No replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is Spigot Search Protection?

The Malwarebytes research team has determined that Spigot Search Protection is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Spigot Search Protection?

In your browser(s) you will notice this searchpage as your startpage:



You may see this entry in your list of installed software:



and these browser settings may have changed:





How did Spigot Search Protection get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Spigot Search Protection?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

• Please download Malwarebytes Anti-Malware to your desktop.
• Double-click mbam-setup-version.exe and follow the prompts to install the program.
• At the end, be sure a check-mark is placed next to the following:
  • Enable free trial of Malwarebytes Anti-Malware Premium
  • Launch Malwarebytes Anti-Malware
• Then click Finish.
• If an update is found, you will be prompted to download and install the latest version.
• Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
• When the scan is complete , make sure that everything is set to "Quarantine", and click Apply Actions.
• Reboot your computer if prompted.

Is there anything else I need to do to get rid of Spigot Search Protection?

• No, Malwarebytes' Anti-Malware removes Spigot Search Protection completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Spigot Search Protection hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Technical details for experts

Signs in a HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie
O4 - HKCU\..\Run: [Search Protection] "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart

Alterations made by the installer:

File system details  
---------------------------------------------
    In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835
       Alters the file prefs.js
        12/30/2014 1:35 PM, 4572 bytes, A ==> 1/7/2015 11:27 AM, 4954 bytes, A
       Adds the file search.sqlite"="1/7/2015 11:27 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins
       Adds the file yahoo_ff.xml"="1/7/2015 11:27 AM, 811 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Search Protection
       Adds the file SP.exe"="12/11/2014 9:50 AM, 1128760 bytes, A
       Adds the file Uninstall.exe"="1/7/2015 11:27 AM, 508519 bytes, A

Registry details  
------------------------------------------
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\Search Protection]
       "523482"="REG_DWORD", 1
       "APP_VER"="REG_SZ", "10.6.0.1"
       "CCV"="REG_SZ", "196"
       "channelId"="REG_DWORD", 523482
       "FCV"="REG_SZ", "196"
       "FFFailed"="REG_DWORD", 0
       "GCFailed"="REG_DWORD", 0
       "HP_FF"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ff"
       "HP_GC"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=yo-yhp-ch"
       "HP_IE"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
       "InhibitGC"="REG_DWORD", 0
       "ISN"="REG_SZ", "F980E65CF97C47A8B562817423B0822E"
       "ping_ts"="REG_DWORD", 1420626464
       "sdsprotection"="REG_DWORD", 1
       "spid"="REG_SZ", "249"
       "WS_FF_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=523482&p="
       "WS_FF_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ff&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_GC_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-yo_gc&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ie1&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Start Page"="REG_SZ", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope"="REG_SZ", "{8D93711D-8DE0-4A03-830C-CC9750A6BF85}"
       "ShowSearchSuggestionsInAddressGlobal"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8D93711D-8DE0-4A03-830C-CC9750A6BF85}]
       "DisplayName"="REG_SZ", "Yahoo"
       "FaviconPath"="REG_SZ", "C:\Users\{username}\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{8D93711D-8DE0-4A03-830C-CC9750A6BF85}.ico"
       "FaviconURL"="REG_SZ", "http://www.yahoo.com/favicon.ico"
       "OSDFileURL"="REG_SZ", "file:///C:/Users/MALWAR~1/AppData/Local/Temp/yahoo_ie.xml"
       "URL"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "Search Protection"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
       "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE,0"
       "DisplayName"="REG_SZ", "Search Protection"
       "DisplayVersion"="REG_SZ", "10.6.0.1"
       "InstallDir"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "Spigot, Inc."
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\uninstall.exe""
       "URLInfoAbout"="REG_SZ", "http://www.spigot.com"
       "VersionMajor"="REG_SZ", "1"
       "VersionMinor"="REG_SZ", "0"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/7/2015
Scan Time: 11:38:31 AM
Logfile: mbamSpigot.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.07.07
Rootkit Database: v2015.01.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287306
Time Elapsed: 3 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, 3772, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Search Protection, Quarantined, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.MyEmoticons.A, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\Search Protection, Quarantined, [286b9d57f099e353632a0e98cc372dd3], 

Registry Values: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Search Protection, "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart, Quarantined, [a9ea18dc79102610543a0567c93a13ed]

Registry Data: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie, Good: (www.google.com), Bad: (https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie),Replaced,[336000f4ff8a15217a5c07793dc8ee12]

Folders: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed], 

Files: 4
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins\yahoo_ff.xml, Quarantined, [b7dc975dd2b7a096d08805613ac9f60a], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\Uninstall.exe, Quarantined, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed], 
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ff");), Replaced,[7023995b1079053151833c888b7ae41c]

Physical Sectors: 0
(No malicious items detected)


(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• Dynamically Blocks Malware Sites & Servers
• Malware Execution Prevention

Save yourself the hassle and get protected.