BrowserModifier:Win32/MindQuizSearch


BrowserModifier:Win32/MindQuizSearch is a program that directs the affected user to its Web site and changes the affected user's start page. The browser modifier also installs Rugo's Search Toolbar.


What to do now

Use Microsoft Windows Defender, Microsoft Security Essentials, the Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this program and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Additional remediation instructions for this program
This program may make lasting changes to a computer’s configuration. For more information on these changes, please see the following article/s: 

Threat behavior

BrowserModifier:Win32/MindQuizSearch is a program that directs the affected user to its Web site and changes the affected user's start page. The browser modifier also installs Rugo's Search Toolbar.
Installation
BrowserModifier:Win32/MindQuizSearch adds Rugo’s Search Toolbar, which is installed as a Browser Helper Object (BHO) in Internet Explorer and as an extension in Mozilla Firefox.
 
Upon execution, the browser modifier installs the following file:
c:\Program Files\Mind Quiz
 
The browser modifier then makes the following changes to the registry:
 
Adds value: "Start Page"
With data: "http://tmq.bingstart.com/?cfg=2-168-0-1nUEv"
Adds value: "Start Page Restore"
With data: <former start page>
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Where <former start page> is the URL of the start page before BrowserModifier:Win32/MindQuizSearch was run.
 
Adds value: "DefaultScope"
With data: "{E5F5D888-2587-E012-A817-7038F5690F26}"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes
 
Adds value: "DisplayName"
With data: "Bing"
Adds value: "FaviconURLFallback"
With data: "http://www.bing.com/favicon.ico"
Adds value: "SuggestionsURLFallback"
With data: "http://api.bing.com/qsml.aspx?query={searchTerms}&market={Language}&form=IE8SSC&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}"
Adds value: "URL"
With data: "http://tmq.bingstart.com/s/?q={searchTerms}&iesrc=IE-SearchBox&site=Bing&cfg=2-168-0-1nUEv"
To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E5F5D888-2587-E012-A817-7038F5690F26}
 
Adds value: "MindQuizSearchToolbar 1.1"
With data: "Zugo Ltd"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Additional information
When run, BrowserModifier:Win32/MindQuizSearch opens the browser to "http://www.themindquiz.com".
 
On installation, the browser modifier installs Rugo's Search Toolbar; the toolbar is visible as a Web browser add-on via "Tools > Manage Add-ons" in Internet Explorer.
 
Note: Rugo's Search Toolbar is not currently classified as a malicious program.
 
Analysis by Michael Johnson

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    c:\Program Files\Mind Quiz
  • Your Internet Explorer main page may have been changed to the following:
    http://tmq.bingstart.com/?cfg=2-168-0-1nUEv
  • The presence of the following registry modifications:
    Added value: "Start Page"
    With data: "http://tmq.bingstart.com/?cfg=2-168-0-1nUEv"
    Added value: "Start Page Restore"
    With data: <former start page>
    To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
    Where <former start page> is the URL of the start page before BrowserModifier:Win32/MindQuizSearch was run.
     
    Added value: "DefaultScope"
    With data: "{E5F5D888-2587-E012-A817-7038F5690F26}"
    To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes
     
    Added value: "DisplayName"
    With data: "Bing"
    Added value: "FaviconURLFallback"
    With data: "http://www.bing.com/favicon.ico"
    Added value: "SuggestionsURLFallback"
    With data: "http://api.bing.com/qsml.aspx?query={searchTerms}&market={Language}&form=IE8SSC&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}"
    Added value: "URL"
    With data: "http://tmq.bingstart.com/s/?q={searchTerms}&iesrc=IE-SearchBox&site=Bing&cfg=2-168-0-1nUEv"
    To subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E5F5D888-2587-E012-A817-7038F5690F26}
     
    Added value: "MindQuizSearchToolbar 1.1"
    With data: "Zugo Ltd"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
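
The registry indicators listed above can be checked against the text of a `reg export` dump, which also recovers the former start page saved in "Start Page Restore" for cleanup. This is an added example, not part of the original entry or of any Microsoft tool; the function names, the sample export and the example.com start page are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators taken from the registry changes listed in this entry.
SCOPE = "{E5F5D888-2587-E012-A817-7038F5690F26}"
IE = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
POST_PLATFORM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform")
HIJACK_HOST = "tmq.bingstart.com"

def parse_reg(text):
    """Parse `reg export` text into {key_lower: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # only REG_SZ values; dword/hex data is irrelevant here
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def check(text):
    """Return (findings, former_start_page) for one exported registry text."""
    keys = parse_reg(text)
    get = lambda key, name: keys.get(key.lower(), {}).get(name, "")
    findings = []
    if HIJACK_HOST in get(IE + r"\Main", "Start Page").lower():
        findings.append("start page redirected")
    if get(IE + r"\SearchScopes", "DefaultScope").upper() == SCOPE:
        findings.append("default search scope replaced")
    if HIJACK_HOST in get(IE + "\\SearchScopes\\" + SCOPE, "URL").lower():
        findings.append("search scope URL points at hijack host")
    if "MindQuizSearchToolbar 1.1" in keys.get(POST_PLATFORM.lower(), {}):
        findings.append("user-agent Post Platform token present")
    # "Start Page Restore" holds the pre-infection start page, useful for cleanup.
    former = get(IE + r"\Main", "Start Page Restore") or None
    return findings, former

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://tmq.bingstart.com/?cfg=2-168-0-1nUEv"
"Start Page Restore"="http://www.example.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{E5F5D888-2587-E012-A817-7038F5690F26}"
'''
if __name__ == "__main__":
    print(check(SAMPLE))
```
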

Prevention


Alert level: High
First detected by definition: 1.83.848.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: May 31, 2010
This entry was first published on: Jun 21, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • TR/BHO.MindQuizSearch (Avira)
  • Zugo (Sunbelt Software)