
Removal instructions for Spigot Search Protection


#1
Metallica

Content is republished with permission from Malwarebytes.

What is Spigot Search Protection?

The Malwarebytes research team has determined that Spigot Search Protection is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Spigot Search Protection?

In your browser(s) you will notice this search page as your start page:

main.png

You may see this entry in your list of installed software:

warning4.png

and these browser settings may have changed:

warning1.png

warning2.png

How did Spigot Search Protection get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Spigot Search Protection?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.
Is there anything else I need to do to get rid of Spigot Search Protection?
  • No, Malwarebytes Anti-Malware removes Spigot Search Protection completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Spigot Search Protection hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Signs in a HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie
O4 - HKCU\..\Run: [Search Protection] "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart

Alterations made by the installer:

File system details  
---------------------------------------------
    In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835
       Alters the file prefs.js
        12/30/2014 1:35 PM, 4572 bytes, A ==> 1/7/2015 11:27 AM, 4954 bytes, A
       Adds the file search.sqlite"="1/7/2015 11:27 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins
       Adds the file yahoo_ff.xml"="1/7/2015 11:27 AM, 811 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Search Protection
       Adds the file SP.exe"="12/11/2014 9:50 AM, 1128760 bytes, A
       Adds the file Uninstall.exe"="1/7/2015 11:27 AM, 508519 bytes, A

Registry details  
------------------------------------------
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\Search Protection]
       "523482"="REG_DWORD", 1
       "APP_VER"="REG_SZ", "10.6.0.1"
       "CCV"="REG_SZ", "196"
       "channelId"="REG_DWORD", 523482
       "FCV"="REG_SZ", "196"
       "FFFailed"="REG_DWORD", 0
       "GCFailed"="REG_DWORD", 0
       "HP_FF"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ff"
       "HP_GC"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=yo-yhp-ch"
       "HP_IE"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
       "InhibitGC"="REG_DWORD", 0
       "ISN"="REG_SZ", "F980E65CF97C47A8B562817423B0822E"
       "ping_ts"="REG_DWORD", 1420626464
       "sdsprotection"="REG_DWORD", 1
       "spid"="REG_SZ", "249"
       "WS_FF_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=523482&p="
       "WS_FF_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ff&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_GC_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-yo_gc&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ie1&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Start Page"="REG_SZ", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope"="REG_SZ", "{8D93711D-8DE0-4A03-830C-CC9750A6BF85}"
       "ShowSearchSuggestionsInAddressGlobal"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8D93711D-8DE0-4A03-830C-CC9750A6BF85}]
       "DisplayName"="REG_SZ", "Yahoo"
       "FaviconPath"="REG_SZ", "C:\Users\{username}\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{8D93711D-8DE0-4A03-830C-CC9750A6BF85}.ico"
       "FaviconURL"="REG_SZ", "http://www.yahoo.com/favicon.ico"
       "OSDFileURL"="REG_SZ", "file:///C:/Users/MALWAR~1/AppData/Local/Temp/yahoo_ie.xml"
       "URL"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "Search Protection"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
       "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE,0"
       "DisplayName"="REG_SZ", "Search Protection"
       "DisplayVersion"="REG_SZ", "10.6.0.1"
       "InstallDir"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "Spigot, Inc."
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\uninstall.exe""
       "URLInfoAbout"="REG_SZ", "http://www.spigot.com"
       "VersionMajor"="REG_SZ", "1"
       "VersionMinor"="REG_SZ", "0"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/7/2015
Scan Time: 11:38:31 AM
Logfile: mbamSpigot.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.07.07
Rootkit Database: v2015.01.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287306
Time Elapsed: 3 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, 3772, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Search Protection, Quarantined, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.MyEmoticons.A, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\Search Protection, Quarantined, [286b9d57f099e353632a0e98cc372dd3], 

Registry Values: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Search Protection, "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart, Quarantined, [a9ea18dc79102610543a0567c93a13ed]

Registry Data: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie, Good: (www.google.com), Bad: (https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie),Replaced,[336000f4ff8a15217a5c07793dc8ee12]

Folders: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed], 

Files: 4
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins\yahoo_ff.xml, Quarantined, [b7dc975dd2b7a096d08805613ac9f60a], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\Uninstall.exe, Quarantined, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ff");), Replaced,[7023995b1079053151833c888b7ae41c]

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We protect your computer(s) in different ways:
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
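
The two HijackThis signs listed under "Technical details for experts" can be checked for mechanically when triaging logs. The script below is an added example, not part of the original Malwarebytes write-up: it scans HijackThis-style log text for an Internet Explorer start page whose fr parameter begins with "spigot-" and for a Run entry pointing at SP.EXE in the Search Protection folder. The function names, the user name "alice", the benign log lines and the choice of the "spigot-" prefix as the matching rule are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Line shapes follow the two HijackThis entries shown in the post.
R_LINE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>\S+)$')
O4_LINE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))(?=\s|$)', re.I)

# Indicators from the post; using the "spigot-" prefix of the fr
# parameter as the marker is an assumption of this example.
FR_PREFIX = "spigot-"
RUN_PATH_SUFFIX = r"\appdata\roaming\search protection\sp.exe"

# Constructed sample: lines 1 and 3 mirror the post, 2 and 4 are benign.
SAMPLE_LOG = r'''R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
O4 - HKCU\..\Run: [Search Protection] "C:\Users\alice\AppData\Roaming\Search Protection\SP.EXE" /autostart
O4 - HKCU\..\Run: [Updater] "C:\Program Files\Example\updater.exe" /background
'''

def executable_path(cmd):
    """Return the program path from a Run command line, quoted or unquoted."""
    m = EXE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def check_line(line):
    """Return a finding string if the line matches an indicator, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m and m["value"].strip().lower() == "start page":
        query = parse_qs(urlsplit(m["data"]).query)
        fr = query.get("fr", [""])[0]
        if fr.lower().startswith(FR_PREFIX):
            return f"start page hijack: fr={fr}"
    m = O4_LINE.match(line)
    if m:
        path = executable_path(m["cmd"])
        if path.lower().endswith(RUN_PATH_SUFFIX):
            return f"autostart entry: [{m['name']}] {path}"
    return None

def scan(log_text):
    """Return (line_number, finding) pairs for every matching log line."""
    hits = ((n, check_line(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return [(n, hit) for n, hit in hits if hit]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

The Run entry is matched on the executable's path rather than on the value name, so a renamed entry that still launches SP.EXE from the same folder is reported as well.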