Jump to content

Search the Community

Showing results for tags 'pup.optional.spigot'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3 Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 25 results

  1. What is Live TV Now?The Malwarebytes research team has determined that Live TV Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Live TV Now is a member of the Spigot family as described in the blogpost Spigot browser hijackers.How do I know if my computer is affected by Live TV Now?You may see this browser add-on:and this new default search provider:You may see this entry in your list of installed software:these warnings during install:and this new startpage in the affected browser(s):How did Live TV Now get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.How do I remove Live TV Now?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Live TV Now? No, Malwarebytes removes Live TV Now completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Live TV Now hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8 SearchScopes: HKCU -> DefaultScope {466FE350-6C13-453E-8AA2-36D2C20EC9FF} URL = hxxp://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms} SearchScopes: HKCU -> {466FE350-6C13-453E-8AA2-36D2C20EC9FF} URL = hxxp://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@TV.xpi [2018-10-02] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Live TV Now (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.) Changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="10/2/2018 9:02 AM, 320256 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@TV Adds the file storage.js"="10/2/2018 8:59 AM, 308 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file web@TV.xpi"="10/2/2018 8:59 AM, 14977 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{466FE350-6C13-453E-8AA2-36D2C20EC9FF}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{466FE350-6C13-453E-8AA2-36D2C20EC9FF}] "DisplayName"="REG_SZ", "Live TV Now - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hlivetvnow.co/s?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Live TV Now" "DisplayVersion"="REG_SZ", "4.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{466FE350-6C13-453E-8AA2-36D2C20EC9FF}" "UninstallHomepage"="REG_SZ", "http://search.hlivetvnow.co/?uc=20181002&i_id=tv_spt__1.30&uid={user clsid}&ap=appfocus1&source=-lp0-bb8" "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hlivetvnow.co&implementation_id=tv_spt__1.30&offer_id=_iei_&source=-lp0-bb8&sub_id=20181002&traffic_source=appfocus1&user_id={user clsid}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1538463719&sgn=ad6a2e0822ff0423b39a337b1a7ce4a87bed3f12&subid2=11.0.9600.19129&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/2/18 Scan Time: 9:10 AM Log File: 3c0e1146-c612-11e8-aaf7-00ffdcc6fdfc.json -Software Information- Version: 3.5.1.2522 Components Version: 1.0.441 Update Package Version: 1.0.7131 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 239068 Threats Detected: 6 Threats Quarantined: 6 Time Elapsed: 2 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [170], [373878],1.0.7131 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [170], [373878],1.0.7131 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@TV, Quarantined, [1701], [508613],1.0.7131 File: 3 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [170], [373878],1.0.7131 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@TV.XPI, Quarantined, [1701], [509071],1.0.7131 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@TV\STORAGE.JS, Quarantined, [1701], [508613],1.0.7131 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. These two PUPs keep coming back. I ran the scan, submitted the logs, but nothing helps. Right after I quarantine, I get a message from WinPatrol saying something like "someone is trying to change your start page to Google". Optional Spigot (in location) seems to be associated with the registry for the start page of Internet Explorer (I don't use IE) and the reimage is listed as a File, it's in the APPDATA LOCAL GOOGLE CHROME USER DATA DEFAULT PREFERENCES. Hope you can help. Paul
  3. What is Fastest Searches?The Malwarebytes research team has determined that Fastest Searches is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements.How do I know if my computer is affected by Fastest Searches?You may see this entry in your list of installed Chrome extensions:and these warnings during install:and this changed setting:How did Fastest Searches get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was installed through their website:but it was also available in the webstore:How do I remove Fastest Searches?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Fastest Searches? No, Malwarebytes removes Fastest Searches completely. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Fastest Searches hijacker. It would have blocked the website, giving you a chance to stop it before it became too late. Technical details for expertsPossible signs in FRST logs: CHR DefaultSearchURL: Default -> hxxp://search.hfastestsearches.com/s?query={searchTerms} CHR DefaultSearchKeyword: Default -> qs CHR Extension: (Fastest) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag [2018-08-31] Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0 Adds the file background.js"="5/16/2018 11:13 AM, 16954 bytes, A Adds the file contentscript.js"="5/16/2018 11:07 AM, 374 bytes, A Adds the file icon.png"="8/31/2018 9:33 AM, 5540 bytes, A Adds the file manifest.json"="8/31/2018 9:33 AM, 1663 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en Adds the file messages.json"="8/31/2018 9:33 AM, 256 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata Adds the file computed_hashes.json"="8/31/2018 9:33 AM, 936 bytes, A Adds the file verified_contents.json"="5/24/2018 9:39 AM, 2008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css Adds the file description.css"="3/30/2017 12:11 PM, 1008 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup Adds the file description.html"="5/1/2018 10:56 AM, 238 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag Adds the file 000003.log"="8/31/2018 9:33 AM, 142 bytes, A Adds the file CURRENT"="8/31/2018 9:33 AM, 16 bytes, A Adds the file LOCK"="8/31/2018 9:33 AM, 0 bytes, A Adds the file LOG"="8/31/2018 9:33 AM, 184 bytes, A Adds the file MANIFEST-000001"="8/31/2018 9:33 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ikkekhbleajmjkelloigdbmbgkejjmag"="REG_SZ"", "56F15BA5875321C0ACC6232322046B30198203634B8427CF493D631C84EC1E84" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/31/18 Scan Time: 9:25 AM Log File: 07abfc88-acef-11e8-a2b7-00ffdcc6fdfc.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.391 Update Package Version: 1.0.6579 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 252323 Threats Detected: 25 Threats Quarantined: 25 Time Elapsed: 4 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 9 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IKKEKHBLEAJMJKELLOIGDBMBGKEJJMAG, Quarantined, [223], [495178],1.0.6579 File: 16 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\000003.log, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\CURRENT, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\LOCK, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\LOG, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ikkekhbleajmjkelloigdbmbgkejjmag\MANIFEST-000001, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\IKKEKHBLEAJMJKELLOIGDBMBGKEJJMAG\1.7_0\BACKGROUND.JS, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\css\description.css, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\html\popup\description.html, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_locales\en\messages.json, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata\computed_hashes.json, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\_metadata\verified_contents.json, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\contentscript.js, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\icon.png, Quarantined, [223], [495178],1.0.6579 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ikkekhbleajmjkelloigdbmbgkejjmag\1.7_0\manifest.json, Quarantined, [223], [495178],1.0.6579 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  4. What is Get Speed Tracker?The Malwarebytes research team has determined that Get Speed Tracker is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Get Speed Tracker is a member of the Spigot family as described in the blogpost Spigot browser hijackers.How do I know if my computer is affected by Get Speed Tracker?You may see this Chrome extension:and these warnings during install:You may see this icon in your Chrome menu-bar:and this newtab page in the affected browser(s):How did Get Speed Tracker get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.but it was also available in the webstore:How do I remove Get Speed Tracker?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Get Speed Tracker? No, Malwarebytes removes Get Speed Tracker completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Get Speed Tracker hijacker. It would have blocked traffic to their domain.Technical details for expertsPossible signs in a FRST log: CHR Extension: (Get Speed Tracker) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp [2018-07-20] Changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0 Adds the file after.js"="4/13/2018 3:22 PM, 1276 bytes, A Adds the file background.js"="4/13/2018 3:22 PM, 13635 bytes, A Adds the file chromeRestore.js"="4/13/2018 3:22 PM, 2254 bytes, A Adds the file contentscript.js"="4/13/2018 3:22 PM, 1243 bytes, A Adds the file icon.png"="7/20/2018 10:58 AM, 2458 bytes, A Adds the file manifest.json"="7/20/2018 10:58 AM, 1432 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en Adds the file messages.json"="7/20/2018 10:58 AM, 280 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata Adds the file computed_hashes.json"="7/20/2018 10:58 AM, 1390 bytes, A Adds the file verified_contents.json"="4/13/2018 3:22 PM, 2809 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css Adds the file description.css"="4/13/2018 3:22 PM, 1008 bytes, A Adds the file popup.css"="4/13/2018 3:22 PM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup Adds the file description.html"="4/13/2018 3:22 PM, 270 bytes, A Adds the file popup.html"="4/13/2018 3:22 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js Adds the file userNewTab.js"="4/13/2018 3:22 PM, 1687 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup Adds the file popup.js"="4/13/2018 3:22 PM, 803 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab Adds the file quicktab.html"="4/13/2018 3:22 PM, 212 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp Adds the file 000003.log"="7/20/2018 10:59 AM, 316 bytes, A Adds the file CURRENT"="7/20/2018 10:58 AM, 16 bytes, A Adds the file LOCK"="7/20/2018 10:58 AM, 0 bytes, A Adds the file LOG"="7/20/2018 11:02 AM, 0 bytes, A Adds the file LOG.old"="7/20/2018 10:59 AM, 184 bytes, A Adds the file MANIFEST-000001"="7/20/2018 10:58 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "fhgogjapncmipcgnfmpoedbmbkmdphlp"="REG_SZ", "0621BAAE4CD49379939EB34CAF95F75483A1BC5675219C57B98B26239EBEDAE9" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/20/18 Scan Time: 11:29 AM Log File: 5f60d3a6-8bff-11e8-81c9-00ffdcc6fdfc.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.374 Update Package Version: 1.0.5983 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 252026 Threats Detected: 36 Threats Quarantined: 36 Time Elapsed: 3 min, 37 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 12 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FHGOGJAPNCMIPCGNFMPOEDBMBKMDPHLP, Quarantined, [225], [454579],1.0.5983 File: 24 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\000003.log, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\CURRENT, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOCK, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOG, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\LOG.old, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fhgogjapncmipcgnfmpoedbmbkmdphlp\MANIFEST-000001, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\FHGOGJAPNCMIPCGNFMPOEDBMBKMDPHLP\2.6_0\CHROMERESTORE.JS, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css\description.css, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\css\popup.css, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup\description.html, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\html\popup\popup.html, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\popup\popup.js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\js\userNewTab.js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\newtab\quicktab.html, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_locales\en\messages.json, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata\computed_hashes.json, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\_metadata\verified_contents.json, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\after.js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\background.js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\contentscript.js, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\icon.png, Quarantined, [225], [454579],1.0.5983 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhgogjapncmipcgnfmpoedbmbkmdphlp\2.6_0\manifest.json, Quarantined, [225], [454579],1.0.5983 Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is FreeForms?The Malwarebytes research team has determined that FreeForms is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.FreeForms is a member of the Spigot family as described in the blogpost Spigot browser hijackers.How do I know if my computer is affected by FreeForms?You may see this Firefox add-on:and this new default search provider:You may see this entry in your list of installed software:these warnings during install:and this new startpage in the affected browser(s):How did FreeForms get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.How do I remove FreeForms?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of FreeForms? No, Malwarebytes removes FreeForms completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the FreeForms hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains.Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id} SearchScopes: HKCU -> DefaultScope {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms} SearchScopes: HKCU -> {3BA6366D-96C9-451C-A641-A3C681E326A8} URL = hxxp://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Forms.xpi [2018-06-12] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Free Forms (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.4.0.3 - SpringTech Ltd.) Changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="6/12/2018 11:53 AM, 320256 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Forms Adds the file storage.js"="6/12/2018 11:49 AM, 320 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file web@Forms.xpi"="6/12/2018 11:49 AM, 9398 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{3BA6366D-96C9-451C-A641-A3C681E326A8}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BA6366D-96C9-451C-A641-A3C681E326A8}] "DisplayName"="REG_SZ", "Free Forms - Powered by Yahoo!" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hfreeforms.co/s?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Free Forms" "DisplayVersion"="REG_SZ", "4.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "SpringTech Ltd." "UninstallDialog"="REG_DWORD", 2 "UninstallEngineID"="REG_SZ", "{3BA6366D-96C9-451C-A641-A3C681E326A8}" "UninstallHomepage"="REG_SZ", "http://search.hfreeforms.co/?ap=appfocus1&i_id=forms_spt__1.30&uc=20180612&source={source-id}" "UninstallImpression"="REG_SZ", "http://www.springdwnld2.com/impression.do?domain=hfreeforms.co&implementation_id=forms_spt__1.30&offer_id=_iei_&source={source}&sub_id=20180612&traffic_source=appfocus1&user_id={user-id}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&ts=1528796599&sgn=10cfe64824d0d4bf9a06f9337e638e5e792f1673&subid2=11.0.9600.19002&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/12/18 Scan Time: 12:02 PM Log File: b388d550-6e27-11e8-9c44-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.5448 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 238620 Threats Detected: 8 Threats Quarantined: 8 Time Elapsed: 4 min, 13 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [172], [373879],1.0.5448 Registry Value: 0 (No malicious items detected) Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [225], [530202],1.0.5448 Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [172], [373878],1.0.5448 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS, Quarantined, [1682], [508613],1.0.5448 File: 4 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\WEB@FORMS.XPI, Quarantined, [1682], [511643],1.0.5448 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [172], [373878],1.0.5448 PUP.Optional.PolarityTech.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\BROWSER-EXTENSION-DATA\WEB@FORMS\STORAGE.JS, Quarantined, [1682], [508613],1.0.5448 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\FREEFORMS-73519.EXE, Quarantined, [172], [490686],1.0.5448 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Your Free Online Forms?The Malwarebytes research team has determined that Your Free Online Forms is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.Your Free Online Forms is a member of the Spigot family as described in the blogpost Spigot browser hijackers.How do I know if my computer is affected by Your Free Online Forms?You may see these browser extensions/add-ons:and this new default search provider:You may see this entry in your list of installed software:these warnings during install:and this new startpage in the affected browser(s):How did Your Free Online Forms get on my computer?Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site.How do I remove Your Free Online Forms?Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Your Free Online Forms? No, Malwarebytes removes Your Free Online Forms completely. If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin under the Your Free Online Forms entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me?We hope our application and this guide have helped you eradicate this hijacker.As you can see below the full version of Malwarebytes would have protected you against the Your Free Online Forms hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for expertsPossible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30 SearchScopes: HKCU -> DefaultScope {5DD103A3-84AE-4D79-8637-15E5C0B6C93B} URL = hxxp://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms} SearchScopes: HKCU -> {5DD103A3-84AE-4D79-8637-15E5C0B6C93B} URL = hxxp://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\Extensions\web@Forms.xpi [2018-03-09] CHR Extension: (Your Free Online Forms) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff [2018-03-09] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Your Free Online Forms (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.8 - Cloud Installer) Significant changes on in infected system: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0 Adds the file after.js"="3/6/2018 10:45 AM, 801 bytes, A Adds the file background.js"="3/6/2018 10:45 AM, 13576 bytes, A Adds the file chromeRestore.js"="3/6/2018 10:45 AM, 2257 bytes, A Adds the file contentscript.js"="3/6/2018 10:45 AM, 1243 bytes, A Adds the file icon.png"="3/9/2018 8:35 AM, 1998 bytes, A Adds the file manifest.json"="3/9/2018 8:35 AM, 1450 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en Adds the file messages.json"="3/9/2018 8:35 AM, 281 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata Adds the file computed_hashes.json"="3/9/2018 8:35 AM, 1286 bytes, A Adds the file verified_contents.json"="3/6/2018 10:47 AM, 2703 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css Adds the file description.css"="3/6/2018 10:45 AM, 1008 bytes, A Adds the file popup.css"="3/6/2018 10:45 AM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup Adds the file description.html"="3/6/2018 10:45 AM, 271 bytes, A Adds the file popup.html"="3/6/2018 10:46 AM, 161 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js Adds the file userNewTab.js"="3/6/2018 10:45 AM, 1686 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab Adds the file slim_newtabpage.html"="3/6/2018 10:45 AM, 212 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff Adds the file 000003.log"="3/9/2018 8:35 AM, 368 bytes, A Adds the file CURRENT"="3/9/2018 8:35 AM, 16 bytes, A Adds the file LOCK"="3/9/2018 8:35 AM, 0 bytes, A Adds the file LOG"="3/9/2018 8:35 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/9/2018 8:35 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="3/9/2018 8:29 AM, 324664 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\browser-extension-data\web@Forms Adds the file storage.js"="3/9/2018 8:33 AM, 438 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{default}.profile\extensions Adds the file web@Forms.xpi"="3/9/2018 8:33 AM, 9398 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "ocfenoadhggmkjbkpmofciaigkpchnff"="REG_SZ", "B52DBEF29661858488DD238CA6F55F0FEF896E339DDDBA6176D83BFEA4B64A19" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hyourfreeonlineformspop.com/s?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Your Free Online Forms" "DisplayVersion"="REG_SZ", "4.2.0.8" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}" "UninstallHomepage"="REG_SZ", "http://search.hyourfreeonlineformspop.com/?source={source}&uid={uid}&uc=20180309&ap=appfocus65&i_id=forms__1.30" "UninstallImpression"="REG_SZ", "http://imp.hyourfreeonlineformspop.com/impression.do?source={source}&sub_id=20180309&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus65&user_id={uid}&implementation_id=forms__1.30&subid2=11.0.9600.18920&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/9/18 Scan Time: 8:46 AM Log File: f164acfb-236d-11e8-ad9d-080027235d76.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4268 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 244239 Threats Detected: 40 Threats Quarantined: 40 Time Elapsed: 2 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [606], [373879],1.0.4268 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}, Quarantined, [2148], [368913],1.0.4268 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5DD103A3-84AE-4D79-8637-15E5C0B6C93B}|URL, Quarantined, [2148], [368913],1.0.4268 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2148], [373048],1.0.4268 Data Stream: 0 (No malicious items detected) Folder: 12 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [606], [373878],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCFENOADHGGMKJBKPMOFCIAIGKPCHNFF, Quarantined, [2148], [495178],1.0.4268 File: 24 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [606], [373878],1.0.4268 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\000003.log, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\CURRENT, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\LOCK, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\LOG, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ocfenoadhggmkjbkpmofciaigkpchnff\MANIFEST-000001, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\OCFENOADHGGMKJBKPMOFCIAIGKPCHNFF\3.1_0\BACKGROUND.JS, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css\description.css, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\css\popup.css, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup\description.html, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\html\popup\popup.html, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\js\userNewTab.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\newtab\slim_newtabpage.html, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_locales\en\messages.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata\computed_hashes.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\_metadata\verified_contents.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\after.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\chromeRestore.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\contentscript.js, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\icon.png, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocfenoadhggmkjbkpmofciaigkpchnff\3.1_0\manifest.json, Quarantined, [2148], [495178],1.0.4268 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\YOURFREEONLINEFORMS.EXE, Quarantined, [606], [455961],1.0.4268 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat.We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. What is Your Transit Info Now? The Malwarebytes research team has determined that Your Transit Info Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Your Transit Info Now is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Your Transit Info Now? You may see these browser extensions/add-ons: and this new default search provider: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did Your Transit Info Now get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Your Transit Info Now? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Your Transit Info Now? No, Malwarebytes removes Your Transit Info Now completely. If you are using an older version of Malwarebytes, you may have to remove the Chrome extension manually under Tools > More Tools > Extensions. Click on the bin behind the Your Transit Info Now entry and confirm Remove in the prompt. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Your Transit Info Now hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30 SearchScopes: HKCU -> DefaultScope {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms} SearchScopes: HKCU -> {F6FD85C6-83A9-4999-BEE6-60D94650FF53} URL = hxxp://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms} FF Extension: No Name - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\web@Transit.xpi [2018-02-21] CHR Extension: (Your Transit Info Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh [2018-02-21] C:\Users\{username}\Downloads\YourTransitInfoNow.exe Your Transit Info Now (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.8 - Cloud Installer) Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0 Adds the file after.js"="12/12/2017 1:18 PM, 803 bytes, A Adds the file background.js"="12/12/2017 1:18 PM, 13524 bytes, A Adds the file chromeRestore.js"="12/12/2017 1:18 PM, 2256 bytes, A Adds the file contentscript.js"="12/12/2017 1:18 PM, 1243 bytes, A Adds the file icon.png"="2/21/2018 8:47 AM, 1507 bytes, A Adds the file manifest.json"="2/21/2018 8:47 AM, 1450 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en Adds the file messages.json"="2/21/2018 8:47 AM, 282 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata Adds the file computed_hashes.json"="2/21/2018 8:47 AM, 1401 bytes, A Adds the file verified_contents.json"="12/12/2017 1:18 PM, 2825 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css Adds the file description.css"="12/12/2017 1:18 PM, 1008 bytes, A Adds the file popup.css"="12/12/2017 1:18 PM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup Adds the file description.html"="12/12/2017 1:18 PM, 272 bytes, A Adds the file popup.html"="12/12/2017 1:18 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js Adds the file userNewTab.js"="12/12/2017 1:18 PM, 1687 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup Adds the file popup.js"="12/12/2017 1:18 PM, 805 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab Adds the file slimtransit__newtab.html"="12/12/2017 1:18 PM, 212 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh Adds the file 000003.log"="2/21/2018 8:47 AM, 363 bytes, A Adds the file CURRENT"="2/21/2018 8:47 AM, 16 bytes, A Adds the file LOCK"="2/21/2018 8:47 AM, 0 bytes, A Adds the file LOG"="2/21/2018 8:47 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/21/2018 8:47 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="2/21/2018 8:53 AM, 324664 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\browser-extension-data\web@Transit Adds the file storage.js"="2/21/2018 8:56 AM, 423 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file web@Transit.xpi"="2/21/2018 8:56 AM, 11422 bytes, A In the existing folder C:\Users\{username}\Downloads Adds the file YourTransitInfoNow.exe"="2/21/2018 8:51 AM, 267856 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "icbgeaafimbjdfpcbgnkpokfcamiimoh"="REG_SZ", "9CC392D8125F111129856A98B3C2F4086ED3D8F1966885726FAF0A23D6CCA827" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.yourtransitinfonow.com/s?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Your Transit Info Now" "DisplayVersion"="REG_SZ", "4.2.0.8" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{F6FD85C6-83A9-4999-BEE6-60D94650FF53}" "UninstallHomepage"="REG_SZ", "http://search.yourtransitinfonow.com/?source={source}&uid={uid}&uc=20180221&ap=appfocus65&i_id=transit__1.30" "UninstallImpression"="REG_SZ", "http://imp.yourtransitinfonow.com/impression.do?source={source}&sub_id=20180221&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus65&user_id={uid}&implementation_id=transit__1.30&subid2=11.0.9600.18920&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/21/18 Scan Time: 9:11 AM Log File: cfdf441f-16de-11e8-834c-080027750297.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.4028 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 243403 Threats Detected: 42 Threats Quarantined: 42 Time Elapsed: 2 min, 8 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}, Quarantined, [2109], [368913],1.0.4028 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [599], [373879],1.0.4028 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{F6FD85C6-83A9-4999-BEE6-60D94650FF53}|URL, Quarantined, [2109], [368913],1.0.4028 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2109], [373048],1.0.4028 Data Stream: 0 (No malicious items detected) Folder: 13 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [599], [373878],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ICBGEAAFIMBJDFPCBGNKPOKFCAMIIMOH, Quarantined, [2109], [454579],1.0.4028 File: 25 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [599], [373878],1.0.4028 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\000003.log, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\CURRENT, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\LOCK, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\LOG, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\icbgeaafimbjdfpcbgnkpokfcamiimoh\MANIFEST-000001, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\ICBGEAAFIMBJDFPCBGNKPOKFCAMIIMOH\1.10_0\CHROMERESTORE.JS, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css\description.css, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\css\popup.css, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup\description.html, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\html\popup\popup.html, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\popup\popup.js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\js\userNewTab.js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\newtab\slimtransit__newtab.html, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_locales\en\messages.json, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata\computed_hashes.json, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\_metadata\verified_contents.json, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\after.js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\background.js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\contentscript.js, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\icon.png, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\icbgeaafimbjdfpcbgnkpokfcamiimoh\1.10_0\manifest.json, Quarantined, [2109], [454579],1.0.4028 PUP.Optional.Spigot, C:\USERS\{username}\DOWNLOADS\YOURTRANSITINFONOW.EXE, Quarantined, [599], [455961],1.0.4028 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  8. Looking for guidance on two potentially related problems: 1) Beginning around Nov. 8, Malwarebytes (Premium 3.3.1) has been identifying PUP.Optional.Spigot during its daily scan of our desktop. When I click "quarantine," Google Chrome abruptly shuts down. I restart Chrome, and then Malwarebytes finds Spigot again on its next scan. I did check my Google Chrome extensions, and nothing suspicious shows up there. I also went through the processes described in "Chrome Secure Preferences detection always comes back, " and it did not solve the problem. PUP.Optional.Spigot repeatedly comes back (in C:\USERS\ANN OR LIZ\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [647], [454814],1.0.3329). I also scanned our laptop, which is connected via home wifi network, and on which we use the same Google & gmail accounts as the desktop. The laptop had not been scanned in a long time; Malwarebytes found 55 threats -- many of them PUP.Optional.Spigot, in numerous locations. The Malwarebytes quarantine got rid of 54 of the 55; as with the desktop, the only one I can't get rid of is the one connected to Chrome. I did not re-enable sync. 2) On Nov. 20, Malwarebytes repeatedly blocked a malicious website, outbound. All but one was from File: C:\Windows\System32\svchost.exe; the other, from File: C:\Windows\System32\spoolsv.exe. I've checked our DNS servers (router & local ones on both computers) and all seems to be fine. On a possibly related note, a credit card number that had been stored in Chrome was stolen and a fraudulent charge attempted on Nov. 21. Can someone offer guidance on how to permanently get rid of PUP.Optional.Spigot in Chrome? And is it plausible that PUP.Optional.Spigot was the cause of the malicious website outbound attack on Nov. 20? If not, what else should we be doing? Logs created via FRST and MB-Check are attached. Thanks in advance for any guidance/assistance! mb-check-results.zip
  9. What is Email Access Online? The Malwarebytes research team has determined that Email Access Online is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Email Access Online is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Email Access Online? You may see this browser extension: and this new default search provider: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did Email Access Online get on my computer? Browser hijackers use different methods for distributing themselves. The Chrome extension for this one was available in the Webstore: How do I remove Email Access Online? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Email Access Online? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the Email Access Online entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Email Access Online hijacker. It would have blocked the download of the IE search hijacker, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains. Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hemailaccessonline.com/?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30 SearchScopes: HKCU -> DefaultScope {262A777B-FCCD-492A-9CE3-8CF4894826D6} URL = hxxp://search.hemailaccessonline.com/s?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30&query={searchTerms} SearchScopes: HKCU -> {262A777B-FCCD-492A-9CE3-8CF4894826D6} URL = hxxp://search.hemailaccessonline.com/s?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30&query={searchTerms} CHR Extension: (Email Access Online) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk [2017-11-09] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Email Access Online (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 4.2.0.6 - Cloud Installer) Significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0 Adds the file background.js"="6/16/2017 3:43 PM, 16229 bytes, A Adds the file contentscript.js"="6/16/2017 11:59 AM, 1238 bytes, A Adds the file icon.png"="11/9/2017 9:23 AM, 17075 bytes, A Adds the file manifest.json"="11/9/2017 9:23 AM, 1404 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_locales\en Adds the file messages.json"="11/9/2017 9:23 AM, 270 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_metadata Adds the file computed_hashes.json"="11/9/2017 9:23 AM, 1176 bytes, A Adds the file verified_contents.json"="6/16/2017 11:59 AM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\css Adds the file description.css"="6/16/2017 11:59 AM, 1008 bytes, A Adds the file popup.css"="6/16/2017 11:59 AM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\html\popup Adds the file description.html"="6/16/2017 11:59 AM, 260 bytes, A Adds the file popup.html"="6/16/2017 11:59 AM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js Adds the file userNewTab.js"="6/16/2017 11:59 AM, 2500 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js\popup Adds the file popup.js"="6/16/2017 11:59 AM, 801 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\newtab Adds the file newtab.html"="6/16/2017 11:59 AM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\mnfmknfcikbldfckhalpmappaaiomggk Adds the file 000003.log"="11/9/2017 9:23 AM, 264 bytes, A Adds the file CURRENT"="11/9/2017 9:23 AM, 16 bytes, A Adds the file LOCK"="11/9/2017 9:23 AM, 0 bytes, A Adds the file LOG"="11/9/2017 9:29 AM, 0 bytes, A Adds the file LOG.old"="11/9/2017 9:23 AM, 184 bytes, A Adds the file MANIFEST-000001"="11/9/2017 9:23 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="11/9/2017 9:27 AM, 324664 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\PreferenceMACs\Default\extensions.settings] "mnfmknfcikbldfckhalpmappaaiomggk"="REG_SZ", "66C0DA98298962D193276F24D0E80FF80C65844F0637BB767F69BDC2E2BA535E" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hemailaccessonline.com/?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{262A777B-FCCD-492A-9CE3-8CF4894826D6}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{262A777B-FCCD-492A-9CE3-8CF4894826D6}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hemailaccessonline.com/s?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Email Access Online" "DisplayVersion"="REG_SZ", "4.2.0.6" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{262A777B-FCCD-492A-9CE3-8CF4894826D6}" "UninstallHomepage"="REG_SZ", "http://search.hemailaccessonline.com/?source=googlesearch-googlesearch-lp2-bb8&uid=ad0fe61b-e3c5-428b-b411-d27614a69fe7&uc=20171109&ap=appfocus1&i_id=email__1.30" "UninstallImpression"="REG_SZ", "http://imp.hemailaccessonline.com/impression.do?source=googlesearch-googlesearch-lp2-bb8&sub_id=20171109&useragent=Mozilla%2F5.0+(Windows%3B+U%3B+MSIE+9.0%3B+Windows+NT+9.0%3B+en-US)+AppEngine-Google%3B+(%2Bhttp%3A%2F%2Fcode.google.com%2Fappengine%3B+appid%3A+s~virustotalcloud)&traffic_source=appfocus1&user_id=ad0fe61b-e3c5-428b-b411-d27614a69fe7&implementation_id=email__1.30&subid2=11.0.9600.18816&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 11/9/17 Scan Time: 9:37 AM Log File: 42c37689-c529-11e7-a25a-080027750297.json Administrator: Yes -Software Information- Version: 3.2.2.2018 Components Version: 1.0.212 Update Package Version: 1.0.3211 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 332976 Threats Detected: 33 Threats Quarantined: 32 Time Elapsed: 1 min, 59 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{262A777B-FCCD-492A-9CE3-8CF4894826D6}, Quarantined, [1973], [368913],1.0.3211 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [648], [373879],1.0.3211 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{262A777B-FCCD-492A-9CE3-8CF4894826D6}|URL, Quarantined, [1973], [368913],1.0.3211 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [1973], [373048],1.0.3211 Data Stream: 0 (No malicious items detected) Folder: 12 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28E56CFB-E30E-4F66-85D8-339885B726B8}, Quarantined, [648], [373878],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_locales\en, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\html\popup, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_metadata, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js\popup, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_locales, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\newtab, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\html, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\css, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MNFMKNFCIKBLDFCKHALPMAPPAAIOMGGK, Quarantined, [648], [449620],1.0.3211 File: 17 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Quarantined, [648], [373878],1.0.3211 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Secure Preferences, Removal Failed, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Preferences, Replaced, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\MNFMKNFCIKBLDFCKHALPMAPPAAIOMGGK\1.0_0\MANIFEST.JSON, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\css\description.css, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\css\popup.css, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\html\popup\description.html, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\html\popup\popup.html, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js\popup\popup.js, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\js\userNewTab.js, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\newtab\newtab.html, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_locales\en\messages.json, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_metadata\computed_hashes.json, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\_metadata\verified_contents.json, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\background.js, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\contentscript.js, Quarantined, [648], [449620],1.0.3211 PUP.Optional.Spigot, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnfmknfcikbldfckhalpmappaaiomggk\1.0_0\icon.png, Quarantined, [648], [449620],1.0.3211 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  10. What is My Quick Converter? The Malwarebytes research team has determined that My Quick Converter is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. My Quick Converter is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by My Quick Converter? You may see this entry in your list of installed software: this new search provider: this warning during install: and this new startpage in the affected browser(s): How did My Quick Converter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was part of a bundle. How do I remove My Quick Converter? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Quick Converter? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the My Quick Converter entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Quick Converter hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain. Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.hmyquickconverter.com/?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30 SearchScopes: HKCU -> DefaultScope {B4282530-F0F4-4558-AE95-392A264A7187} URL = hxxp://search.hmyquickconverter.com/s?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30&query={searchTerms} SearchScopes: HKCU -> {B4282530-F0F4-4558-AE95-392A264A7187} URL = hxxp://search.hmyquickconverter.com/s?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30&query={searchTerms} C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} My Quick Converter (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.9.0.4 - Cloud Installer) The changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="8/8/2017 9:23 AM, 267832 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.hmyquickconverter.com/?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{B4282530-F0F4-4558-AE95-392A264A7187}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B4282530-F0F4-4558-AE95-392A264A7187}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.hmyquickconverter.com/s?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "My Quick Converter" "DisplayVersion"="REG_SZ", "2.9.0.4" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{B4282530-F0F4-4558-AE95-392A264A7187}" "UninstallHomepage"="REG_SZ", "http://search.hmyquickconverter.com/?source=d-googledisplay&uid={uid}&uc={date}&ap=appfocus1&i_id=converter__1.30" "UninstallImpression"="REG_SZ", "http://imp.hmyquickconverter.com/impression.do?source=d-googledisplay&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus1&user_id={uid}&implementation_id=converter__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/8/17 Scan Time: 9:43 AM Log File: mbamQuickConverter.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2534 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 320972 Threats Detected: 7 Threats Quarantined: 7 Time Elapsed: 3 min, 4 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [627], [373878],1.0.2534 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B4282530-F0F4-4558-AE95-392A264A7187}, Delete-on-Reboot, [1901], [368913],1.0.2534 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B4282530-F0F4-4558-AE95-392A264A7187}|URL, Delete-on-Reboot, [1901], [368913],1.0.2534 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [1901], [373048],1.0.2534 Data Stream: 0 (No malicious items detected) Folder: 1 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [627], [373878],1.0.2534 File: 2 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [627], [373878],1.0.2534 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\SETUP.EXE, Delete-on-Reboot, [627], [372110],1.0.2534 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  11. What is My Maps XP? The Malwarebytes research team has determined that My Maps XP is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. My Maps XP is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by My Maps XP? You may see these browser extensions/add-ons: and this new default search provider: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did My Maps XP get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove My Maps XP? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Maps XP? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the My Maps XP entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Maps XP hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.mymapsxp.com/?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30 HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxps://www.google.co.uk/?gws_rd=ssl SearchScopes: HKCU -> DefaultScope {0179737B-394F-4828-AC26-EBA1D05F5CF8} URL = hxxp://search.mymapsxp.com/s?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30&query={searchTerms} SearchScopes: HKCU -> {0179737B-394F-4828-AC26-EBA1D05F5CF8} URL = hxxp://search.mymapsxp.com/s?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30&query={searchTerms} FF Homepage: hxxp://search.mymapsxp.com?uid={uidff}&uc={date}&ap=appfocus15&source=tt&page=homepage&implementation_id=maps_4.0.3 FF Extension: Maps - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Maps.xpi [2017-07-11] CHR Extension: (My Maps XP) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch [2017-07-11] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} My Maps XP (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.7.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0 Adds the file background.js"="10/27/2016 10:09 AM, 13290 bytes, A Adds the file icon.png"="7/11/2017 9:52 AM, 7862 bytes, A Adds the file manifest.json"="7/11/2017 9:52 AM, 1241 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_locales\en Adds the file messages.json"="7/11/2017 9:52 AM, 283 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_metadata Adds the file computed_hashes.json"="7/11/2017 9:52 AM, 1066 bytes, A Adds the file verified_contents.json"="10/27/2016 10:09 AM, 2668 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\css Adds the file description.css"="10/27/2016 10:09 AM, 1008 bytes, A Adds the file popup.css"="10/27/2016 10:09 AM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\html\popup Adds the file description.html"="10/27/2016 10:09 AM, 273 bytes, A Adds the file popup.html"="10/27/2016 10:09 AM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js Adds the file userNewTab.js"="10/27/2016 10:09 AM, 2486 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js\popup Adds the file popup.js"="10/27/2016 10:09 AM, 789 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\newtab Adds the file newtab.html"="10/27/2016 10:09 AM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dcldppjljccdpaeoepdopkfiekikkbch Adds the file 000003.log"="7/11/2017 9:52 AM, 258 bytes, A Adds the file CURRENT"="7/11/2017 9:52 AM, 16 bytes, A Adds the file LOCK"="7/11/2017 9:52 AM, 0 bytes, A Adds the file LOG"="7/11/2017 9:52 AM, 184 bytes, A Adds the file MANIFEST-000001"="7/11/2017 9:52 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="7/11/2017 9:58 AM, 264704 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Maps.xpi"="7/11/2017 9:55 AM, 19464 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\features\{8510f199-8c3c-44bd-9bbb-32cdc7b7e377} Adds the file followonsearch@mozilla.com.xpi"="7/11/2017 9:55 AM, 10465 bytes, A Adds the file shield-recipe-client@mozilla.org.xpi"="7/11/2017 9:55 AM, 44954 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage Adds the file store.json"="7/11/2017 9:56 AM, 319 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.mymapsxp.com/?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{0179737B-394F-4828-AC26-EBA1D05F5CF8}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0179737B-394F-4828-AC26-EBA1D05F5CF8}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.mymapsxp.com/s?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "My Maps XP" "DisplayVersion"="REG_SZ", "2.7.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{0179737B-394F-4828-AC26-EBA1D05F5CF8}" "UninstallHomepage"="REG_SZ", "http://search.mymapsxp.com/?source=-bb8&uid={uid}&uc={date}&ap=appfocus15&i_id=maps__1.30" "UninstallImpression"="REG_SZ", "http://imp.mymapsxp.com/impression.do?source=-bb8&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus15&user_id={uid}&implementation_id=maps__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 7/11/17 Scan Time: 10:07 AM Log File: mbamMyDesktop.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.141 Update Package Version: 1.0.2339 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 337604 Threats Detected: 36 Threats Quarantined: 36 Time Elapsed: 3 min, 46 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [669], [373878],1.0.2339 PUP.Optional.MyMapsXP, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0179737B-394F-4828-AC26-EBA1D05F5CF8}, Delete-on-Reboot, [2223], [349123],1.0.2339 Registry Value: 1 PUP.Optional.MyMapsXP, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0179737B-394F-4828-AC26-EBA1D05F5CF8}|URL, Delete-on-Reboot, [2223], [349123],1.0.2339 Registry Data: 1 PUP.Optional.MyMapsXP, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2223], [349111],1.0.2339 Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [669], [373878],1.0.2339 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage, Delete-on-Reboot, [2100], [348731],1.0.2339 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\JETPACK\@MAPS, Delete-on-Reboot, [2100], [348731],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_locales\en, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\html\popup, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_metadata, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js\popup, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_locales, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\newtab, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\html, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\css, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DCLDPPJLJCCDPAEOEPDOPKFIEKIKKBCH, Delete-on-Reboot, [2223], [349102],1.0.2339 File: 18 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [669], [373878],1.0.2339 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage\store.json, Delete-on-Reboot, [2100], [348731],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\css\description.css, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\css\popup.css, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\html\popup\description.html, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\html\popup\popup.html, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js\popup\popup.js, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\js\userNewTab.js, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\newtab\newtab.html, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\background.js, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\icon.png, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcldppjljccdpaeoepdopkfiekikkbch\2.0_0\manifest.json, Delete-on-Reboot, [2223], [349102],1.0.2339 PUP.Optional.MyMapsXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\PREFS.JS, Replaced, [2223], [349106],1.0.2339 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\MYMAPSXP.EXE, Delete-on-Reboot, [669], [372110],1.0.2339 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\@MAPS.XPI, Delete-on-Reboot, [2100], [348742],1.0.2339 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  12. What is Easy Classifieds Access? The Malwarebytes research team has determined that Easy Classifieds Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Classifieds Access is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Classifieds Access? You may see this browser extension: and these changed settings: You may see this entry in your list of installed software: these warnings during install: and this new homepage in the affected browser(s): How did Easy Classifieds Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Classifieds Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Classifieds Access? Malwarebytes can remove this PUP completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Classifieds Access hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyclassifiedsaccess.com/?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30 SearchScopes: HKCU -> DefaultScope {A3955D22-9D84-4411-83C3-D453496368EA} URL = hxxp://search.easyclassifiedsaccess.com/s?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30&query={searchTerms} SearchScopes: HKCU -> {A3955D22-9D84-4411-83C3-D453496368EA} URL = hxxp://search.easyclassifiedsaccess.com/s?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30&query={searchTerms} FF NewTab: hxxp://search.easyclassifiedsaccess.com?uid=19a043f9-8f30-4569-a7e6-32159f35759b&uc={date}&ap=0&source=tt&page=newtab&implementation_id=classifieds_0.2.0 FF Homepage: hxxp://search.easyclassifiedsaccess.com?uid=19a043f9-8f30-4569-a7e6-32159f35759b&uc={date}&ap=0&source=tt&page=homepage&implementation_id=classifieds_0.2.0 FF Extension: Classifieds - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Classifieds.xpi [2017-06-16] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Classifieds Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.7.0.2 - Cloud Installer) The relevant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="6/16/2017 9:16 AM, 264704 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Classifieds.xpi"="6/16/2017 9:18 AM, 14013 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Classifieds Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Classifieds\simple-storage Adds the file store.json"="6/16/2017 9:19 AM, 327 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyclassifiedsaccess.com/?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{A3955D22-9D84-4411-83C3-D453496368EA}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A3955D22-9D84-4411-83C3-D453496368EA}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyclassifiedsaccess.com/s?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Classifieds Access" "DisplayVersion"="REG_SZ", "2.7.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{A3955D22-9D84-4411-83C3-D453496368EA}" "UninstallHomepage"="REG_SZ", "http://search.easyclassifiedsaccess.com/?source=-bb8&uid={uid1}&uc={date}&ap=&i_id=classifieds__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyclassifiedsaccess.com/impression.do?source=-bb8&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=classifieds__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 6/16/17 Scan Time: 9:24 AM Log File: mbamEasyClassifiedAccess.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.141 Update Package Version: 1.0.2163 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 334966 Threats Detected: 12 Threats Quarantined: 12 Time Elapsed: 2 min, 13 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [657], [373878],1.0.2163 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{A3955D22-9D84-4411-83C3-D453496368EA}, Delete-on-Reboot, [2047], [368913],1.0.2163 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{A3955D22-9D84-4411-83C3-D453496368EA}|URL, Delete-on-Reboot, [2047], [368913],1.0.2163 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2047], [373048],1.0.2163 Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [657], [373878],1.0.2163 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Classifieds\simple-storage, Delete-on-Reboot, [2047], [361533],1.0.2163 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\JETPACK\@CLASSIFIEDS, Delete-on-Reboot, [2047], [361533],1.0.2163 File: 5 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [657], [373878],1.0.2163 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Classifieds\simple-storage\store.json, Delete-on-Reboot, [2047], [361533],1.0.2163 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\PREFS.JS, Replaced, [2047], [361537],1.0.2163 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\PREFS.JS, Replaced, [2047], [361538],1.0.2163 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.default\EXTENSIONS\@CLASSIFIEDS.XPI, Delete-on-Reboot, [2047], [361542],1.0.2163 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  13. MWB 3 identifies PUP.Optional.Spigot as malware (or a PUP) everyday, even if I quarantine it. The file is located at C:\Users\Jon\AppData\Roaming\Mozilla\Firefox\Profiles\yijbwobi.default\prefs.js If I delete it, the file is recreated by Firefox, and MWB identifies it again. Any ideas on: 1. Is it a problem? 2. If so - how do I get rid of it permanently, if not - how can I stop MWB identifying it every day? I am attaching the file with txt extension added. Maybe there is some text I can delete that will convince MWB that it is not a problem. Thanks prefs.js.txt
  14. What is GetMaps? The Malwarebytes research team has determined that GetMaps is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetMaps is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by GetMaps? You may see this browser extension/add-on: and these changed search settings: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did GetMaps get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetMaps? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetMaps? No, Malwarebytes removes GetMaps completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetMaps hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30 SearchScopes: HKCU -> DefaultScope {AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308} URL = hxxp://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms} SearchScopes: HKCU -> {AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308} URL = hxxp://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms} FF Homepage: hxxp://search.getmaps.co?uid=e3ebc9c6-6b70-4592-a4b5-cfdd69bf4336&uc=20170523&ap=appfocus43&source=tt-bb8&page=homepage&implementation_id=maps_4.0.0 FF Extension: Maps - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\Extensions\@Maps.xpi [2017-05-23] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Get Maps (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.7.0.2 - Cloud Installer) The most significant changes made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Mozilla Firefox\updated\browser\extensions Adds the file {972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi"="5/23/2017 10:33 AM, 1717 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="5/23/2017 10:30 AM, 264704 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\extensions Adds the file @Maps.xpi"="5/23/2017 10:33 AM, 19297 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Maps\simple-storage Adds the file store.json"="5/23/2017 10:34 AM, 323 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.getmaps.co/s?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Get Maps" "DisplayVersion"="REG_SZ", "2.7.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallDialog"="REG_DWORD", 1 "UninstallEngineID"="REG_SZ", "{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}" "UninstallHomepage"="REG_SZ", "http://search.getmaps.co/?source=-bb8&uid=45ed69a3-6505-4be3-870c-a19578b69198&uc=20170523&ap=appfocus43&i_id=maps__1.30" "UninstallImpression"="REG_SZ", "http://imp.getmaps.co/impression.do?source=-bb8&sub_id=20170523&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus43&user_id=45ed69a3-6505-4be3-870c-a19578b69198&implementation_id=maps__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/23/17 Scan Time: 10:42 AM Log File: mbamGetMaps.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.122 Update Package Version: 1.0.2001 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 332097 Threats Detected: 11 Threats Quarantined: 11 Time Elapsed: 1 min, 19 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [648], [373878],1.0.2001 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}, Delete-on-Reboot, [2022], [368913],1.0.2001 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AA05F8FA-558C-4DD4-BA6F-C60D3F7B4308}|URL, Delete-on-Reboot, [2022], [368913],1.0.2001 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [648], [373878],1.0.2001 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Maps\simple-storage, Delete-on-Reboot, [2054], [348731],1.0.2001 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\JETPACK\@MAPS, Delete-on-Reboot, [2054], [348731],1.0.2001 File: 5 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [648], [373878],1.0.2001 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\x82gpani.default-1491393116824\jetpack\@Maps\simple-storage\store.json, Delete-on-Reboot, [2054], [348731],1.0.2001 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\PREFS.JS, Replaced, [2022], [361537],1.0.2001 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\GETMAPS.EXE, Delete-on-Reboot, [648], [372110],1.0.2001 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\EXTENSIONS\@MAPS.XPI, Delete-on-Reboot, [2054], [348742],1.0.2001 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  15. What is GetSports? The Malwarebytes research team has determined that GetSports is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetSports is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by GetSports? You may see these browser extensions/add-ons: and search settings like these: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did GetSports get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetSports? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetSports? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the GetSports entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetSports hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30 SearchScopes: HKCU -> DefaultScope {8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1} URL = hxxp://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms} SearchScopes: HKCU -> {8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1} URL = hxxp://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms} FF NewTab: hxxp://search.getsports.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2-bb8&page=newtab&implementation_id=sports_0.2.0 FF Homepage: hxxp://search.getsports.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2-bb8&page=homepage&implementation_id=sports_0.2.0 FF Extension: Sports - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\Extensions\@Sports.xpi [2017-05-05] CHR Extension: (Get Sports) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco [2017-05-05] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Get Sports (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.6.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0 Adds the file background.js"="12/6/2016 1:27 PM, 15293 bytes, A Adds the file contentscript.js"="12/6/2016 1:27 PM, 1238 bytes, A Adds the file icon.png"="5/5/2017 3:10 PM, 9393 bytes, A Adds the file manifest.json"="5/5/2017 3:10 PM, 1394 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en Adds the file messages.json"="5/5/2017 3:10 PM, 252 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata Adds the file computed_hashes.json"="5/5/2017 3:10 PM, 1176 bytes, A Adds the file verified_contents.json"="12/6/2016 1:27 PM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css Adds the file description.css"="12/6/2016 1:27 PM, 1008 bytes, A Adds the file popup.css"="12/6/2016 1:27 PM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup Adds the file description.html"="12/6/2016 1:27 PM, 242 bytes, A Adds the file popup.html"="12/6/2016 1:27 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js Adds the file userNewTab.js"="12/6/2016 1:27 PM, 2494 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup Adds the file popup.js"="12/6/2016 1:27 PM, 793 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab Adds the file newtab.html"="12/6/2016 1:27 PM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlfmljafhfcncnaekjmgnchfapibfmco Adds the file 000003.log"="5/5/2017 3:10 PM, 262 bytes, A Adds the file CURRENT"="5/5/2017 3:10 PM, 16 bytes, A Adds the file LOCK"="5/5/2017 3:10 PM, 0 bytes, A Adds the file LOG"="5/5/2017 3:10 PM, 184 bytes, A Adds the file MANIFEST-000001"="5/5/2017 3:10 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="5/5/2017 3:06 PM, 263168 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\extensions Adds the file @Sports.xpi"="5/5/2017 3:08 PM, 43962 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage Adds the file store.json"="5/5/2017 3:09 PM, 327 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Get Sports" "DisplayVersion"="REG_SZ", "2.6.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30" "UninstallImpression"="REG_SZ", "http://imp.getsports.co/impression.do?source=-v2-bb8&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus1&user_id={uid1}&implementation_id=sports__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/5/17 Scan Time: 3:19 PM Logfile: mbamGetSports.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1874 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 329664 Time Elapsed: 2 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}, Delete-on-Reboot, [1974], [368913],1.0.1874 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}|URL, Delete-on-Reboot, [1974], [368913],1.0.1874 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\JETPACK\@SPORTS, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NLFMLJAFHFCNCNAEKJMGNCHFAPIBFMCO, Delete-on-Reboot, [1974], [362981],1.0.1874 File: 20 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage\store.json, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\GETSPORTS.EXE, Delete-on-Reboot, [625], [372110],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\PREFS.JS, Replaced, [1974], [361537],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\PREFS.JS, Replaced, [1974], [361538],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\EXTENSIONS\@SPORTS.XPI, Delete-on-Reboot, [1974], [362994],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NLFMLJAFHFCNCNAEKJMGNCHFAPIBFMCO\4.0_0\BACKGROUND.JS, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css\description.css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css\popup.css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup\description.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup\popup.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup\popup.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\userNewTab.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab\newtab.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en\messages.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\contentscript.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\icon.png, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\manifest.json, Delete-on-Reboot, [1974], [362981],1.0.1874 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  16. What is Easy Video Converter? The Malwarebytes research team has determined that Easy Video Converter is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Video Converter is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Video Converter? You may see this browser extension/add-on: and this new default search provider: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did Easy Video Converter get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Video Converter? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Video Converter? No, Malwarebytes removes Easy Video Converter completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Video Converter hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyvideoconverteraccess.com/?source=tt&uid={uid1}&uc={date}&ap=&i_id=videoconverter__1.30 SearchScopes: HKCU -> DefaultScope {A01439CC-DBB1-421C-9197-4EE4F9A8CC28} URL = hxxp://search.easyvideoconverteraccess.com/s?source=tt&uid={uid1}&uc={date}&ap=&i_id=videoconverter__1.30&query={searchTerms} SearchScopes: HKCU -> {A01439CC-DBB1-421C-9197-4EE4F9A8CC28} URL = hxxp://search.easyvideoconverteraccess.com/s?source=tt&uid={uid1}&uc={date}&ap=&i_id=videoconverter__1.30&query={searchTerms} FF NewTab: hxxp://search.easyvideoconverteraccess.com?uid={uid2}&uc={date}&ap=&source=-bb8&page=newtab&implementation_id=videoconverter_0.2.0 FF Homepage: hxxp://search.easyvideoconverteraccess.com?uid={uid2}&uc={date}&ap=&source=-bb8&page=homepage&implementation_id=videoconverter_0.2.0 FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2017-02-01] [not signed] FF Extension: VideoConverter - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\Extensions\@VideoConverter.xpi [2017-04-24] FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2017-04-24] [not signed] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Video Converter Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.6.0.2 - Cloud Installer) Changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="4/24/2017 10:42 AM, 263168 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\extensions Adds the file @VideoConverter.xpi"="4/24/2017 10:43 AM, 23421 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@VideoConverter\simple-storage Adds the file store.json"="4/24/2017 10:43 AM, 331 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyvideoconverteraccess.com/?source=tt&uid={uid3}&uc={date}&ap=&i_id=videoconverter__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6F4023D3-7DD6-43A7-BFA6-03A108368BB6}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyvideoconverteraccess.com/s?source=tt&uid={uid3}&uc={date}&ap=&i_id=videoconverter__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Video Converter Access" "DisplayVersion"="REG_SZ", "2.6.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.easyvideoconverteraccess.com/?source=tt&uid={uid3}&uc={date}&ap=&i_id=videoconverter__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyvideoconverteraccess.com/impression.do?source=tt&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid3}&implementation_id=videoconverter__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 4/24/17 Scan Time: 10:45 AM Logfile: mbam2.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.96 Update Package Version: 1.0.1795 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 328087 Time Elapsed: 2 min, 13 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [627], [373878],1.0.1795 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{6F4023D3-7DD6-43A7-BFA6-03A108368BB6}, Delete-on-Reboot, [1976], [368913],1.0.1795 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{6F4023D3-7DD6-43A7-BFA6-03A108368BB6}|URL, Delete-on-Reboot, [1976], [368913],1.0.1795 Registry Data: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [1976], [373048],1.0.1795 Data Stream: 0 (No malicious items detected) Folder: 3 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [627], [373878],1.0.1795 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@VideoConverter\simple-storage, Delete-on-Reboot, [1976], [364587],1.0.1795 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\JETPACK\@VIDEOCONVERTER, Delete-on-Reboot, [1976], [364587],1.0.1795 File: 5 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [627], [373878],1.0.1795 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@VideoConverter\simple-storage\store.json, Delete-on-Reboot, [1976], [364587],1.0.1795 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\PREFS.JS, Replaced, [1976], [361537],1.0.1795 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\PREFS.JS, Replaced, [1976], [361538],1.0.1795 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\X82GPANI.DEFAULT-1491393116824\EXTENSIONS\@VIDEOCONVERTER.XPI, Delete-on-Reboot, [1976], [364614],1.0.1795 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  17. What is My News Wire? The Malwarebytes research team has determined that My News Wire is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. My News Wire is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by My News Wire? You may see these browser extensions/add-ons: and this new default search provider: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did My News Wire get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove My News Wire? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My News Wire? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the My News Wire entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My News Wire hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.mynewswire.co/?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30 SearchScopes: HKCU -> DefaultScope {629E4DAA-E816-488D-AB8A-72C4BE213E47} URL = hxxp://search.mynewswire.co/s?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30&query={searchTerms} SearchScopes: HKCU -> {629E4DAA-E816-488D-AB8A-72C4BE213E47} URL = hxxp://search.mynewswire.co/s?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30&query={searchTerms} FF NewTab: hxxp://search.mynewswire.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2&page=newtab&implementation_id=currentnews_0.2.0 FF Homepage: hxxp://search.mynewswire.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2&page=homepage&implementation_id=currentnews_0.2.0 FF Extension: News - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@News.xpi [2017-03-21] CHR Extension: (My News Wire) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd [2017-03-21] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} My News Wire (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.6.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0 Adds the file background.js"="3/19/2017 4:51 PM, 15293 bytes, A Adds the file contentscript.js"="3/19/2017 4:51 PM, 1238 bytes, A Adds the file icon.png"="3/21/2017 6:08 PM, 8987 bytes, A Adds the file manifest.json"="3/21/2017 6:08 PM, 1395 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\clallljdjoonecnidmcnnnodeccbphkd Adds the file 000003.log"="3/21/2017 6:08 PM, 263 bytes, A Adds the file CURRENT"="3/21/2017 6:08 PM, 16 bytes, A Adds the file LOCK"="3/21/2017 6:08 PM, 0 bytes, A Adds the file LOG"="3/21/2017 6:21 PM, 410 bytes, A Adds the file LOG.old"="3/21/2017 6:08 PM, 184 bytes, A Adds the file MANIFEST-000001"="3/21/2017 6:08 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="3/21/2017 6:26 PM, 263168 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @News.xpi"="3/21/2017 6:24 PM, 25774 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@News\simple-storage Adds the file store.json"="3/21/2017 6:25 PM, 321 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.mynewswire.co/?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{629E4DAA-E816-488D-AB8A-72C4BE213E47}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{629E4DAA-E816-488D-AB8A-72C4BE213E47}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.mynewswire.co/s?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "My News Wire" "DisplayVersion"="REG_SZ", "2.6.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.mynewswire.co/?source=-v2&uid={uid1}&uc={date}&ap=appfocus1&i_id=currentnews__1.30" "UninstallImpression"="REG_SZ", "http://imp.mynewswire.co/impression.do?source=-v2&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus1&user_id={uid1}&implementation_id=currentnews__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/21/17 Scan Time: 6:34 PM Logfile: mbamMyNewsWire.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1556 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 365982 Time Elapsed: 8 min, 23 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [814], [373878],1.0.1556 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{629E4DAA-E816-488D-AB8A-72C4BE213E47}, Delete-on-Reboot, [2371], [368913],1.0.1556 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{629E4DAA-E816-488D-AB8A-72C4BE213E47}|URL, Delete-on-Reboot, [2371], [368913],1.0.1556 PUP.Optional.MyNewsWire, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [3142], [360171],1.0.1556 Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [814], [373878],1.0.1556 PUP.Optional.MyCurrentNews, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@News\simple-storage, Quarantined, [2596], [358267],1.0.1556 PUP.Optional.MyCurrentNews, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@NEWS, Quarantined, [2596], [358267],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_locales\en, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\html\popup, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_metadata, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\js\popup, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_locales, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\newtab, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\html, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\css, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\js, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0, Quarantined, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLALLLJDJOONECNIDMCNNNODECCBPHKD, Quarantined, [2371], [362981],1.0.1556 File: 19 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [814], [373878],1.0.1556 PUP.Optional.MyNewsWire, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [3142], [360167],1.0.1556 PUP.Optional.MyNewsWire, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [3142], [360169],1.0.1556 PUP.Optional.MyCurrentNews, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@News\simple-storage\store.json, Delete-on-Reboot, [2596], [358267],1.0.1556 PUP.Optional.MyCurrentNews, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@NEWS.XPI, Delete-on-Reboot, [2596], [358285],1.0.1556 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\CLALLLJDJOONECNIDMCNNNODECCBPHKD\2.0_0\BACKGROUND.JS, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\css\description.css, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\css\popup.css, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\html\popup\description.html, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\html\popup\popup.html, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\js\popup\popup.js, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\js\userNewTab.js, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\newtab\newtab.html, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\contentscript.js, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\icon.png, Delete-on-Reboot, [2371], [362981],1.0.1556 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\clallljdjoonecnidmcnnnodeccbphkd\2.0_0\manifest.json, Delete-on-Reboot, [2371], [362981],1.0.1556 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  18. What is InternetSpeedPilot? The Malwarebytes research team has determined that InternetSpeedPilot is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. InternetSpeedPilot is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by InternetSpeedPilot? You may see these browser extensions/add-ons: You may see this entry in your list of installed software: these warnings during install: this new default search provider: and this new startpage in the affected browser(s): How did InternetSpeedPilot get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove InternetSpeedPilot? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of InternetSpeedPilot? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the InternetSpeedPilot entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the InternetSpeedPilot hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.internetspeedpilot.com/?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30 SearchScopes: HKCU -> DefaultScope {3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1} URL = hxxp://search.internetspeedpilot.com/s?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30&query={searchTerms} SearchScopes: HKCU -> {3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1} URL = hxxp://search.internetspeedpilot.com/s?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30&query={searchTerms} FF NewTab: hxxp://search.internetspeedpilot.com?uid=3f47c94a-162d-4706-9adb-f2c13e47d883&uc=20170317&ap=&source=tt&page=newtab&implementation_id=speedtest_0.2.0 FF Homepage: hxxp://search.internetspeedpilot.com?uid=3f47c94a-162d-4706-9adb-f2c13e47d883&uc=20170317&ap=&source=tt&page=homepage&implementation_id=speedtest_0.2.0 FF Extension: Speedtest - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Speedtest.xpi [2017-03-17] CHR Extension: (Internet Speed Pilot) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh [2017-03-17] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Internet Speed Pilot (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.6.0.2 - Cloud Installer) Most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0 Adds the file background.js"="11/11/2016 3:32 PM, 15408 bytes, A Adds the file contentscript.js"="11/11/2016 3:32 PM, 1238 bytes, A Adds the file icon.png"="3/17/2017 11:32 AM, 2458 bytes, A Adds the file manifest.json"="3/17/2017 11:32 AM, 1404 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dadnfmoeipnlmdlfoioabgopkajneldh Adds the file 000003.log"="3/17/2017 11:32 AM, 248 bytes, A Adds the file CURRENT"="3/17/2017 11:32 AM, 16 bytes, A Adds the file LOCK"="3/17/2017 11:32 AM, 0 bytes, A Adds the file LOG"="3/17/2017 11:32 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/17/2017 11:32 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="3/17/2017 11:25 AM, 263168 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Speedtest.xpi"="3/17/2017 11:29 AM, 20651 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Speedtest\simple-storage Adds the file store.json"="3/17/2017 11:30 AM, 319 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.internetspeedpilot.com/?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.internetspeedpilot.com/s?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Internet Speed Pilot" "DisplayVersion"="REG_SZ", "2.6.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.internetspeedpilot.com/?source=-bb8&uid={uid1}&uc=20170317&ap=&i_id=speedtest__1.30" "UninstallImpression"="REG_SZ", "http://imp.internetspeedpilot.com/impression.do?source=-bb8&sub_id=20170317&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=speedtest__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/17/17 Scan Time: 11:42 AM Logfile: mbamInternetSpeedPilot.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1522 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 365272 Time Elapsed: 7 min, 28 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [813], [373878],1.0.1522 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1}, Delete-on-Reboot, [2369], [368913],1.0.1522 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2369], [373048],1.0.1522 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{3F5A5BA6-E379-41ED-9F33-B612ADC0F5D1}|URL, Delete-on-Reboot, [2369], [368913],1.0.1522 Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Quarantined, [813], [373878],1.0.1522 PUP.Optional.YourSpeedTestCenter, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Speedtest\simple-storage, Quarantined, [11557], [182698],1.0.1522 PUP.Optional.YourSpeedTestCenter, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@SPEEDTEST, Quarantined, [11557], [182698],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_locales\en, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\html\popup, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_metadata, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\js\popup, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_locales, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\newtab, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\html, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\css, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\js, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0, Quarantined, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DADNFMOEIPNLMDLFOIOABGOPKAJNELDH, Quarantined, [2369], [362981],1.0.1522 File: 19 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [2369], [361537],1.0.1522 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [2369], [361538],1.0.1522 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [813], [373878],1.0.1522 PUP.Optional.YourSpeedTestCenter, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@SPEEDTEST.XPI, Delete-on-Reboot, [11557], [182771],1.0.1522 PUP.Optional.YourSpeedTestCenter, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Speedtest\simple-storage\store.json, Delete-on-Reboot, [11557], [182698],1.0.1522 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DADNFMOEIPNLMDLFOIOABGOPKAJNELDH\3.0_0\BACKGROUND.JS, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\css\description.css, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\css\popup.css, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\html\popup\description.html, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\html\popup\popup.html, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\js\popup\popup.js, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\js\userNewTab.js, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\newtab\newtab.html, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_locales\en\messages.json, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\contentscript.js, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\icon.png, Delete-on-Reboot, [2369], [362981],1.0.1522 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dadnfmoeipnlmdlfoioabgopkajneldh\3.0_0\manifest.json, Delete-on-Reboot, [2369], [362981],1.0.1522 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  19. What is Easy Maps Access? The Malwarebytes research team has determined that Easy Maps Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Maps Access is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Maps Access? You may see these browser extensions/add-ons: You may see this entry in your list of installed software: these changed settings in the affected browser(s): these warnings during install: and this new startpage in the affected browser(s): How did Easy Maps Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Maps Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Maps Access? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the Easy Maps Access entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Maps Access hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to most of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30 SearchScopes: HKCU -> DefaultScope {E3155B66-F240-4213-99AD-886DAE937D4F} URL = hxxp://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms} SearchScopes: HKCU -> {E3155B66-F240-4213-99AD-886DAE937D4F} URL = hxxp://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms} FF Homepage: hxxp://search.easymapsaccess.com?uid=94ca00b2-21f4-4eee-b049-94507bbafd6e&uc=20170302&ap=&source=tt&page=homepage&implementation_id=maps_4.0.0 FF Extension: Maps - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Maps.xpi [2017-03-02] CHR Extension: (Easy Maps Access) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe [2017-03-02] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Maps Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.5.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0 Adds the file background.js"="1/19/2017 10:03 AM, 15343 bytes, A Adds the file contentscript.js"="1/19/2017 10:03 AM, 1238 bytes, A Adds the file icon.png"="3/2/2017 11:06 AM, 7862 bytes, A Adds the file manifest.json"="3/2/2017 11:06 AM, 1400 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab Adds the file newtab.html"="1/19/2017 10:03 AM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgijpfbdmkifnjbjkagakpidomeocdpe Adds the file 000003.log"="3/2/2017 11:06 AM, 240 bytes, A Adds the file CURRENT"="3/2/2017 11:06 AM, 16 bytes, A Adds the file LOCK"="3/2/2017 11:06 AM, 0 bytes, A Adds the file LOG"="3/2/2017 11:06 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/2/2017 11:06 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="3/2/2017 11:02 AM, 256000 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Maps.xpi"="3/2/2017 11:04 AM, 19297 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage Adds the file store.json"="3/2/2017 11:05 AM, 311 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD] "Blob"="REG_BINARY, ....................................................GlobalSign.b... .................S...#.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{E3155B66-F240-4213-99AD-886DAE937D4F}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E3155B66-F240-4213-99AD-886DAE937D4F}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Maps Access" "DisplayVersion"="REG_SZ", "2.5.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30" "UninstallImpression"="REG_SZ", "http://imp.easymapsaccess.com/impression.do?source=tt&sub_id=20170302&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=maps__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" An excerpt from the Malwarebytes scan log: (full log available on request) Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/2/17 Scan Time: 11:16 AM Logfile: mbamEasyMapsAccess.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1400 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 362676 Time Elapsed: 1 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E3155B66-F240-4213-99AD-886DAE937D4F}, Delete-on-Reboot, [2368], [368913],1.0.1400 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2368], [373048],1.0.1400 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E3155B66-F240-4213-99AD-886DAE937D4F}|URL, Delete-on-Reboot, [2368], [368913],1.0.1400 Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@MAPS, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales\en, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\popup, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGIJPFBDMKIFNJBJKAGAKPIDOMEOCDPE, Delete-on-Reboot, [2368], [362981],1.0.1400 File: 18 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2368], [361537],1.0.1400 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage\store.json, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@MAPS.XPI, Delete-on-Reboot, [2400], [348742],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGIJPFBDMKIFNJBJKAGAKPIDOMEOCDPE\2.0_0\BACKGROUND.JS, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css\description.css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css\popup.css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup\description.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup\popup.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\popup\popup.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\userNewTab.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab\newtab.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\contentscript.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\icon.png, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\manifest.json, Delete-on-Reboot, [2368], [362981],1.0.1400 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  20. What is Easy Interests Access? The Malwarebytes research team has determined that Easy Interests Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Interests Access is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Interests Access? You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): and this new default search provider: How did Easy Interests Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Interests Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Interests Access? If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Interests Access hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30 HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxps://www.google.co.uk/?gws_rd=ssl SearchScopes: HKCU -> DefaultScope {8FCAF78A-539A-4882-B107-3BE2440D10F7} URL = hxxp://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms} SearchScopes: HKCU -> {8FCAF78A-539A-4882-B107-3BE2440D10F7} URL = hxxp://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms} C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Interests Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.4.0.3 - Cloud Installer) The changes made by the IE installer (this one failed on Firefox and Chrome): File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="2/23/2017 11:10 AM, 256000 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{8FCAF78A-539A-4882-B107-3BE2440D10F7}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8FCAF78A-539A-4882-B107-3BE2440D10F7}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Interests Access" "DisplayVersion"="REG_SZ", "2.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyinterestsaccess.com/impression.do?source=tt&sub_id=20170223&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=interest__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/23/17 Scan Time: 11:19 AM Logfile: mbamEasyInterestsAccess.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1329 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 361399 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8FCAF78A-539A-4882-B107-3BE2440D10F7}, Quarantined, [2364], [368913],1.0.1329 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8FCAF78A-539A-4882-B107-3BE2440D10F7}|URL, Quarantined, [2364], [368913],1.0.1329 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2364], [373048],1.0.1329 Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  21. What is Your Instant Email? The Malwarebytes research team has determined that Your Instant Email is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Your Instant Email is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Your Instant Email? You may see this Firefox extension: this new default search provider in Internet Explorer: and this entry in your list of installed software: You may also see these warnings during install: and this new startpage in the affected browser(s): How did Your Instant Email get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Your Instant Email? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Your Instant Email? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the Your Instant Email entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Your Instant Email hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.yourinstantemail.com/?source=tt&uid={uid1}&uc=20170215&ap=&i_id=email__1.30 SearchScopes: HKCU -> DefaultScope {3FE479AA-6079-437A-913F-2FB27F48B31A} URL = hxxp://search.yourinstantemail.com/s?source=tt-bb8&uid={uid1}&uc=20170215&ap=&i_id=email__1.30&query={searchTerms} SearchScopes: HKCU -> {3FE479AA-6079-437A-913F-2FB27F48B31A} URL = hxxp://search.yourinstantemail.com/s?source=tt-bb8&uid={uid1}&uc=20170215&ap=&i_id=email__1.30&query={searchTerms} FF Homepage: hxxp://search.yourinstantemail.com?uid={uid2}&uc=20170215&ap=&source=tt&page=homepage&implementation_id=email_4.0.12 FF Extension: Email - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Email.xpi [2017-02-15] C:\Users\{username}\AppData\Roaming\SpigotSettings Your Instant Email (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.2.0.5 - Spigot, Inc.) <==== ATTENTION Most relevant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Email.xpi"="2/15/2017 8:51 AM, 21706 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Email\simple-storage Adds the file store.json"="2/15/2017 8:55 AM, 315 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SpigotSettings Adds the file Uninstall.exe"="2/15/2017 8:50 AM, 267616 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.yourinstantemail.com/?source=tt&uid={uid1}&uc=20170215&ap=&i_id=email__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{3FE479AA-6079-437A-913F-2FB27F48B31A}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3FE479AA-6079-437A-913F-2FB27F48B31A}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.yourinstantemail.com/s?source=tt-bb8&uid={uid1}&uc=20170215&ap=&i_id=email__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Your Instant Email" "DisplayVersion"="REG_SZ", "2.2.0.5" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SpigotSettings\" "Publisher"="REG_SZ", "Spigot, Inc." "UninstallHomepage"="REG_SZ", "http://search.yourinstantemail.com/?source=tt&uid={uid1}&uc=20170215&ap=&i_id=email__1.30" "UninstallImpression"="REG_SZ", "http://imp.yourinstantemail.com/impression.do?source=tt&sub_id=20170215&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=email__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SpigotSettings\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/15/17 Scan Time: 9:08 AM Logfile: mbamYourInstantEmail.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1266 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 360113 Time Elapsed: 1 min, 30 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [810], [300859],1.0.1266 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{3FE479AA-6079-437A-913F-2FB27F48B31A}, Delete-on-Reboot, [2353], [368913],1.0.1266 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{3FE479AA-6079-437A-913F-2FB27F48B31A}|URL, Delete-on-Reboot, [2353], [368913],1.0.1266 Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Email\simple-storage, Delete-on-Reboot, [1843], [335005],1.0.1266 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@EMAIL, Delete-on-Reboot, [1843], [335005],1.0.1266 File: 4 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\SPIGOTSETTINGS\UNINSTALL.EXE, Delete-on-Reboot, [810], [300859],1.0.1266 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2353], [361537],1.0.1266 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Email\simple-storage\store.json, Delete-on-Reboot, [1843], [335005],1.0.1266 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@EMAIL.XPI, Delete-on-Reboot, [1843], [335030],1.0.1266 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  22. What is GetFitNow? The Malwarebytes research team has determined that GetFitNow is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetFitNow is a member of the Spigot family. How do I know if my computer is affected by GetFitNow? You may see these browser extensions/add-ons: and these altered settings: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did GetFitNow get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetFitNow? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetFitNow? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the GetFitNow entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetFitNow hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.getfitnow.co/?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30 SearchScopes: HKCU -> DefaultScope {E4B45767-A66A-459A-B864-3B8F8C7E246A} URL = hxxp://search.getfitnow.co/s?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30&query={searchTerms} SearchScopes: HKCU -> {E4B45767-A66A-459A-B864-3B8F8C7E246A} URL = hxxp://search.getfitnow.co/s?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30&query={searchTerms} FF Homepage: hxxp://search.getfitnow.co?uid={uid2}&uc=20170208&ap=appfocus1&source=tt&page=homepage&implementation_id=fitness_4.0.1 FF Extension: Fitness - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Fitness.xpi [2017-02-08] CHR Extension: (Get Fit Now) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh [2017-02-08] C:\Users\{username}\AppData\Roaming\SpigotSettings GetFitNow (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.1.0.1 - Spigot, Inc.) <==== ATTENTION The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jgblngkjeffdpdnfgenlfjnaakgahfoh Adds the file 000003.log"="2/8/2017 9:18 AM, 252 bytes, A Adds the file CURRENT"="2/8/2017 9:18 AM, 16 bytes, A Adds the file LOCK"="2/8/2017 9:18 AM, 0 bytes, A Adds the file LOG"="2/8/2017 9:28 AM, 410 bytes, A Adds the file LOG.old"="2/8/2017 9:18 AM, 184 bytes, A Adds the file MANIFEST-000001"="2/8/2017 9:18 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Fitness.xpi"="2/8/2017 9:16 AM, 64432 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Fitness\simple-storage Adds the file store.json"="2/8/2017 9:17 AM, 317 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SpigotSettings Adds the file Uninstall.exe"="2/8/2017 9:12 AM, 267616 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.getfitnow.co/?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{E4B45767-A66A-459A-B864-3B8F8C7E246A}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E4B45767-A66A-459A-B864-3B8F8C7E246A}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.getfitnow.co/s?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "GetFitNow" "DisplayVersion"="REG_SZ", "2.1.0.1" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SpigotSettings\" "Publisher"="REG_SZ", "Spigot, Inc." "UninstallHomepage"="REG_SZ", "http://search.getfitnow.co/?source=&uid={uid1}&uc=20170208&ap=appfocus1&i_id=fitness__1.30" "UninstallImpression"="REG_SZ", "http://imp.getfitnow.co/impression.do?source=&sub_id=20170208&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus1&user_id={uid1}&implementation_id=fitness__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SpigotSettings\Uninstall.exe" /uninstall" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/8/17 Scan Time: 9:38 AM Logfile: mbamGetFitNow.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1207 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 359252 Time Elapsed: 1 min, 45 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [811], [300859],1.0.1207 Registry Value: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 13 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Fitness\simple-storage, Delete-on-Reboot, [2350], [364585],1.0.1207 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@FITNESS, Delete-on-Reboot, [2350], [364585],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_locales\en, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\html\popup, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_metadata, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\js\popup, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_locales, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\newtab, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\html, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\css, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\js, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGBLNGKJEFFDPDNFGENLFJNAAKGAHFOH, Delete-on-Reboot, [2350], [362981],1.0.1207 File: 18 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Fitness\simple-storage\store.json, Delete-on-Reboot, [2350], [364585],1.0.1207 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2350], [361537],1.0.1207 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\SPIGOTSETTINGS\UNINSTALL.EXE, Delete-on-Reboot, [811], [300859],1.0.1207 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JGBLNGKJEFFDPDNFGENLFJNAAKGAHFOH\3.0_0\BACKGROUND.JS, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\css\description.css, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\css\popup.css, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\html\popup\description.html, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\html\popup\popup.html, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\js\popup\popup.js, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\js\userNewTab.js, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\newtab\newtab.html, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_locales\en\messages.json, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\contentscript.js, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\icon.png, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgblngkjeffdpdnfgenlfjnaakgahfoh\3.0_0\manifest.json, Delete-on-Reboot, [2350], [362981],1.0.1207 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@FITNESS.XPI, Delete-on-Reboot, [2350], [364607],1.0.1207 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  23. What is Easy Online Game Access? The Malwarebytes research team has determined that Easy Online Game Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements. How do I know if my computer is affected by Easy Online Game Access? You may see these warnings during install: this browser extension: this new default Search Provider: and this new startpage in the affected browser(s): How did Easy Online Game Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Online Game Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Online Game Access? No, Malwarebytes removes Easy Online Game Access completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Online Game Access hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block the traffic to their sites. Technical details for experts Possible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30 SearchScopes: HKCU -> DefaultScope {0B73690C-0686-422A-999D-FEE19642DD9E} URL = hxxp://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms} SearchScopes: HKCU -> {0B73690C-0686-422A-999D-FEE19642DD9E} URL = hxxp://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms} FF NewTab: hxxp://search.easyonlinegameaccess.com?uid={uid2}&uc=20170201&ap=&source=-bb8&page=newtab&implementation_id=games_0.2.0 FF Homepage: hxxp://search.easyonlinegameaccess.com?uid={uid2}&uc=20170201&ap=&source=-bb8&page=homepage&implementation_id=games_0.2.0 FF Extension: Games - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Games.xpi [2017-02-01] C:\Users\{username}\AppData\Roaming\SpigotSettings Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Games.xpi"="2/1/2017 9:28 AM, 27453 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage Adds the file store.json"="2/1/2017 9:29 AM, 327 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SpigotSettings Adds the file Uninstall.exe"="2/1/2017 9:25 AM, 267616 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{0B73690C-0686-422A-999D-FEE19642DD9E}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0B73690C-0686-422A-999D-FEE19642DD9E}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "" "DisplayVersion"="REG_SZ", "2.1.0.1" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SpigotSettings\" "Publisher"="REG_SZ", "Spigot, Inc." "UninstallHomepage"="REG_SZ", "http://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyonlinegameaccess.com/impression.do?source=tt&sub_id=20170201&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=games__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SpigotSettings\Uninstall.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/1/17 Scan Time: 9:40 AM Logfile: mbamEasyOnlineGameAccess.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.50 Update Package Version: 1.0.1148 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 358118 Time Elapsed: 1 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [811], [300859],1.0.1148 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage, Delete-on-Reboot, [2349], [364932],1.0.1148 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@GAMES, Delete-on-Reboot, [2349], [364932],1.0.1148 File: 5 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2349], [361537],1.0.1148 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2349], [361538],1.0.1148 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage\store.json, Delete-on-Reboot, [2349], [364932],1.0.1148 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\SPIGOTSETTINGS\UNINSTALL.EXE, Delete-on-Reboot, [811], [300859],1.0.1148 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@GAMES.XPI, Delete-on-Reboot, [811], [364940],1.0.1148 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  24. What is Your Television Now? The Malwarebytes research team has determined that Your Television Now is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements. How do I know if my computer is affected by Your Television Now? You may see this entry in your list of installed software: and these warnings during install: this browser extension: these changed settings: and you will see this startpage in the affected browser(s): How did Your Television Now get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their website. How do I remove Your Television Now? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Your Television Now? No, Malwarebytes removes Your Television Now completely. You should have a look at our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Your Television Now hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and blocked access to their domain Technical details for experts Possible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.yourtelevisionnow.com/?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30 SearchScopes: HKCU -> DefaultScope {8A490DD9-D192-4A44-B961-D42E26BCCDF9} URL = hxxp://search.yourtelevisionnow.com/s?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30&query={searchTerms} SearchScopes: HKCU -> {8A490DD9-D192-4A44-B961-D42E26BCCDF9} URL = hxxp://search.yourtelevisionnow.com/s?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30&query={searchTerms} FF NewTab: hxxp://search.yourtelevisionnow.com?uid=35ee8831-69c2-4e4c-a3ff-eac66c3e6c09&uc=20170123&ap=&source=tt&page=newtab&implementation_id=tv_0.2.0 FF Homepage: hxxp://search.yourtelevisionnow.com?uid=35ee8831-69c2-4e4c-a3ff-eac66c3e6c09&uc=20170123&ap=&source=tt&page=homepage&implementation_id=tv_0.2.0 FF Extension: TV - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@TV.xpi [2017-01-23] C:\Users\{username}\AppData\Roaming\YourTelevisionNow YourTelevisionNow (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.0.0.1 - Spigot, Inc.) <==== ATTENTION Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @TV.xpi"="1/23/2017 8:58 AM, 24688 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@TV\simple-storage Adds the file store.json"="1/23/2017 8:58 AM, 317 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\YourTelevisionNow Adds the file YourTelevisionNowUn.exe"="1/23/2017 8:56 AM, 250696 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.yourtelevisionnow.com/?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{8A490DD9-D192-4A44-B961-D42E26BCCDF9}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8A490DD9-D192-4A44-B961-D42E26BCCDF9}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.yourtelevisionnow.com/s?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "YourTelevisionNow" "DisplayVersion"="REG_SZ", "2.0.0.1" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\YourTelevisionNow\" "Publisher"="REG_SZ", "Spigot, Inc." "UninstallHomepage"="REG_SZ", "http://search.yourtelevisionnow.com/?source=tt&uid={uid1}&uc=20170123&ap=&i_id=tv__1.30" "UninstallImpression"="REG_SZ", "http://imp.yourtelevisionnow.com/impression.do?source=tt&sub_id=20170123&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=tv__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\YourTelevisionNow\YourTelevisionNowUn.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/23/17 Scan Time: 12:07 PM Logfile: mbamYourTVNow.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1080 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 356865 Time Elapsed: 7 min, 57 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [812], [300859],1.0.1080 PUP.Optional.YourTelevisionNow, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{7B5E1387-A4C1-4F5E-A501-DEDFDCE5AA97}, Delete-on-Reboot, [17784], [252971],1.0.1080 Registry Value: 2 PUP.Optional.YourTelevisionNow, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{7B5E1387-A4C1-4F5E-A501-DEDFDCE5AA97}|URL, Delete-on-Reboot, [17784], [252971],1.0.1080 PUP.Optional.YourTelevisionNow, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [17784], [293375],1.0.1080 Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@TV\simple-storage, Quarantined, [2351], [363617],1.0.1080 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT\JETPACK\@TV, Quarantined, [2351], [363617],1.0.1080 File: 7 PUP.Optional.YourTelevisionNow, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT\PREFS.JS, Removal Failed, [17784], [301736],1.0.1080 PUP.Optional.YourTelevisionNow, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT\PREFS.JS, Removal Failed, [17784], [303304],1.0.1080 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT\PREFS.JS, Removal Failed, [2351], [361537],1.0.1080 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\YOURTELEVISIONNOW\YOURTELEVISIONNOWUN.EXE, Delete-on-Reboot, [812], [300859],1.0.1080 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\YOURTELEVISIONNOW.ZIP, Delete-on-Reboot, [812], [300859],1.0.1080 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@TV\simple-storage\store.json, Delete-on-Reboot, [2351], [363617],1.0.1080 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT\EXTENSIONS\@TV.XPI, Delete-on-Reboot, [2351], [363616],1.0.1080 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  25. What is My Shopping XP? The Malwarebytes research team has determined that My Shopping XP is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. How do I know if my computer is affected by My Shopping XP? You may see this entry in your list of installed software: and these warnings during install: this browser add-on: and you will see this entry in your startmenu: and this startpage in the affected browser(s): How did My Shopping XP get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site: How do I remove My Shopping XP? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Shopping XP? No, Malwarebytes removes My Shopping XP completely. You should read our Restore Browser page. You can read there how to fix (additional) browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Shopping XP hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. Technical details for experts Possible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.myshoppingxp.com?uid={uid1}&uc=20170117&source=-bb8&ap=appfocus15&i_id=shopping__1.0.2.25 FF NewTab: hxxp://search.myshoppingxp.com?uid=8242a7d2-1952-4934-b479-95ad131084b7&uc=20170117&ap=appfocus15&source=tt&page=newtab&implementation_id=shopping_0.2.0 FF Homepage: hxxp://search.myshoppingxp.com?uid=8242a7d2-1952-4934-b479-95ad131084b7&uc=20170117&ap=appfocus15&source=tt&page=homepage&implementation_id=shopping_0.2.0 FF Extension: Shopping - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Shopping.xpi [2017-01-17] C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon.com My Shopping XP (HKCU\...\2f1dc0e87b487648) (Version: 1.0.2.25 - Amazon.com) Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/17/17 Scan Time: 12:44 PM Logfile: mbamMyShoppingXP2.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1035 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 355998 Time Elapsed: 9 min, 5 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\2f1dc0e87b487648, Delete-on-Reboot, [2345], [360182],1.0.1035 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2345], [361539],1.0.1035 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\2f1dc0e87b487648|URLUPDATEINFO, Delete-on-Reboot, [2345], [360182],1.0.1035 Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Shopping\simple-storage, Quarantined, [2345], [361784],1.0.1035 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@SHOPPING, Quarantined, [2345], [361784],1.0.1035 File: 4 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [2345], [361537],1.0.1035 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [2345], [361538],1.0.1035 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Shopping\simple-storage\store.json, Delete-on-Reboot, [2345], [361784],1.0.1035 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@SHOPPING.XPI, Delete-on-Reboot, [2345], [361785],1.0.1035 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.