Removal instructions for Spigot Search Protection


What is Spigot Search Protection?

The Malwarebytes research team has determined that Spigot Search Protection is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choice.

How do I know if my computer is affected by Spigot Search Protection?

In your browser(s) you will notice this search page as your start page:

main.png

You may see this entry in your list of installed software:

warning4.png

and these browser settings may have changed:

warning1.png

warning2.png

How did Spigot Search Protection get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Spigot Search Protection?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.

  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
  • Reboot your computer if prompted.

Is there anything else I need to do to get rid of Spigot Search Protection?

  • No, Malwarebytes Anti-Malware removes Spigot Search Protection completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Spigot Search Protection hijacker. It would have warned you before the rogue could install itself, giving you a chance to stop it before it was too late.

protection1.png

Technical details for experts

Signs in a HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie
O4 - HKCU\..\Run: [Search Protection] "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart

Alterations made by the installer:

File system details
---------------------------------------------
    In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835
       Alters the file prefs.js
        12/30/2014 1:35 PM, 4572 bytes, A ==> 1/7/2015 11:27 AM, 4954 bytes, A
       Adds the file search.sqlite"="1/7/2015 11:27 AM, 0 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins
       Adds the file yahoo_ff.xml"="1/7/2015 11:27 AM, 811 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Search Protection
       Adds the file SP.exe"="12/11/2014 9:50 AM, 1128760 bytes, A
       Adds the file Uninstall.exe"="1/7/2015 11:27 AM, 508519 bytes, A

Registry details
------------------------------------------
    [HKEY_CURRENT_USER\Software\AppDataLow\Software\Search Protection]
       "523482"="REG_DWORD", 1
       "APP_VER"="REG_SZ", "10.6.0.1"
       "CCV"="REG_SZ", "196"
       "channelId"="REG_DWORD", 523482
       "FCV"="REG_SZ", "196"
       "FFFailed"="REG_DWORD", 0
       "GCFailed"="REG_DWORD", 0
       "HP_FF"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ff"
       "HP_GC"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=yo-yhp-ch"
       "HP_IE"="REG_SZ", "https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
       "InhibitGC"="REG_DWORD", 0
       "ISN"="REG_SZ", "F980E65CF97C47A8B562817423B0822E"
       "ping_ts"="REG_DWORD", 1420626464
       "sdsprotection"="REG_DWORD", 1
       "spid"="REG_SZ", "249"
       "WS_FF_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=523482&p="
       "WS_FF_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ff&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_GC_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-yo_gc&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_AB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=greentree_ie1&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
       "WS_IE_IB"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
       "Start Page"="REG_SZ", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
       "DefaultScope"="REG_SZ", "{8D93711D-8DE0-4A03-830C-CC9750A6BF85}"
       "ShowSearchSuggestionsInAddressGlobal"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8D93711D-8DE0-4A03-830C-CC9750A6BF85}]
       "DisplayName"="REG_SZ", "Yahoo"
       "FaviconPath"="REG_SZ", "C:\Users\{username}\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{8D93711D-8DE0-4A03-830C-CC9750A6BF85}.ico"
       "FaviconURL"="REG_SZ", "http://www.yahoo.com/favicon.ico"
       "OSDFileURL"="REG_SZ", "file:///C:/Users/MALWAR~1/AppData/Local/Temp/yahoo_ie.xml"
       "URL"="REG_SZ", "https://nl.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=523482&p={searchTerms}"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "Search Protection"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection]
       "DisplayIcon"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE,0"
       "DisplayName"="REG_SZ", "Search Protection"
       "DisplayVersion"="REG_SZ", "10.6.0.1"
       "InstallDir"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "InstallLocation"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Search Protection\"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "Publisher"="REG_SZ", "Spigot, Inc."
       "UninstallString"="REG_SZ", ""C:\Users\{username}\AppData\Roaming\Search Protection\uninstall.exe""
       "URLInfoAbout"="REG_SZ", "http://www.spigot.com"
       "VersionMajor"="REG_SZ", "1"
       "VersionMinor"="REG_SZ", "0"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/7/2015
Scan Time: 11:38:31 AM
Logfile: mbamSpigot.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.07.07
Rootkit Database: v2015.01.06.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Malwarebytes

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 287306
Time Elapsed: 3 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, 3772, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Search Protection, Quarantined, [a9ea18dc79102610543a0567c93a13ed],
PUP.Optional.MyEmoticons.A, HKCU\SOFTWARE\APPDATALOW\SOFTWARE\Search Protection, Quarantined, [286b9d57f099e353632a0e98cc372dd3],

Registry Values: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Search Protection, "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart, Quarantined, [a9ea18dc79102610543a0567c93a13ed]

Registry Data: 1
PUP.Optional.Spigot.A, HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie, Good: (www.google.com), Bad: (https://nl.search.yahoo.com/?type=523482&fr=spigot-yhp-ie),Replaced,[336000f4ff8a15217a5c07793dc8ee12]

Folders: 1
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed],

Files: 4
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\searchplugins\yahoo_ff.xml, Quarantined, [b7dc975dd2b7a096d08805613ac9f60a],
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\Uninstall.exe, Quarantined, [a9ea18dc79102610543a0567c93a13ed],
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Search Protection\SP.exe, Delete-on-Reboot, [a9ea18dc79102610543a0567c93a13ed],
PUP.Optional.Spigot.A, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\6qeoodjs.default-1401006518835\prefs.js, Good: (), Bad: (user_pref("browser.startup.homepage", "https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ff"), Replaced,[7023995b1079053151833c888b7ae41c]

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
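
For helpers who triage HijackThis logs, the two signs listed under "Technical details for experts" can be checked mechanically. The following is an added example, not part of the original post or of any Malwarebytes tool; the function name `spigot_signs`, the regular expressions and the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# HijackThis line shapes used on this page:
#   R0 - <key>,<value name> = <data>
#   O4 - <hive>\..\Run: [<entry name>] <command line>
R_LINE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>\S+)")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Install path of the autostart binary, as given in the post (case-insensitive).
SP_PATH = re.compile(r"\\AppData\\Roaming\\Search Protection\\SP\.exe", re.I)


def spigot_signs(log_text):
    """Return (line_no, kind, detail) for each line matching the page's signs."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        m = R_LINE.match(line)
        if m and m["name"].strip().lower() == "start page":
            query = parse_qs(urlsplit(m["data"]).query)
            # The hijacked start page carries an fr= tag beginning "spigot-".
            fr = query.get("fr", [""])[0]
            if fr.lower().startswith("spigot-"):
                channel = query.get("type", ["?"])[0]
                hits.append((no, "start_page", f"fr={fr} type={channel}"))
            continue
        m = O4_LINE.match(line)
        if m and SP_PATH.search(m["cmd"]):
            hits.append((no, "autostart", m["name"]))
    return hits


# Constructed sample log: lines 1 and 3 follow the post's entries,
# lines 2 and 4 are benign filler made up for this example.
SAMPLE = r'''R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://us.search.yahoo.com/?type=523482&fr=spigot-yhp-ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
O4 - HKCU\..\Run: [Search Protection] "C:\Users\{username}\AppData\Roaming\Search Protection\SP.EXE" /autostart
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
'''

if __name__ == "__main__":
    for hit in spigot_signs(SAMPLE):
        print(hit)
```

Matching on the `fr=spigot-` tag rather than on the Yahoo host keeps a start page that a user set to Yahoo deliberately from being flagged.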