Manual Removal Guide for PU.Mindspark.CrazyForCricket



Friday
2018-01-15, 08:56
The following instructions have been created to help you to get rid of "PU.Mindspark.CrazyForCricket" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
pups

Description:
PU.Mindspark.CrazyForCricket installs a toolbar by Mindspark Interactive Network.

Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "CrazyForCricket Search Scope Monitor" and pointing to "?<$PROGRAMFILES>\CrazyForCricket_??\bar\?.bin\??srchmn.exe*".

Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "CrazyForCricket_3kbar Uninstall".

Files:

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\1.bin\chrome".
The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\IE9Mesg".
The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\Message".
The directory at "<$PROGRAMFILES>\CrazyForCricket_3k\bar\Settings".
Make sure you set your file manager to display hidden and system files. If PU.Mindspark.CrazyForCricket uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.DynamicBarButton.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.DynamicBarButton", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.FeedManager.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.FeedManager", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLMenu.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLMenu", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLPanel.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.HTMLPanel", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.MultipleButton.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.MultipleButton", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.PseudoTransparentPlugin.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.PseudoTransparentPlugin", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.Radio.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.Radio", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.RadioSettings.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.RadioSettings", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ScriptButton.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ScriptButton", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.SettingsPlugin.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.SettingsPlugin", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ThirdPartyInstaller.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ThirdPartyInstaller", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ToolbarPlugin.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.ToolbarPlugin", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.UrlAlertButton.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.UrlAlertButton", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.XMLSessionPlugin.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "CrazyForCricket_3k.XMLSessionPlugin", plus associated values.
Delete the registry key "@CrazyForCricket_3k.com/Plugin" at "HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\".
Delete the registry key "{05097A3C-CFC5-4907-95AC-132BA704D76F}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{092296E9-D56D-41AD-A111-448227205497}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0964B742-C98A-4D42-8D65-4382BA0508B7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{096E428D-4D3E-41F3-BD94-7802874418E7}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0F45752E-4C16-4CD4-AE3E-3837D4D59B33}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{107146DA-A6F3-4DB1-91E7-7644DD10C169}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{108EB6C5-4696-4A15-8052-743C5D1E5BB2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1335072C-E723-4859-9332-6A6DA6160935}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{18A1DF8F-C046-4E99-A314-470AAE0A2CB6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1902ef92-f69b-4055-86dc-0e32699ed795}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{1F26E9A5-AA91-4225-9AC4-E434BE7FE0F4}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{281c82db-94e5-4137-adc2-9cb2abed5f6f}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{32C37DFF-CE7A-4734-86F0-FF6078AEBE19}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{32C37DFF-CE7A-4734-86F0-FF6078AEBE19}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{36FCA7CD-5151-48F1-8D5F-9AC73DFDC2A6}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{37312322-bd30-4111-a684-b31dcfd422c6}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{37312322-bd30-4111-a684-b31dcfd422c6}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{38ceee4a-1785-4113-866f-b64a3e3f32cb}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{3E093598-83DC-4C7A-B2A8-450CA39DD9E1}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{410FF5E3-0E61-4B89-A43B-7B8744DBE171}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{42c1f8dc-83d9-4968-b2af-366c54f4189a}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{44509438-d2fc-4a6b-a0c0-54d275bed2ee}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{4ed1a238-fb5b-48e2-a1ed-a15b4d040289}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5019FCD4-24B7-4E8A-A7CA-C81A76C8CEB5}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{5478de70-9d15-45ec-9711-e0919233f596}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{55B4A8A4-EAF9-4FA3-847A-5CFA28904E8A}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{592085A3-44B1-40BC-9FF1-44C9211FDB40}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5D9AB568-44EE-456B-B65E-769024D25A44}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{5ef8f4d7-5a35-4ad6-8aa2-ed6b50083819}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{60e2a9ce-e831-43b9-bf8a-bfc0e91919c0}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{60e2a9ce-e831-43b9-bf8a-bfc0e91919c0}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{648c6918-b41c-4949-be9d-a225425f16c7}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{648c6918-b41c-4949-be9d-a225425f16c7}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{675F07AE-21A7-4F42-AC6F-EA2A2C0FD8B8}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{6aec2384-69ed-4942-aae7-f819497015bd}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{6aec2384-69ed-4942-aae7-f819497015bd}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{6B99290B-D79E-4C7F-BF39-5F70FFA5A2D6}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{794e9ed4-ec61-43a7-8327-0034b8410d74}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{79C7C30D-D9AA-401B-B7F3-376D2F5D6789}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{7BE49DA6-0549-48FB-9F36-0C70AF2928CC}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{7f991f7d-0809-4045-ac3b-0350261c5b2e}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{7f991f7d-0809-4045-ac3b-0350261c5b2e}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{90d212a0-76a9-4a47-88c1-4c9964cae8ca}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{95E2EDE2-3341-458C-8C9E-A67B5FB408F8}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{95e2ede2-3341-458c-8c9e-a67b5fb408f8}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}" at "HKEY_CURRENT_USER\Software\Classes\CLSID\".
Delete the registry key "{999ED5E7-2104-4602-997C-CE3AA379AEE5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{9ddabb0a-cdcc-4cc6-ab2d-356099308433}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9E8D8C93-A031-4E9F-9D9B-F0A35272ADA0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A01AE2C1-28CF-49AF-86E7-4BE60B6E4F69}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A2225C12-D592-4A61-9F13-46D2CF2A019B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{a2723584-3cdf-450c-b820-518472c84bf2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{a2723584-3cdf-450c-b820-518472c84bf2}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{A4560945-15C7-4C9B-9ADC-2E01253FC03A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{A45EDC5B-9A3D-44A3-B294-93F5C7FE923B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ADBA4311-3DB9-4CBB-9FB3-6EE8D5DEE771}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B1C9CF54-47EF-4A01-A99D-F9222E267BF2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{b8fa95bc-25f8-427c-9703-470b90f60726}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{b8fa95bc-25f8-427c-9703-470b90f60726}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\".
Delete the registry key "{C9536838-461F-4FFA-8010-9A1FE3728032}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{ca2e7a2d-e642-4338-9494-4e7f65db01f9}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CCDF6FF6-EAE2-45FE-AC04-594CAC7BD94A}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D0CC9EDE-82F7-4940-B466-BCC3EE6ED994}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{ddda43cc-30e5-4eae-bb8d-ff0a548c4243}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{E09B2268-D14F-4056-B70D-2CD22AB34E72}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{E7406006-9BAA-4DC6-ADCF-7B557F94FC61}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ECCA5396-1157-4CAB-B858-99D79AE0E2D0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EE8F31F6-74C7-4162-90EC-1F7EE7E96FA1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ee8f31f6-74c7-4162-90ec-1f7ee7e96fa1}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\".
Delete the registry key "{f25d2176-353c-4ea6-af02-d73a1c62f3a4}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{f3e8d7c0-82e1-42e5-a58e-f9114acf45cb}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{f3e8d7c0-82e1-42e5-a58e-f9114acf45cb}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\".
Delete the registry key "{F48B11F3-644B-4473-99BE-B021CB3ACCCB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{feb75341-5764-4acb-8ba1-47a136cf9537}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{FEBD9B49-8392-49E1-90B3-BD20AF5D2CAF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "CrazyForCricket_3k" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "CrazyForCricket_3k" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\".
Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\".
Delete the registry key "CrazyForCricket_3kService" at "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\".
Delete the registry value "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\".
Delete the registry value "{9ddabb0a-cdcc-4cc6-ab2d-356099308433}" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\".
Delete the registry value "3kffxtbr@CrazyForCricket_3k.com" at "HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\".
If PU.Mindspark.CrazyForCricket uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help, please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance, then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.
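
Before deleting anything by hand, it helps to see which of the folders, registry keys and registry values listed above actually exist on the machine. The following read-only PowerShell check is an added example, not part of the original guide or of Spybot-S&D; it covers a subset of the listed entries, and the "Program Files (x86)" directory, the WOW6432Node view and the Run keys are assumptions added for 64-bit Windows and the autorun entry.

```powershell
# Read-only audit of artifacts named in the guide; nothing is deleted.
# Names, GUIDs and sub-paths are copied from the guide. Assumptions added here:
# "Program Files (x86)", the WOW6432Node view, and the Run keys for the autorun entry.
$name  = 'CrazyForCricket_3k'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$ie    = 'SOFTWARE\Microsoft\Internet Explorer'
$bho   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$run   = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Registry keys: product keys, both Browser Helper Objects, and the service key.
$keys = @(
    "HKCU:\Software\$name"
    "HKLM:\SOFTWARE\$name"
    "HKLM:\SOFTWARE\WOW6432Node\$name"
    "HKLM:\$bho\{648c6918-b41c-4949-be9d-a225425f16c7}"
    "HKLM:\$bho\{f3e8d7c0-82e1-42e5-a58e-f9114acf45cb}"
) + (1..3 | ForEach-Object { "HKLM:\SYSTEM\ControlSet00$_\Services\${name}Service" })

# Registry values: the named value must exist under the given key.
$values = @(
    @{ Key = "HKCU:\$ie\URLSearchHooks"; Name = '{970a72ad-2603-4b4e-bb28-aff6ab80cccd}' }
    @{ Key = "HKLM:\$ie\Toolbar"; Name = '{9ddabb0a-cdcc-4cc6-ab2d-356099308433}' }
    @{ Key = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions'; Name = "3kffxtbr@$name.com" }
    @{ Key = "HKCU:\$run"; Name = 'CrazyForCricket Search Scope Monitor' }
    @{ Key = "HKLM:\$run"; Name = 'CrazyForCricket Search Scope Monitor' }
)

function Test-RegValue($KeyPath, $ValueName) {
    # A missing key and a missing value both count as "not present".
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    [bool]($key -and ($key.GetValueNames() -contains $ValueName))
}

$results = @(
    foreach ($r in $roots) {
        foreach ($sub in 'bar\1.bin\chrome', 'bar\IE9Mesg', 'bar\Message', 'bar\Settings') {
            $p = Join-Path $r "$name\$sub"
            [pscustomobject]@{ Type = 'Folder'; Path = $p; Present = (Test-Path -LiteralPath $p -PathType Container) }
        }
    }
    foreach ($k in $keys) {
        [pscustomobject]@{ Type = 'Key'; Path = $k; Present = (Test-Path -LiteralPath $k) }
    }
    foreach ($v in $values) {
        [pscustomobject]@{ Type = 'Value'; Path = "$($v.Key) -> $($v.Name)"; Present = (Test-RegValue $v.Key $v.Name) }
    }
)
$results | Sort-Object Present -Descending | Format-Table -AutoSize -Wrap
```

Running it again after cleanup shows whether any entry has come back, for example because the service or autorun entry was still active.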