{"id":6558,"date":"2017-02-08T11:10:08","date_gmt":"2017-02-08T19:10:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/08\/news-382\/"},"modified":"2017-02-08T11:10:08","modified_gmt":"2017-02-08T19:10:08","slug":"news-382","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/02\/08\/news-382\/","title":{"rendered":"Spigot browser hijackers"},"content":{"rendered":"

There is a large family of Spigot browser hijackers that all have a lot in common. So by giving you a description of them we hope this will help you to avoid any similar and new ones that might come along.<\/p>\n

Targeted browsers<\/strong><\/h3>\n

For some, but not all browser hijackers in this family there are extensions for Firefox and Google Chrome. In Internet Explorer they change the default Search Provider and the startpage. Trying to install the PUP on Edge will get you nothing but an \u201cUnsupported Browser\u201d notice.<\/p>\n

\"\"<\/p>\n

Recognizing the sites
The websites where these hijackers can be downloaded will show you the EULA —<\/p>\n

\"\"<\/p>\n

–explaining to you, \u201cthe User\u201d, what the downside of installing \u201cthe Software\u201d might be.<\/p>\n

\n

The Software is a free desktop application that offers you direct links to websites from your new preferred homepage and saves your new preferred home page and\/or new tab page. When we set your Browser’s settings using the Software, they will be saved automatically on Chrome\u2122, Firefox\u00ae, and Internet Explorer\u00ae. As part of the installation process of the Software, we may change your Internet Browser settings and\/or provide you with the ability to opt to make changes to your Internet Browser settings.<\/p>\n<\/blockquote>\n

Download locations<\/strong><\/h3>\n

Downloads typically come from proinstall-download[dot]com or report-download[dot]com (both blocked by our Web Protection module<\/a>). Both of these domains are registered with GoDaddy (no surprise there!). \u00a0The download location changed not too long ago.<\/p>\n

\"\"<\/p>\n

It used to be secure[dot]fileldr08[dot]com and from the screenshot above you can see why we categorized these browser hijackers as PUP.Optional.Spigot. Worth noting is that after they switched away from the above download location, I was unable to install the extensions on Google Chrome. It failed to download and offer the extension. But this got fixed after a few weeks.<\/p>\n

The startpage<\/strong><\/h3>\n

The new startpage for the affected browser is a typical search page with a toolbar and some shortcuts, pointing to sites where you can find the information or functionality that the hijacker promised to provide, supplemented by local weather and social media links.<\/p>\n

\"\"<\/p>\n

Installation guidance<\/strong><\/h3>\n

Another typical behavior, that these hijackers copied from the likes of Mindspark<\/a>, is the right in your face installation guidance with huge green arrows pointing out what your next step should be.<\/p>\n

\"\"<\/p>\n

 <\/p>\n

Removal guides<\/strong><\/p>\n

You can find some examples among the removal guides on our forums:<\/p>\n