Search the Community

Showing results for tags 'spigot'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Malware Removal for Windows
    • Malware Removal for Mac
    • Malware Removal for Mobile
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3
    • Malwarebytes for Mac
    • Malwarebytes for Android
    • False Positives
    • Translator Lounge
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
  • General
    • General Chat
    • Forums Announcements & Feedback

Found 10 results

  1. What is TubeTab? The Malwarebytes research team has determined that TubeTab is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. TubeTab is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by TubeTab? You may see this Chrome extension: this icon in your Chrome toolbar: and these warnings when you open Chrome during or after the install: and this new startpage in the affected browser(s): How did TubeTab get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software. How do I remove TubeTab? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of TubeTab? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the TubeTab entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the TubeTab hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains: Technical details for experts Possible signs in a FRST log: CHR DefaultSearchURL: Default -> hxxp://search.searchytdvta.com/s?remove=remove&query={searchTerms} CHR DefaultSearchKeyword: Default -> ut CHR Extension: (TubeTab) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce [2017-08-14] CHR HKCU\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlhpijolpcimadhjingadnbcjncmjdce] - hxxps://clients2.google.com/service/update2/crx The changes made by the installer: File system details [View: All details] (Selection) Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0 Adds the file background.js"="7/12/2017 2:29 PM, 16416 bytes, A Adds the file contentscript.js"="7/12/2017 2:29 PM, 1540 bytes, A Adds the file icon.png"="8/14/2017 9:10 AM, 6164 bytes, A Adds the file manifest.json"="8/14/2017 9:10 AM, 1794 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_locales\en Adds the file messages.json"="8/14/2017 9:10 AM, 269 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_metadata Adds the file computed_hashes.json"="8/14/2017 9:10 AM, 1223 bytes, A Adds the file verified_contents.json"="7/12/2017 2:29 PM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\css Adds the file description.css"="7/12/2017 2:29 PM, 1008 bytes, A Adds the file popup.css"="7/12/2017 2:29 PM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html\popup Adds the file description.html"="7/12/2017 2:29 PM, 259 bytes, A Adds the file popup.html"="7/12/2017 2:29 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js Adds the file userNewTab.js"="7/12/2017 2:29 PM, 2587 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js\popup Adds the file popup.js"="7/12/2017 2:29 PM, 805 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\newtab Adds the file newtab.html"="7/12/2017 2:29 PM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jlhpijolpcimadhjingadnbcjncmjdce Adds the file 000003.log"="8/14/2017 9:10 AM, 268 bytes, A Adds the file CURRENT"="8/14/2017 9:10 AM, 16 bytes, A Adds the file LOCK"="8/14/2017 9:10 AM, 0 bytes, A Adds the file LOG"="8/14/2017 9:10 AM, 184 bytes, A Adds the file MANIFEST-000001"="8/14/2017 9:10 AM, 41 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Google\Chrome\Extensions\jlhpijolpcimadhjingadnbcjncmjdce] "update_url"="REG_SZ", "https://clients2.google.com/service/update2/crx" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/14/17 Scan Time: 9:24 AM Log File: mbamTubeTab.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2581 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321366 Threats Detected: 25 Threats Quarantined: 25 Time Elapsed: 1 min, 34 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 11 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_locales\en, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html\popup, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_metadata, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js\popup, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_locales, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\newtab, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\css, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JLHPIJOLPCIMADHJINGADNBCJNCMJDCE, Quarantined, [1902], [362981],1.0.2581 File: 14 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JLHPIJOLPCIMADHJINGADNBCJNCMJDCE\2.4_0\BACKGROUND.JS, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\css\description.css, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\css\popup.css, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html\popup\description.html, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\html\popup\popup.html, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js\popup\popup.js, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\js\userNewTab.js, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\newtab\newtab.html, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_locales\en\messages.json, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_metadata\computed_hashes.json, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\_metadata\verified_contents.json, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\contentscript.js, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\icon.png, Quarantined, [1902], [362981],1.0.2581 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhpijolpcimadhjingadnbcjncmjdce\2.4_0\manifest.json, Quarantined, [1902], [362981],1.0.2581 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  2. What is GetSports? The Malwarebytes research team has determined that GetSports is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. GetSports is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by GetSports? You may see these browser extensions/add-ons: and search settings like these: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did GetSports get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove GetSports? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of GetSports? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the GetSports entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the GetSports hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30 SearchScopes: HKCU -> DefaultScope {8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1} URL = hxxp://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms} SearchScopes: HKCU -> {8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1} URL = hxxp://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms} FF NewTab: hxxp://search.getsports.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2-bb8&page=newtab&implementation_id=sports_0.2.0 FF Homepage: hxxp://search.getsports.co?uid={uid2}&uc={date}&ap=appfocus1&source=-v2-bb8&page=homepage&implementation_id=sports_0.2.0 FF Extension: Sports - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\Extensions\@Sports.xpi [2017-05-05] CHR Extension: (Get Sports) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco [2017-05-05] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Get Sports (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.6.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0 Adds the file background.js"="12/6/2016 1:27 PM, 15293 bytes, A Adds the file contentscript.js"="12/6/2016 1:27 PM, 1238 bytes, A Adds the file icon.png"="5/5/2017 3:10 PM, 9393 bytes, A Adds the file manifest.json"="5/5/2017 3:10 PM, 1394 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en Adds the file messages.json"="5/5/2017 3:10 PM, 252 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata Adds the file computed_hashes.json"="5/5/2017 3:10 PM, 1176 bytes, A Adds the file verified_contents.json"="12/6/2016 1:27 PM, 2783 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css Adds the file description.css"="12/6/2016 1:27 PM, 1008 bytes, A Adds the file popup.css"="12/6/2016 1:27 PM, 95 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup Adds the file description.html"="12/6/2016 1:27 PM, 242 bytes, A Adds the file popup.html"="12/6/2016 1:27 PM, 214 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js Adds the file userNewTab.js"="12/6/2016 1:27 PM, 2494 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup Adds the file popup.js"="12/6/2016 1:27 PM, 793 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab Adds the file newtab.html"="12/6/2016 1:27 PM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlfmljafhfcncnaekjmgnchfapibfmco Adds the file 000003.log"="5/5/2017 3:10 PM, 262 bytes, A Adds the file CURRENT"="5/5/2017 3:10 PM, 16 bytes, A Adds the file LOCK"="5/5/2017 3:10 PM, 0 bytes, A Adds the file LOG"="5/5/2017 3:10 PM, 184 bytes, A Adds the file MANIFEST-000001"="5/5/2017 3:10 PM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="5/5/2017 3:06 PM, 263168 bytes, A In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\extensions Adds the file @Sports.xpi"="5/5/2017 3:08 PM, 43962 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage Adds the file store.json"="5/5/2017 3:09 PM, 327 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.getsports.co/s?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Get Sports" "DisplayVersion"="REG_SZ", "2.6.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.getsports.co/?source=-v2-bb8&uid={uid1}&uc={date}&ap=appfocus1&i_id=sports__1.30" "UninstallImpression"="REG_SZ", "http://imp.getsports.co/impression.do?source=-v2-bb8&sub_id={date}&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=appfocus1&user_id={uid1}&implementation_id=sports__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 5/5/17 Scan Time: 3:19 PM Logfile: mbamGetSports.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.103 Update Package Version: 1.0.1874 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 329664 Time Elapsed: 2 min, 6 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}, Delete-on-Reboot, [1974], [368913],1.0.1874 Registry Value: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8C42E1F9-15DF-4A77-8FD4-5109B63A6CD1}|URL, Delete-on-Reboot, [1974], [368913],1.0.1874 Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\JETPACK\@SPORTS, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NLFMLJAFHFCNCNAEKJMGNCHFAPIBFMCO, Delete-on-Reboot, [1974], [362981],1.0.1874 File: 20 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [625], [373878],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default-1491393116824\jetpack\@Sports\simple-storage\store.json, Delete-on-Reboot, [1974], [362990],1.0.1874 PUP.Optional.Spigot, C:\USERS\{username}\DESKTOP\GETSPORTS.EXE, Delete-on-Reboot, [625], [372110],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\PREFS.JS, Replaced, [1974], [361537],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\PREFS.JS, Replaced, [1974], [361538],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\{profile}.DEFAULT-1491393116824\EXTENSIONS\@SPORTS.XPI, Delete-on-Reboot, [1974], [362994],1.0.1874 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\NLFMLJAFHFCNCNAEKJMGNCHFAPIBFMCO\4.0_0\BACKGROUND.JS, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css\description.css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\css\popup.css, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup\description.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\html\popup\popup.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\popup\popup.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\js\userNewTab.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\newtab\newtab.html, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_locales\en\messages.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\contentscript.js, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\icon.png, Delete-on-Reboot, [1974], [362981],1.0.1874 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlfmljafhfcncnaekjmgnchfapibfmco\4.0_0\manifest.json, Delete-on-Reboot, [1974], [362981],1.0.1874 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  3. LittleSnitch (3rd party firewall) prompted me on an outbound connection from an application I didn't recognize in ~/Library/Application Support/AppPolicy/AppBox. It was attempting to connect to www. unionsoftwareonline. com. Doing some digging this site appeared to be associated with the PUP/Adware "AppMonitor". I ran a Malwarebytes scan and it detected three components related to Adware.Spigot: 2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml 2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon 2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist However, it did not identify or offer to remove the directory or binary I noted above. Using LaunchControl (a GUI for examining your launchd configuration), I identified a User Agent was installed ( /Users/xxx/Library/LaunchAgents/com.appbox.AppBox.plist) with the following parameters: /Users/xxx/Library/Application Support/AppPolicy/AppBox" -i -c <6 digit number> -isn <string of digits and letters separated by dashes> I know malware can download and install other components. But I believe Malwarebytes should try to clean them up as well... Is this a known or possibly new variant/component of Adware.Spigot? I tried searching the Malwarebytes labs Threat Center. But I couldn't even get a hit on "Adware.Spigot" or "Spigot" and that is clearly something it identifies. (Is there a searchable compendium of all threats that Malwarebytes identifies? Sorry, new around here...) I unloaded the launchd agent and disabled it but held onto the binary for the moment in case it is of use for further analysis.
  4. What is Easy Maps Access? The Malwarebytes research team has determined that Easy Maps Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Maps Access is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Maps Access? You may see these browser extensions/add-ons: You may see this entry in your list of installed software: these changed settings in the affected browser(s): these warnings during install: and this new startpage in the affected browser(s): How did Easy Maps Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Maps Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Maps Access? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the Easy Maps Access entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Maps Access hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to most of their domains: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30 SearchScopes: HKCU -> DefaultScope {E3155B66-F240-4213-99AD-886DAE937D4F} URL = hxxp://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms} SearchScopes: HKCU -> {E3155B66-F240-4213-99AD-886DAE937D4F} URL = hxxp://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms} FF Homepage: hxxp://search.easymapsaccess.com?uid=94ca00b2-21f4-4eee-b049-94507bbafd6e&uc=20170302&ap=&source=tt&page=homepage&implementation_id=maps_4.0.0 FF Extension: Maps - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Maps.xpi [2017-03-02] CHR Extension: (Easy Maps Access) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe [2017-03-02] C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Maps Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.5.0.2 - Cloud Installer) The most significant changes made by the installers: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0 Adds the file background.js"="1/19/2017 10:03 AM, 15343 bytes, A Adds the file contentscript.js"="1/19/2017 10:03 AM, 1238 bytes, A Adds the file icon.png"="3/2/2017 11:06 AM, 7862 bytes, A Adds the file manifest.json"="3/2/2017 11:06 AM, 1400 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab Adds the file newtab.html"="1/19/2017 10:03 AM, 190 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\dgijpfbdmkifnjbjkagakpidomeocdpe Adds the file 000003.log"="3/2/2017 11:06 AM, 240 bytes, A Adds the file CURRENT"="3/2/2017 11:06 AM, 16 bytes, A Adds the file LOCK"="3/2/2017 11:06 AM, 0 bytes, A Adds the file LOG"="3/2/2017 11:06 AM, 184 bytes, A Adds the file MANIFEST-000001"="3/2/2017 11:06 AM, 41 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="3/2/2017 11:02 AM, 256000 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Maps.xpi"="3/2/2017 11:04 AM, 19297 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage Adds the file store.json"="3/2/2017 11:05 AM, 311 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD] "Blob"="REG_BINARY, ....................................................GlobalSign.b... .................S...#.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{E3155B66-F240-4213-99AD-886DAE937D4F}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E3155B66-F240-4213-99AD-886DAE937D4F}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easymapsaccess.com/s?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Maps Access" "DisplayVersion"="REG_SZ", "2.5.0.2" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.easymapsaccess.com/?source=tt&uid={uid1}&uc=20170302&ap=&i_id=maps__1.30" "UninstallImpression"="REG_SZ", "http://imp.easymapsaccess.com/impression.do?source=tt&sub_id=20170302&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=maps__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" An excerpt from the Malwarebytes scan log: (full log available on request) Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 3/2/17 Scan Time: 11:16 AM Logfile: mbamEasyMapsAccess.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1400 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 362676 Time Elapsed: 1 min, 33 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 2 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E3155B66-F240-4213-99AD-886DAE937D4F}, Delete-on-Reboot, [2368], [368913],1.0.1400 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [2368], [373048],1.0.1400 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{E3155B66-F240-4213-99AD-886DAE937D4F}|URL, Delete-on-Reboot, [2368], [368913],1.0.1400 Data Stream: 0 (No malicious items detected) Folder: 14 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@MAPS, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales\en, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\popup, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGIJPFBDMKIFNJBJKAGAKPIDOMEOCDPE, Delete-on-Reboot, [2368], [362981],1.0.1400 File: 18 PUP.Optional.Spigot, C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe, Delete-on-Reboot, [812], [373878],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2368], [361537],1.0.1400 PUP.Optional.Maps, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Maps\simple-storage\store.json, Delete-on-Reboot, [2400], [348731],1.0.1400 PUP.Optional.Maps, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@MAPS.XPI, Delete-on-Reboot, [2400], [348742],1.0.1400 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\DGIJPFBDMKIFNJBJKAGAKPIDOMEOCDPE\2.0_0\BACKGROUND.JS, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css\description.css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\css\popup.css, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup\description.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\html\popup\popup.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\popup\popup.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\js\userNewTab.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\newtab\newtab.html, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\contentscript.js, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\icon.png, Delete-on-Reboot, [2368], [362981],1.0.1400 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgijpfbdmkifnjbjkagakpidomeocdpe\2.0_0\manifest.json, Delete-on-Reboot, [2368], [362981],1.0.1400 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  5. What is Easy Interests Access? The Malwarebytes research team has determined that Easy Interests Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. Easy Interests Access is a member of the Spigot family as described in the blogpost Spigot browser hijackers. How do I know if my computer is affected by Easy Interests Access? You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): and this new default search provider: How did Easy Interests Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Interests Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Interests Access? If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Interests Access hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to their domain: Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30 HKCU\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxps://www.google.co.uk/?gws_rd=ssl SearchScopes: HKCU -> DefaultScope {8FCAF78A-539A-4882-B107-3BE2440D10F7} URL = hxxp://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms} SearchScopes: HKCU -> {8FCAF78A-539A-4882-B107-3BE2440D10F7} URL = hxxp://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms} C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Easy Interests Access (HKCU\...\{28e56cfb-e30e-4f66-85d8-339885b726b8}) (Version: 2.4.0.3 - Cloud Installer) The changes made by the IE installer (this one failed on Firefox and Chrome): File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8} Adds the file Uninstall.exe"="2/23/2017 11:10 AM, 256000 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{8FCAF78A-539A-4882-B107-3BE2440D10F7}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8FCAF78A-539A-4882-B107-3BE2440D10F7}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyinterestsaccess.com/s?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "Easy Interests Access" "DisplayVersion"="REG_SZ", "2.4.0.3" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\" "Publisher"="REG_SZ", "Cloud Installer" "UninstallHomepage"="REG_SZ", "http://search.easyinterestsaccess.com/?source=tt&uid={uid1}&uc=20170223&ap=&i_id=interest__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyinterestsaccess.com/impression.do?source=tt&sub_id=20170223&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=interest__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\{28e56cfb-e30e-4f66-85d8-339885b726b8}\Uninstall.exe" /uninstall" The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/23/17 Scan Time: 11:19 AM Logfile: mbamEasyInterestsAccess.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.1329 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 361399 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8FCAF78A-539A-4882-B107-3BE2440D10F7}, Quarantined, [2364], [368913],1.0.1329 Registry Value: 2 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8FCAF78A-539A-4882-B107-3BE2440D10F7}|URL, Quarantined, [2364], [368913],1.0.1329 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replaced, [2364], [373048],1.0.1329 Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  6. What is Easy Online Game Access? The Malwarebytes research team has determined that Easy Online Game Access is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. This one also displays advertisements. How do I know if my computer is affected by Easy Online Game Access? You may see these warnings during install: this browser extension: this new default Search Provider: and this new startpage in the affected browser(s): How did Easy Online Game Access get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove Easy Online Game Access? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of Easy Online Game Access? No, Malwarebytes removes Easy Online Game Access completely. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the Easy Online Game Access hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late. and we block the traffic to their sites. Technical details for experts Possible signs in FRST logs: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30 SearchScopes: HKCU -> DefaultScope {0B73690C-0686-422A-999D-FEE19642DD9E} URL = hxxp://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms} SearchScopes: HKCU -> {0B73690C-0686-422A-999D-FEE19642DD9E} URL = hxxp://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms} FF NewTab: hxxp://search.easyonlinegameaccess.com?uid={uid2}&uc=20170201&ap=&source=-bb8&page=newtab&implementation_id=games_0.2.0 FF Homepage: hxxp://search.easyonlinegameaccess.com?uid={uid2}&uc=20170201&ap=&source=-bb8&page=homepage&implementation_id=games_0.2.0 FF Extension: Games - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Games.xpi [2017-02-01] C:\Users\{username}\AppData\Roaming\SpigotSettings Alterations made by the installer: File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\extensions Adds the file @Games.xpi"="2/1/2017 9:28 AM, 27453 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage Adds the file store.json"="2/1/2017 9:29 AM, 327 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\SpigotSettings Adds the file Uninstall.exe"="2/1/2017 9:25 AM, 267616 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] "Start Page" = REG_SZ, "http://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes] "DefaultScope" = REG_SZ, "{0B73690C-0686-422A-999D-FEE19642DD9E}" [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0B73690C-0686-422A-999D-FEE19642DD9E}] "DisplayName"="REG_SZ", "Search" "SuggestionsURL"="REG_SZ", "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" "URL"="REG_SZ", "http://search.easyonlinegameaccess.com/s?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30&query={searchTerms}" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}] "DisplayName"="REG_SZ", "" "DisplayVersion"="REG_SZ", "2.1.0.1" "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\SpigotSettings\" "Publisher"="REG_SZ", "Spigot, Inc." "UninstallHomepage"="REG_SZ", "http://search.easyonlinegameaccess.com/?source=tt&uid={uid1}&uc=20170201&ap=&i_id=games__1.30" "UninstallImpression"="REG_SZ", "http://imp.easyonlinegameaccess.com/impression.do?source=tt&sub_id=20170201&useragent=Mozilla%2F5.0+(Windows+NT+6.1%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&traffic_source=&user_id={uid1}&implementation_id=games__1.30&event={exEvent}" "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\SpigotSettings\Uninstall.exe" /uninstall" Malwarebytes log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 2/1/17 Scan Time: 9:40 AM Logfile: mbamEasyOnlineGameAccess.txt Administrator: Yes -Software Information- Version: 3.0.6.1469 Components Version: 1.0.50 Update Package Version: 1.0.1148 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 358118 Time Elapsed: 1 min, 36 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{28e56cfb-e30e-4f66-85d8-339885b726b8}, Delete-on-Reboot, [811], [300859],1.0.1148 Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 2 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage, Delete-on-Reboot, [2349], [364932],1.0.1148 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@GAMES, Delete-on-Reboot, [2349], [364932],1.0.1148 File: 5 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2349], [361537],1.0.1148 PUP.Optional.Spigot.Generic, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Replaced, [2349], [361538],1.0.1148 PUP.Optional.Spigot.Generic, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Games\simple-storage\store.json, Delete-on-Reboot, [2349], [364932],1.0.1148 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\SPIGOTSETTINGS\UNINSTALL.EXE, Delete-on-Reboot, [811], [300859],1.0.1148 PUP.Optional.Spigot, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@GAMES.XPI, Delete-on-Reboot, [811], [364940],1.0.1148 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  7. hey all , after removing distromatic pup from my system my internet became very very slow i had 2 pups , distro and spigot , malwarebytes had a rough time with spigot , so i used some advice from an answer i found in here and used Zoek to wipe it it took a few tries but finally no more pups my problem now is that my internet a very slow , like 2-4kbps any advice would be great ! thankyou .
  8. What is My Email XP? The Malwarebytes research team has determined that My Email XP is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice. My Email XP is a member of the Spigot family. How do I know if my computer is affected by My Email XP? You may see these browser extensions/add-ons: You may see this entry in your list of installed software: these warnings during install: and this new startpage in the affected browser(s): How did My Email XP get on my computer? Browser hijackers use different methods for distributing themselves. This particular one was downloaded from their site. How do I remove My Email XP? Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so. Is there anything else I need to do to get rid of My Email XP? If you are using Chrome, you may have to remove the Extension manually under Tools > Settings > Extensions. Remove the checkmark and click on the bin behind the My Email XP entry. If your browsers have been hijacked, you should read our Restore Browser page. You can read there how to fix additional browser redirect methods. How would the full version of Malwarebytes help protect me? We hope our application and this guide have helped you eradicate this hijacker. As you can see below the full version of Malwarebytes would have protected you against the My Email XP hijacker. It would have warned you before the hijacker could install itself, giving you a chance to stop it before it became too late. and it blocks traffic to some of their domains. Technical details for experts Possible signs in a FRST log: HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.myemailxp.com?uid={uid}&uc=20170112&source=tt-bb8&ap=&i_id=email__1.0.2.25 FF Homepage: hxxp://search.myemailxp.com?uid={uid}&uc=20170112&ap=&source=-bb8&page=homepage&implementation_id=email_4.0.12 FF Extension: Email - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\Extensions\@Email.xpi [2017-01-12] CHR Extension: (My Email XP) - C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap [2017-01-12] C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon.com My Email XP (HKCU\...\b416bdd8c1e685ae) (Version: 1.0.2.25 - Amazon.com) The Malwarebytes scan log: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 1/12/17 Scan Time: 12:43 PM Logfile: mbamMyEmailXP.txt Administrator: Yes -Software Information- Version: 3.0.5.1299 Components Version: 1.0.43 Update Package Version: 1.0.986 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 355331 Time Elapsed: 7 min, 16 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 1 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\b416bdd8c1e685ae, Delete-on-Reboot, [2892], [360182],1.0.986 Registry Value: 2 PUP.Optional.MyEmailXP, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|START PAGE, Replace-on-Reboot, [1844], [335015],1.0.986 PUP.Optional.Spigot.Generic, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\b416bdd8c1e685ae|URLUPDATEINFO, Delete-on-Reboot, [2892], [360182],1.0.986 Data Stream: 0 (No malicious items detected) Folder: 13 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Email\simple-storage, Quarantined, [1844], [335005],1.0.986 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\JETPACK\@EMAIL, Quarantined, [1844], [335005],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_locales\en, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\html\popup, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_metadata, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\js\popup, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_locales, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\newtab, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\html, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\css, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\js, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0, Quarantined, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PLNOKIJLNFFEHDEMKHGNLGACNCEKFKAP, Quarantined, [1844], [360385],1.0.986 File: 16 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\PREFS.JS, Removal Failed, [1844], [335011],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\jetpack\@Email\simple-storage\store.json, Delete-on-Reboot, [1844], [335005],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\css\description.css, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\css\popup.css, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\html\popup\description.html, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\html\popup\popup.html, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\js\popup\popup.js, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\js\userNewTab.js, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\newtab\newtab.html, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_locales\en\messages.json, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_metadata\computed_hashes.json, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\_metadata\verified_contents.json, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\background.js, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\icon.png, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Extensions\plnokijlnffehdemkhgnlgacncekfkap\2.0_0\manifest.json, Delete-on-Reboot, [1844], [360385],1.0.986 PUP.Optional.MyEmailXP, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\NCH5MQSA.DEFAULT\EXTENSIONS\@EMAIL.XPI, Delete-on-Reboot, [1844], [335030],1.0.986 Physical Sector: 0 (No malicious items detected) (end) As mentioned before the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s): Dynamically Blocks Malware Sites & Servers Malware Execution Prevention Save yourself the hassle and get protected.
  9. My mac has been running very slow. Half the pages I visit finish loading and do not display the page at all. I have to refresh the page several times and still nothing. Then there is this turbomac ad - almost 3 or 4 on every page I visit There is an offerz4u ad which appears like a horizontal comic strip at the bottom of the page with a option to close by crossing it. it sometimes appears on the middle of the page like a vertical comic strip too. Even outlook and gmail weren't opening. The offline outlook account that says "Mail" on mac --- all the accounts were deleted and it was not allowing me to create new ones or re-sign in into the old ones. I researched the problem and was advised to remove certain .plist files from launch Daemons and gmail and few pages started working. But 99% of the issues weren't solved so I installed MBAM, ran a scan and it detected upwards of 250 problems. Now some of them seem like simple folders on a mac which have been flagged for reasons unclear to me. Eg: Library/AppPolicy I needed to as what items are malware and adware before deleting since the last time I clicked delete all in MBAM on windows, it deleted several registry keys and files that were not infected and screwed up my system when deleted. I'm attached screenshots of the list of detected things on MBAM scan since I found no other way to show you the logs. I was afraid if I hit cancel then the whole list would disappear. Most of the name you see were under the heading "Vsearch" P.S. Every time I visit a website, it takes a long time to load so I noted down all the redirects and names of addresses that appear on tthe bottom right of the page and I'm attaching that as the first file here. Please help. WEbsite redirects.txt
  10. WIndows 8. I have had the spigot virus for