_@free.cryptopricesearch.com\storage.js, Quarantined, [1694], [468075],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\000003.log, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\CURRENT, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOCK, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOG, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\LOG.old, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjpnaeadmoccngapfbecpnllbcefklph\MANIFEST-000001, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KJPNAEADMOCCNGAPFBECPNLLBCEFKLPH\13.611.13.2691_0\MANIFEST.JSON, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\config\config.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon128.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon16.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon19disabled.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon19on.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\icons\icon48.png, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\ajax.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\background.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\chrome.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\content_script.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\dlp.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\dlpHelper.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\extension_detect.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\genericLoadRemoteSettings.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\index.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\initOfferCEF.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\logger.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\offerService.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\pageUtils.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\PartnerId.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\product.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\storage.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\TabManager.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\TemplateParser.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\ul.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\urlFragmentActions.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\urlUtils.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\util.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\js\webtooltabAPI.js, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata\computed_hashes.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\_metadata\verified_contents.json, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\newtabproduct.html, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjpnaeadmoccngapfbecpnllbcefklph\13.611.13.2691_0\stubby.html, Quarantined, [1694], [456843],1.0.5350 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\CRYPTOPRICESEARCH.EXE, Quarantined, [531], [365288],1.0.5350 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  14. What is OnTargetYoga?The Malwarebytes research team has determined that OnTargetYoga is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.OnTargetYoga is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by OnTargetYoga?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did OnTargetYoga get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove OnTargetYoga?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of OnTargetYoga? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the OnTargetYoga entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the OnTargetYoga hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/ontargetyoga/ttab02/index.html?n={n1}&p2={p21}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_qmMembers_@free.ontargetyoga.com.xpi [2018-05-28] CHR Extension: (OnTargetYoga) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm [2018-05-28] C:\Users\{username}\AppData\Local\OnTargetYogaTooltab OnTargetYoga Internet Explorer Homepage and New Tab (HKCU\...\OnTargetYogaTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0 Adds the file manifest.json"="5/28/2018 8:29 AM, 2487 bytes, A Adds the file newtabproduct.html"="4/9/2018 7:37 PM, 1136 bytes, A Adds the file stubby.html"="4/9/2018 7:37 PM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\_metadata Adds the file computed_hashes.json"="5/28/2018 8:29 AM, 4096 bytes, A Adds the file verified_contents.json"="4/9/2018 7:37 PM, 4877 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\config Adds the file config.json"="4/9/2018 7:37 PM, 1737 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons Adds the file icon128.png"="5/28/2018 8:29 AM, 10656 bytes, A Adds the file icon16.png"="4/9/2018 7:37 PM, 1638 bytes, A Adds the file icon19disabled.png"="4/9/2018 7:37 PM, 1800 bytes, A Adds the file icon19on.png"="5/28/2018 8:29 AM, 1109 bytes, A Adds the file icon48.png"="5/28/2018 8:29 AM, 3673 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js Adds the file ajax.js"="4/9/2018 7:37 PM, 2250 bytes, A Adds the file background.js"="4/9/2018 7:37 PM, 21002 bytes, A Adds the file chrome.js"="4/9/2018 7:37 PM, 180 bytes, A Adds the file content_script.js"="4/9/2018 7:37 PM, 5815 bytes, A Adds the file dlp.js"="4/9/2018 7:37 PM, 5690 bytes, A Adds the file dlpHelper.js"="4/9/2018 7:37 PM, 1836 bytes, A Adds the file extension_detect.js"="4/9/2018 7:37 PM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="4/9/2018 7:37 PM, 2908 bytes, A Adds the file index.js"="4/9/2018 7:37 PM, 82 bytes, A Adds the file initOfferCEF.js"="4/9/2018 7:37 PM, 8842 bytes, A Adds the file logger.js"="4/9/2018 7:37 PM, 575 bytes, A Adds the file offerService.js"="4/9/2018 7:37 PM, 13159 bytes, A Adds the file pageUtils.js"="4/9/2018 7:37 PM, 1811 bytes, A Adds the file PartnerId.js"="4/9/2018 7:37 PM, 16439 bytes, A Adds the file product.js"="4/9/2018 7:37 PM, 4511 bytes, A Adds the file storage.js"="4/9/2018 7:37 PM, 1675 bytes, A Adds the file TabManager.js"="4/9/2018 7:37 PM, 189 bytes, A Adds the file TemplateParser.js"="4/9/2018 7:37 PM, 3080 bytes, A Adds the file ul.js"="4/9/2018 7:37 PM, 3862 bytes, A Adds the file urlFragmentActions.js"="4/9/2018 7:37 PM, 2521 bytes, A Adds the file urlUtils.js"="4/9/2018 7:37 PM, 5385 bytes, A Adds the file util.js"="4/9/2018 7:37 PM, 3235 bytes, A Adds the file webtooltabAPI.js"="4/9/2018 7:37 PM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm Adds the file 000003.log"="5/28/2018 8:33 AM, 4739 bytes, A Adds the file CURRENT"="5/28/2018 8:29 AM, 16 bytes, A Adds the file LOCK"="5/28/2018 8:29 AM, 0 bytes, A Adds the file LOG"="5/28/2018 8:31 AM, 412 bytes, A Adds the file LOG.old"="5/28/2018 8:29 AM, 185 bytes, A Adds the file MANIFEST-000001"="5/28/2018 8:29 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\OnTargetYogaTooltab Adds the file TooltabExtension.dll"="2/13/2018 9:14 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qmMembers_@free.ontargetyoga.com Adds the file storage.js"="5/28/2018 8:31 AM, 2292 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _qmMembers_@free.ontargetyoga.com.xpi"="5/28/2018 8:27 AM, 57135 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "bmjgcbjkkidfnefbipkbgjmddcfllbkm"="REG_SZ", "55A8F01FBA885177A06A93A93A9BC71F366F1211205979D9820FD2FCEFB64499" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/ontargetyoga/ttab02/index.html?n={n1}&p2={p21}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\OnTargetYogaTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "OnTargetYoga Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\OnTargetYogaTooltab\TooltabExtension.dll" U uninstall:OnTargetYoga" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\OnTargetYoga] "Start Page"="REG_SZ", "http://hp.myway.com/ontargetyoga/ttab02/index.html?n={n1}&p2=^CXY^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2F%3Fc%3D{ptb}%26ptb%3D" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/28/18 Scan Time: 8:37 AM Log File: a56b8c49-6241-11e8-ac9a-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5274 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 240474 Threats Detected: 61 Threats Quarantined: 61 Time Elapsed: 3 min, 58 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\OnTargetYogaTooltab\TooltabExtension.dll, Quarantined, [1687], [356944],1.0.5274 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\OnTargetYogaTooltab Uninstall Internet Explorer, Quarantined, [1687], [356944],1.0.5274 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\OnTargetYoga, Quarantined, [1687], [444113],1.0.5274 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\OnTargetYogaTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [526], [352442],1.0.5274 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\OnTargetYoga|START PAGE, Quarantined, [1687], [444113],1.0.5274 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [526], [293497],1.0.5274 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\OnTargetYogaTooltab, Quarantined, [1687], [356944],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_qmMembers_@free.ontargetyoga.com, Quarantined, [1687], [468075],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\_metadata, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\config, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BMJGCBJKKIDFNEFBIPKBGJMDDCFLLBKM, Quarantined, [1687], [456843],1.0.5274 File: 46 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\OnTargetYogaTooltab\TooltabExtension.dll, Quarantined, [1687], [356944],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_qmMembers_@free.ontargetyoga.com.xpi, Quarantined, [1687], [457930],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_qmMembers_@free.ontargetyoga.com\storage.js, Quarantined, [1687], [468075],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\000003.log, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\CURRENT, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\LOCK, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\LOG, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\LOG.old, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmjgcbjkkidfnefbipkbgjmddcfllbkm\MANIFEST-000001, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BMJGCBJKKIDFNEFBIPKBGJMDDCFLLBKM\13.611.13.4339_0\MANIFEST.JSON, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\config\config.json, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons\icon128.png, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons\icon16.png, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons\icon19disabled.png, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons\icon19on.png, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\icons\icon48.png, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\ajax.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\background.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\chrome.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\content_script.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\dlp.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\dlpHelper.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\extension_detect.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\genericLoadRemoteSettings.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\index.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\initOfferCEF.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\logger.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\offerService.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\pageUtils.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\PartnerId.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\product.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\storage.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\TabManager.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\TemplateParser.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\ul.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\urlFragmentActions.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\urlUtils.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\util.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\js\webtooltabAPI.js, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\_metadata\computed_hashes.json, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\_metadata\verified_contents.json, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\newtabproduct.html, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmjgcbjkkidfnefbipkbgjmddcfllbkm\13.611.13.4339_0\stubby.html, Quarantined, [1687], [456843],1.0.5274 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\ONTARGETYOGA.EXE, Quarantined, [526], [365288],1.0.5274 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is MyVideoTab?The Malwarebytes research team has determined that MyVideoTab is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.MyVideoTab is a member of the APN family also known as Mindspark/IAC Applications.How do I know if my computer is affected by MyVideoTab?You may see this Chrome extension:these warnings during install:and this newtab page in the affected browser:How did MyVideoTab get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.but it is also available in the webstore:How do I remove MyVideoTab?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MyVideoTab? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the MyVideoTab entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MyVideoTab hijacker. It would have blocked the website before install: Technical details for expertsPossible signs in a FRST log: CHR Extension: (MyVideoTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj [2018-03-16] Changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0 Adds the file dynamicNewTab.html"="11/9/2017 9:29 PM, 932 bytes, A Adds the file manifest.json"="3/16/2018 8:15 AM, 2531 bytes, A Adds the file product.html"="11/9/2017 9:29 PM, 932 bytes, A Adds the file stubby.html"="11/9/2017 9:29 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\_metadata Adds the file computed_hashes.json"="3/16/2018 8:15 AM, 3881 bytes, A Adds the file verified_contents.json"="11/15/2017 11:26 AM, 4749 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\config Adds the file config.json"="11/15/2017 11:26 AM, 1806 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons Adds the file icon128.png"="3/16/2018 8:15 AM, 5435 bytes, A Adds the file icon16.png"="11/9/2017 9:29 PM, 555 bytes, A Adds the file icon19disabled.png"="11/9/2017 9:29 PM, 426 bytes, A Adds the file icon19on.png"="3/16/2018 8:15 AM, 796 bytes, A Adds the file icon48.png"="3/16/2018 8:15 AM, 2222 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js Adds the file ajax.js"="11/9/2017 9:29 PM, 2250 bytes, A Adds the file b2b-partner-tracking.js"="11/15/2017 11:26 AM, 11050 bytes, A Adds the file background.js"="11/15/2017 11:26 AM, 19852 bytes, A Adds the file chrome.js"="11/9/2017 9:29 PM, 180 bytes, A Adds the file content_script.js"="11/9/2017 9:29 PM, 5917 bytes, A Adds the file dlp.js"="11/9/2017 9:29 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/9/2017 9:29 PM, 1836 bytes, A Adds the file extension_detect.js"="11/9/2017 9:29 PM, 4343 bytes, A Adds the file index.js"="11/9/2017 9:29 PM, 82 bytes, A Adds the file logger.js"="11/9/2017 9:29 PM, 575 bytes, A Adds the file pageUtils.js"="11/9/2017 9:29 PM, 2241 bytes, A Adds the file product.js"="11/9/2017 9:29 PM, 4434 bytes, A Adds the file storage.js"="11/9/2017 9:29 PM, 1675 bytes, A Adds the file TabManager.js"="11/9/2017 9:29 PM, 189 bytes, A Adds the file TemplateParser.js"="11/9/2017 9:29 PM, 3080 bytes, A Adds the file ul.js"="11/15/2017 11:26 AM, 3862 bytes, A Adds the file urlFragmentActions.js"="11/9/2017 9:29 PM, 2521 bytes, A Adds the file urlUtils.js"="11/9/2017 9:29 PM, 5385 bytes, A Adds the file util.js"="11/15/2017 11:26 AM, 4877 bytes, A Adds the file webtooltabAPI.js"="11/9/2017 9:29 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\libs Adds the file PartnerId.js"="11/9/2017 9:29 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj Adds the file 000003.log"="3/16/2018 8:15 AM, 5280 bytes, A Adds the file CURRENT"="3/16/2018 8:15 AM, 16 bytes, A Adds the file LOCK"="3/16/2018 8:15 AM, 0 bytes, A Adds the file LOG"="3/16/2018 8:15 AM, 185 bytes, A Adds the file MANIFEST-000001"="3/16/2018 8:15 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "efmhmejgapadjdcoobekoelcifiedidj"="REG_SZ", "8774AB42B6265362F3CA5930A1FC56B6DD17B7C59CA86E6A3B4BD79790A25E6E" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/16/18 Scan Time: 8:26 AM Log File: 5a07bf41-28eb-11e8-a022-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4378 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243759 Threats Detected: 49 Threats Quarantined: 49 Time Elapsed: 2 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 8 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\_metadata, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\config, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\libs, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EFMHMEJGAPADJDCOOBEKOELCIFIEDIDJ, Quarantined, [1404], [467555],1.0.4378 File: 41 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\000003.log, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\CURRENT, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\LOCK, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\LOG, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\LOG.old, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efmhmejgapadjdcoobekoelcifiedidj\MANIFEST-000001, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EFMHMEJGAPADJDCOOBEKOELCIFIEDIDJ\13.321.12.20379_0\MANIFEST.JSON, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\config\config.json, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons\icon128.png, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons\icon16.png, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons\icon19disabled.png, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons\icon19on.png, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\icons\icon48.png, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\ajax.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\b2b-partner-tracking.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\background.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\chrome.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\content_script.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\dlp.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\dlpHelper.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\extension_detect.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\index.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\logger.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\pageUtils.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\product.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\storage.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\TabManager.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\TemplateParser.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\ul.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\urlFragmentActions.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\urlUtils.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\util.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\js\webtooltabAPI.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\libs\PartnerId.js, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\_metadata\computed_hashes.json, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\_metadata\verified_contents.json, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\dynamicNewTab.html, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\product.html, Quarantined, [1404], [467555],1.0.4378 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\efmhmejgapadjdcoobekoelcifiedidj\13.321.12.20379_0\stubby.html, Quarantined, [1404], [467555],1.0.4378 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is MyTransitGuide?The Malwarebytes research team has determined that MyTransitGuide is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.MyTransitGuide is a member of the Mindspark/Ask family now known as IAC Applications.How do I know if my computer is affected by MyTransitGuide?You may see these browser extensions/add-ons:these warnings during install:You may see this entry in your list of installed software:and this new homepage in the affected browsers:How did MyTransitGuide get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.How do I remove MyTransitGuide?Our program Malwarebytes can detect and remove this potentially unwanted program.You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MyTransitGuide? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the MyTransitGuide entry and confirm Removein the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the MyTransitGuide hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/mytransitguide/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_b7Members_@free.mytransitguide.com.xpi [2018-03-06] CHR Extension: (MyTransitGuide) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng [2018-03-06] C:\Users\{username}\AppData\Local\MyTransitGuideTooltab MyTransitGuide Internet Explorer Homepage and New Tab (HKCU\...\MyTransitGuideTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0 Adds the file dynamicNewTab.html"="2/12/2018 12:03 PM, 1136 bytes, A Adds the file manifest.json"="3/6/2018 8:19 AM, 2512 bytes, A Adds the file productnewtab.html"="2/12/2018 12:03 PM, 1136 bytes, A Adds the file stubby.html"="2/12/2018 12:03 PM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\_metadata Adds the file computed_hashes.json"="3/6/2018 8:19 AM, 4456 bytes, A Adds the file verified_contents.json"="2/12/2018 12:03 PM, 5263 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\config Adds the file config.json"="2/12/2018 12:03 PM, 1751 bytes, A Adds the file extension-config.json"="2/12/2018 12:03 PM, 1114 bytes, A Adds the file extension-dev-config.json"="2/12/2018 12:03 PM, 1236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons Adds the file icon128.png"="3/6/2018 8:19 AM, 6197 bytes, A Adds the file icon16.png"="2/12/2018 12:03 PM, 2070 bytes, A Adds the file icon19disabled.png"="2/12/2018 12:03 PM, 1650 bytes, A Adds the file icon19on.png"="3/6/2018 8:19 AM, 828 bytes, A Adds the file icon48.png"="3/6/2018 8:19 AM, 2333 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js Adds the file ajax.js"="2/12/2018 12:03 PM, 2250 bytes, A Adds the file background.js"="2/12/2018 12:03 PM, 21002 bytes, A Adds the file chrome.js"="2/12/2018 12:03 PM, 180 bytes, A Adds the file content_script.js"="2/12/2018 12:03 PM, 5815 bytes, A Adds the file dlp.js"="2/12/2018 12:03 PM, 5690 bytes, A Adds the file dlpHelper.js"="2/12/2018 12:03 PM, 1836 bytes, A Adds the file extension_detect.js"="2/12/2018 12:03 PM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="2/12/2018 12:03 PM, 2908 bytes, A Adds the file index.js"="2/12/2018 12:03 PM, 82 bytes, A Adds the file initOfferCEF.js"="2/12/2018 12:03 PM, 8991 bytes, A Adds the file logger.js"="2/12/2018 12:03 PM, 575 bytes, A Adds the file offerService.js"="2/12/2018 12:03 PM, 13159 bytes, A Adds the file pageUtils.js"="2/12/2018 12:03 PM, 1811 bytes, A Adds the file PartnerId.js"="2/12/2018 12:03 PM, 16439 bytes, A Adds the file product.js"="2/12/2018 12:03 PM, 4511 bytes, A Adds the file storage.js"="2/12/2018 12:03 PM, 1675 bytes, A Adds the file TabManager.js"="2/12/2018 12:03 PM, 189 bytes, A Adds the file TemplateParser.js"="2/12/2018 12:03 PM, 3080 bytes, A Adds the file ul.js"="2/12/2018 12:03 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="2/12/2018 12:03 PM, 2521 bytes, A Adds the file urlUtils.js"="2/12/2018 12:03 PM, 5385 bytes, A Adds the file util.js"="2/12/2018 12:03 PM, 3235 bytes, A Adds the file webtooltabAPI.js"="2/12/2018 12:03 PM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng Adds the file 000003.log"="3/6/2018 8:19 AM, 4950 bytes, A Adds the file CURRENT"="3/6/2018 8:19 AM, 16 bytes, A Adds the file LOCK"="3/6/2018 8:19 AM, 0 bytes, A Adds the file LOG"="3/6/2018 8:19 AM, 185 bytes, A Adds the file MANIFEST-000001"="3/6/2018 8:19 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyTransitGuideTooltab Adds the file TooltabExtension.dll"="8/4/2017 8:02 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_b7Members_@free.mytransitguide.com Adds the file storage.js"="3/6/2018 8:17 AM, 2363 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _b7Members_@free.mytransitguide.com.xpi"="3/6/2018 8:17 AM, 50368 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "npmoikddpdgbhgbkjgjemncoegpojpng"="REG_SZ", "1A4EE8ECBA5AA52B11151C3D49FB117591FCD9F176641FC885CD28C952F932DB" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/mytransitguide/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&si={si}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyTransitGuideTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "MyTransitGuide Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MyTransitGuideTooltab\TooltabExtension.dll" U uninstall:MyTransitGuide" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\MyTransitGuide] "Start Page"="REG_SZ", "http://hp.myway.com/mytransitguide/ttab02/index.html?n={n}&p2=^BNH^xpu261^TTAB02^nl&ptb={ptb}&si={si}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2Fc%3D{ptb}%26ptb%3&quot; The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/6/18 Scan Time: 8:27 AM Log File: ca45a29d-210f-11e8-bfe8-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4220 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244029 Threats Detected: 63 Threats Quarantined: 63 Time Elapsed: 2 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyTransitGuideTooltab\TooltabExtension.dll, Quarantined, [1401], [356944],1.0.4220 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyTransitGuideTooltab Uninstall Internet Explorer, Quarantined, [1401], [356944],1.0.4220 PUP.Optional.MindSpark, HKCU\SOFTWARE\MYTRANSITGUIDE, Quarantined, [236], [334021],1.0.4220 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MYTRANSITGUIDE|START PAGE, Quarantined, [236], [334021],1.0.4220 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyTransitGuideTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [236], [352442],1.0.4220 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [236], [293497],1.0.4220 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyTransitGuideTooltab, Quarantined, [1401], [356944],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\_metadata, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\config, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL EXTENSION SETTINGS\NPMOIKDDPDGBHGBKJGJEMNCOEGPOJPNG, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_b7Members_@free.mytransitguide.com, Quarantined, [1401], [468075],1.0.4220 File: 48 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyTransitGuideTooltab\TooltabExtension.dll, Quarantined, [1401], [356944],1.0.4220 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_b7Members_@free.mytransitguide.com.xpi, Quarantined, [1401], [457930],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng\000003.log, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng\CURRENT, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng\LOCK, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng\LOG, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\npmoikddpdgbhgbkjgjemncoegpojpng\MANIFEST-000001, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\config\config.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\config\extension-config.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\config\extension-dev-config.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons\icon128.png, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons\icon16.png, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons\icon19disabled.png, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons\icon19on.png, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\icons\icon48.png, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\ajax.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\background.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\chrome.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\content_script.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\dlp.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\dlpHelper.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\extension_detect.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\genericLoadRemoteSettings.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\index.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\initOfferCEF.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\logger.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\offerService.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\pageUtils.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\PartnerId.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\product.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\storage.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\TabManager.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\TemplateParser.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\ul.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\urlFragmentActions.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\urlUtils.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\util.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\js\webtooltabAPI.js, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\_metadata\computed_hashes.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\_metadata\verified_contents.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\dynamicNewTab.html, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\manifest.json, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\productnewtab.html, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\npmoikddpdgbhgbkjgjemncoegpojpng\13.421.12.41196_0\stubby.html, Quarantined, [236], [389263],1.0.4220 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_b7Members_@free.mytransitguide.com\storage.js, Quarantined, [1401], [468075],1.0.4220 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MYTRANSITGUIDE.{coid}.EXE, Quarantined, [236], [365288],1.0.4220 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is EasyPDFCombine? The Malwarebytes research team has determined that EasyPDFCombine is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. EasyPDFCombine is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by EasyPDFCombine? You may see these browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did EasyPDFCombine get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove EasyPDFCombine? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of EasyPDFCombine? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the EasyPDFCombine entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the EasyPDFCombine hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/easypdfcombine/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_ceMembers_@free.easypdfcombine.com.xpi [2018-01-30] CHR Extension: (EasyPDFCombine) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon [2018-01-30] C:\Users\{username}\AppData\Local\EasyPDFCombineTooltab EasyPDFCombine Internet Explorer Homepage and New Tab (HKCU\...\EasyPDFCombineTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\EasyPDFCombineTooltab Adds the file TooltabExtension.dll"="8/4/2017 4:22 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0 Adds the file dynamicNewTab.html"="1/11/2018 3:35 PM, 1136 bytes, A Adds the file manifest.json"="1/30/2018 9:18 AM, 2537 bytes, A Adds the file product.html"="1/11/2018 3:35 PM, 1136 bytes, A Adds the file stubby.html"="1/11/2018 3:35 PM, 1137 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\_metadata Adds the file computed_hashes.json"="1/30/2018 9:18 AM, 4450 bytes, A Adds the file verified_contents.json"="1/11/2018 3:35 PM, 5255 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\config Adds the file config.json"="1/11/2018 3:35 PM, 1751 bytes, A Adds the file extension-config.json"="1/11/2018 3:35 PM, 1114 bytes, A Adds the file extension-dev-config.json"="1/11/2018 3:35 PM, 1236 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons Adds the file icon128.png"="1/30/2018 9:18 AM, 7550 bytes, A Adds the file icon16.png"="1/11/2018 3:35 PM, 1998 bytes, A Adds the file icon19disabled.png"="1/11/2018 3:35 PM, 1703 bytes, A Adds the file icon19on.png"="1/30/2018 9:18 AM, 872 bytes, A Adds the file icon48.png"="1/30/2018 9:18 AM, 2648 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js Adds the file ajax.js"="1/11/2018 3:35 PM, 2250 bytes, A Adds the file background.js"="1/11/2018 3:35 PM, 21002 bytes, A Adds the file chrome.js"="1/11/2018 3:35 PM, 180 bytes, A Adds the file content_script.js"="1/11/2018 3:35 PM, 5815 bytes, A Adds the file dlp.js"="1/11/2018 3:35 PM, 5690 bytes, A Adds the file dlpHelper.js"="1/11/2018 3:35 PM, 1836 bytes, A Adds the file extension_detect.js"="1/11/2018 3:35 PM, 4343 bytes, A Adds the file genericLoadRemoteSettings.js"="1/11/2018 3:35 PM, 2908 bytes, A Adds the file index.js"="1/11/2018 3:35 PM, 82 bytes, A Adds the file initOfferCEF.js"="1/11/2018 3:35 PM, 8991 bytes, A Adds the file logger.js"="1/11/2018 3:35 PM, 575 bytes, A Adds the file offerService.js"="1/11/2018 3:35 PM, 13159 bytes, A Adds the file pageUtils.js"="1/11/2018 3:35 PM, 1811 bytes, A Adds the file PartnerId.js"="1/11/2018 3:35 PM, 16439 bytes, A Adds the file product.js"="1/11/2018 3:35 PM, 4511 bytes, A Adds the file storage.js"="1/11/2018 3:35 PM, 1675 bytes, A Adds the file TabManager.js"="1/11/2018 3:35 PM, 189 bytes, A Adds the file TemplateParser.js"="1/11/2018 3:35 PM, 3080 bytes, A Adds the file ul.js"="1/11/2018 3:35 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="1/11/2018 3:35 PM, 2521 bytes, A Adds the file urlUtils.js"="1/11/2018 3:35 PM, 5385 bytes, A Adds the file util.js"="1/11/2018 3:35 PM, 3235 bytes, A Adds the file webtooltabAPI.js"="1/11/2018 3:35 PM, 8762 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon Adds the file 000003.log"="1/30/2018 9:18 AM, 4990 bytes, A Adds the file CURRENT"="1/30/2018 9:18 AM, 16 bytes, A Adds the file LOCK"="1/30/2018 9:18 AM, 0 bytes, A Adds the file LOG"="1/30/2018 9:18 AM, 185 bytes, A Adds the file MANIFEST-000001"="1/30/2018 9:18 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_ceMembers_@free.easypdfcombine.com Adds the file storage.js"="1/30/2018 9:16 AM, 2566 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _ceMembers_@free.easypdfcombine.com.xpi"="1/30/2018 9:16 AM, 58540 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\EasyPDFCombine] "Start Page"="REG_SZ", "http://hp.myway.com/easypdfcombine/ttab02/index.html?n={n}&p2=^BSB^mni000^TTAB02&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fncbkmmlcehhipmmofdhejcggdapcmon"="REG_SZ", "4080A565A8ED84AD9269FA1FB34AE312042E0359CB6EA6994AC2E5EE4DE939A8" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/easypdfcombine/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDFCombineTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "EasyPDFCombine Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\EasyPDFCombineTooltab\TooltabExtension.dll" U uninstall:EasyPDFCombine" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/30/18 Scan Time: 9:26 AM Log File: 39976200-0597-11e8-9439-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3818 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243186 Threats Detected: 63 Threats Quarantined: 63 Time Elapsed: 1 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EasyPDFCombineTooltab\TooltabExtension.dll, Quarantined, [1384], [356944],1.0.3818 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EasyPDFCombineTooltab Uninstall Internet Explorer, Quarantined, [1384], [356944],1.0.3818 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\EasyPDFCombine, Quarantined, [1384], [444113],1.0.3818 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EasyPDFCombineTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [229], [352442],1.0.3818 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\EasyPDFCombine|START PAGE, Quarantined, [1384], [444113],1.0.3818 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [229], [293497],1.0.3818 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EasyPDFCombineTooltab, Quarantined, [1384], [356944],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_ceMembers_@free.easypdfcombine.com, Quarantined, [1384], [468075],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\_metadata, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\config, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FNCBKMMLCEHHIPMMOFDHEJCGGDAPCMON, Quarantined, [1384], [456843],1.0.3818 File: 48 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EasyPDFCombineTooltab\TooltabExtension.dll, Quarantined, [1384], [356944],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_ceMembers_@free.easypdfcombine.com.xpi, Quarantined, [1384], [457930],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_ceMembers_@free.easypdfcombine.com\storage.js, Quarantined, [1384], [468075],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon\000003.log, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon\CURRENT, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon\LOCK, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon\LOG, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fncbkmmlcehhipmmofdhejcggdapcmon\MANIFEST-000001, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FNCBKMMLCEHHIPMMOFDHEJCGGDAPCMON\13.401.12.30859_0\MANIFEST.JSON, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\config\config.json, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\config\extension-config.json, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\config\extension-dev-config.json, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons\icon128.png, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons\icon16.png, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons\icon19disabled.png, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons\icon19on.png, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\icons\icon48.png, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\ajax.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\background.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\chrome.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\content_script.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\dlp.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\dlpHelper.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\extension_detect.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\genericLoadRemoteSettings.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\index.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\initOfferCEF.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\logger.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\offerService.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\pageUtils.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\PartnerId.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\product.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\storage.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\TabManager.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\TemplateParser.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\ul.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\urlFragmentActions.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\urlUtils.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\util.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\js\webtooltabAPI.js, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\_metadata\computed_hashes.json, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\_metadata\verified_contents.json, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\dynamicNewTab.html, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\product.html, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fncbkmmlcehhipmmofdhejcggdapcmon\13.401.12.30859_0\stubby.html, Quarantined, [1384], [456843],1.0.3818 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\EASYPDFCOMBINE.EXE, Quarantined, [229], [365288],1.0.3818 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is MyMapsExpress? The Malwarebytes research team has determined that MyMapsExpress is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. MyMapsExpress is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by MyMapsExpress? You may see these browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did MyMapsExpress get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove MyMapsExpress? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of MyMapsExpress? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the MyMapsExpress entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the MyMapsExpress hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/mymapsexpress/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_k8Members_@www.mymapsexpress.com.xpi [2018-01-16] C:\Users\{username}\AppData\Local\MyMapsExpressTooltab MyMapsExpress Internet Explorer Homepage and New Tab (HKCU\...\MyMapsExpressTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Most signifiant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0 Adds the file dynamicNewTab.html"="11/9/2017 3:49 PM, 932 bytes, A Adds the file manifest.json"="1/16/2018 9:34 AM, 2482 bytes, A Adds the file product.html"="11/9/2017 3:49 PM, 932 bytes, A Adds the file stubby.html"="11/9/2017 3:49 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\_metadata Adds the file computed_hashes.json"="1/16/2018 9:34 AM, 3620 bytes, A Adds the file verified_contents.json"="11/9/2017 3:49 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\config Adds the file config.json"="11/9/2017 3:49 PM, 1530 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons Adds the file icon128.png"="1/16/2018 9:34 AM, 5516 bytes, A Adds the file icon16.png"="11/9/2017 3:49 PM, 894 bytes, A Adds the file icon19disabled.png"="11/9/2017 3:49 PM, 789 bytes, A Adds the file icon19on.png"="1/16/2018 9:34 AM, 561 bytes, A Adds the file icon48.png"="1/16/2018 9:34 AM, 1800 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js Adds the file ajax.js"="11/9/2017 3:49 PM, 2250 bytes, A Adds the file background.js"="11/9/2017 3:49 PM, 19608 bytes, A Adds the file chrome.js"="11/9/2017 3:49 PM, 180 bytes, A Adds the file content_script.js"="11/9/2017 3:49 PM, 5917 bytes, A Adds the file dlp.js"="11/9/2017 3:49 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/9/2017 3:49 PM, 1836 bytes, A Adds the file extension_detect.js"="11/9/2017 3:49 PM, 4343 bytes, A Adds the file index.js"="11/9/2017 3:49 PM, 82 bytes, A Adds the file logger.js"="11/9/2017 3:49 PM, 575 bytes, A Adds the file pageUtils.js"="11/9/2017 3:49 PM, 2241 bytes, A Adds the file product.js"="11/9/2017 3:49 PM, 4434 bytes, A Adds the file storage.js"="11/9/2017 3:49 PM, 1675 bytes, A Adds the file TabManager.js"="11/9/2017 3:49 PM, 189 bytes, A Adds the file TemplateParser.js"="11/9/2017 3:49 PM, 3080 bytes, A Adds the file ul.js"="11/9/2017 3:49 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/9/2017 3:49 PM, 2521 bytes, A Adds the file urlUtils.js"="11/9/2017 3:49 PM, 5385 bytes, A Adds the file util.js"="11/9/2017 3:49 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/9/2017 3:49 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\libs Adds the file PartnerId.js"="11/9/2017 3:49 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd Adds the file 000003.log"="1/16/2018 9:34 AM, 4609 bytes, A Adds the file CURRENT"="1/16/2018 9:34 AM, 16 bytes, A Adds the file LOCK"="1/16/2018 9:34 AM, 0 bytes, A Adds the file LOG"="1/16/2018 9:36 AM, 412 bytes, A Adds the file LOG.old"="1/16/2018 9:36 AM, 412 bytes, A Adds the file MANIFEST-000001"="1/16/2018 9:34 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\MyMapsExpressTooltab Adds the file TooltabExtension.dll"="8/3/2017 11:30 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_k8Members_@www.mymapsexpress.com Adds the file storage.js"="1/16/2018 9:39 AM, 2279 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _k8Members_@www.mymapsexpress.com.xpi"="1/16/2018 9:37 AM, 46915 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "plljhbdegkhnpjnjbhodbjgdmdnnlbcd"="REG_SZ", "76ED3C314B2D2494829B8E65EA4D0CB1006D4A244382816508D0164ED5CDD80E" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/mymapsexpress/ttab02/index.html?n={n1}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyMapsExpressTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "MyMapsExpress Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\MyMapsExpressTooltab\TooltabExtension.dll" U uninstall:MyMapsExpress" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\MyMapsExpress] "Start Page"="REG_SZ", "http://hp.myway.com/mymapsexpress/ttab02/index.html?n={n1}&p2={p1}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F{n}%3Fc%3D{ptb}%26ptb%3D{ptb1}" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/16/18 Scan Time: 9:44 AM Log File: 7f68a311-fa99-11e7-b830-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3704 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 241129 Threats Detected: 60 Threats Quarantined: 60 Time Elapsed: 6 min, 47 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyMapsExpressTooltab\TooltabExtension.dll, Quarantined, [1369], [356944],1.0.3704 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyMapsExpressTooltab Uninstall Internet Explorer, Quarantined, [1369], [356944],1.0.3704 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MyMapsExpress, Quarantined, [1369], [444113],1.0.3704 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MyMapsExpressTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [228], [352442],1.0.3704 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MyMapsExpress|START PAGE, Quarantined, [1369], [444113],1.0.3704 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [228], [293497],1.0.3704 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyMapsExpressTooltab, Quarantined, [1369], [356944],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_k8Members_@www.mymapsexpress.com, Quarantined, [1369], [468075],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\_metadata, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\config, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\libs, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLLJHBDEGKHNPJNJBHODBJGDMDNNLBCD, Quarantined, [1369], [467555],1.0.3704 File: 44 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\MyMapsExpressTooltab\TooltabExtension.dll, Quarantined, [1369], [356944],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_k8Members_@www.mymapsexpress.com\storage.js, Quarantined, [1369], [468075],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_k8Members_@www.mymapsexpress.com.xpi, Quarantined, [1369], [457930],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\000003.log, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\CURRENT, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\LOCK, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\LOG, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\LOG.old, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\MANIFEST-000001, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLLJHBDEGKHNPJNJBHODBJGDMDNNLBCD\13.321.12.18585_0\MANIFEST.JSON, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\config\config.json, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons\icon128.png, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons\icon16.png, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons\icon19disabled.png, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons\icon19on.png, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\icons\icon48.png, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\ajax.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\background.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\chrome.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\content_script.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\dlp.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\dlpHelper.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\extension_detect.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\index.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\logger.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\pageUtils.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\product.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\storage.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\TabManager.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\TemplateParser.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\ul.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\urlFragmentActions.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\urlUtils.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\util.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\js\webtooltabAPI.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\libs\PartnerId.js, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\_metadata\computed_hashes.json, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\_metadata\verified_contents.json, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\dynamicNewTab.html, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\product.html, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plljhbdegkhnpjnjbhodbjgdmdnnlbcd\13.321.12.18585_0\stubby.html, Quarantined, [1369], [467555],1.0.3704 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\MYMAPSEXPRESS.EXE, Quarantined, [228], [365288],1.0.3704 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is DictionaryBoss? The Malwarebytes research team has determined that DictionaryBoss is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. DictionaryBoss is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by DictionaryBoss? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did DictionaryBoss get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove DictionaryBoss? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of DictionaryBoss? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the DictionaryBoss entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the DictionaryBoss hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/dictionaryboss/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile},default\Extensions\_v4Members_@www.dictionaryboss.com.xpi [2018-01-08] CHR Extension: (DictionaryBoss) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm [2018-01-08] C:\Users\{username}\AppData\Local\DictionaryBossTooltab DictionaryBoss Internet Explorer Homepage and New Tab (HKCU\...\DictionaryBossTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\DictionaryBossTooltab Adds the file TooltabExtension.dll"="8/2/2017 11:29 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0 Adds the file dynamicNewTab.html"="11/9/2017 12:33 PM, 932 bytes, A Adds the file manifest.json"="1/8/2018 8:43 AM, 2450 bytes, A Adds the file product.html"="11/9/2017 12:33 PM, 932 bytes, A Adds the file stubby.html"="11/9/2017 12:33 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\_metadata Adds the file computed_hashes.json"="1/8/2018 8:43 AM, 3620 bytes, A Adds the file verified_contents.json"="11/9/2017 12:33 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\config Adds the file config.json"="11/9/2017 12:33 PM, 1527 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons Adds the file icon128.png"="1/8/2018 8:43 AM, 12634 bytes, A Adds the file icon16.png"="11/9/2017 12:33 PM, 1763 bytes, A Adds the file icon19disabled.png"="11/9/2017 12:33 PM, 1711 bytes, A Adds the file icon19on.png"="1/8/2018 8:43 AM, 971 bytes, A Adds the file icon48.png"="1/8/2018 8:43 AM, 3614 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js Adds the file ajax.js"="11/9/2017 12:33 PM, 2250 bytes, A Adds the file background.js"="11/9/2017 12:33 PM, 19608 bytes, A Adds the file chrome.js"="11/9/2017 12:33 PM, 180 bytes, A Adds the file content_script.js"="11/9/2017 12:33 PM, 5917 bytes, A Adds the file dlp.js"="11/9/2017 12:33 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/9/2017 12:33 PM, 1836 bytes, A Adds the file extension_detect.js"="11/9/2017 12:33 PM, 4343 bytes, A Adds the file index.js"="11/9/2017 12:33 PM, 82 bytes, A Adds the file logger.js"="11/9/2017 12:33 PM, 575 bytes, A Adds the file pageUtils.js"="11/9/2017 12:33 PM, 2241 bytes, A Adds the file product.js"="11/9/2017 12:33 PM, 4434 bytes, A Adds the file storage.js"="11/9/2017 12:33 PM, 1675 bytes, A Adds the file TabManager.js"="11/9/2017 12:33 PM, 189 bytes, A Adds the file TemplateParser.js"="11/9/2017 12:33 PM, 3080 bytes, A Adds the file ul.js"="11/9/2017 12:33 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/9/2017 12:33 PM, 2521 bytes, A Adds the file urlUtils.js"="11/9/2017 12:33 PM, 5385 bytes, A Adds the file util.js"="11/9/2017 12:33 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/9/2017 12:33 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\libs Adds the file PartnerId.js"="11/9/2017 12:33 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm Adds the file 000003.log"="1/8/2018 8:43 AM, 4689 bytes, A Adds the file CURRENT"="1/8/2018 8:43 AM, 16 bytes, A Adds the file LOCK"="1/8/2018 8:43 AM, 0 bytes, A Adds the file LOG"="1/8/2018 8:44 AM, 412 bytes, A Adds the file LOG.old"="1/8/2018 8:43 AM, 185 bytes, A Adds the file MANIFEST-000001"="1/8/2018 8:43 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile},default\browser-extension-data\_v4Members_@www.dictionaryboss.com Adds the file storage.js"="1/8/2018 8:42 AM, 2312 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile},default\extensions Adds the file _v4Members_@www.dictionaryboss.com.xpi"="1/8/2018 8:41 AM, 57880 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\DictionaryBoss] "Start Page"="REG_SZ", "http://hp.myway.com/dictionaryboss/ttab02/index.html?n={n}&p2=^XQ^yyyyyy^TTAB02^nl&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3D" [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "epljggmdileomnkecfgpmcjodnikpdmm"="REG_SZ", "802A700678288DC11CA082CCEED8853DD8879094E88DE2AD305269174522C980" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/dictionaryboss/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\DictionaryBossTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "DictionaryBoss Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\DictionaryBossTooltab\TooltabExtension.dll" U uninstall:DictionaryBoss" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/8/18 Scan Time: 8:50 AM Log File: 8d5e5b1a-f448-11e7-85bd-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3646 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 246355 Threats Detected: 60 Threats Quarantined: 60 Time Elapsed: 5 min, 12 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\DictionaryBossTooltab\TooltabExtension.dll, Quarantined, [1408], [356944],1.0.3646 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DictionaryBossTooltab Uninstall Internet Explorer, Delete-on-Reboot, [1408], [356944],1.0.3646 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\DictionaryBoss, Delete-on-Reboot, [1408], [444113],1.0.3646 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\DictionaryBoss|START PAGE, Delete-on-Reboot, [1408], [444113],1.0.3646 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DictionaryBossTooltab Uninstall Internet Explorer|PUBLISHER, Delete-on-Reboot, [235], [352442],1.0.3646 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [235], [293497],1.0.3646 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\DictionaryBossTooltab, Delete-on-Reboot, [1408], [356944],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile},default\BROWSER-EXTENSION-DATA\_v4Members_@www.dictionaryboss.com, Delete-on-Reboot, [1408], [468075],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\_metadata, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\config, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\libs, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPLJGGMDILEOMNKECFGPMCJODNIKPDMM\13.321.12.17724_0, Delete-on-Reboot, [1408], [456842],1.0.3646 File: 44 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\DictionaryBossTooltab\TooltabExtension.dll, Delete-on-Reboot, [1408], [356944],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile},default\EXTENSIONS\_v4Members_@www.dictionaryboss.com.xpi, Delete-on-Reboot, [1408], [457930],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile},default\browser-extension-data\_v4Members_@www.dictionaryboss.com\storage.js, Delete-on-Reboot, [1408], [468075],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\000003.log, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\CURRENT, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\LOCK, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\LOG, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\LOG.old, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\epljggmdileomnkecfgpmcjodnikpdmm\MANIFEST-000001, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\EPLJGGMDILEOMNKECFGPMCJODNIKPDMM\13.321.12.17724_0\CONFIG\CONFIG.JSON, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons\icon128.png, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons\icon16.png, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons\icon19disabled.png, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons\icon19on.png, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\icons\icon48.png, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\ajax.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\background.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\chrome.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\content_script.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\dlp.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\dlpHelper.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\extension_detect.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\index.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\logger.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\pageUtils.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\product.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\storage.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\TabManager.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\TemplateParser.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\ul.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\urlFragmentActions.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\urlUtils.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\util.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\js\webtooltabAPI.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\libs\PartnerId.js, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\_metadata\verified_contents.json, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\dynamicNewTab.html, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\manifest.json, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\product.html, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\epljggmdileomnkecfgpmcjodnikpdmm\13.321.12.17724_0\stubby.html, Delete-on-Reboot, [1408], [456842],1.0.3646 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\DICTIONARYBOSS.{coid}.EXE, Delete-on-Reboot, [235], [365288],1.0.3646 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is YourTemplateFinder? The Malwarebytes research team has determined that YourTemplateFinder is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. YourTemplateFinder is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by YourTemplateFinder? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did YourTemplateFinder get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove YourTemplateFinder? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of YourTemplateFinder? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the YourTemplateFinder entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the YourTemplateFinder hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/yourtemplatefinder/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_brMembers_@free.yourtemplatefinder.com.xpi [2018-01-03] CHR Extension: (YourTemplateFinder ) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj [2018-01-03] C:\Users\{username}\AppData\Local\YourTemplateFinderTooltab YourTemplateFinder Internet Explorer Homepage and New Tab (HKCU\...\YourTemplateFinderTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0 Adds the file dynamicNewTab.html"="11/7/2017 1:41 PM, 932 bytes, A Adds the file manifest.json"="1/3/2018 12:52 PM, 2510 bytes, A Adds the file product.html"="11/7/2017 1:41 PM, 932 bytes, A Adds the file stubby.html"="11/7/2017 1:41 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\_metadata Adds the file computed_hashes.json"="1/3/2018 12:52 PM, 3620 bytes, A Adds the file verified_contents.json"="11/7/2017 1:41 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\config Adds the file config.json"="11/7/2017 1:41 PM, 1570 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons Adds the file icon128.png"="1/3/2018 12:52 PM, 16873 bytes, A Adds the file icon16.png"="11/7/2017 1:41 PM, 1525 bytes, A Adds the file icon19disabled.png"="11/7/2017 1:41 PM, 1662 bytes, A Adds the file icon19on.png"="1/3/2018 12:52 PM, 659 bytes, A Adds the file icon48.png"="1/3/2018 12:52 PM, 4505 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js Adds the file ajax.js"="11/7/2017 1:41 PM, 2250 bytes, A Adds the file background.js"="11/7/2017 1:41 PM, 19608 bytes, A Adds the file chrome.js"="11/7/2017 1:41 PM, 180 bytes, A Adds the file content_script.js"="11/7/2017 1:41 PM, 5917 bytes, A Adds the file dlp.js"="11/7/2017 1:41 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/7/2017 1:41 PM, 1836 bytes, A Adds the file extension_detect.js"="11/7/2017 1:41 PM, 4343 bytes, A Adds the file index.js"="11/7/2017 1:41 PM, 82 bytes, A Adds the file logger.js"="11/7/2017 1:41 PM, 575 bytes, A Adds the file pageUtils.js"="11/7/2017 1:41 PM, 2241 bytes, A Adds the file product.js"="11/7/2017 1:41 PM, 4434 bytes, A Adds the file storage.js"="11/7/2017 1:41 PM, 1675 bytes, A Adds the file TabManager.js"="11/7/2017 1:41 PM, 189 bytes, A Adds the file TemplateParser.js"="11/7/2017 1:41 PM, 3080 bytes, A Adds the file ul.js"="11/7/2017 1:41 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/7/2017 1:41 PM, 2521 bytes, A Adds the file urlUtils.js"="11/7/2017 1:41 PM, 5385 bytes, A Adds the file util.js"="11/7/2017 1:41 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/7/2017 1:41 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\libs Adds the file PartnerId.js"="11/7/2017 1:41 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj Adds the file 000003.log"="1/3/2018 12:52 PM, 5215 bytes, A Adds the file CURRENT"="1/3/2018 12:52 PM, 16 bytes, A Adds the file LOCK"="1/3/2018 12:52 PM, 0 bytes, A Adds the file LOG"="1/3/2018 12:52 PM, 185 bytes, A Adds the file MANIFEST-000001"="1/3/2018 12:52 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\YourTemplateFinderTooltab Adds the file TooltabExtension.dll"="8/4/2017 8:12 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_brMembers_@free.yourtemplatefinder.com Adds the file storage.js"="1/3/2018 12:49 PM, 2602 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _brMembers_@free.yourtemplatefinder.com.xpi"="1/3/2018 12:49 PM, 71681 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "jadhamcfimejpbemfkgoeijaimpciehj"="REG_SZ", "B61DA68C9B2E4EDD65F7C57024C4A6B888EA75857E09458A50792DB890ADC9FE" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/yourtemplatefinder/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YourTemplateFinderTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "YourTemplateFinder Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\YourTemplateFinderTooltab\TooltabExtension.dll" U uninstall:YourTemplateFinder" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\YourTemplateFinder] "Start Page"="REG_SZ", "http://hp.myway.com/yourtemplatefinder/ttab02/index.html?n={n}&p2=^BNF^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3D" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/3/18 Scan Time: 12:59 PM Log File: 9c5a339d-f07d-11e7-96c4-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3614 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245737 Threats Detected: 59 Threats Quarantined: 59 Time Elapsed: 2 min, 7 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\YourTemplateFinderTooltab\TooltabExtension.dll, Quarantined, [1409], [356944],1.0.3614 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YourTemplateFinderTooltab Uninstall Internet Explorer, Quarantined, [1409], [356944],1.0.3614 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\YourTemplateFinder, Quarantined, [1409], [444113],1.0.3614 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\YourTemplateFinder|START PAGE, Quarantined, [1409], [444113],1.0.3614 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YourTemplateFinderTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [236], [352442],1.0.3614 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [236], [293497],1.0.3614 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\YourTemplateFinderTooltab, Quarantined, [1409], [356944],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_brMembers_@free.yourtemplatefinder.com, Quarantined, [1409], [468075],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\_metadata, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\config, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\libs, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JADHAMCFIMEJPBEMFKGOEIJAIMPCIEHJ, Quarantined, [1409], [456843],1.0.3614 File: 43 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\YourTemplateFinderTooltab\TooltabExtension.dll, Quarantined, [1409], [356944],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_brMembers_@free.yourtemplatefinder.com.xpi, Quarantined, [1409], [457930],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_brMembers_@free.yourtemplatefinder.com\storage.js, Quarantined, [1409], [468075],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj\000003.log, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj\CURRENT, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj\LOCK, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj\LOG, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jadhamcfimejpbemfkgoeijaimpciehj\MANIFEST-000001, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JADHAMCFIMEJPBEMFKGOEIJAIMPCIEHJ\13.321.12.16597_0\MANIFEST.JSON, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\config\config.json, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons\icon128.png, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons\icon16.png, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons\icon19disabled.png, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons\icon19on.png, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\icons\icon48.png, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\ajax.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\background.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\chrome.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\content_script.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\dlp.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\dlpHelper.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\extension_detect.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\index.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\logger.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\pageUtils.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\product.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\storage.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\TabManager.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\TemplateParser.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\ul.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\urlFragmentActions.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\urlUtils.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\util.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\js\webtooltabAPI.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\libs\PartnerId.js, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\_metadata\computed_hashes.json, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\_metadata\verified_contents.json, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\dynamicNewTab.html, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\product.html, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jadhamcfimejpbemfkgoeijaimpciehj\13.321.12.16597_0\stubby.html, Quarantined, [1409], [456843],1.0.3614 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\YOURTEMPLATEFINDER.EXE, Quarantined, [236], [365288],1.0.3614 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is EverydayLookup? The Malwarebytes research team has determined that EverydayLookup is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. EverydayLookup is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by EverydayLookup? You may see these browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did EverydayLookup get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website after a redirect by an ad-rotator. How do I remove EverydayLookup? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of EverydayLookup? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the EverydayLookup entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the EverydayLookup hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/everydaylookup/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_d9Members_@www.everydaylookup.com.xpi [2017-12-27] CHR Extension: (EverydayLookup) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi [2017-12-27] C:\Users\{username}\AppData\Local\EverydayLookupTooltab EverydayLookup Internet Explorer Homepage and New Tab (HKCU\...\EverydayLookupTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\EverydayLookupTooltab Adds the file TooltabExtension.dll"="8/7/2017 4:57 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0 Adds the file dynamicNewTab.html"="11/10/2017 12:58 PM, 932 bytes, A Adds the file manifest.json"="12/27/2017 9:50 AM, 2438 bytes, A Adds the file product.html"="11/10/2017 12:58 PM, 932 bytes, A Adds the file stubby.html"="11/10/2017 12:58 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\_metadata Adds the file computed_hashes.json"="12/27/2017 9:50 AM, 3620 bytes, A Adds the file verified_contents.json"="11/10/2017 12:58 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\config Adds the file config.json"="11/10/2017 12:58 PM, 1532 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons Adds the file icon128.png"="12/27/2017 9:50 AM, 5638 bytes, A Adds the file icon16.png"="11/10/2017 12:58 PM, 2017 bytes, A Adds the file icon19disabled.png"="11/10/2017 12:58 PM, 1630 bytes, A Adds the file icon19on.png"="12/27/2017 9:50 AM, 678 bytes, A Adds the file icon48.png"="12/27/2017 9:50 AM, 2343 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js Adds the file ajax.js"="11/10/2017 12:58 PM, 2250 bytes, A Adds the file background.js"="11/10/2017 12:58 PM, 19608 bytes, A Adds the file chrome.js"="11/10/2017 12:58 PM, 180 bytes, A Adds the file content_script.js"="11/10/2017 12:58 PM, 5917 bytes, A Adds the file dlp.js"="11/10/2017 12:58 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/10/2017 12:58 PM, 1836 bytes, A Adds the file extension_detect.js"="11/10/2017 12:58 PM, 4343 bytes, A Adds the file index.js"="11/10/2017 12:58 PM, 82 bytes, A Adds the file logger.js"="11/10/2017 12:58 PM, 575 bytes, A Adds the file pageUtils.js"="11/10/2017 12:58 PM, 2241 bytes, A Adds the file product.js"="11/10/2017 12:58 PM, 4434 bytes, A Adds the file storage.js"="11/10/2017 12:58 PM, 1675 bytes, A Adds the file TabManager.js"="11/10/2017 12:58 PM, 189 bytes, A Adds the file TemplateParser.js"="11/10/2017 12:58 PM, 3080 bytes, A Adds the file ul.js"="11/10/2017 12:58 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/10/2017 12:58 PM, 2521 bytes, A Adds the file urlUtils.js"="11/10/2017 12:58 PM, 5385 bytes, A Adds the file util.js"="11/10/2017 12:58 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/10/2017 12:58 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\libs Adds the file PartnerId.js"="11/10/2017 12:58 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi Adds the file 000003.log"="12/27/2017 9:50 AM, 5031 bytes, A Adds the file CURRENT"="12/27/2017 9:50 AM, 16 bytes, A Adds the file LOCK"="12/27/2017 9:50 AM, 0 bytes, A Adds the file LOG"="12/27/2017 9:50 AM, 185 bytes, A Adds the file MANIFEST-000001"="12/27/2017 9:50 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_d9Members_@www.everydaylookup.com Adds the file storage.js"="12/27/2017 9:44 AM, 2454 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _d9Members_@www.everydaylookup.com.xpi"="12/27/2017 9:44 AM, 49673 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\EverydayLookup] "Start Page"="REG_SZ", "http://hp.myway.com/everydaylookup/ttab02/index.html?n={n}&p2=^BX1^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F%3Fc%3D{ptb}%26ptb%3DTTAB02" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/everydaylookup/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\EverydayLookupTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "EverydayLookup Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\EverydayLookupTooltab\TooltabExtension.dll" U uninstall:EverydayLookup" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/27/17 Scan Time: 9:59 AM Log File: 31d6402c-eae4-11e7-9aaa-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3566 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 245283 Threats Detected: 59 Threats Quarantined: 59 Time Elapsed: 1 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EverydayLookupTooltab\TooltabExtension.dll, Quarantined, [1393], [356944],1.0.3566 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EverydayLookupTooltab Uninstall Internet Explorer, Delete-on-Reboot, [1393], [356944],1.0.3566 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\EverydayLookup, Delete-on-Reboot, [1393], [444113],1.0.3566 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\EverydayLookup|START PAGE, Delete-on-Reboot, [1393], [444113],1.0.3566 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EverydayLookupTooltab Uninstall Internet Explorer|PUBLISHER, Delete-on-Reboot, [236], [352442],1.0.3566 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [236], [293497],1.0.3566 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EverydayLookupTooltab, Delete-on-Reboot, [1393], [356944],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_d9Members_@www.everydaylookup.com, Delete-on-Reboot, [1393], [468075],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\_metadata, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\config, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\libs, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MLBJEANMODCOJNDBLBMGPKKAGJHKBNGI, Delete-on-Reboot, [1393], [467555],1.0.3566 File: 43 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\EverydayLookupTooltab\TooltabExtension.dll, Delete-on-Reboot, [1393], [356944],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_d9Members_@www.everydaylookup.com.xpi, Delete-on-Reboot, [1393], [457930],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_d9Members_@www.everydaylookup.com\storage.js, Delete-on-Reboot, [1393], [468075],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi\000003.log, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi\CURRENT, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi\LOCK, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi\LOG, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mlbjeanmodcojndblbmgpkkagjhkbngi\MANIFEST-000001, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MLBJEANMODCOJNDBLBMGPKKAGJHKBNGI\13.321.12.20948_0\MANIFEST.JSON, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\config\config.json, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons\icon128.png, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons\icon16.png, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons\icon19disabled.png, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons\icon19on.png, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\icons\icon48.png, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\ajax.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\background.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\chrome.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\content_script.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\dlp.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\dlpHelper.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\extension_detect.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\index.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\logger.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\pageUtils.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\product.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\storage.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\TabManager.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\TemplateParser.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\ul.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\urlFragmentActions.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\urlUtils.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\util.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\js\webtooltabAPI.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\libs\PartnerId.js, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\_metadata\verified_contents.json, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\dynamicNewTab.html, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\product.html, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlbjeanmodcojndblbmgpkkagjhkbngi\13.321.12.20948_0\stubby.html, Delete-on-Reboot, [1393], [467555],1.0.3566 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\EVERYDAYLOOKUP.EXE, Delete-on-Reboot, [236], [365288],1.0.3566 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is RadioRage? The Malwarebytes research team has determined that RadioRage is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. RadioRage is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by RadioRage? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did RadioRage get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove RadioRage? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of RadioRage? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the RadioRage entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the RadioRage hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/radiorage/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_4jMembers_@www.radiorage.com.xpi [2017-12-20] CHR Extension: (RadioRage) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg [2017-12-20] C:\Users\{username}\AppData\Local\RadioRageTooltab RadioRage Internet Explorer Homepage and New Tab (HKCU\...\RadioRageTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0 Adds the file dynamicNewTab.html"="11/9/2017 4:52 PM, 932 bytes, A Adds the file manifest.json"="12/20/2017 9:47 AM, 2471 bytes, A Adds the file product.html"="11/9/2017 4:52 PM, 932 bytes, A Adds the file stubby.html"="11/9/2017 4:52 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\_metadata Adds the file computed_hashes.json"="12/20/2017 9:47 AM, 3620 bytes, A Adds the file verified_contents.json"="11/9/2017 4:52 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\config Adds the file config.json"="11/9/2017 4:52 PM, 1485 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons Adds the file icon128.png"="12/20/2017 9:47 AM, 9565 bytes, A Adds the file icon16.png"="11/9/2017 4:52 PM, 1626 bytes, A Adds the file icon19disabled.png"="11/9/2017 4:52 PM, 1412 bytes, A Adds the file icon19on.png"="12/20/2017 9:47 AM, 594 bytes, A Adds the file icon48.png"="12/20/2017 9:47 AM, 2352 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js Adds the file ajax.js"="11/9/2017 4:52 PM, 2250 bytes, A Adds the file background.js"="11/9/2017 4:52 PM, 19608 bytes, A Adds the file chrome.js"="11/9/2017 4:52 PM, 180 bytes, A Adds the file content_script.js"="11/9/2017 4:52 PM, 5917 bytes, A Adds the file dlp.js"="11/9/2017 4:52 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/9/2017 4:52 PM, 1836 bytes, A Adds the file extension_detect.js"="11/9/2017 4:52 PM, 4343 bytes, A Adds the file index.js"="11/9/2017 4:52 PM, 82 bytes, A Adds the file logger.js"="11/9/2017 4:52 PM, 575 bytes, A Adds the file pageUtils.js"="11/9/2017 4:52 PM, 2241 bytes, A Adds the file product.js"="11/9/2017 4:52 PM, 4434 bytes, A Adds the file storage.js"="11/9/2017 4:52 PM, 1675 bytes, A Adds the file TabManager.js"="11/9/2017 4:52 PM, 189 bytes, A Adds the file TemplateParser.js"="11/9/2017 4:52 PM, 3080 bytes, A Adds the file ul.js"="11/9/2017 4:52 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/9/2017 4:52 PM, 2521 bytes, A Adds the file urlUtils.js"="11/9/2017 4:52 PM, 5385 bytes, A Adds the file util.js"="11/9/2017 4:52 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/9/2017 4:52 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\libs Adds the file PartnerId.js"="11/9/2017 4:52 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg Adds the file 000003.log"="12/20/2017 9:47 AM, 4735 bytes, A Adds the file CURRENT"="12/20/2017 9:47 AM, 16 bytes, A Adds the file LOCK"="12/20/2017 9:47 AM, 0 bytes, A Adds the file LOG"="12/20/2017 9:49 AM, 412 bytes, A Adds the file LOG.old"="12/20/2017 9:47 AM, 184 bytes, A Adds the file MANIFEST-000001"="12/20/2017 9:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\RadioRageTooltab Adds the file TooltabExtension.dll"="8/4/2017 1:29 AM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_4jMembers_@www.radiorage.com Adds the file storage.js"="12/20/2017 9:49 AM, 2335 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _4jMembers_@www.radiorage.com.xpi"="12/20/2017 9:45 AM, 52842 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/radiorage/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\RadioRageTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "RadioRage Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\RadioRageTooltab\TooltabExtension.dll" U uninstall:RadioRage" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\RadioRage] "Start Page"="REG_SZ", "http://hp.myway.com/radiorage/ttab02/index.html?n={n}&p2=^ZX^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2FHYSCVNM%3Fc%3D{ptb}%26ptb%3D^ZX^mni000^TTAB02" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/20/17 Scan Time: 9:55 AM Log File: 974c251a-e563-11e7-9526-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3525 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244625 Threats Detected: 60 Threats Quarantined: 60 Time Elapsed: 1 min, 29 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\RadioRageTooltab\TooltabExtension.dll, Quarantined, [1394], [356944],1.0.3525 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RadioRageTooltab Uninstall Internet Explorer, Quarantined, [1394], [356944],1.0.3525 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\RadioRage, Quarantined, [1394], [444113],1.0.3525 Registry Value: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\RadioRage|START PAGE, Quarantined, [1394], [444113],1.0.3525 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\RadioRageTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [237], [352442],1.0.3525 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [237], [293497],1.0.3525 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\RadioRageTooltab, Quarantined, [1394], [356944],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_4jMembers_@www.radiorage.com, Quarantined, [1394], [468075],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\_metadata, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\config, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\libs, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JHHGLHEEFABMKONIKLJOBLMBDGLPDKPG, Quarantined, [1394], [467555],1.0.3525 File: 44 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\RadioRageTooltab\TooltabExtension.dll, Quarantined, [1394], [356944],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_4jMembers_@www.radiorage.com\storage.js, Quarantined, [1394], [468075],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_4jMembers_@www.radiorage.com.xpi, Quarantined, [1394], [457930],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\000003.log, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\CURRENT, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\LOCK, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\LOG, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\LOG.old, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhhglheefabmkonikljoblmbdglpdkpg\MANIFEST-000001, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JHHGLHEEFABMKONIKLJOBLMBDGLPDKPG\13.321.12.18926_0\MANIFEST.JSON, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\config\config.json, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons\icon128.png, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons\icon16.png, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons\icon19disabled.png, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons\icon19on.png, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\icons\icon48.png, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\ajax.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\background.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\chrome.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\content_script.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\dlp.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\dlpHelper.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\extension_detect.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\index.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\logger.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\pageUtils.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\product.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\storage.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\TabManager.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\TemplateParser.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\ul.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\urlFragmentActions.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\urlUtils.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\util.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\js\webtooltabAPI.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\libs\PartnerId.js, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\_metadata\computed_hashes.json, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\_metadata\verified_contents.json, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\dynamicNewTab.html, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\product.html, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhhglheefabmkonikljoblmbdglpdkpg\13.321.12.18926_0\stubby.html, Quarantined, [1394], [467555],1.0.3525 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\RADIORAGE.EXE, Quarantined, [237], [365288],1.0.3525 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is ProductivityBoss? The Malwarebytes research team has determined that ProductivityBoss is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. ProductivityBoss is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by ProductivityBoss? You may see this browser extensions/add-ons: these warnings during install: You may see this icon in your browser menu-bars: and this new homepage in the affected browsers: How did ProductivityBoss get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove ProductivityBoss? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of ProductivityBoss? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the ProductivityBoss entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the ProductivityBoss hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/productivityboss/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_e5Members_@www.productivityboss.com.xpi [2017-12-12] CHR Extension: (ProductivityBoss) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld [2017-12-12] C:\Users\{username}\AppData\Local\ProductivityBossTooltab (Mindspark Interactive Network, Inc.) C:\Users\{username}\Desktop\ProductivityBoss.exe ProductivityBoss Internet Explorer Homepage and New Tab (HKCU\...\ProductivityBossTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0 Adds the file dynamicNewTab.html"="11/7/2017 1:36 PM, 932 bytes, A Adds the file manifest.json"="12/12/2017 11:05 AM, 2434 bytes, A Adds the file product.html"="11/7/2017 1:36 PM, 932 bytes, A Adds the file stubby.html"="11/7/2017 1:36 PM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\_metadata Adds the file computed_hashes.json"="12/12/2017 11:05 AM, 3620 bytes, A Adds the file verified_contents.json"="11/7/2017 1:36 PM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\config Adds the file config.json"="11/7/2017 1:36 PM, 1550 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons Adds the file icon128.png"="12/12/2017 11:05 AM, 10589 bytes, A Adds the file icon16.png"="11/7/2017 1:36 PM, 1443 bytes, A Adds the file icon19disabled.png"="11/7/2017 1:36 PM, 1519 bytes, A Adds the file icon19on.png"="12/12/2017 11:05 AM, 594 bytes, A Adds the file icon48.png"="12/12/2017 11:05 AM, 2687 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js Adds the file ajax.js"="11/7/2017 1:36 PM, 2250 bytes, A Adds the file background.js"="11/7/2017 1:36 PM, 19608 bytes, A Adds the file chrome.js"="11/7/2017 1:36 PM, 180 bytes, A Adds the file content_script.js"="11/7/2017 1:36 PM, 5917 bytes, A Adds the file dlp.js"="11/7/2017 1:36 PM, 5690 bytes, A Adds the file dlpHelper.js"="11/7/2017 1:36 PM, 1836 bytes, A Adds the file extension_detect.js"="11/7/2017 1:36 PM, 4343 bytes, A Adds the file index.js"="11/7/2017 1:36 PM, 82 bytes, A Adds the file logger.js"="11/7/2017 1:36 PM, 575 bytes, A Adds the file pageUtils.js"="11/7/2017 1:36 PM, 2241 bytes, A Adds the file product.js"="11/7/2017 1:36 PM, 4434 bytes, A Adds the file storage.js"="11/7/2017 1:36 PM, 1675 bytes, A Adds the file TabManager.js"="11/7/2017 1:36 PM, 189 bytes, A Adds the file TemplateParser.js"="11/7/2017 1:36 PM, 3080 bytes, A Adds the file ul.js"="11/7/2017 1:36 PM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/7/2017 1:36 PM, 2521 bytes, A Adds the file urlUtils.js"="11/7/2017 1:36 PM, 5385 bytes, A Adds the file util.js"="11/7/2017 1:36 PM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/7/2017 1:36 PM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\libs Adds the file PartnerId.js"="11/7/2017 1:36 PM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld Adds the file 000003.log"="12/12/2017 11:05 AM, 4651 bytes, A Adds the file CURRENT"="12/12/2017 11:05 AM, 16 bytes, A Adds the file LOCK"="12/12/2017 11:05 AM, 0 bytes, A Adds the file LOG"="12/12/2017 11:07 AM, 412 bytes, A Adds the file LOG.old"="12/12/2017 11:05 AM, 185 bytes, A Adds the file MANIFEST-000001"="12/12/2017 11:05 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\ProductivityBossTooltab Adds the file TooltabExtension.dll"="8/4/2017 12:35 AM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_e5Members_@www.productivityboss.com Adds the file storage.js"="12/12/2017 11:08 AM, 2293 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _e5Members_@www.productivityboss.com.xpi"="12/12/2017 11:03 AM, 53969 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "cangheohokmjkfnfeikedbhjcocnogld"="REG_SZ", "B6189FD63A077EC6C1242B6DB795D9A380FE4EF80943F84F4F7833ED4941F83E" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/productivityboss/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ProductivityBossTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "ProductivityBoss Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\ProductivityBossTooltab\TooltabExtension.dll" U uninstall:ProductivityBoss" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" [HKEY_CURRENT_USER\Software\ProductivityBoss] "Start Page"="REG_SZ", "http://hp.myway.com/productivityboss/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F{ptb}%26ptb%3D" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/12/17 Scan Time: 11:17 AM Log File: 9da40ab6-df25-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3471 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243795 Threats Detected: 60 Threats Quarantined: 60 Time Elapsed: 2 min, 51 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProductivityBossTooltab\TooltabExtension.dll, Quarantined, [1376], [356944],1.0.3471 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ProductivityBossTooltab Uninstall Internet Explorer, Quarantined, [1376], [356944],1.0.3471 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\ProductivityBoss, Quarantined, [1376], [444113],1.0.3471 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ProductivityBossTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [228], [352442],1.0.3471 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\ProductivityBoss|START PAGE, Quarantined, [1376], [444113],1.0.3471 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [228], [293497],1.0.3471 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProductivityBossTooltab, Quarantined, [1376], [356944],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\_metadata, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\config, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\libs, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\EXTENSIONS\cangheohokmjkfnfeikedbhjcocnogld, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_e5Members_@www.productivityboss.com, Quarantined, [1376], [468075],1.0.3471 File: 44 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\ProductivityBossTooltab\TooltabExtension.dll, Quarantined, [1376], [356944],1.0.3471 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_e5Members_@www.productivityboss.com.xpi, Quarantined, [1376], [457930],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\config\config.json, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons\icon128.png, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons\icon16.png, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons\icon19disabled.png, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons\icon19on.png, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\icons\icon48.png, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\ajax.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\background.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\chrome.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\content_script.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\dlp.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\dlpHelper.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\extension_detect.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\index.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\logger.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\pageUtils.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\product.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\storage.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\TabManager.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\TemplateParser.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\ul.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\urlFragmentActions.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\urlUtils.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\util.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\js\webtooltabAPI.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\libs\PartnerId.js, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\_metadata\computed_hashes.json, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\_metadata\verified_contents.json, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\dynamicNewTab.html, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\manifest.json, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\product.html, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\cangheohokmjkfnfeikedbhjcocnogld\13.321.12.16567_0\stubby.html, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\000003.log, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\CURRENT, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\LOCK, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\LOG, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\LOG.old, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.ChromesSearch.ChrPRST, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cangheohokmjkfnfeikedbhjcocnogld\MANIFEST-000001, Quarantined, [2674], [465508],1.0.3471 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_e5Members_@www.productivityboss.com\storage.js, Quarantined, [1376], [468075],1.0.3471 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\PRODUCTIVITYBOSS.EXE, Quarantined, [228], [365288],1.0.3471 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is fromDOCtoPDF? The Malwarebytes research team has determined that fromDOCtoPDF is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. fromDOCtoPDF is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by fromDOCtoPDF? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did fromDOCtoPDF get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove fromDOCtoPDF? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of fromDOCtoPDF? If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the fromDOCtoPDF entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the fromDOCtoPDF hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_65Members_@download.fromdoctopdf.com.xpi [2017-12-06] CHR Extension: (FromDocToPDF) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie [2017-12-06] C:\Users\{username}\AppData\Local\FromDocToPDFTooltab FromDocToPDF Internet Explorer Homepage and New Tab (HKCU\...\FromDocToPDFTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Most significant cahnges made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\FromDocToPDFTooltab Adds the file TooltabExtension.dll"="9/13/2017 8:43 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0 Adds the file dynamicNewTab.html"="11/7/2017 10:34 AM, 932 bytes, A Adds the file manifest.json"="12/6/2017 9:31 AM, 2498 bytes, A Adds the file product.html"="11/7/2017 10:34 AM, 932 bytes, A Adds the file stubby.html"="11/7/2017 10:34 AM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata Adds the file computed_hashes.json"="12/6/2017 9:31 AM, 3620 bytes, A Adds the file verified_contents.json"="11/7/2017 10:34 AM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\config Adds the file config.json"="11/7/2017 10:34 AM, 1517 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons Adds the file icon128.png"="12/6/2017 9:31 AM, 10808 bytes, A Adds the file icon16.png"="11/7/2017 10:34 AM, 1587 bytes, A Adds the file icon19disabled.png"="11/7/2017 10:34 AM, 1512 bytes, A Adds the file icon19on.png"="12/6/2017 9:31 AM, 702 bytes, A Adds the file icon48.png"="12/6/2017 9:31 AM, 3585 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js Adds the file ajax.js"="11/7/2017 10:34 AM, 2250 bytes, A Adds the file background.js"="11/7/2017 10:34 AM, 19608 bytes, A Adds the file chrome.js"="11/7/2017 10:34 AM, 180 bytes, A Adds the file content_script.js"="11/7/2017 10:34 AM, 5917 bytes, A Adds the file dlp.js"="11/7/2017 10:34 AM, 5690 bytes, A Adds the file dlpHelper.js"="11/7/2017 10:34 AM, 1836 bytes, A Adds the file extension_detect.js"="11/7/2017 10:34 AM, 4343 bytes, A Adds the file index.js"="11/7/2017 10:34 AM, 82 bytes, A Adds the file logger.js"="11/7/2017 10:34 AM, 575 bytes, A Adds the file pageUtils.js"="11/7/2017 10:34 AM, 2241 bytes, A Adds the file product.js"="11/7/2017 10:34 AM, 4434 bytes, A Adds the file storage.js"="11/7/2017 10:34 AM, 1675 bytes, A Adds the file TabManager.js"="11/7/2017 10:34 AM, 189 bytes, A Adds the file TemplateParser.js"="11/7/2017 10:34 AM, 3080 bytes, A Adds the file ul.js"="11/7/2017 10:34 AM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/7/2017 10:34 AM, 2521 bytes, A Adds the file urlUtils.js"="11/7/2017 10:34 AM, 5385 bytes, A Adds the file util.js"="11/7/2017 10:34 AM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/7/2017 10:34 AM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs Adds the file PartnerId.js"="11/7/2017 10:34 AM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie Adds the file 000003.log"="12/6/2017 9:31 AM, 5071 bytes, A Adds the file CURRENT"="12/6/2017 9:31 AM, 16 bytes, A Adds the file LOCK"="12/6/2017 9:31 AM, 0 bytes, A Adds the file LOG"="12/6/2017 9:32 AM, 412 bytes, A Adds the file LOG.old"="12/6/2017 9:31 AM, 185 bytes, A Adds the file MANIFEST-000001"="12/6/2017 9:31 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_65Members_@download.fromdoctopdf.com Adds the file storage.js"="12/6/2017 9:32 AM, 2501 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _65Members_@download.fromdoctopdf.com.xpi"="12/6/2017 9:28 AM, 55285 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\FromDocToPDF] "Start Page"="REG_SZ", "http://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2=^Y6^mni000^ttab02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2F%3D{ptb}%26ptb%3Dttab02" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/fromdoctopdf/ttab02ie/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\FromDocToPDFTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "FromDocToPDF Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\FromDocToPDFTooltab\TooltabExtension.dll" U uninstall:FromDocToPDF" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/6/17 Scan Time: 9:42 AM Log File: 62debd36-da61-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3421 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243087 Threats Detected: 56 Threats Quarantined: 56 Time Elapsed: 1 min, 56 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab\TooltabExtension.dll, Quarantined, [777], [356944],1.0.3421 Registry Key: 1 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FromDocToPDFTooltab Uninstall Internet Explorer, Quarantined, [777], [356944],1.0.3421 Registry Value: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FromDocToPDFTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [225], [352442],1.0.3421 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [225], [293497],1.0.3421 Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab, Quarantined, [777], [356944],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\config, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KBFHENINKDONANKPFFGBMKILNLKMPDIE\13.321.12.16049_0, Quarantined, [777], [456842],1.0.3421 File: 43 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\FromDocToPDFTooltab\TooltabExtension.dll, Quarantined, [777], [356944],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_65Members_@download.fromdoctopdf.com.xpi, Quarantined, [777], [457930],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\000003.log, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\CURRENT, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOCK, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOG, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\LOG.old, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kbfheninkdonankpffgbmkilnlkmpdie\MANIFEST-000001, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KBFHENINKDONANKPFFGBMKILNLKMPDIE\13.321.12.16049_0\CONFIG\CONFIG.JSON, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon128.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon16.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon19disabled.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon19on.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\icons\icon48.png, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\ajax.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\background.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\chrome.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\content_script.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\dlp.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\dlpHelper.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\extension_detect.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\index.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\logger.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\pageUtils.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\product.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\storage.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\TabManager.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\TemplateParser.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\ul.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\urlFragmentActions.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\urlUtils.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\util.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\js\webtooltabAPI.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\libs\PartnerId.js, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata\computed_hashes.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\_metadata\verified_contents.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\dynamicNewTab.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\manifest.json, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\product.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfheninkdonankpffgbmkilnlkmpdie\13.321.12.16049_0\stubby.html, Quarantined, [777], [456842],1.0.3421 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\FROMDOCTOPDF.EXE, Quarantined, [225], [365288],1.0.3421 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is InternetSpeedTracker? The Malwarebytes research team has determined that InternetSpeedTracker is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. InternetSpeedTracker is a member of the Mindspark/Ask family now known as IAC Applications. How do I know if my computer is affected by InternetSpeedTracker? You may see this browser extensions/add-ons: these warnings during install: You may see this entry in your list of installed software: and this new homepage in the affected browsers: How did InternetSpeedTracker get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website after a redirect by an ad-rotator. How do I remove InternetSpeedTracker? Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise to follow the steps below anyway. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of InternetSpeedTracker? If you are using Chrome and an older version of Malwarebytes, you may have to remove the Extension manually under Tools > More Tools > Extensions. Click on the bin behind the InternetSpeedTracker entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the InternetSpeedTracker hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\_9tMembers_@free.internetspeedtracker.com.xpi [2017-11-29] CHR Extension: (InternetSpeedTracker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc [2017-11-29] C:\Users\{username}\AppData\Local\Internet Speed TrackerTooltab Internet Speed Tracker Internet Explorer Homepage and New Tab (HKCU\...\Internet Speed TrackerTooltab Uninstall Internet Explorer) (Version: - Mindspark Interactive Network, Inc.) <==== ATTENTION Most significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0 Adds the file dynamicNewTab.html"="11/7/2017 10:40 AM, 932 bytes, A Adds the file manifest.json"="11/29/2017 8:54 AM, 2536 bytes, A Adds the file product.html"="11/7/2017 10:40 AM, 932 bytes, A Adds the file stubby.html"="11/7/2017 10:40 AM, 932 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\_metadata Adds the file computed_hashes.json"="11/29/2017 8:54 AM, 3620 bytes, A Adds the file verified_contents.json"="11/7/2017 10:40 AM, 4621 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\config Adds the file config.json"="11/7/2017 10:40 AM, 1587 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons Adds the file icon128.png"="11/29/2017 8:54 AM, 4963 bytes, A Adds the file icon16.png"="11/7/2017 10:40 AM, 559 bytes, A Adds the file icon19disabled.png"="11/7/2017 10:40 AM, 631 bytes, A Adds the file icon19on.png"="11/29/2017 8:54 AM, 630 bytes, A Adds the file icon48.png"="11/29/2017 8:54 AM, 1597 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js Adds the file ajax.js"="11/7/2017 10:40 AM, 2250 bytes, A Adds the file background.js"="11/7/2017 10:40 AM, 19608 bytes, A Adds the file chrome.js"="11/7/2017 10:40 AM, 180 bytes, A Adds the file content_script.js"="11/7/2017 10:40 AM, 5917 bytes, A Adds the file dlp.js"="11/7/2017 10:40 AM, 5690 bytes, A Adds the file dlpHelper.js"="11/7/2017 10:40 AM, 1836 bytes, A Adds the file extension_detect.js"="11/7/2017 10:40 AM, 4343 bytes, A Adds the file index.js"="11/7/2017 10:40 AM, 82 bytes, A Adds the file logger.js"="11/7/2017 10:40 AM, 575 bytes, A Adds the file pageUtils.js"="11/7/2017 10:40 AM, 2241 bytes, A Adds the file product.js"="11/7/2017 10:40 AM, 4434 bytes, A Adds the file storage.js"="11/7/2017 10:40 AM, 1675 bytes, A Adds the file TabManager.js"="11/7/2017 10:40 AM, 189 bytes, A Adds the file TemplateParser.js"="11/7/2017 10:40 AM, 3080 bytes, A Adds the file ul.js"="11/7/2017 10:40 AM, 3824 bytes, A Adds the file urlFragmentActions.js"="11/7/2017 10:40 AM, 2521 bytes, A Adds the file urlUtils.js"="11/7/2017 10:40 AM, 5385 bytes, A Adds the file util.js"="11/7/2017 10:40 AM, 3840 bytes, A Adds the file webtooltabAPI.js"="11/7/2017 10:40 AM, 8357 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\libs Adds the file PartnerId.js"="11/7/2017 10:40 AM, 22130 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc Adds the file 000003.log"="11/29/2017 8:54 AM, 4961 bytes, A Adds the file CURRENT"="11/29/2017 8:54 AM, 16 bytes, A Adds the file LOCK"="11/29/2017 8:54 AM, 0 bytes, A Adds the file LOG"="11/29/2017 8:54 AM, 185 bytes, A Adds the file MANIFEST-000001"="11/29/2017 8:54 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Internet Speed TrackerTooltab Adds the file TooltabExtension.dll"="8/4/2017 7:01 PM, 266864 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_9tMembers_@free.internetspeedtracker.com Adds the file storage.js"="11/29/2017 8:53 AM, 2472 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file _9tMembers_@free.internetspeedtracker.com.xpi"="11/29/2017 8:52 AM, 44694 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "kohoehgoafblafjinhplmhcbphgaaobc"="REG_SZ", "5D62E9F71822E9740CD6B4F38D59B820BC7706AA534FFE42BEFA29FFEB4015AA" [HKEY_CURRENT_USER\Software\Internet Speed Tracker] "Start Page"="REG_SZ", "http://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2=^BBQ^mni000^TTAB02&ptb={ptb}&coid={coid}" "UnInstallSurveyUrl"="REG_SZ", "http://@{downloadDomain}.dl.myway.com/uninstall.jhtml?surveyUrl=http%3A%2F%2Fwww.research.net%2Fr%2F66QYSWY%3Fc%3D{ptb}%26ptb%3D^BBQ^mni000^TTAB02" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://hp.myway.com/internetspeedtracker/ttab02/index.html?n={n}&p2={p2}&ptb={ptb}&coid={coid}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Internet Speed TrackerTooltab Uninstall Internet Explorer] "DisplayName"="REG_SZ", "Internet Speed Tracker Internet Explorer Homepage and New Tab" "HelpLink"="REG_SZ", "http://support.mindspark.com/" "Publisher"="REG_SZ", "Mindspark Interactive Network, Inc." "UninstallString"="REG_SZ", "Rundll32.exe "C:\Users\{username}\AppData\Local\Internet Speed TrackerTooltab\TooltabExtension.dll" U uninstall:Internet Speed Tracker" "URLInfoAbout"="REG_SZ", "http://support.mindspark.com/" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/29/17 Scan Time: 9:06 AM Log File: 2978c292-d4dc-11e7-ae87-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.236 Update Package Version: 1.0.3371 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 335568 Threats Detected: 59 Threats Quarantined: 59 Time Elapsed: 4 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 1 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Internet Speed TrackerTooltab\TooltabExtension.dll, Quarantined, [851], [356944],1.0.3371 Registry Key: 2 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Internet Speed TrackerTooltab Uninstall Internet Explorer, Quarantined, [851], [356944],1.0.3371 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Internet Speed Tracker, Quarantined, [851], [444113],1.0.3371 Registry Value: 2 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Internet Speed TrackerTooltab Uninstall Internet Explorer|PUBLISHER, Quarantined, [260], [352442],1.0.3371 PUP.Optional.MindSpark.Generic, HKCU\SOFTWARE\Internet Speed Tracker|START PAGE, Quarantined, [851], [444113],1.0.3371 Registry Data: 1 PUP.Optional.MindSpark, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [260], [293497],1.0.3371 Data Stream: 0 (No malicious items detected) Folder: 10 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Internet Speed TrackerTooltab, Quarantined, [851], [356944],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\_9tMembers_@free.internetspeedtracker.com, Quarantined, [851], [457935],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\_metadata, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\config, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\libs, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KOHOEHGOAFBLAFJINHPLMHCBPHGAAOBC, Quarantined, [851], [456843],1.0.3371 File: 43 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\Internet Speed TrackerTooltab\TooltabExtension.dll, Quarantined, [851], [356944],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\_9tMembers_@free.internetspeedtracker.com.xpi, Quarantined, [851], [457930],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\_9tMembers_@free.internetspeedtracker.com\storage.js, Quarantined, [851], [457935],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc\000003.log, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc\CURRENT, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc\LOCK, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc\LOG, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kohoehgoafblafjinhplmhcbphgaaobc\MANIFEST-000001, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\KOHOEHGOAFBLAFJINHPLMHCBPHGAAOBC\13.321.12.16092_0\MANIFEST.JSON, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\config\config.json, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons\icon128.png, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons\icon16.png, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons\icon19disabled.png, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons\icon19on.png, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\icons\icon48.png, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\ajax.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\background.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\chrome.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\content_script.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\dlp.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\dlpHelper.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\extension_detect.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\index.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\logger.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\pageUtils.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\product.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\storage.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\TabManager.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\TemplateParser.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\ul.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\urlFragmentActions.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\urlUtils.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\util.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\js\webtooltabAPI.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\libs\PartnerId.js, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\_metadata\computed_hashes.json, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\_metadata\verified_contents.json, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\dynamicNewTab.html, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\product.html, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\kohoehgoafblafjinhplmhcbphgaaobc\13.321.12.16092_0\stubby.html, Quarantined, [851], [456843],1.0.3371 PUP.Optional.MindSpark, C:\USERS\{username}\DESKTOP\INTERNETSPEEDTRACKER.EXE, Quarantined, [260], [365288],1.0.3371 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.