What is Zingload?

The Malwarebytes research team has determined that Zingload is adware. These adware applications display advertisements not originating from the sites you are browsing.

How do I know if my computer is affected by Zingload?

You may see this entry in your list of installed programs:

[screenshot: entry in the list of installed programs]

and notice that the shortcuts for your browsers on the desktop, in the taskbar, and in the start menu have been altered. This will be the page that opens when you start those browsers:

[screenshot: Zingload page opened by the altered shortcuts]

and these settings in Chrome (as an example):

[screenshot: Chrome settings altered by Zingload]

[screenshot: Chrome settings altered by Zingload]

How did Zingload get on my computer?

Adware applications use different methods for distributing themselves. This particular one was installed by a trojan.

How do I remove Zingload?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to:
    Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • If an update is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Zingload?
  • You should have a look at the Restore Browser page. It explains how to fix additional browser redirect methods.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Zingload adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it was too late.

[screenshot: Malwarebytes Anti-Malware blocking the Zingload installer]


Technical details for experts

Possible signs in FRST logs:
 
 GroupPolicy: Restriction - Chrome <======= ATTENTION
 CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
 StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.zingload.com/?type=ll&uid={uid}
 FF Homepage: hxxp://www.zingload.com/?type=hp&uid={uid}
 FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\nch5mqsa.default\searchplugins\zingload.xml [2016-07-15]
 StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.zingload.com/?type=ll&uid={uid}
 CHR HomePage: Default -> hxxp://www.zingload.com/?type=hp&uid={uid}
 CHR StartupUrls: Default -> "hxxp://www.zingload.com/?type=hp&uid={uid}"
 StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe hxxp://www.zingload.com/?type=ll&uid={uid}
 C:\Users\{username}\AppData\Local\Temp\1468571993VkJPWtmp.exe

FastCompress-Zip_1.0.2.3_Release (HKLM-x32\...\FastCompress-Zip) (Version:  - )
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.zingload.com/?type=ll&uid={uid}
ShortcutWithArgument: C:\Users\Public\Desktop\Opera.lnk -> C:\Program Files (x86)\Opera\launcher.exe (Opera Software) -> hxxp://www.zingload.com/?type=ll&uid={uid}
 
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
    In the existing folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs
       Alters the file Google Chrome.lnk
        6/28/2016 9:16 AM, 2195 bytes, A ==> 7/15/2016 10:40 AM, 2343 bytes, A
       Alters the file Mozilla Firefox.lnk
        2/8/2016 1:27 PM, 1159 bytes, A ==> 7/15/2016 10:40 AM, 1307 bytes, A
    In the existing folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default
       Alters the file Secure Preferences
        7/8/2016 8:40 AM, 37517 bytes, A ==> 7/15/2016 10:40 AM, 38068 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
       Alters the file Google Chrome.lnk
        2/10/2016 11:39 AM, 2279 bytes, A ==> 7/15/2016 10:40 AM, 2427 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
       Alters the file Google Chrome.lnk
        3/3/2016 10:14 AM, 2393 bytes, A ==> 7/15/2016 10:40 AM, 2541 bytes, A
       Alters the file Mozilla Firefox.lnk
        6/20/2016 11:24 AM, 1159 bytes, A ==> 7/15/2016 10:40 AM, 1331 bytes, A
    In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default
       Alters the file prefs.js
        7/15/2016 10:33 AM, 10586 bytes, A ==> 7/15/2016 10:40 AM, 10703 bytes, A
       Adds the file search-metadata.json"="7/15/2016 10:40 AM, 89 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}.default\searchplugins
       Adds the file zingload.xml"="7/15/2016 10:40 AM, 534 bytes, A
    In the existing folder C:\Users\Public\Desktop
       Alters the file Google Chrome.lnk
        6/28/2016 9:16 AM, 2183 bytes, A ==> 7/15/2016 10:40 AM, 2331 bytes, A
       Alters the file Mozilla Firefox.lnk
        2/8/2016 1:27 PM, 1147 bytes, A ==> 7/15/2016 10:40 AM, 1295 bytes, A
       Alters the file Opera.lnk
        2/8/2016 1:39 PM, 1135 bytes, A ==> 7/15/2016 10:40 AM, 1259 bytes, A


Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
       "(Default)" = REG_SZ, ""C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command]
       "(Default)" = REG_SZ, ""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
       "(Default)" = REG_SZ, "C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\OperaStable\shell\open\command]
       "(Default)" = REG_SZ, ""C:\Program Files (x86)\Opera\Launcher.exe" http://www.zingload.com/?type=ll&uid={uid}"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
       "DefaultSearchProviderEnabled"="REG_SZ", "1"
       "DefaultSearchProviderKeyword"="REG_SZ", "zingload"
       "DefaultSearchProviderName"="REG_SZ", "Google"
       "DefaultSearchProviderSearchURL"="REG_SZ", "http://search.zingload.com/web?type=ds&x=fqxavzjbkb-292c0d15&uid={uid}&q={searchTerms}"
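
The FRST signs and registry details above show three persistence spots: browser shortcuts with a URL appended as an argument, the StartMenuInternet open commands, and a Chrome search-provider policy. The following read-only audit script is an added example written for this post; it is not part of the original post or of Malwarebytes' tooling, and it assumes the standard shortcut folders shown in the logs.

```powershell
# Added example, not part of the original post or Malwarebytes' tooling: a read-only
# audit of the three places the logs above show Zingload persisting. It reports and
# does not repair anything.
function Find-BrowserHijack {
    $urlRegex = 'https?://'
    $shell = New-Object -ComObject WScript.Shell
    $shortcutDirs = @(
        "$env:PUBLIC\Desktop",
        "$env:USERPROFILE\Desktop",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes User Pinned\TaskBar
    )

    # 1. Browser shortcuts. A clean browser .lnk has empty Arguments; a URL in them is
    #    what FRST prints as a "ShortcutWithArgument" line.
    foreach ($dir in $shortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                if ($lnk.Arguments -match $urlRegex) {
                    [pscustomobject]@{ Kind = 'Shortcut'; Where = $_.FullName; Value = $lnk.Arguments }
                }
            }
    }

    # 2. StartMenuInternet open commands (both hives seen in the MBAM log). The default
    #    value should be only the quoted browser path, never a URL.
    foreach ($hive in 'HKLM:\SOFTWARE\Clients\StartMenuInternet',
                      'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet') {
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdKey = "$($_.PSPath)\shell\open\command"
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -match $urlRegex) {
                [pscustomobject]@{ Kind = 'StartMenuInternet'; Where = $cmdKey; Value = $cmd }
            }
        }
    }

    # 3. Chrome search-provider policy (the "GroupPolicy: Restriction - Chrome" sign).
    #    A home PC should have no such policy; on a domain-managed PC it may be legitimate.
    $polKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.DefaultSearchProviderSearchURL) {
        [pscustomobject]@{ Kind = 'ChromePolicy'; Where = $polKey; Value = $pol.DefaultSearchProviderSearchURL }
    }
}

Find-BrowserHijack | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an empty table means none of the three signs is present.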
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/15/2016
Scan Time: 1:20 PM
Logfile: mbamZingload.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.15.04
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 315109
Time Elapsed: 13 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 6
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\FIREFOX.EXE\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (firefox.exe), Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[a1af37ed88123cfae19a773b00049868]
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\GOOGLE CHROME\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (Chrome.exe), Bad: ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[5df351d3aeec082e602050629c68df21]
PUP.Optional.Zingload, HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\IEXPLORE.EXE\SHELL\OPEN\COMMAND, C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}, Good: (iexplore.exe), Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}),Replaced,[d67adc488b0f55e1fd7f318110f47987]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\FIREFOX.EXE\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (firefox.exe), Bad: ("C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[0c44061e9a0079bd1665fab80ff5d927]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\GOOGLE CHROME\SHELL\OPEN\COMMAND, "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}, Good: (Chrome.exe), Bad: ("C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://www.zingload.com/?type=ll&uid={uid}),Replaced,[f858b86c82180f276e12585ad52f18e8]
PUP.Optional.Zingload, HKLM\SOFTWARE\WOW6432NODE\CLIENTS\STARTMENUINTERNET\IEXPLORE.EXE\SHELL\OPEN\COMMAND, C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}, Good: (iexplore.exe), Bad: (C:\Program Files\Internet Explorer\iexplore.exe http://www.zingload.com/?type=ll&uid={uid}),Replaced,[4a06c163bedc0e287606436fcf35fd03]

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Downloader, C:\Users\{username}\Desktop\InstallDingjDlr.exe, Quarantined, [2a26ad77207a1422ea33717b3ac729d7], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.