Mindspark toolbars

Mindspark toolbars

Mindspark

Mindspark is a marketing company that focuses on interactive advertising.

Is that wrong?

Not by definition, but after receiving some complaints about the Mindspark toolbars I decided to do some testing. One thing we can say up front is that their only goal seems to be visibility. To the extreme of leaving nothing else to see.

There are PUPs and there are toolbars, but Mindspark aka MyWebSearch aka Ask makes plenty of both. Estimates by people who “collect”  these, there must be well over a hundred different toolbars powered by Mindspark. Although they are not so different if you look at a subset of them.

Mindsparkbars

 

I used Firefox to install all of these. If I would have used Internet Explorer most of these would also have installed a browser helper object (BHO) and a service (or two) . And BHOs also have their influence on explorer.exe which, I fear, in combination with all the services, would have slowed the computer down to a crawl.

Install

Installing them is easy. So easy in fact, that you may have ended up with one without ever wanting to. Often these are bundled in installers where you have to opt out instead of click through.

Before you choose one they have already checked which browser you are using and if you are using Firefox. Regardless whether I used Chrome or IE, the Firefox extension was always downloaded as well.

 

warning4

 

Once you have shown your interest, instructions are clear and concise.

Mindspark2
Mindspark3
Mindspark4

 

Consequences

But if you monitor such an install you will see so many changes being made on your computer, it makes you wonder what the purpose of all of them is.

Three RUN keys? Really? Why?

O4 – HKLM..Run: [SafePCRepair EPM Support] “C:PROGRA~1SAFEPC~2bar1.bin89medint.exe” T8EPMSUP.DLL,S

O4 – HKLM..Run: [SafePCRepair AppIntegrator 32-bit] C:PROGRA~1SAFEPC~2bar1.binAppIntegrator.exe

O4 – HKLM..Run: [SafePCRepair Search Scope Monitor] “C:PROGRA~1SAFEPC~2bar1.bin89srchmn.exe” /m=2 /w /h

And two services:

O23 – Service: ioloToolService (ioloService) – iolo technologies, LLC – C:Program FilesSafePCRepairioloToolService.exe

O23 – Service: SafePCRepairService (SafePCRepair_89Service) – Mindspark – C:PROGRA~1SAFEPC~2bar1.bin89barsvc.exe

And two BHOs:

O2 – BHO: Toolbar BHO – {1fc509df-4b29-4ab3-96e6-47c178d60287} – C:PROGRA~1SAFEPC~2bar1.bin89bar.dll

O2 – BHO: Search Assistant BHO – {5d13bf91-ea09-4ed8-9acd-c6bad32617b9} – C:Program FilesSafePCRepair_89bar1.bin89SrcAs.dll

And then of course the toolbar and a SearchHook.

O3 – Toolbar: SafePCRepair – {a9d9ea68-5d09-43ef-a0c5-6f6a6f82a0e1} – C:Program FilesSafePCRepair_89bar1.bin89bar.dll

R3 – URLSearchHook: (no name) – {be823b8c-a7ec-4078-a321-0f8046cbb48a} – C:Program FilesSafePCRepair_89bar1.bin89SrcAs.dll

 

Let me tell you that the size of the text file with the monitored changes  for 1 toolbar in 3 browsers amounted to 125 kB !! That is a very long list of added files and registry values.

Tricking users?

This is all not so bad if installing the toolbar was intentional and if it does what you wanted it to do. But I also noticed another trick that is below par in my book. Looking at some of their affiliates sites you may get a different toolbar then you expect. Maybe because the toolbar you want is not available in your region or for your browser.

Example: looking for IWon! and not reading carefully can get you the mapsgalaxy toolbar, also by Mindspark.

mismatch

Positive side

Yes. There is a positive side. Their uninstaller works pretty good and they offer additional instructions on their site.

And if that doesn’t work Malwarebytes Anti-Malware can take care of them for you. Below is a video where you can see how we deal with a bunch of potentially unwanted toolbars (not limited to Mindspark brands).

If you are a Malwarebytes Anti-Malware Premium user and you have it set to Protect you against Potentially Unwanted Programs (see below), you will get a warning and the install will fail unless you explicitly allow it.

PUPdetections

And most certainly you are welcome at our forums to read a few examples I wrote a removal guide for: SafePCRepair and myWeddingAdviser and ask for help if that doesn’t work out for you.

Save yourself the hassle and get protected.

 

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.