Showing results for tags 'pup.optional.spigot'.



Found 13 results

  1. What is Fast Flight Tracker?

     The Malwarebytes research team has determined that Fast Flight Tracker is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
     Fast Flight Tracker is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

     How do I know if my computer is affected by Fast Flight Tracker?

     You may see this Chrome extension:
     this changed setting:
     and this new default search provider:
     You may see this entry in your list of installed software:
     these warnings during install:
     and this new startpage in the affected browser(s):

     How did Fast Flight Tracker get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

     How do I remove Fast Flight Tracker?

     Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Fast Flight Tracker?

     No, Malwarebytes removes Fast Flight Tracker completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Fast Flight Tracker hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late, and both Malwarebytes Premium and Malwarebytes Browser Guard block traffic to their domains:

     Technical details for experts

     Possible signs in a FRST log:
     HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.fastflighttrackertab.com/?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&uc=20191202&i_id=flights_spt__1.30&source=_v1-bb8-iei-msn-su <==== ATTENTION
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.fastflighttrackertab.com/?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&uc=20191202&i_id=flights_spt__1.30&source=_v1-bb8-iei-msn
     SearchScopes: HKCU -> DefaultScope {BEDB8A7B-C027-4E93-A731-A7D79707A16C} URL = hxxp://search.fastflighttrackertab.com/s?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&source=_v1-bb8-iei&uc=20191202&i_id=flights_spt__1.30&query={searchTerms}
     SearchScopes: HKCU -> {BEDB8A7B-C027-4E93-A731-A7D79707A16C} URL = hxxp://search.fastflighttrackertab.com/s?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&source=_v1-bb8-iei&uc=20191202&i_id=flights_spt__1.30&query={searchTerms}
     CHR NewTab: Default -> Active:"chrome-extension://glckebgofdjplfkbijgppaegilheackp/index.html"
     CHR Extension: (Fast Flight Tracker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp [2019-12-02]
     C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} (SpringTech (Cayman) Ltd.)
     C:\Users\{username}\Desktop\FastFlightTracker.exe
     Fast Flight Tracker (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.5 - SpringTech (Cayman) Ltd.)

     Significant changes made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0
     Adds the file about.html"="10/31/2019 6:51 PM, 6792 bytes, A
     Adds the file icon.png"="12/2/2019 9:31 AM, 7756 bytes, A
     Adds the file index.html"="10/31/2019 6:51 PM, 554 bytes, A
     Adds the file main.js"="10/31/2019 6:51 PM, 8110 bytes, A
     Adds the file main.js.map"="10/31/2019 6:51 PM, 4709 bytes, A
     Adds the file manifest.json"="12/2/2019 9:31 AM, 1371 bytes, A
     Adds the file polyfills.js"="10/31/2019 6:51 PM, 276508 bytes, A
     Adds the file polyfills.js.map"="10/31/2019 6:51 PM, 271850 bytes, A
     Adds the file polyfills-es5.js"="10/31/2019 6:51 PM, 401051 bytes, A
     Adds the file polyfills-es5.js.map"="10/31/2019 6:51 PM, 299080 bytes, A
     Adds the file popup.html"="10/31/2019 6:51 PM, 567 bytes, A
     Adds the file runtime.js"="10/31/2019 6:51 PM, 6233 bytes, A
     Adds the file runtime.js.map"="10/31/2019 6:51 PM, 6206 bytes, A
     Adds the file styles.css"="10/31/2019 6:51 PM, 249 bytes, A
     Adds the file styles.js"="10/31/2019 6:51 PM, 17346 bytes, A
     Adds the file styles.js.map"="10/31/2019 6:51 PM, 20279 bytes, A
     Adds the file vendor.js"="10/31/2019 6:51 PM, 3734558 bytes, A
     Adds the file vendor.js.map"="10/31/2019 6:51 PM, 3886759 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\_metadata
     Adds the file computed_hashes.json"="12/2/2019 9:31 AM, 104400 bytes, A
     Adds the file verified_contents.json"="10/31/2019 6:51 PM, 3380 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\app
     Adds the file background.js"="10/31/2019 6:51 PM, 16608 bytes, A
     Adds the file index.js"="10/31/2019 6:51 PM, 4575 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp
     Adds the file 000003.log"="12/2/2019 9:33 AM, 204 bytes, A
     Adds the file CURRENT"="12/2/2019 9:32 AM, 16 bytes, A
     Adds the file LOCK"="12/2/2019 9:32 AM, 0 bytes, A
     Adds the file LOG"="12/2/2019 9:32 AM, 183 bytes, A
     Adds the file MANIFEST-000001"="12/2/2019 9:32 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
     Adds the file Uninstall.exe"="12/2/2019 9:28 AM, 346392 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "glckebgofdjplfkbijgppaegilheackp"="REG_SZ", "708621DB551DC0D2A6B6150D51756C739C3CAA770DE5786BA4E464A4447CEEEE"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
     "Start Page" = REG_SZ, "http://search.fastflighttrackertab.com/?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&uc=20191202&i_id=flights_spt__1.30&source=_v1-bb8-iei-msn"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
     "DefaultScope" = REG_SZ, "{BEDB8A7B-C027-4E93-A731-A7D79707A16C}"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BEDB8A7B-C027-4E93-A731-A7D79707A16C}]
     "DisplayName"="REG_SZ", "Fast Flight Tracker - Powered by Yahoo!"
     "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
     "URL"="REG_SZ", "http://search.fastflighttrackertab.com/s?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&source=_v1-bb8-iei&uc=20191202&i_id=flights_spt__1.30&query={searchTerms}"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     "IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.fastflighttrackertab.com/?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&uc=20191202&i_id=flights_spt__1.30&source=_v1-bb8-iei-msn-su"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
     "DisplayName"="REG_SZ", "Fast Flight Tracker"
     "DisplayVersion"="REG_SZ", "5.4.0.5"
     "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
     "Publisher"="REG_SZ", "SpringTech (Cayman) Ltd."
     "UninstallDialog"="REG_DWORD", 2
     "UninstallEngineID"="REG_SZ", "{BEDB8A7B-C027-4E93-A731-A7D79707A16C}"
     "UninstallHomepage"="REG_SZ", "http://search.fastflighttrackertab.com/?uid=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&ap=0&uc=20191202&i_id=flights_spt__1.30&source=_v1-bb8-iei-msn"
     "UninstallImpression"="REG_SZ", "http://www.searchnewtabs.com/impression.do?domain=fastflighttrackertab.com&implementation_id=flights_spt__1.30&offer_id=_iei_&source=_v1-bb8-iei&sub_id=20191202&traffic_source=0&user_id=6acd3c9f-3f09-4eaf-8e16-51b6885ddddf&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1575275248&sgn=fe2e5a8d4148cdd71a7ce616d8d737642cb58a3a&subid2=11.0.9600.19540&event={exEvent}"
     "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

     Malwarebytes scan log:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 12/2/19
     Scan Time: 9:40 AM
     Log File: 736de8d8-14df-11ea-8161-00ffdcc6fdfc.json

     -Software Information-
     Version: 4.0.4.49
     Components Version: 1.0.764
     Update Package Version: 1.0.15634
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 234376
     Threats Detected: 39
     Threats Quarantined: 39
     Time Elapsed: 14 min, 48 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 1
     PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 157, 373879, 1.0.15634, , ame,

     Registry Value: 1
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|glckebgofdjplfkbijgppaegilheackp, Quarantined, 207, 757812, , , ,

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 6
     PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 157, 373878, 1.0.15634, , ame,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\glckebgofdjplfkbijgppaegilheackp, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\_metadata, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\app, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLCKEBGOFDJPLFKBIJGPPAEGILHEACKP\1.3_0, Quarantined, 207, 757812, 1.0.15634, , ame,

     File: 31
     PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 157, 373878, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp\000003.log, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp\CURRENT, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp\LOCK, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp\LOG, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\glckebgofdjplfkbijgppaegilheackp\MANIFEST-000001, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\GLCKEBGOFDJPLFKBIJGPPAEGILHEACKP\1.3_0\APP\BACKGROUND.JS, Quarantined, 207, 757812, 1.0.15634, , ame,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\app\index.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\_metadata\computed_hashes.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\_metadata\verified_contents.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\about.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\icon.png, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\index.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\main.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\main.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\manifest.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\polyfills-es5.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\polyfills-es5.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\polyfills.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\polyfills.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\popup.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\runtime.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\runtime.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\styles.css, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\styles.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\styles.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\vendor.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\glckebgofdjplfkbijgppaegilheackp\1.3_0\vendor.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FASTFLIGHTTRACKER.EXE, Quarantined, 157, 756784, 1.0.15634, D7795909B8C4DB37C7A293AB, dds, 00482764

     Physical Sector: 0
     (No malicious items detected)

     WMI: 0
     (No malicious items detected)

     (end)

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
     Dynamically Blocks Malware Sites & Servers
     Malware Execution Prevention
     Save yourself the hassle and get protected.
  2. What is Track Packages Quick?

     The Malwarebytes research team has determined that Track Packages Quick is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
     Track Packages Quick is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

     How do I know if my computer is affected by Track Packages Quick?

     You may see this Chrome extension:
     and this new default search provider:
     You may see this entry in your list of installed software:
     these warnings during install:
     and this new startpage in the affected browser(s):

     How did Track Packages Quick get on my computer?

     Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site,
     and the Chrome extension through the webstore:

     How do I remove Track Packages Quick?

     Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes for Windows to your desktop. Double-click MBSetup.exe and follow the prompts to install the program. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen. Click on the Get started button. Click Scan to start a Threat Scan. When the scan is finished click Quarantine to remove the found threats. Reboot the system if prompted to complete the removal process.

     Is there anything else I need to do to get rid of Track Packages Quick?

     No, Malwarebytes removes Track Packages Quick completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

     How would the full version of Malwarebytes help protect me?

     We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Track Packages Quick hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late, and both Malwarebytes Premium and Malwarebytes Browser Guard block traffic to their domains:

     Technical details for experts

     Possible signs in a FRST log:
     HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.trackpackagesquicktab.com/?uc=20191126&ap=0&i_id=packages_spt__1.30&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&source=_v1-bb8-iei-msn-su <==== ATTENTION
     HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.trackpackagesquicktab.com/?uc=20191126&ap=0&i_id=packages_spt__1.30&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&source=_v1-bb8-iei-msn
     SearchScopes: HKCU -> DefaultScope {BF687994-D15C-46AB-BA7B-6B4A68AFC674} URL = hxxp://search.trackpackagesquicktab.com/s?uc=20191126&ap=0&i_id=packages_spt__1.30&source=_v1-bb8-iei&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&query={searchTerms}
     SearchScopes: HKCU -> {BF687994-D15C-46AB-BA7B-6B4A68AFC674} URL = hxxp://search.trackpackagesquicktab.com/s?uc=20191126&ap=0&i_id=packages_spt__1.30&source=_v1-bb8-iei&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&query={searchTerms}
     CHR NewTab: Default -> Active:"chrome-extension://boobcghphfggckcfohcaifaelnnfnnok/index.html"
     CHR Extension: (Track Packages Quick) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok [2019-11-26]
     C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} (SpringTech (Cayman) Ltd.)
     C:\Users\{username}\Desktop\TrackPackagesQuick.exe
     Track Packages Quick (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.5 - SpringTech (Cayman) Ltd.) <==== ATTENTION

     Significant changes made by the installer:

     File system details [View: All details] (Selection)
     ---------------------------------------------------
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0
     Adds the file about.html"="9/27/2019 5:43 PM, 6799 bytes, A
     Adds the file icon.png"="11/26/2019 9:25 AM, 4756 bytes, A
     Adds the file index.html"="9/27/2019 5:43 PM, 624 bytes, A
     Adds the file main.js"="9/27/2019 5:43 PM, 8059 bytes, A
     Adds the file main.js.map"="9/27/2019 5:43 PM, 4604 bytes, A
     Adds the file manifest.json"="11/26/2019 9:25 AM, 1373 bytes, A
     Adds the file polyfills.js"="9/27/2019 5:43 PM, 276518 bytes, A
     Adds the file polyfills.js.map"="9/27/2019 5:43 PM, 271850 bytes, A
     Adds the file polyfills-es5.js"="9/27/2019 5:43 PM, 401061 bytes, A
     Adds the file polyfills-es5.js.map"="9/27/2019 5:43 PM, 299080 bytes, A
     Adds the file popup.html"="9/27/2019 5:43 PM, 570 bytes, A
     Adds the file runtime.js"="9/27/2019 5:43 PM, 6233 bytes, A
     Adds the file runtime.js.map"="9/27/2019 5:43 PM, 6206 bytes, A
     Adds the file styles.css"="9/27/2019 5:43 PM, 249 bytes, A
     Adds the file styles.js"="9/27/2019 5:43 PM, 17351 bytes, A
     Adds the file styles.js.map"="9/27/2019 5:43 PM, 20279 bytes, A
     Adds the file vendor.js"="9/27/2019 5:43 PM, 3734558 bytes, A
     Adds the file vendor.js.map"="9/27/2019 5:43 PM, 3886759 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\_metadata
     Adds the file computed_hashes.json"="11/26/2019 9:25 AM, 104353 bytes, A
     Adds the file verified_contents.json"="9/27/2019 5:43 PM, 3380 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\app
     Adds the file background.js"="9/27/2019 5:43 PM, 12467 bytes, A
     Adds the file index.js"="9/27/2019 5:43 PM, 5573 bytes, A
     Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok
     Adds the file 000003.log"="11/26/2019 9:26 AM, 67 bytes, A
     Adds the file CURRENT"="11/26/2019 9:25 AM, 16 bytes, A
     Adds the file LOCK"="11/26/2019 9:25 AM, 0 bytes, A
     Adds the file LOG"="11/26/2019 9:26 AM, 184 bytes, A
     Adds the file MANIFEST-000001"="11/26/2019 9:25 AM, 41 bytes, A
     Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
     Adds the file Uninstall.exe"="11/26/2019 9:21 AM, 346392 bytes, A

     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
     "boobcghphfggckcfohcaifaelnnfnnok"="REG_SZ", "5F60EB6A11F1E289BD42176590D6E9114F44649CDC99570CCA06406F957BB6AA"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
     "Start Page" = REG_SZ, "http://search.trackpackagesquicktab.com/?uc=20191126&ap=0&i_id=packages_spt__1.30&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&source=_v1-bb8-iei-msn"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
     "DefaultScope" = REG_SZ, "{BF687994-D15C-46AB-BA7B-6B4A68AFC674}"
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BF687994-D15C-46AB-BA7B-6B4A68AFC674}]
     "DisplayName"="REG_SZ", "Track Packages Quick - Powered by Yahoo!"
     "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
     "URL"="REG_SZ", "http://search.trackpackagesquicktab.com/s?uc=20191126&ap=0&i_id=packages_spt__1.30&source=_v1-bb8-iei&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&query={searchTerms}"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
     "IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.trackpackagesquicktab.com/?uc=20191126&ap=0&i_id=packages_spt__1.30&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&source=_v1-bb8-iei-msn-su"
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
     "DisplayName"="REG_SZ", "Track Packages Quick"
     "DisplayVersion"="REG_SZ", "5.4.0.5"
     "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
     "Publisher"="REG_SZ", "SpringTech (Cayman) Ltd."
     "UninstallDialog"="REG_DWORD", 2
     "UninstallEngineID"="REG_SZ", "{BF687994-D15C-46AB-BA7B-6B4A68AFC674}"
     "UninstallHomepage"="REG_SZ", "http://search.trackpackagesquicktab.com/?uc=20191126&ap=0&i_id=packages_spt__1.30&uid=4bf5a58e-3837-4989-8884-a8795f2656f4&source=_v1-bb8-iei-msn"
     "UninstallImpression"="REG_SZ", "http://www.searchnewtabs.com/impression.do?domain=trackpackagesquicktab.com&implementation_id=packages_spt__1.30&offer_id=_iei_&source=_v1-bb8-iei&sub_id=20191126&traffic_source=0&user_id=4bf5a58e-3837-4989-8884-a8795f2656f4&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1574756447&sgn=5b305fce260f7b97393e6a9257f94d880ca55ea6&subid2=11.0.9600.19540&event={exEvent}"
     "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

     Malwarebytes scan log:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 11/26/19
     Scan Time: 9:35 AM
     Log File: c5a89218-1027-11ea-bc32-00ffdcc6fdfc.json

     -Software Information-
     Version: 4.0.4.49
     Components Version: 1.0.718
     Update Package Version: 1.0.15426
     License: Premium

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Scan Initiated By: Manual
     Result: Completed
     Objects Scanned: 233661
     Threats Detected: 41
     Threats Quarantined: 41
     Time Elapsed: 4 min, 19 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Detect
     PUM: Detect

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 2
     PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 157, 373878, , , ,
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{BF687994-D15C-46AB-BA7B-6B4A68AFC674}, Quarantined, 207, 613266, 1.0.15426, , ame,

     Registry Value: 2
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{BF687994-D15C-46AB-BA7B-6B4A68AFC674}|URL, Quarantined, 207, 613266, 1.0.15426, , ame,
     PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|boobcghphfggckcfohcaifaelnnfnnok, Quarantined, 207, 757812, , , ,

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 6
     PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 157, 373878, 1.0.15426, , ame,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\_metadata, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\app, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BOOBCGHPHFGGCKCFOHCAIFAELNNFNNOK\1.1_0, Quarantined, 207, 757812, 1.0.15426, , ame,

     File: 31
     PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 157, 373878, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok\000003.log, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok\CURRENT, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok\LOCK, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok\LOG, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\boobcghphfggckcfohcaifaelnnfnnok\MANIFEST-000001, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\BOOBCGHPHFGGCKCFOHCAIFAELNNFNNOK\1.1_0\APP\BACKGROUND.JS, Quarantined, 207, 757812, 1.0.15426, , ame,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\app\index.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\_metadata\computed_hashes.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\_metadata\verified_contents.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\about.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\icon.png, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\index.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\main.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\main.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\manifest.json, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\polyfills-es5.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\polyfills-es5.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\polyfills.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\polyfills.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\popup.html, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\runtime.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\runtime.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\styles.css, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\styles.js, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\styles.js.map, Quarantined, 207, 757812, , , ,
     PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\vendor.js,
Quarantined, 207, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\boobcghphfggckcfohcaifaelnnfnnok\1.1_0\vendor.js.map, Quarantined, 207, 757812, , , , PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\TRACKPACKAGESQUICK.EXE, Quarantined, 157, 756784, 1.0.15426, D7795909B8C4DB37C7A293AB, dds, 00474145 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
3. What is Quick Audio Converter?

The Malwarebytes research team has determined that Quick Audio Converter is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one is a newtab and search hijacker and uses web push notifications.

How do I know if my computer is affected by Quick Audio Converter?

You may see this Chrome extension:
these warnings during install:
You may see this new startpage:
this entry in your list of installed Programs and Features:
and these new settings:

How did Quick Audio Converter get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website.

How do I remove Quick Audio Converter?

Our program Malwarebytes can detect and remove this potentially unwanted program. You can use their own uninstall instructions first, but I would advise following the steps below anyway.

Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Quick Audio Converter?

No, Malwarebytes' Anti-Malware removes Quick Audio Converter completely. If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Quick Audio Converter hijacker.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

and it blocks traffic to their domain:

Technical details for experts

Possible signs in FRST logs:

HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn (the data entry has 3 more characters). <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn
SearchScopes: HKCU -> DefaultScope {20126AD1-6B9B-41E9-A3D8-B92F31CCBC31} URL = hxxp://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms}
SearchScopes: HKCU -> {20126AD1-6B9B-41E9-A3D8-B92F31CCBC31} URL = hxxp://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms}
CHR NewTab: Default -> Active:"chrome-extension://dhefhiblkacpepnjcdbncinodjgjapkk/index.html"
CHR Extension: (Quick Audio Converter) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk [2019-11-19]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
Quick Audio Converter (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.2 - SpringTech (Cayman) Ltd.)
Alterations made by the installer:

File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0
   Adds the file about.html"="9/26/2019 4:26 PM, 6806 bytes, A
   Adds the file icon.png"="11/19/2019 9:19 AM, 10358 bytes, A
   Adds the file index.html"="9/26/2019 4:26 PM, 625 bytes, A
   Adds the file main.js"="9/26/2019 4:26 PM, 8060 bytes, A
   Adds the file main.js.map"="9/26/2019 4:26 PM, 4605 bytes, A
   Adds the file manifest.json"="11/19/2019 9:19 AM, 1378 bytes, A
   Adds the file polyfills.js"="9/26/2019 4:26 PM, 276518 bytes, A
   Adds the file polyfills.js.map"="9/26/2019 4:26 PM, 271850 bytes, A
   Adds the file polyfills-es5.js"="9/26/2019 4:26 PM, 401061 bytes, A
   Adds the file polyfills-es5.js.map"="9/26/2019 4:26 PM, 299080 bytes, A
   Adds the file popup.html"="9/26/2019 4:26 PM, 573 bytes, A
   Adds the file runtime.js"="9/26/2019 4:26 PM, 6233 bytes, A
   Adds the file runtime.js.map"="9/26/2019 4:26 PM, 6206 bytes, A
   Adds the file styles.css"="9/26/2019 4:26 PM, 249 bytes, A
   Adds the file styles.js"="9/26/2019 4:26 PM, 17351 bytes, A
   Adds the file styles.js.map"="9/26/2019 4:26 PM, 20279 bytes, A
   Adds the file vendor.js"="9/26/2019 4:26 PM, 3734558 bytes, A
   Adds the file vendor.js.map"="9/26/2019 4:26 PM, 3886759 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata
   Adds the file computed_hashes.json"="11/19/2019 9:19 AM, 104353 bytes, A
   Adds the file verified_contents.json"="9/26/2019 4:26 PM, 3380 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app
   Adds the file background.js"="9/26/2019 4:26 PM, 12471 bytes, A
   Adds the file index.js"="9/26/2019 4:26 PM, 5575 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_quickaudioconvertertab.com_0.indexeddb.leveldb
   Adds the file 000003.log"="11/19/2019 9:20 AM, 1047 bytes, A
   Adds the file CURRENT"="11/19/2019 9:19 AM, 16 bytes, A
   Adds the file LOCK"="11/19/2019 9:19 AM, 0 bytes, A
   Adds the file LOG"="11/19/2019 9:20 AM, 190 bytes, A
   Adds the file MANIFEST-000001"="11/19/2019 9:19 AM, 23 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk
   Adds the file 000003.log"="11/19/2019 9:20 AM, 67 bytes, A
   Adds the file CURRENT"="11/19/2019 9:19 AM, 16 bytes, A
   Adds the file LOCK"="11/19/2019 9:19 AM, 0 bytes, A
   Adds the file LOG"="11/19/2019 9:20 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="11/19/2019 9:19 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
   Adds the file Uninstall.exe"="11/19/2019 9:15 AM, 347416 bytes, A
In the existing folder C:\Users\{username}\Downloads
   Adds the file QuickAudioConverter-27273412.exe"="11/19/2019 9:15 AM, 1117464 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"dhefhiblkacpepnjcdbncinodjgjapkk"="REG_SZ", "7BE027341D4A35EECDB258C8E18102CFA2C2B0A708BF55FE07690A15332A996B"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" ==> REG_SZ, "http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" ==> REG_SZ, "{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}]
"DisplayName"="REG_SZ", "Quick Audio Converter - Powered by Yahoo!"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.quickaudioconvertertab.com/s?i_id=audioconverter_spt__1.30&source=_v2-bb9-iei&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn-su"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "Quick Audio Converter"
"DisplayVersion"="REG_SZ", "5.4.0.2"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
"Publisher"="REG_SZ", "SpringTech (Cayman) Ltd."
"UninstallDialog"="REG_DWORD", 2
"UninstallEngineID"="REG_SZ", "{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}"
"UninstallHomepage"="REG_SZ", "http://search.quickaudioconvertertab.com/?i_id=audioconverter_spt__1.30&uid=054012ce-cd8e-4406-96da-9159c3da02a9&uc=20191119&ap=0&source=_v2-bb9-iei-msn"
"UninstallImpression"="REG_SZ", "http://www.typeyoursearch.com/impression.do?domain=quickaudioconvertertab.com&implementation_id=audioconverter_spt__1.30&offer_id=_iei_&source=_v2-bb9-iei&sub_id=20191119&traffic_source=0&user_id=054012ce-cd8e-4406-96da-9159c3da02a9&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1574151299&sgn=907100ef78bf95073d45546b162f5a833901fdc0&subid2=11.0.9600.19540&event={exEvent}"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/19/19
Scan Time: 9:32 AM
Log File: 294d1220-0aa7-11ea-94ae-00ffdcc6fdfc.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.718
Update Package Version: 1.0.15128
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233776
Threats Detected: 42
Threats Quarantined: 42
Time Elapsed: 3 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 157, 373879, 1.0.15128, , ame,
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}, Quarantined, 207, 368913, 1.0.15128, , ame,

Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{20126AD1-6B9B-41E9-A3D8-B92F31CCBC31}|URL, Quarantined, 207, 368913, 1.0.15128, , ame,
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , ,

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, 207, 662623, 1.0.15128, , ame,

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 157, 373878, 1.0.15128, , ame,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DHEFHIBLKACPEPNJCDBNCINODJGJAPKK\1.1_0, Quarantined, 207, 757812, 1.0.15128, , ame,

File: 31
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 157, 373878, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\000003.log, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\CURRENT, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\LOCK, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\LOG, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dhefhiblkacpepnjcdbncinodjgjapkk\MANIFEST-000001, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DHEFHIBLKACPEPNJCDBNCINODJGJAPKK\1.1_0\APP\BACKGROUND.JS, Quarantined, 207, 757812, 1.0.15128, , ame,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\app\index.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata\computed_hashes.json, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\_metadata\verified_contents.json, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\about.html, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\icon.png, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\index.html, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\main.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\main.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\manifest.json, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills-es5.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills-es5.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\polyfills.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\popup.html, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\runtime.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\runtime.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.css, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\styles.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\vendor.js, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhefhiblkacpepnjcdbncinodjgjapkk\1.1_0\vendor.js.map, Quarantined, 207, 757812, , , ,
PUP.Optional.Spigot, C:\USERS\{username}\DOWNLOADS\QUICKAUDIOCONVERTER-27273412.EXE, Quarantined, 157, 756784, 1.0.15128, D7795909B8C4DB37C7A293AB, dds, 00464144

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat.

We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention

Save yourself the hassle and get protected.
4. What is Find My Nascar Lineup?

The Malwarebytes research team has determined that Find My Nascar Lineup is a browser NewTab. These so-called "NewTabs" can manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Find My Nascar Lineup?

You may see this Chrome extension:
these warnings during install:
You may see this new startpage:
and these new settings:

How did Find My Nascar Lineup get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website:

How do I remove Find My Nascar Lineup?

Our program Malwarebytes can detect and remove this potentially unwanted program.

Please download Malwarebytes for Windows to your desktop.
Double-click MBSetup.exe and follow the prompts to install the program.
When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
Click on the Get started button.
Click Scan to start a Threat Scan.
When the scan is finished click Quarantine to remove the found threats.
Reboot the system if prompted to complete the removal process.

Is there anything else I need to do to get rid of Find My Nascar Lineup?

No, Malwarebytes' Anti-Malware removes Find My Nascar Lineup completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below, the full version of Malwarebytes would have protected you against the Find My Nascar Lineup hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and both Malwarebytes Premium and Malwarebytes Browser Guard block their domains:

Technical details for experts

Possible signs in FRST logs:

HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-ms (the data entry has 4 more characters). <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn
SearchScopes: HKCU -> DefaultScope {C447DB56-4C55-4194-82D4-66CA6C1AE688} URL = hxxp://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms}
SearchScopes: HKCU -> {C447DB56-4C55-4194-82D4-66CA6C1AE688} URL = hxxp://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms}
CHR NewTab: Default -> Active:"chrome-extension://mkdmnkkfdcpcfkdhbifiibojplamoene/index.html"
CHR Extension: (Find My Nascar Lineup) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene [2019-11-14]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
(SpringTech (Cayman) Ltd.) C:\Users\{username}\Desktop\FindMyNascarLineup.exe
Find My Nascar Lineup (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.4.0.2 - SpringTech (Cayman) Ltd.)
Alterations made by the installer:

File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0
   Adds the file about.html"="10/7/2019 4:21 AM, 6802 bytes, A
   Adds the file icon.png"="11/14/2019 9:11 AM, 7123 bytes, A
   Adds the file index.html"="10/7/2019 4:21 AM, 625 bytes, A
   Adds the file main.js"="10/7/2019 4:21 AM, 8115 bytes, A
   Adds the file main.js.map"="10/7/2019 4:21 AM, 4604 bytes, A
   Adds the file manifest.json"="11/14/2019 9:11 AM, 1375 bytes, A
   Adds the file polyfills.js"="10/7/2019 4:21 AM, 276518 bytes, A
   Adds the file polyfills.js.map"="10/7/2019 4:21 AM, 271850 bytes, A
   Adds the file polyfills-es5.js"="10/7/2019 4:21 AM, 401061 bytes, A
   Adds the file polyfills-es5.js.map"="10/7/2019 4:21 AM, 299080 bytes, A
   Adds the file popup.html"="10/7/2019 4:21 AM, 570 bytes, A
   Adds the file runtime.js"="10/7/2019 4:21 AM, 6233 bytes, A
   Adds the file runtime.js.map"="10/7/2019 4:21 AM, 6206 bytes, A
   Adds the file styles.css"="10/7/2019 4:21 AM, 249 bytes, A
   Adds the file styles.js"="10/7/2019 4:21 AM, 17351 bytes, A
   Adds the file styles.js.map"="10/7/2019 4:21 AM, 20279 bytes, A
   Adds the file vendor.js"="10/7/2019 4:21 AM, 3734558 bytes, A
   Adds the file vendor.js.map"="10/7/2019 4:21 AM, 3886759 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata
   Adds the file computed_hashes.json"="11/14/2019 9:11 AM, 104353 bytes, A
   Adds the file verified_contents.json"="10/7/2019 4:21 AM, 3380 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app
   Adds the file background.js"="10/7/2019 4:21 AM, 12302 bytes, A
   Adds the file index.js"="10/7/2019 4:21 AM, 5571 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene
   Adds the file 000003.log"="11/14/2019 9:11 AM, 67 bytes, A
   Adds the file CURRENT"="11/14/2019 9:11 AM, 16 bytes, A
   Adds the file LOCK"="11/14/2019 9:11 AM, 0 bytes, A
   Adds the file LOG"="11/14/2019 9:11 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="11/14/2019 9:11 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
   Adds the file Uninstall.exe"="11/14/2019 9:07 AM, 347416 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"mkdmnkkfdcpcfkdhbifiibojplamoene"="REG_SZ", "41D4CF9CDC198CC27559220CAD8AC76F546BE4C3F5D87EA6942BAC565DB835B5"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = REG_SZ, "{C447DB56-4C55-4194-82D4-66CA6C1AE688}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C447DB56-4C55-4194-82D4-66CA6C1AE688}]
"DisplayName"="REG_SZ", "Find My Nascar Lineup - Powered by Yahoo!"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.findmynascarlineuptab.com/s?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&source=_v1-bb9-iei&uc=20191114&ap=appfocus553&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn-su"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "Find My Nascar Lineup"
"DisplayVersion"="REG_SZ", "5.4.0.2"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
"Publisher"="REG_SZ", "SpringTech (Cayman) Ltd."
"UninstallDialog"="REG_DWORD", 2
"UninstallEngineID"="REG_SZ", "{C447DB56-4C55-4194-82D4-66CA6C1AE688}"
"UninstallHomepage"="REG_SZ", "http://search.findmynascarlineuptab.com/?uid=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&i_id=sports_spt__1.30&uc=20191114&ap=appfocus553&source=_v1-bb9-iei-msn"
"UninstallImpression"="REG_SZ", "http://www.typeyoursearch.com/impression.do?domain=findmynascarlineuptab.com&implementation_id=sports_spt__1.30&offer_id=_iei_&source=_v1-bb9-iei&sub_id=20191114&traffic_source=appfocus553&user_id=fb79c8d9-c2e1-4512-b2bc-81e94bc095df&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1573718519&sgn=9eecabf785db3129d9ed321158247c50cb04009f&subid2=11.0.9600.19507&event={exEvent}"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/14/19
Scan Time: 9:21 AM
Log File: b1e51e00-06b7-11ea-a362-00ffdcc6fdfc.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.718
Update Package Version: 1.0.14910
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 233925
Threats Detected: 40
Threats Quarantined: 40
Time Elapsed: 5 min, 44 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 158, 373878, , , ,

Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IEXPLORE, Quarantined, 208, 757195, 1.0.14910, , ame,
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 6
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, 158, 373878, 1.0.14910, , ame,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MKDMNKKFDCPCFKDHBIFIIBOJPLAMOENE\1.1_0, Quarantined, 208, 757812, 1.0.14910, , ame,

File: 31
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, 158, 373878, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\000003.log, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\CURRENT, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\LOCK, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\LOG, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mkdmnkkfdcpcfkdhbifiibojplamoene\MANIFEST-000001, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MKDMNKKFDCPCFKDHBIFIIBOJPLAMOENE\1.1_0\APP\BACKGROUND.JS, Quarantined, 208, 757812, 1.0.14910, , ame,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\app\index.js, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata\computed_hashes.json, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\_metadata\verified_contents.json, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\about.html, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\icon.png, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\index.html, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\main.js, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\main.js.map, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\manifest.json, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills-es5.js, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User
Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills-es5.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\polyfills.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\popup.html, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\runtime.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\runtime.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.css, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\styles.js.map, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\vendor.js, Quarantined, 208, 757812, , , , PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\vendor.js.map, 
Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FINDMYNASCARLINEUP.EXE, Quarantined, 158, 756784, 1.0.14910, D7795909B8C4DB37C7A293AB, dds, 00456916

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
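The scan log above is what a helper on this forum works from when confirming that a Spigot install has been cleaned up. As an added example (not part of the original post and not Malwarebytes code), the Python below parses lines in the -Scan Details- format shown in that log and pulls out the indicators worth keeping for a write-up: the Chrome extension ID, the GUID of the Uninstall key, the dropped installer, and which items were Replaced (Chrome's Preferences and Secure Preferences, the IE Start Page) rather than quarantined. The sample lines are constructed from the log above; the function and field names are the example's own.

```python
import re
from collections import Counter

# Constructed sample in the "-Scan Details-" format of the log above. Both the
# 4.x trailer style ("208, 757812, 1.0.14910, , ame,") and the 3.x style
# ("[209], [613267],1.0.13047") appear in the posts, so both are included.
SAMPLE_LOG = r"""
Registry Key: 1
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, 158, 373878, , , ,
Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IEXPLORE, Quarantined, 208, 757195, 1.0.14910, , ame,
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|mkdmnkkfdcpcfkdhbifiibojplamoene, Quarantined, 208, 757812, , , ,
Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [209], [613267],1.0.13047
File: 3
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 208, 757812, , , ,
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkdmnkkfdcpcfkdhbifiibojplamoene\1.1_0\manifest.json, Quarantined, 208, 757812, , , ,
PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FINDMYNASCARLINEUP.EXE, Quarantined, 158, 756784, 1.0.14910, D7795909B8C4DB37C7A293AB, dds, 00456916
Physical Sector: 0 (No malicious items detected)
"""

# Section headers such as "File: 31" or "Registry Value: 2".
SECTION_RE = re.compile(
    r"^(Process|Module|Registry Key|Registry Value|Registry Data|Data Stream"
    r"|Folder|File|Physical Sector|WMI): (\d+)"
)
# One detection line: detection name, item path, action, then a version-dependent trailer.
DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+), (?P<path>.+?), "
    r"(?P<action>Quarantined|Replaced|Deleted|Delete-on-Reboot|No Action By User), "
    r"(?P<trailer>.*)$"
)
# Chrome extension IDs are 32 letters from a-p (mpdecimal of the key hash).
CHROME_EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])", re.I)
GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)


def parse_scan_details(text):
    """Return one dict per detection line, tagged with the section it appears under."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def summarize(items):
    """Collapse the detections into the indicators a responder would record."""
    summary = {
        "families": Counter(i["name"] for i in items),
        "actions": Counter(i["action"] for i in items),
        "chrome_extension_ids": set(),
        "uninstall_guids": set(),
        "replaced": [],        # settings rewritten in place, not quarantined
        "dropped_files": [],   # executables found on disk (the downloaded installer)
    }
    for i in items:
        path = i["path"]
        for ext in CHROME_EXT_ID_RE.findall(path):
            summary["chrome_extension_ids"].add(ext.lower())
        if "\\UNINSTALL\\" in path.upper():
            summary["uninstall_guids"].update(g.lower() for g in GUID_RE.findall(path))
        if i["action"] == "Replaced":
            summary["replaced"].append(path)
        if i["section"] == "File" and path.lower().endswith(".exe"):
            summary["dropped_files"].append(path)
    return summary


if __name__ == "__main__":
    for key, value in summarize(parse_scan_details(SAMPLE_LOG)).items():
        print(key, value)
```

The Replaced entries are the ones to keep an eye on after a cleanup: Malwarebytes rewrote the setting (Chrome's Preferences and Secure Preferences, the IE Start Page) instead of removing a file, so a second scan or a look at the browser's start page is the check that the rewrite held.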
5. What is My Flight Finder?

The Malwarebytes research team has determined that My Flight Finder is a browser NewTab and search hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This particular one also uses web push notifications.

How do I know if my computer is affected by My Flight Finder?

You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
You may see this changed setting in Internet Explorer:
this entry in the list of installed Programs and Features:
and this startpage in the affected browser(s):

How did My Flight Finder get on my computer?

Browser hijackers use different methods for distributing themselves. The Chrome extension was downloaded from the webstore:
after a redirect from their website:

How do I remove My Flight Finder?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of My Flight Finder?

No, Malwarebytes removes My Flight Finder completely.
If you have allowed the notifications you can read here how to disable them.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Flight Finder hijacker.
It would have blocked the installer, giving you a chance to stop it before it became too late.
and we block traffic to several of their domains.

Technical details for experts

Possible signs in FRST logs:

HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn-su <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn
SearchScopes: HKCU -> DefaultScope {64FD37A2-E224-4824-B937-5023F56944F0} URL = hxxp://search.hmyflightfinder.net/s?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei&query={searchTerms}
SearchScopes: HKCU -> {64FD37A2-E224-4824-B937-5023F56944F0} URL = hxxp://search.hmyflightfinder.net/s?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei&query={searchTerms}
CHR NewTab: Default -> Active:"chrome-extension://jcojppmbommbjimpoopbbgpkjbemnafa/newtabhtml/newtabpage.html"
CHR Extension: (My Flight Finder Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa [2019-10-24]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} (SpringTech Ltd.)
C:\Users\{username}\Desktop\MyFlightFinder-26320431.exe
My Flight Finder (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.2.0.9 - SpringTech Ltd.)
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0
    Adds the file central.js"="10/1/2019 2:06 PM, 2612 bytes, A
    Adds the file icon.png"="10/24/2019 9:05 AM, 2719 bytes, A
    Adds the file manifest.json"="10/24/2019 9:05 AM, 1364 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_locales\en
    Adds the file messages.json"="10/24/2019 9:05 AM, 209 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_metadata
    Adds the file computed_hashes.json"="10/24/2019 9:05 AM, 1460 bytes, A
    Adds the file verified_contents.json"="10/1/2019 2:06 PM, 3027 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\html\bAction
    Adds the file about.html"="10/1/2019 2:06 PM, 4052 bytes, A
    Adds the file newtabpage.html"="10/1/2019 2:06 PM, 214 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js
    Adds the file browseraction.js"="10/1/2019 2:06 PM, 997 bytes, A
    Adds the file config.js"="10/1/2019 2:06 PM, 1016 bytes, A
    Adds the file dailyFeature.js"="10/1/2019 2:06 PM, 3524 bytes, A
    Adds the file diagnostic.js"="10/1/2019 2:06 PM, 799 bytes, A
    Adds the file log.js"="10/1/2019 2:06 PM, 886 bytes, A
    Adds the file newTab.js"="10/1/2019 2:06 PM, 1628 bytes, A
    Adds the file search.js"="10/1/2019 2:06 PM, 857 bytes, A
    Adds the file store.js"="10/1/2019 2:06 PM, 235 bytes, A
    Adds the file utility.js"="10/1/2019 2:06 PM, 2537 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\newtabhtml
    Adds the file newtabpage.html"="10/1/2019 2:06 PM, 207 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa
    Adds the file 000003.log"="10/24/2019 9:05 AM, 457 bytes, A
    Adds the file CURRENT"="10/24/2019 9:05 AM, 16 bytes, A
    Adds the file LOCK"="10/24/2019 9:05 AM, 0 bytes, A
    Adds the file LOG"="10/24/2019 9:05 AM, 184 bytes, A
    Adds the file MANIFEST-000001"="10/24/2019 9:05 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
    Adds the file Uninstall.exe"="10/24/2019 9:00 AM, 396240 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"jcojppmbommbjimpoopbbgpkjbemnafa"="REG_SZ", "3B10AA98C486DCA467B5EA57A859F60933EE121046FA0C5EB1EC2E02036CE634"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = REG_SZ, "{64FD37A2-E224-4824-B937-5023F56944F0}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{64FD37A2-E224-4824-B937-5023F56944F0}]
"DisplayName"="REG_SZ", "My Flight Finder - Powered by Yahoo!"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.hmyflightfinder.net/s?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei&query={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IEXPLORE"="REG_SZ", "C:\Program Files\Internet Explorer\IEXPLORE.EXE http://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn-su"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "My Flight Finder"
"DisplayVersion"="REG_SZ", "5.2.0.9"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
"Publisher"="REG_SZ", "SpringTech Ltd."
"UninstallDialog"="REG_DWORD", 2
"UninstallEngineID"="REG_SZ", "{64FD37A2-E224-4824-B937-5023F56944F0}"
"UninstallHomepage"="REG_SZ", "http://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn"
"UninstallImpression"="REG_SZ", "http://www.browser-tech.com/impression.do?domain=hmyflightfinder.net&implementation_id=flights_spt__1.30&offer_id=_iei_&source=-lp0-bb9-iei&sub_id=20191024&traffic_source=appfocus1&user_id=204259f1-46df-4557-a3a0-e7d6c00f5b83&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1571900374&sgn=c2506711df4be4259af02f185bcd2e7cb6777a82&subid2=11.0.9600.19507&event={exEvent}"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/24/19
Scan Time: 1:53 PM
Log File: f35924ee-f654-11e9-a22d-00ffdcc6fdfc.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.629
Update Package Version: 1.0.13047
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 234402
Threats Detected: 44
Threats Quarantined: 44
Time Elapsed: 18 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{4A223147-F24A-49C7-9BCA-1AE261B1E0D5}, Quarantined, [209], [368913],1.0.13047
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [158], [373879],1.0.13047

Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{4A223147-F24A-49C7-9BCA-1AE261B1E0D5}|URL, Quarantined, [209], [368913],1.0.13047
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|jcojppmbommbjimpoopbbgpkjbemnafa, Quarantined, [209], [752296],1.0.13047

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [209], [613267],1.0.13047

Data Stream: 0
(No malicious items detected)

Folder: 11
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [158], [373878],1.0.13047
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\html\bAction, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_locales\en, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\newtabhtml, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_metadata, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_locales, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\html, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCOJPPMBOMMBJIMPOOPBBGPKJBEMNAFA\1.1_0, Quarantined, [209], [752296],1.0.13047 File: 28 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [158], [373878],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\000003.log, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\CURRENT, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\LOCK, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\LOG, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\LOG.old, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jcojppmbommbjimpoopbbgpkjbemnafa\MANIFEST-000001, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JCOJPPMBOMMBJIMPOOPBBGPKJBEMNAFA\1.1_0\JS\DAILYFEATURE.JS, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\html\bAction\about.html, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\html\bAction\newtabpage.html, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\browseraction.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\config.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\diagnostic.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\log.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\newTab.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\search.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\store.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\js\utility.js, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\newtabhtml\newtabpage.html, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_locales\en\messages.json, Quarantined, [209], [752296],1.0.13047 PUP.Optional.Spigot.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_metadata\computed_hashes.json, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\_metadata\verified_contents.json, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\central.js, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\icon.png, Quarantined, [209], [752296],1.0.13047
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa\1.1_0\manifest.json, Quarantined, [209], [752296],1.0.13047
Adware.BrowserIO, C:\USERS\{username}\DOWNLOADS\MYFLIGHTFINDER-26321233.EXE, Quarantined, [738], [661366],1.0.13047

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
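The "Possible signs in FRST logs" block in the post above is the part a helper reads first, and the traits that recur across these Spigot write-ups are mechanical enough to check by script: a Run value that starts Internet Explorer with the hijack URL so the page comes back at every logon, an IE Start Page and SearchScopes URL that carry the same tracking uid, i_id and ap=appfocus parameters, a Chrome NewTab override pointing at an extension, and a Programs and Features entry published by SpringTech. As an added example (not part of the original post, and not FRST or Malwarebytes code), the Python below classifies lines in that FRST format, restores the hxxp scheme for parsing, and correlates the findings by uid, host and extension ID. The sample lines are constructed from the signs shown above plus one benign Run entry; the function and key names are the example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the FRST signs above. The last line is a
# made-up benign Run entry, included to show that not every Run value is flagged.
SAMPLE_FRST = r"""
HKCU\...\Run: [IEXPLORE] => C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn-su <==== ATTENTION
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hmyflightfinder.net/?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei-msn
SearchScopes: HKCU -> DefaultScope {64FD37A2-E224-4824-B937-5023F56944F0} URL = hxxp://search.hmyflightfinder.net/s?uc=20191024&ap=appfocus1&uid=204259f1-46df-4557-a3a0-e7d6c00f5b83&i_id=flights_spt__1.30&source=-lp0-bb9-iei&query={searchTerms}
CHR NewTab: Default -> Active:"chrome-extension://jcojppmbommbjimpoopbbgpkjbemnafa/newtabhtml/newtabpage.html"
CHR Extension: (My Flight Finder Tab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jcojppmbommbjimpoopbbgpkjbemnafa [2019-10-24]
My Flight Finder (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 5.2.0.9 - SpringTech Ltd.)
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
"""

URL_RE = re.compile(r"h(?:xx|tt)ps?://\S+")   # FRST writes hxxp so log URLs are not clickable
RUN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)(?: <==== ATTENTION)?$")
STARTPAGE_RE = re.compile(r"Internet Explorer\\Main,Start Page = (?P<url>\S+)")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> (?P<scope>DefaultScope )?(?P<guid>\{[0-9A-Fa-f-]+\}) URL = (?P<url>\S+)")
NEWTAB_RE = re.compile(r'^CHR NewTab: .* -> Active:"chrome-extension://(?P<ext>[a-p]{32})/')
CHR_EXT_RE = re.compile(r"^CHR Extension: \((?P<title>[^)]*)\) - .*\\Extensions\\(?P<ext>[a-p]{32})")
PROGRAM_RE = re.compile(r"^(?P<name>.+?) \((?P<hive>HK\w+)\\\.\.\.\\(?P<guid>\{[0-9A-Fa-f-]+\})\) \(Version: (?P<version>\S+) - (?P<publisher>.+)\)$")

BROWSER_EXES = ("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe")
TRACKING_PARAMS = {"uid", "i_id", "ap", "source", "uc"}   # the query parameters seen in these posts


def refang(url):
    return re.sub(r"^hxxp", "http", url)


def tracking_params(url):
    """The installer-tracking parameters present in a hijack URL, or {} for a clean one."""
    query = parse_qs(urlsplit(refang(url)).query)
    return {k: v[0] for k, v in query.items() if k in TRACKING_PARAMS}


def _url_finding(kind, url, **extra):
    params = tracking_params(url)
    # uid + i_id + ap together is the pattern shared by every Spigot URL on this page.
    return {"kind": kind, "url": refang(url), "params": params,
            "spigot_pattern": {"uid", "i_id", "ap"} <= params.keys(), **extra}


def classify(line):
    """Return a finding dict for one FRST line, or None if it is not one of the signs."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        cmd, url = m.group("cmd"), URL_RE.search(m.group("cmd"))
        # Persistence: a browser started at logon with a URL argument re-opens the hijack page.
        if url and any(exe in cmd.lower() for exe in BROWSER_EXES):
            return _url_finding("run_opens_url", url.group(), name=m.group("name"))
        return None
    m = STARTPAGE_RE.search(line)
    if m:
        return _url_finding("ie_startpage", m.group("url"))
    m = SCOPE_RE.match(line)
    if m:
        return _url_finding("ie_searchscope", m.group("url"), guid=m.group("guid").lower(),
                            default=bool(m.group("scope")))
    m = NEWTAB_RE.match(line)
    if m:
        return {"kind": "chrome_newtab_override", "ext": m.group("ext")}
    m = CHR_EXT_RE.match(line)
    if m:
        return {"kind": "chrome_extension", "ext": m.group("ext"), "title": m.group("title")}
    m = PROGRAM_RE.match(line)
    if m:
        return {"kind": "installed_program", "name": m.group("name"),
                "guid": m.group("guid").lower(), "publisher": m.group("publisher")}
    return None


def correlate(lines):
    """Group findings by the identifiers that tie them to one installer run."""
    findings = [f for f in (classify(l) for l in lines) if f]
    return {
        "findings": findings,
        "uids": {f["params"]["uid"] for f in findings if f.get("params", {}).get("uid")},
        "hosts": {urlsplit(f["url"]).hostname for f in findings if "url" in f},
        "extensions": {f["ext"] for f in findings if "ext" in f},
        "uninstall_guids": {f["guid"] for f in findings if f["kind"] == "installed_program"},
    }


if __name__ == "__main__":
    for finding in correlate(SAMPLE_FRST.splitlines())["findings"]:
        print(finding["kind"], finding.get("url") or finding.get("ext") or finding.get("name"))
```

The point of correlating on uid is that the Run value, the Start Page and the SearchScopes URL in one of these logs all carry the same uid, which is how you tell they came from one installer run; the Run value is the one that matters most, because fixing only the Start Page leaves the page coming back at the next logon.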
6. What is Quick Maps And Directions?

The Malwarebytes research team has determined that Quick Maps And Directions is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one hijacks homepages and searchscopes.

How do I know if my computer is affected by Quick Maps And Directions?

You may see this entry in your list of installed software:
and these warnings during install:
these browser add-ons/extensions:
and this changed default search engine:
and you will see this new startpage or newtab in the affected browser(s):

How did Quick Maps And Directions get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded through their website.

How do I remove Quick Maps And Directions?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Quick Maps And Directions?

No, Malwarebytes removes Quick Maps And Directions completely.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Quick Maps And Directions hijacker.
It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
and it would have blocked access to their site:

Technical details for experts

Possible signs in FRST logs:

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei
SearchScopes: HKCU -> DefaultScope {2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0} URL = hxxp://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms}
SearchScopes: HKCU -> {2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0} URL = hxxp://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms}
FF HomepageOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: web@Maps
FF NewTabOverride: Mozilla\Firefox\Profiles\{profile}.default -> Enabled: web@Maps
FF Extension: (Maps) - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Maps.xpi [2019-01-29]
CHR NewTab: Default -> Active:"chrome-extension://clmhhlhnmdefjcebkphiefgdbglinjga/newtab/quicktab.html"
CHR Extension: (Quick Maps and Directions) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga [2019-01-29]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
Quick Maps And Directions (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.)
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0
    Adds the file after.js"="11/13/2018 2:10 PM, 950 bytes, A
    Adds the file background.js"="11/13/2018 2:11 PM, 12252 bytes, A
    Adds the file chromeRestore.js"="9/10/2018 12:14 PM, 2256 bytes, A
    Adds the file contentscript.js"="9/10/2018 12:14 PM, 1243 bytes, A
    Adds the file icon.png"="1/29/2019 9:41 AM, 5980 bytes, A
    Adds the file manifest.json"="1/29/2019 9:41 AM, 1464 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en
    Adds the file messages.json"="1/29/2019 9:41 AM, 283 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata
    Adds the file computed_hashes.json"="1/29/2019 9:41 AM, 1264 bytes, A
    Adds the file verified_contents.json"="11/13/2018 2:48 PM, 2736 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css
    Adds the file browserAction.css"="9/10/2018 12:14 PM, 95 bytes, A
    Adds the file description.css"="9/10/2018 12:14 PM, 1008 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction
    Adds the file browserAction.html"="9/10/2018 12:14 PM, 239 bytes, A
    Adds the file description.html"="9/10/2018 12:14 PM, 273 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\popup
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js
    Adds the file userNewTab.js"="9/10/2018 12:14 PM, 1681 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\popup
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab
    Adds the file quicktab.html"="9/10/2018 12:14 PM, 212 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga
    Adds the file 000003.log"="1/29/2019 9:41 AM, 301 bytes, A
    Adds the file CURRENT"="1/29/2019 9:41 AM, 16 bytes, A
    Adds the file LOCK"="1/29/2019 9:41 AM, 0 bytes, A
    Adds the file LOG"="1/29/2019 9:41 AM, 184 bytes, A
    Adds the file MANIFEST-000001"="1/29/2019 9:41 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
    Adds the file Uninstall.exe"="1/29/2019 9:36 AM, 320256 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Maps
    Adds the file storage.js"="1/29/2019 9:39 AM, 350 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
    Adds the file web@Maps.xpi"="1/29/2019 9:39 AM, 12474 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"clmhhlhnmdefjcebkphiefgdbglinjga"="REG_SZ", "C3882B0C5E1DA0279158C01DB92D7DB8D59F05A978E1CE56F1E0EC0F07C8DB7C"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = REG_SZ, "{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}]
"DisplayName"="REG_SZ", "Quick Maps And Directions - Powered by Yahoo!"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.hquickmapsanddirections.com/s?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei&query={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "Quick Maps And Directions"
"DisplayVersion"="REG_SZ", "4.4.0.3"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
"Publisher"="REG_SZ", "SpringTech Ltd."
"UninstallDialog"="REG_DWORD", 2
"UninstallEngineID"="REG_SZ", "{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}"
"UninstallHomepage"="REG_SZ", "http://search.hquickmapsanddirections.com/?uid=ffacf9dc-0dc1-484b-bb45-74b383914b45&i_id=maps_spt__1.30&uc=20190129&ap=appfocus1&source=-lp0-bb9-iei"
"UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hquickmapsanddirections.com&implementation_id=maps_spt__1.30&offer_id=_iei_&source=-lp0-bb9-iei&sub_id=20190129&traffic_source=appfocus1&user_id=ffacf9dc-0dc1-484b-bb45-74b383914b45&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1548750669&sgn=e83397fd3c3b2a355519227a73ce9e87e17824a0&subid2=11.0.9600.19236&event={exEvent}"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/29/19
Scan Time: 9:52 AM
Log File: 39d82530-23a3-11e9-bdf5-00ffdcc6fdfc.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.9014
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 235789
Threats Detected: 46
Threats Quarantined: 46
Time Elapsed: 3 min, 12 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}, Quarantined, [220], [614252],1.0.9014
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [167], [373879],1.0.9014

Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}|URL, Quarantined, [220], [614252],1.0.9014
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|clmhhlhnmdefjcebkphiefgdbglinjga, Quarantined, [220], [530199],1.0.9014

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [220], [613776],1.0.9014

Data Stream: 0
(No malicious items detected)

Folder: 15
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [167], [373878],1.0.9014
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga, Quarantined, [220], [530199],1.0.9014
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction, Quarantined, [220], [530199],1.0.9014
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\popup, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\popup, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLMHHLHNMDEFJCEBKPHIEFGDBGLINJGA, Quarantined, [220], 
[530199],1.0.9014 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@MAPS, Quarantined, [1714], [508613],1.0.9014 File: 26 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@MAPS.XPI, Quarantined, [1714], [509072],1.0.9014 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [167], [373878],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\000003.log, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\CURRENT, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\LOCK, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\LOG, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clmhhlhnmdefjcebkphiefgdbglinjga\MANIFEST-000001, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLMHHLHNMDEFJCEBKPHIEFGDBGLINJGA\5.1_0\CHROMERESTORE.JS, 
Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css\browserAction.css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\css\description.css, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction\browserAction.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\html\browserAction\description.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\js\userNewTab.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\newtab\quicktab.html, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_locales\en\messages.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata\computed_hashes.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\_metadata\verified_contents.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, 
C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\after.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\background.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\contentscript.js, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\icon.png, Quarantined, [220], [530199],1.0.9014 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\manifest.json, Quarantined, [220], [530199],1.0.9014 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@MAPS\STORAGE.JS, Quarantined, [1714], [508613],1.0.9014 Generic.Malware/Suspicious, C:\USERS\{username}\DESKTOP\QUICKMAPSANDDIRECTIONS-11959808.EXE, Quarantined, [0], [392686],1.0.9014 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
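The Malwarebytes scan logs quoted in these posts have a fixed layout: a "-Scan Summary-" block with the "Threats Detected" total, then a "-Scan Details-" block where each category line ("Registry Key: 2", "Folder: 15", ...) is followed by one detection per line in the form "name, target, action, [rule id], [vendor id],package version". When a hijacker keeps reappearing it helps to read these logs mechanically rather than by eye: which detection families are present, which items were "Replaced" (settings reset in place, such as the IE start page and Chrome's Preferences files) rather than quarantined, and whether the per-category counts add up to the declared total. The following parser is an added example written for this page; it is not Malwarebytes code and not part of the original post. The sample log is an excerpt of the log above, trimmed to ten detections with the counts adjusted to match, and the field names (rule_id, vendor_id, package) are labels chosen here, not Malwarebytes' own.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the Malwarebytes 3 scan log quoted above,
# trimmed to ten detections; the per-category counts and the Threats Detected
# total were adjusted to match the excerpt.
SAMPLE_LOG = r"""Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/29/19
Scan Time: 9:52 AM

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 235789
Threats Detected: 10
Threats Quarantined: 10

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}, Quarantined, [220], [614252],1.0.9014
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [167], [373879],1.0.9014

Registry Value: 2
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{2D4DE1EF-E4F6-4575-845B-9B6ACF178EB0}|URL, Quarantined, [220], [614252],1.0.9014
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|clmhhlhnmdefjcebkphiefgdbglinjga, Quarantined, [220], [530199],1.0.9014

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [220], [613776],1.0.9014

Folder: 2
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [167], [373878],1.0.9014
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@MAPS, Quarantined, [1714], [508613],1.0.9014

File: 3
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [167], [373878],1.0.9014
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [220], [530199],1.0.9014
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clmhhlhnmdefjcebkphiefgdbglinjga\5.1_0\manifest.json, Quarantined, [220], [530199],1.0.9014

(end)
"""

# "Registry Key: 2" style category header inside -Scan Details-.
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")

# "name, target, action, [rule id], [vendor id],package" detection line. The
# target is matched greedily so a path containing ", " still parses; the trailing
# bracketed numbers pin down where the action field starts.
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<target>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<rule_id>\d+)\], \[(?P<vendor_id>\d+)\],(?P<package>[\d.]+)$"
)


def parse_mb_log(text):
    """Return the declared threat total, the per-category counts and the
    individual detections of a Malwarebytes 3 scan log."""
    report = {"threats_detected": None, "declared": {}, "detections": []}
    in_details = False
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") and line.endswith("-"):
            # Section banner such as -Scan Summary- or -Scan Details-.
            in_details = line == "-Scan Details-"
            continue
        if line.startswith("Threats Detected:"):
            report["threats_detected"] = int(line.split(":", 1)[1])
            continue
        if not in_details:
            continue
        m = HEADER_RE.match(line)
        if m:
            category = m.group("category")
            report["declared"][category] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and category is not None:
            det = m.groupdict()
            det["category"] = category
            report["detections"].append(det)
    return report


def detections_by_family(report):
    """Count detections per detection name, e.g. PUP.Optional.Spigot.Generic."""
    return Counter(d["name"] for d in report["detections"])


def counts_consistent(report):
    """True when every category's declared count matches the lines parsed under
    it and the category totals add up to the Threats Detected figure."""
    parsed = Counter(d["category"] for d in report["detections"])
    declared = report["declared"]
    per_category_ok = all(parsed.get(cat, 0) == n for cat, n in declared.items())
    return per_category_ok and sum(declared.values()) == report["threats_detected"]


def restored_settings(report):
    """Targets reported as 'Replaced': settings that were reset in place (the IE
    start page, Chrome's Preferences files) rather than quarantined. These are the
    items to re-check if the hijacker appears to come back after a reboot."""
    return [d["target"] for d in report["detections"] if d["action"] == "Replaced"]


def main():
    report = parse_mb_log(SAMPLE_LOG)
    print("declared:", report["threats_detected"], "parsed:", len(report["detections"]),
          "consistent:", counts_consistent(report))
    for family, n in detections_by_family(report).most_common():
        print(f"  {n:3d}  {family}")
    print("settings reset in place:")
    for target in restored_settings(report):
        print("  ", target)


if __name__ == "__main__":
    main()
```

Run it against a full log saved from Malwarebytes and a consistency failure usually means a line was wrapped or truncated when the log was pasted, which is worth knowing before drawing conclusions from it.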
7. What is Live TV Now?
The Malwarebytes research team has determined that Live TV Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
Live TV Now is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

How do I know if my computer is affected by Live TV Now?
You may see this browser add-on:
and this new default search provider:
You may see this entry in your list of installed software:
these warnings during install:
and this new startpage in the affected browser(s):

How did Live TV Now get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove Live TV Now?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Live TV Now?
No, Malwarebytes removes Live TV Now completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes would have protected you against the Live TV Now hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late.
And it blocks traffic to their domain.

Technical details for experts
Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8
SearchScopes: HKCU -> DefaultScope {466FE350-6C13-453E-8AA2-36D2C20EC9FF} URL = hxxp://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms}
SearchScopes: HKCU -> {466FE350-6C13-453E-8AA2-36D2C20EC9FF} URL = hxxp://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@TV.xpi [2018-10-02]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
Live TV Now (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.)

Changes made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
    Adds the file Uninstall.exe"="10/2/2018 9:02 AM, 320256 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@TV
    Adds the file storage.js"="10/2/2018 8:59 AM, 308 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
    Adds the file web@TV.xpi"="10/2/2018 8:59 AM, 14977 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = REG_SZ, "http://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope" = REG_SZ, "{466FE350-6C13-453E-8AA2-36D2C20EC9FF}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{466FE350-6C13-453E-8AA2-36D2C20EC9FF}]
    "DisplayName"="REG_SZ", "Live TV Now - Powered by Yahoo!"
    "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
    "URL"="REG_SZ", "http://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
    "DisplayName"="REG_SZ", "Live TV Now"
    "DisplayVersion"="REG_SZ", "4.4.0.3"
    "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
    "Publisher"="REG_SZ", "SpringTech Ltd."
    "UninstallDialog"="REG_DWORD", 2
    "UninstallEngineID"="REG_SZ", "{466FE350-6C13-453E-8AA2-36D2C20EC9FF}"
    "UninstallHomepage"="REG_SZ", "http://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8"
    "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hlivetvnow.co&implementation_id=tv_spt__1.30&offer_id=_iei_&source=-lp0-bb8&sub_id=20181002&traffic_source=appfocus1&user_id={user clsid}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1538463719&sgn=ad6a2e0822ff0423b39a337b1a7ce4a87bed3f12&subid2=11.0.9600.19129&event={exEvent}"
    "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/2/18
Scan Time: 9:10 AM
Log File: 3c0e1146-c612-11e8-aaf7-00ffdcc6fdfc.json

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.441
Update Package Version: 1.0.7131
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 239068
Threats Detected: 6
Threats Quarantined: 6
Time Elapsed: 2 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [170], [373878],1.0.7131

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [170], [373878],1.0.7131
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@TV, Quarantined, [1701], [508613],1.0.7131

File: 3
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [170], [373878],1.0.7131
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@TV.XPI, Quarantined, [1701], [509071],1.0.7131
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@TV\STORAGE.JS, Quarantined, [1701], [508613],1.0.7131

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
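The "Registry details" blocks in this post and in the Quick Maps And Directions post above show the Internet Explorer side of a Spigot hijack: "Start Page" under HKCU\Software\Microsoft\Internet Explorer\Main is pointed at the hijacker's search site, and "DefaultScope" under SearchScopes is set to a GUID whose own subkey carries the search URL template (the {searchTerms} placeholder) plus a fixed set of identifiers (uid, i_id, uc, ap, source) that ride along with every search. The following Python is an added example for this page, not Malwarebytes code and not from the original post. It reads an export in the format quoted here, follows DefaultScope to the scope it names, reports any start page or search host that is not on an allowlist, and separates the tracking parameters from the query. The sample export is taken from this post's registry details; the KNOWN_SEARCH_HOSTS allowlist is an assumption made for the example, and a real deployment would maintain its own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the "Registry details" block from the post above, in the
# same export format (key in brackets, then "name"=type, value). {user clsid}
# is the post's own placeholder for the per-install id.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = REG_SZ, "{466FE350-6C13-453E-8AA2-36D2C20EC9FF}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{466FE350-6C13-453E-8AA2-36D2C20EC9FF}]
"DisplayName"="REG_SZ", "Live TV Now - Powered by Yahoo!"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "Live TV Now"
"Publisher"="REG_SZ", "SpringTech Ltd."
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"
'''

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_SCOPES = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"

# Assumption for this example: hosts a default search provider is allowed to use.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# Accepts both spellings seen in the export: "Name" = REG_SZ, "v" and "Name"="REG_SZ", "v".
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<type>REG_[A-Z_]+)"?,\s*(?P<value>.*)$')


def parse_reg_details(text):
    """Return {key (lower-cased): {value name (lower-cased): (type, value)}}.
    Registry paths and value names are case-insensitive, hence the lower-casing."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group("value").strip()
            # Strip the outer quotes of a quoted string; inner quotes (as in
            # UninstallString) are kept.
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            reg[current][m.group("name").lower()] = (m.group("type"), value)
    return reg


def reg_value(reg, key, name):
    return reg.get(key.lower(), {}).get(name.lower(), (None, None))[1]


def ie_search_settings(reg):
    """Follow DefaultScope to the scope subkey it names and return the start
    page and the search URL template IE would actually use."""
    scope = reg_value(reg, IE_SCOPES, "DefaultScope")
    search_url = reg_value(reg, IE_SCOPES + "\\" + scope, "URL") if scope else None
    return {"start_page": reg_value(reg, IE_MAIN, "Start Page"),
            "default_scope": scope, "search_url": search_url}


def host_of(url):
    return urlsplit(url).hostname if url else None


def unexpected_search_hosts(settings, allowlist=KNOWN_SEARCH_HOSTS):
    """Start page or search hosts that are not on the allowlist, sorted."""
    hosts = {host_of(settings["start_page"]), host_of(settings["search_url"])} - {None}
    return sorted(h for h in hosts if h not in allowlist)


def tracking_params(url):
    """Query parameters other than the search term itself: the install id (uid),
    campaign identifiers (i_id, ap, source) and the install date (uc)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items() if k != "query"}


def main():
    reg = parse_reg_details(SAMPLE_REG)
    settings = ie_search_settings(reg)
    print("default scope:", settings["default_scope"])
    print("unexpected hosts:", unexpected_search_hosts(settings))
    print("sent with every search:", tracking_params(settings["search_url"]))


if __name__ == "__main__":
    main()
```

The same check applies to the FRST lines quoted under "Possible signs in a FRST log": the DefaultScope GUID there must resolve to a scope whose URL host you recognise, otherwise the search provider has been redirected even if the display name still says "Powered by Yahoo!".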
  8. These two PUPs keep coming back. I ran the scan, submitted the logs, but nothing helps. Right after I quarantine, I get a message from WinPatrol saying something like "someone is trying to change your start page to Google". Optional Spigot (in location) seems to be associated with the registry for the start page of Internet Explorer (I don't use IE) and the reimage is listed as a File, it's in the APPDATA LOCAL GOOGLE CHROME USER DATA DEFAULT PREFERENCES. Hope you can help. Paul
9. What is Fastest Searches?
The Malwarebytes research team has determined that Fastest Searches is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.

How do I know if my computer is affected by Fastest Searches?
You may see this entry in your list of installed Chrome extensions:
and these warnings during install:
and this changed setting:

How did Fastest Searches get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was installed through their website:
but it was also available in the webstore:

How do I remove Fastest Searches?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Fastest Searches?
No, Malwarebytes removes Fastest Searches completely.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes would have protected you against the Fastest Searches hijacker. It would have blocked the website, giving you a chance to stop it before it became too late.

Technical details for experts
Possible signs in FRST logs:
CHR DefaultSearchURL: Default -> hxxp://search.hfastestsearches.com/s?query={searchTerms}
CHR DefaultSearchKeyword: Default -> qs
CHR Extension: (Fastest) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag [2018-08-31]

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0
    Adds the file background.js"="5/16/2018 11:13 AM, 16954 bytes, A
    Adds the file contentscript.js"="5/16/2018 11:07 AM, 374 bytes, A
    Adds the file icon.png"="8/31/2018 9:33 AM, 5540 bytes, A
    Adds the file manifest.json"="8/31/2018 9:33 AM, 1663 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en
    Adds the file messages.json"="8/31/2018 9:33 AM, 256 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata
    Adds the file computed_hashes.json"="8/31/2018 9:33 AM, 936 bytes, A
    Adds the file verified_contents.json"="5/24/2018 9:39 AM, 2008 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css
    Adds the file description.css"="3/30/2017 12:11 PM, 1008 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup
    Adds the file description.html"="5/1/2018 10:56 AM, 238 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag
    Adds the file 000003.log"="8/31/2018 9:33 AM, 142 bytes, A
    Adds the file CURRENT"="8/31/2018 9:33 AM, 16 bytes, A
    Adds the file LOCK"="8/31/2018 9:33 AM, 0 bytes, A
    Adds the file LOG"="8/31/2018 9:33 AM, 184 bytes, A
    Adds the file MANIFEST-000001"="8/31/2018 9:33 AM, 41 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
    "ikkekhbleajmjkelloigdbmbgkejjmag"="REG_SZ"", "56F15BA5875321C0ACC6232322046B30198203634B8427CF493D631C84EC1E84"

Malwarebytes log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/31/18
Scan Time: 9:25 AM
Log File: 07abfc88-acef-11e8-a2b7-00ffdcc6fdfc.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6579
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 252323
Threats Detected: 25
Threats Quarantined: 25
Time Elapsed: 4 min, 19 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 9
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IKKEKHBLEAJMJKELLOIGDBMBGKEJJMAG, Quarantined, [223], [495178],1.0.6579

File: 16
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\000003.log, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\CURRENT, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\LOCK, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\LOG, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\MANIFEST-000001, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IKKEKHBLEAJMJKELLOIGDBMBGKEJJMAG\1.7_0\BACKGROUND.JS, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css\description.css, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup\description.html, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en\messages.json, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata\computed_hashes.json, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata\verified_contents.json, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\contentscript.js, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\icon.png, Quarantined, [223], [495178],1.0.6579
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\manifest.json, Quarantined, [223], [495178],1.0.6579

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  10. What is Get Speed Tracker?
The Malwarebytes research team has determined that Get Speed Tracker is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
Get Speed Tracker is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

How do I know if my computer is affected by Get Speed Tracker?
You may see this Chrome extension:
and these warnings during install:
You may see this icon in your Chrome menu-bar:
and this newtab page in the affected browser(s):

How did Get Speed Tracker get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site, but it was also available in the webstore:

How do I remove Get Speed Tracker?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Get Speed Tracker?
No, Malwarebytes removes Get Speed Tracker completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Get Speed Tracker hijacker. It would have blocked traffic to their domain.

Technical details for experts
Possible signs in a FRST log:
CHR Extension: (Get Speed Tracker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp [2018-07-20]

Changes made by the installer:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0
    Adds the file after.js"="4/13/2018 3:22 PM, 1276 bytes, A
    Adds the file background.js"="4/13/2018 3:22 PM, 13635 bytes, A
    Adds the file chromeRestore.js"="4/13/2018 3:22 PM, 2254 bytes, A
    Adds the file contentscript.js"="4/13/2018 3:22 PM, 1243 bytes, A
    Adds the file icon.png"="7/20/2018 10:58 AM, 2458 bytes, A
    Adds the file manifest.json"="7/20/2018 10:58 AM, 1432 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en
    Adds the file messages.json"="7/20/2018 10:58 AM, 280 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata
    Adds the file computed_hashes.json"="7/20/2018 10:58 AM, 1390 bytes, A
    Adds the file verified_contents.json"="4/13/2018 3:22 PM, 2809 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css
    Adds the file description.css"="4/13/2018 3:22 PM, 1008 bytes, A
    Adds the file popup.css"="4/13/2018 3:22 PM, 95 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup
    Adds the file description.html"="4/13/2018 3:22 PM, 270 bytes, A
    Adds the file popup.html"="4/13/2018 3:22 PM, 214 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js
    Adds the file userNewTab.js"="4/13/2018 3:22 PM, 1687 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup
    Adds the file popup.js"="4/13/2018 3:22 PM, 803 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab
    Adds the file quicktab.html"="4/13/2018 3:22 PM, 212 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp
    Adds the file 000003.log"="7/20/2018 10:59 AM, 316 bytes, A
    Adds the file CURRENT"="7/20/2018 10:58 AM, 16 bytes, A
    Adds the file LOCK"="7/20/2018 10:58 AM, 0 bytes, A
    Adds the file LOG"="7/20/2018 11:02 AM, 0 bytes, A
    Adds the file LOG.old"="7/20/2018 10:59 AM, 184 bytes, A
    Adds the file MANIFEST-000001"="7/20/2018 10:58 AM, 41 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
    "fhgogjapncmipcgnfmpoedbmbkmdphlp"="REG_SZ", "0621BAAE4CD49379939EB34CAF95F75483A1BC5675219C57B98B26239EBEDAE9"

Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 7/20/18
Scan Time: 11:29 AM
Log File: 5f60d3a6-8bff-11e8-81c9-00ffdcc6fdfc.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.374
Update Package Version: 1.0.5983
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 252026
Threats Detected: 36
Threats Quarantined: 36
Time Elapsed: 3 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 12
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FHGOGJAPNCMIPCGNFMPOEDBMBKMDPHLP, Quarantined, [225], [454579],1.0.5983

File: 24
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\000003.log, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\CURRENT, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOCK, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOG, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOG.old, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\MANIFEST-000001, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FHGOGJAPNCMIPCGNFMPOEDBMBKMDPHLP\2.6_0\CHROMERESTORE.JS, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css\description.css, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css\popup.css, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup\description.html, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup\popup.html, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup\popup.js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\userNewTab.js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab\quicktab.html, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en\messages.json, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata\computed_hashes.json, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata\verified_contents.json, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\after.js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\background.js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\contentscript.js, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\icon.png, Quarantined, [225], [454579],1.0.5983
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\manifest.json, Quarantined, [225], [454579],1.0.5983

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  11. What is FreeForms?
The Malwarebytes research team has determined that FreeForms is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
FreeForms is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

How do I know if my computer is affected by FreeForms?
You may see this Firefox add-on:
and this new default search provider:
You may see this entry in your list of installed software:
these warnings during install:
and this new startpage in the affected browser(s):

How did FreeForms get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove FreeForms?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of FreeForms?
No, Malwarebytes removes FreeForms completely.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the FreeForms hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late, and it blocks traffic to their domains.

Technical details for experts
Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}
SearchScopes: HKCU -> DefaultScope {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms}
SearchScopes: HKCU -> {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Forms.xpi [2018-06-12]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
Free Forms (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.)

Changes made by the installers:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
    Adds the file Uninstall.exe"="6/12/2018 11:53 AM, 320256 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Forms
    Adds the file storage.js"="6/12/2018 11:49 AM, 320 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
    Adds the file web@Forms.xpi"="6/12/2018 11:49 AM, 9398 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = REG_SZ, "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope" = REG_SZ, "{3BA6366D-96C9-451C-A641-A3C681E326A8}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BA6366D-96C9-451C-A641-A3C681E326A8}]
    "DisplayName"="REG_SZ", "Free Forms - Powered by Yahoo!"
    "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
    "URL"="REG_SZ", "http://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
    "DisplayName"="REG_SZ", "Free Forms"
    "DisplayVersion"="REG_SZ", "4.4.0.3"
    "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
    "Publisher"="REG_SZ", "SpringTech Ltd."
    "UninstallDialog"="REG_DWORD", 2
    "UninstallEngineID"="REG_SZ", "{3BA6366D-96C9-451C-A641-A3C681E326A8}"
    "UninstallHomepage"="REG_SZ", "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}"
    "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hfreeforms.co&implementation_id=forms_spt__1.30&offer_id=_iei_&source={source}&sub_id=20180612&traffic_source=appfocus1&user_id={user-id}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1528796599&sgn=10cfe64824d0d4bf9a06f9337e638e5e792f1673&subid2=11.0.9600.19002&event={exEvent}"
    "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/12/18
Scan Time: 12:02 PM
Log File: b388d550-6e27-11e8-9c44-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.5448
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 238620
Threats Detected: 8
Threats Quarantined: 8
Time Elapsed: 4 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [172], [373879],1.0.5448

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [225], [530202],1.0.5448

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [172], [373878],1.0.5448
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS, Quarantined, [1682], [508613],1.0.5448

File: 4
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@FORMS.XPI, Quarantined, [1682], [511643],1.0.5448
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [172], [373878],1.0.5448
PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS\STORAGE.JS, Quarantined, [1682], [508613],1.0.5448
PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FREEFORMS-73519.EXE, Quarantined, [172], [490686],1.0.5448

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.
  12. What is Your Free Online Forms?
The Malwarebytes research team has determined that Your Free Online Forms is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
Your Free Online Forms is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

How do I know if my computer is affected by Your Free Online Forms?
You may see these browser extensions/add-ons:
and this new default search provider:
You may see this entry in your list of installed software:
these warnings during install:
and this new startpage in the affected browser(s):

How did Your Free Online Forms get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove Your Free Online Forms?
Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Your Free Online Forms?
No, Malwarebytes removes Your Free Online Forms completely.
If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin under the Your Free Online Forms entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Your Free Online Forms hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late, and it blocks traffic to their domain:

Technical details for experts
Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30
SearchScopes: HKCU -> DefaultScope {5DD103A3-84AE-4D79-8637-15E5C0B6C93B} URL = hxxp://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms}
SearchScopes: HKCU -> {5DD103A3-84AE-4D79-8637-15E5C0B6C93B} URL = hxxp://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\Extensions\web@Forms.xpi [2018-03-09]
CHR Extension: (Your Free Online Forms) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff [2018-03-09]
C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
Your Free Online Forms (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.8 - Cloud Installer)

Significant changes on an infected system:
File system details [View: All details]
(Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0
    Adds the file after.js"="3/6/2018 10:45 AM, 801 bytes, A
    Adds the file background.js"="3/6/2018 10:45 AM, 13576 bytes, A
    Adds the file chromeRestore.js"="3/6/2018 10:45 AM, 2257 bytes, A
    Adds the file contentscript.js"="3/6/2018 10:45 AM, 1243 bytes, A
    Adds the file icon.png"="3/9/2018 8:35 AM, 1998 bytes, A
    Adds the file manifest.json"="3/9/2018 8:35 AM, 1450 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en
    Adds the file messages.json"="3/9/2018 8:35 AM, 281 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata
    Adds the file computed_hashes.json"="3/9/2018 8:35 AM, 1286 bytes, A
    Adds the file verified_contents.json"="3/6/2018 10:47 AM, 2703 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css
    Adds the file description.css"="3/6/2018 10:45 AM, 1008 bytes, A
    Adds the file popup.css"="3/6/2018 10:45 AM, 95 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup
    Adds the file description.html"="3/6/2018 10:45 AM, 271 bytes, A
    Adds the file popup.html"="3/6/2018 10:46 AM, 161 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js
    Adds the file userNewTab.js"="3/6/2018 10:45 AM, 1686 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab
    Adds the file slim_newtabpage.html"="3/6/2018 10:45 AM, 212 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff
    Adds the file 000003.log"="3/9/2018 8:35 AM, 368 bytes, A
    Adds the file CURRENT"="3/9/2018 8:35 AM, 16 bytes, A
    Adds the file LOCK"="3/9/2018 8:35 AM, 0 bytes, A
    Adds the file LOG"="3/9/2018 8:35 AM, 184 bytes, A
    Adds the file MANIFEST-000001"="3/9/2018 8:35 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
    Adds the file Uninstall.exe"="3/9/2018 8:29 AM, 324664 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\browser-extension-data\web@Forms
    Adds the file storage.js"="3/9/2018 8:33 AM, 438 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\extensions
    Adds the file web@Forms.xpi"="3/9/2018 8:33 AM, 9398 bytes, A

Registry details [View: All details]
(Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
    "ocfenoadhggmkjbkpmofciaigkpchnff"="REG_SZ", "B52DBEF29661858488DD238CA6F55F0FEF896E339DDDBA6176D83BFEA4B64A19"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = REG_SZ, "http://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope" = REG_SZ, "{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}]
    "DisplayName"="REG_SZ", "Search"
    "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
    "URL"="REG_SZ", "http://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
    "DisplayName"="REG_SZ", "Your Free Online Forms"
    "DisplayVersion"="REG_SZ", "4.2.0.8"
    "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
    "Publisher"="REG_SZ", "Cloud Installer"
    "UninstallDialog"="REG_DWORD", 1
    "UninstallEngineID"="REG_SZ", "{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}"
    "UninstallHomepage"="REG_SZ", "http://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30"
    "UninstallImpression"="REG_SZ", "http://imp.hyourfreeonlineformspop.com/impression.do?source={source}&sub_id=20180309&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus65&user_id={uid}&implementation_id=forms__1.30&subid2=11.0.9600.18920&event={exEvent}"
    "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes scan log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/9/18
Scan Time: 8:46 AM
Log File: f164acfb-236d-11e8-ad9d-080027235d76.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4268
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 244239
Threats Detected: 40
Threats Quarantined: 40
Time Elapsed: 2 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [606], [373879],1.0.4268
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}, Quarantined, [2148], [368913],1.0.4268

Registry Value: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}|URL, Quarantined, [2148], [368913],1.0.4268

Registry Data: 1
PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2148], [373048],1.0.4268

Data Stream: 0
(No malicious items detected)

Folder: 12
PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [606], [373878],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCFENOADHGGMKJBKPMOFCIAIGKPCHNFF, Quarantined, [2148], [495178],1.0.4268

File: 24
PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [606], [373878],1.0.4268
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\000003.log, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\CURRENT, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\LOCK, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\LOG, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\MANIFEST-000001, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCFENOADHGGMKJBKPMOFCIAIGKPCHNFF\3.1_0\BACKGROUND.JS, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css\description.css, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css\popup.css, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup\description.html, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup\popup.html, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js\userNewTab.js, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab\slim_newtabpage.html, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en\messages.json, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata\computed_hashes.json, Quarantined, [2148], [495178],1.0.4268
PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User 
Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata\verified_contents.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\after.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\chromeRestore.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\contentscript.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\icon.png, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\manifest.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\YOURFREEONLINEFORMS.EXE, Quarantined, [606], [455961],1.0.4268 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
13. What is Your Transit Info Now?

The Malwarebytes research team has determined that Your Transit Info Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
Your Transit Info Now is a member of the Spigot family as described in the blogpost Spigot browser hijackers.

How do I know if my computer is affected by Your Transit Info Now?

You may see these browser extensions/add-ons:
and this new default search provider:
You may see this entry in your list of installed software:
these warnings during install:
and this new startpage in the affected browser(s):

How did Your Transit Info Now get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.

How do I remove Your Transit Info Now?

Our program Malwarebytes can detect and remove this potentially unwanted program.
Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Your Transit Info Now?

No, Malwarebytes removes Your Transit Info Now completely.
If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Your Transit Info Now entry and confirm Remove in the prompt.
If your browsers have been hijacked, you should read our Restore Browser page.
You can read there how to fix additional browser redirect methods.

How would the full version of Malwarebytes help protect me?

We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Your Transit Info Now hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it was too late.
It also blocks traffic to their domain:

Technical details for experts

Possible signs in a FRST log:
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30
SearchScopes: HKCU -> DefaultScope {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}
SearchScopes: HKCU -> {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}
FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Transit.xpi [2018-02-21]
CHR Extension: (Your Transit Info Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh [2018-02-21]
C:\Users\{username}\Downloads\YourTransitInfoNow.exe
Your Transit Info Now (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.8 - Cloud Installer)

Significant changes made by the installers:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0
   Adds the file after.js"="12/12/2017 1:18 PM, 803 bytes, A
   Adds the file background.js"="12/12/2017 1:18 PM, 13524 bytes, A
   Adds the file chromeRestore.js"="12/12/2017 1:18 PM, 2256 bytes, A
   Adds the file contentscript.js"="12/12/2017 1:18 PM, 1243 bytes, A
   Adds the file icon.png"="2/21/2018 8:47 AM, 1507 bytes, A
   Adds the file manifest.json"="2/21/2018 8:47 AM, 1450 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en
   Adds the file messages.json"="2/21/2018 8:47 AM, 282 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata
   Adds the file computed_hashes.json"="2/21/2018 8:47 AM, 1401 bytes, A
   Adds the file verified_contents.json"="12/12/2017 1:18 PM, 2825 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css
   Adds the file description.css"="12/12/2017 1:18 PM, 1008 bytes, A
   Adds the file popup.css"="12/12/2017 1:18 PM, 95 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup
   Adds the file description.html"="12/12/2017 1:18 PM, 272 bytes, A
   Adds the file popup.html"="12/12/2017 1:18 PM, 214 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js
   Adds the file userNewTab.js"="12/12/2017 1:18 PM, 1687 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup
   Adds the file popup.js"="12/12/2017 1:18 PM, 805 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab
   Adds the file slimtransit__newtab.html"="12/12/2017 1:18 PM, 212 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh
   Adds the file 000003.log"="2/21/2018 8:47 AM, 363 bytes, A
   Adds the file CURRENT"="2/21/2018 8:47 AM, 16 bytes, A
   Adds the file LOCK"="2/21/2018 8:47 AM, 0 bytes, A
   Adds the file LOG"="2/21/2018 8:47 AM, 184 bytes, A
   Adds the file MANIFEST-000001"="2/21/2018 8:47 AM, 41 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}
   Adds the file Uninstall.exe"="2/21/2018 8:53 AM, 324664 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Transit
   Adds the file storage.js"="2/21/2018 8:56 AM, 423 bytes, A
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions
   Adds the file web@Transit.xpi"="2/21/2018 8:56 AM, 11422 bytes, A
In the existing folder C:\Users\{username}\Downloads
   Adds the file YourTransitInfoNow.exe"="2/21/2018 8:51 AM, 267856 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings]
"icbgeaafimbjdfpcbgnkpokfcamiimoh"="REG_SZ", "9CC392D8125F111129856A98B3C2F4086ED3D8F1966885726FAF0A23D6CCA827"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = REG_SZ, "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope" = REG_SZ, "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}]
"DisplayName"="REG_SZ", "Search"
"SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"
"URL"="REG_SZ", "http://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}]
"DisplayName"="REG_SZ", "Your Transit Info Now"
"DisplayVersion"="REG_SZ", "4.2.0.8"
"InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\"
"Publisher"="REG_SZ", "Cloud Installer"
"UninstallDialog"="REG_DWORD", 1
"UninstallEngineID"="REG_SZ", "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}"
"UninstallHomepage"="REG_SZ", "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30"
"UninstallImpression"="REG_SZ", "http://imp.yourtransitinfonow.com/impression.do?source={source}&sub_id=20180221&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus65&user_id={uid}&implementation_id=transit__1.30&subid2=11.0.9600.18920&event={exEvent}"
"UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall"

Malwarebytes scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/21/18
Scan Time: 9:11 AM
Log File: cfdf441f-16de-11e8-834c-080027750297.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.4028
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 243403
Threats Detected: 42
Threats Quarantined: 42
Time Elapsed: 2 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

(end)
As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
Dynamically Blocks Malware Sites & Servers
Malware Execution Prevention
Save yourself the hassle and get protected.