This topic is locked
What is Youndoo?
The Malwarebytes research team has determined that Youndoo is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This one belongs to the GsearchFinder family that adds an extra Firefox profile.
How do I know if my computer is affected by Youndoo?
You may see this entry in your list of installed software:
this type of Scheduled Task:
and you will be hijacked to this search page:
and see these settings in your browser(s):
Chrome
Firefox
How did Youndoo get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove Youndoo?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Due to the nature of this hijack it is better to perform some parts of the removal yourself.
You can skip the parts that are for browsers which you don't have installed.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Remove the new Firefox profile, see detailed instructions in the post below this one.
- Reset Google Chrome settings, see detailed instructions in the post below this one. This is necessary or the new install will inherit the corrupted settings of the infected one.
- Uninstall Chrome, see detailed instructions in the post below this one.
- In Malwarebytes Anti-Malware, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- If you wish to use Chrome again, do a clean Chrome install,see detailed instructions in the post below this one.
- No, Malwarebytes' Anti-Malware removes Youndoo completely.
- This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Youndoo hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Please note that some file- and foldernames in the logs below are randomized.
Possible signs in FRST logs:
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
ShellExecuteHooks: - {6710C780-E20E-4C49-A87D-321850ED3D7C} - C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll [388096 2016-06-28] ()
FF ProfilePath: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default
FF NewTab: hxxp://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b7&type=hp
FF DefaultSearchEngine: youndoo
FF SelectedSearchEngine: youndoo
FF Homepage: hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp
FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml [2016-06-29]
FF Extension: GsearchFinder - C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\Extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi [2016-06-28]
CHR HomePage: lirosyhizetheratbther -> hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp
CHR StartupUrls: lirosyhizetheratbther -> "hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp"
CHR DefaultSearchURL: lirosyhizetheratbther -> hxxp://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp
CHR DefaultSearchKeyword: lirosyhizetheratbther -> youndoo
S2 plohisAdapterArw.exe; C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe [708896 2016-06-28] ()
C:\Windows\System32\Tasks\Plohis Adapter
C:\Users\{username}\AppData\Local\grizosyanqshbuzersp
C:\Program Files (x86)\Bevconesy
youndoo - Uninstall (HKLM-x32\...\{61FC6201-6727-43A3-ADFF-A360F9817331}) (Version: - )
Task: {48BD166D-DC7D-484A-BE0B-B9D487A4D21D} - System32\Tasks\Plohis Adapter => C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe [2016-06-28] ()
() C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\Bevconesy
Adds the file AppleVersions.dllbkz"="6/29/2016 8:52 AM, 36 bytes, A
Adds the file hiqerward.exee58"="6/29/2016 8:52 AM, 36 bytes, A
Adds the file msvcr100.dll"="6/28/2016 3:38 AM, 773968 bytes, A
Adds the file Nfccontrols.dll"="6/28/2016 3:38 AM, 471552 bytes, A
Adds the file plohisAdapterArw.exe"="6/28/2016 3:37 AM, 708896 bytes, A
Adds the file plohisAdapterGrq.exe"="6/28/2016 3:37 AM, 346400 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther
Adds the file ChromeDWriteFontCache"="2/10/2016 11:39 AM, 22900556 bytes, A
Adds the file Cookies"="6/28/2016 9:18 AM, 12288 bytes, A
Adds the file Cookies-journal"="6/28/2016 9:18 AM, 0 bytes, A
Adds the file Current Session"="6/28/2016 9:18 AM, 95082 bytes, A
Adds the file Current Tabs"="6/28/2016 9:18 AM, 46289 bytes, A
Adds the file Extension Cookies"="3/3/2016 10:14 AM, 7168 bytes, A
Adds the file Extension Cookies-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file Favicons"="5/26/2016 8:25 AM, 20480 bytes, A
Adds the file Favicons-journal"="5/26/2016 8:25 AM, 0 bytes, A
Adds the file Google Profile.ico"="2/10/2016 11:38 AM, 176873 bytes, A
Adds the file History"="6/28/2016 9:17 AM, 94208 bytes, A
Adds the file History Provider Cache"="6/28/2016 9:18 AM, 6 bytes, A
Adds the file History-journal"="6/28/2016 9:17 AM, 0 bytes, A
Adds the file Last Session"="6/28/2016 9:16 AM, 97207 bytes, A
Adds the file Last Tabs"="6/28/2016 9:17 AM, 46289 bytes, A
Adds the file Login Data"="4/19/2016 1:37 PM, 18432 bytes, A
Adds the file Login Data-journal"="4/19/2016 1:37 PM, 0 bytes, A
Adds the file Network Action Predictor"="2/10/2016 11:39 AM, 13312 bytes, A
Adds the file Network Action Predictor-journal"="2/10/2016 11:39 AM, 0 bytes, A
Adds the file Network Persistent State"="6/28/2016 9:18 AM, 40 bytes, A
Adds the file Origin Bound Certs"="4/19/2016 1:37 PM, 9216 bytes, A
Adds the file Origin Bound Certs-journal"="4/19/2016 1:37 PM, 0 bytes, A
Adds the file Preferences"="6/28/2016 9:18 AM, 8686 bytes, A
Adds the file QuotaManager"="3/3/2016 10:14 AM, 15360 bytes, A
Adds the file QuotaManager-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file README"="2/10/2016 11:38 AM, 180 bytes, A
Adds the file Secure Preferences"="6/29/2016 8:52 AM, 38194 bytes, A
Adds the file Secure Preferenceswipicharozustokacult"="6/28/2016 9:18 AM, 37517 bytes, A
Adds the file Shortcuts"="3/3/2016 10:14 AM, 20480 bytes, A
Adds the file Shortcuts-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file Top Sites"="3/3/2016 10:14 AM, 20480 bytes, A
Adds the file Top Sites-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file TransportSecurity"="6/17/2016 9:35 AM, 8 bytes, A
Adds the file Visited Links"="5/11/2016 8:48 AM, 131072 bytes, A
Adds the file Web Data"="3/3/2016 10:14 AM, 63488 bytes, A
Adds the file Web Data-journal"="3/3/2016 10:14 AM, 0 bytes, A
Adds the file Web Datawipicharozustokacult"="3/3/2016 10:14 AM, 63488 bytes, A
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Cache
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\data_reduction_proxy_leveldb
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\databases
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extension State
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extensions
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\GPUCache
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIcons
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIconsOld
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Storage
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Session Storage
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Storage\ext\chrome-signin\def\GPUCache
Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Caps
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\CertificateTransparency
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad\reports
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\EVWhitelist
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\data_reduction_proxy_leveldb
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\databases
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extension State
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extensions
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Storage
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Session Storage
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Storage\ext\chrome-signin\def
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\PepperFlash
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\pnacl
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\ShaderCache
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwiftShader
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwReporter
Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\WidevineCDM
In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox
Alters the file profiles.ini
2/10/2016 11:14 AM, 122 bytes, A ==> 6/29/2016 8:52 AM, 210 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\rijercultclozerwardvebeied
Adds the file backprofiles.ini"="2/10/2016 11:14 AM, 122 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default
Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A
Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A
Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A
Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A
Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A
Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A
Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A
Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A
Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A
Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A
Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A
Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A
Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A
Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A
Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A
Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A
Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A
Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A
Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A
Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A
Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A
Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A
Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A
Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A
Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom
Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A
Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A
Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A
Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A
Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A
Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A
Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A
Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A
Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A
Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A
Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A
Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A
Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A
Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A
Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A
Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A
Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A
Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A
Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A
Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A
Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A
Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A
Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A
Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A
Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A
In the existing folder C:\Windows\System32\Tasks
Adds the file Plohis Adapter"="6/29/2016 8:52 AM, 9020 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\causqo]
"day"="REG_SZ", "20160629"
"upday"="REG_SZ", "20160629"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32]
"(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll"
"ThreadingModel"="REG_SZ", "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
"help"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
"sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
"spname"="REG_SZ", "youndoo"
"surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
"tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
"c"="REG_DWORD", 1
"f"="REG_DWORD", 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\causqo]
"day"="REG_SZ", "20160629"
"upday"="REG_SZ", "20160629"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CB75DF05542D4707119BC449A5FA9A4A]
"(Default)"="REG_SZ", "{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"
"{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"="REG_BINARY, ......................................................................................................................................................................................................z.......................................................................................................................................................................................................z.....................................................................................................................................................................................................................................................................................................................
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{61FC6201-6727-43A3-ADFF-A360F9817331}]
"DisplayName"="REG_SZ", "youndoo - Uninstall"
"UninstallString"="REG_SZ", "rundll32.exe "C:\Program Files (x86)\Bevconesy\Nfccontrols.dll",u "/k={61FC6201-6727-43A3-ADFF-A360F9817331}""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
"sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
"spname"="REG_SZ", "youndoo"
"surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
"tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\youndooSoftware\youndoohp]
"oem"="REG_SZ", "btp"
"Time"="REG_DWORD", 1467183137
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\plohisAdapterArw.exe]
"DelayedAutostart"="REG_DWORD", 1
"Description"="REG_SZ", "Receives activation requests over the server and passes them to Plohis."
"DisplayName"="REG_SZ", "Plohis Adapter"
"ErrorControl"="REG_DWORD", 1
"ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"
"ObjectName"="REG_SZ", "LocalSystem"
"Start"="REG_DWORD", 2
"Type"="REG_DWORD", 272
"WOW64"="REG_DWORD", 1
[HKEY_USERS\.DEFAULT\Software\causqo]
"day"="REG_SZ", "20160629"
"upday"="REG_SZ", "20160629"
[HKEY_USERS\.DEFAULT\Software\CB75DF05542D4707119BC449A5FA9A4A]
"c"="REG_DWORD", 1
"d"="REG_SZ", "20160629"
"o"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\CB75DF05542D4707119BC449A5FA9A4A]
"c"="REG_DWORD", 1
"d"="REG_SZ", "20160629"
"o"="REG_DWORD", 1
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
"hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
"sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
"spname"="REG_SZ", "youndoo"
"surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
"tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
"uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"
Malwarebytes Anti-Malware log:Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 6/29/2016
Scan Time: 9:26 AM
Logfile: mbamYoundoo.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.06.29.02
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314230
Time Elapsed: 8 min, 25 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 7
PUP.Optional.YesSearches, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a],
PUP.Optional.Youndoo, HKLM\SOFTWARE\CLASSES\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [8234837f6c2e44f2f5813c34c43e54ac],
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a],
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\youndooSoftware, Quarantined, [d6e034cef9a1bf777e91a129679bf709],
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}, Quarantined, [892d07fbf4a643f378da1eac0bf77987],
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6],
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [684e659de0bae74f84cbfeccfe04fa06],
Registry Values: 14
PUP.Optional.Youndoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [bdf96c96c1d9af871d590f619d659967],
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [b6003ac84f4b70c6d28112b8a35ff40c]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [c4f2af53376342f4054e408acb3739c7]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [8135f70bfc9ebc7ace85a426f90934cc]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}|DisplayName, youndoo - Uninstall, Quarantined, [892d07fbf4a643f378da1eac0bf77987]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [694d5ca66832a1950251fdcde81a1ce4]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [06b047bb8f0be056aba8ca0049b9e51b]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [12a4b151603a2e0880d399314bb77c84]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [684e659de0bae74f84cbfeccfe04fa06]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [cbeb9969fd9d1521004f8347b54da759]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [fdb9bf431a807db974db43878c766c94]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [981e0ef4bfdb5ed8a6a9d7f353af8977]
Registry Data: 0
(No malicious items detected)
Folders: 2
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\YourGSearchFinder_br, Quarantined, [d0e68979e8b286b05d60ecdc837f43bd],
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab],
Files: 24
PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a],
PUP.Optional.YesSearches, C:\Users\{username}\Desktop\setup.exe, Quarantined, [00b6b84a3a60162066e54f83956c5aa6],
PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe, Quarantined, [971f1fe3aded71c51e479f32e61b09f7],
PUP.Optional.YesSearches.Gen, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll, Delete-on-Reboot, [6353ec16633783b35c4d0ac024dedf21],
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [2492e9193367bc7a72b747b74bb810f0],
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [694d9d6523778bab7dace717ab58f010],
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\AppleVersions.dllbkz, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab],
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\hiqerward.exee58, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab],
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\msvcr100.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab],
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\Nfccontrols.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab],
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[2c8a0ff3bcde77bf6e320b93c3417888]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.cache.frec), Replaced,[2d8960a2b2e880b628787628da2a0df3]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: ( application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
*/
user_pref("acc), Replaced,[387ed52de3b7bb7b366a3b63a4604fb1]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config
*/
user_pref("accessibility.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", fal), Replaced,[833308fa49513204bce41d81f70d51af]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (2211);
user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[05b1f40e0892fb3b168ac4da0ef613ed]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (\"multiprocessCompatible\":false,\"runInSafeMode\":false},\"[email protected]\":{\"version\":\"1.3.2\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\fe), Replaced,[9d19fd05fc9e86b0a4fceab4966ea25e]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (;
user_pref("browser.search.searchengine.hp", "http://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b), Replaced,[d0e65ba7d5c5aa8cd2ce0e9023e15ba5]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[e6d0e61cf9a1092de7b9138b2ada639d]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (_bookmarks", false);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cache.disk.filesystem_reported", 1);
user_pref("browser.cache.disk.smart_size.), Replaced,[b8fed32fb4e6cf67a9f79a0483814fb1]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: ( application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
*/
user_pref("acc), Replaced,[7c3ae51d425843f3c0e089156f950bf5]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config
*/
user_pref("accessibility.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", fal), Replaced,[f3c353afd4c649ed940c623c2dd72ad6]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (2211);
user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[ccea05fd5d3d3ef8e1bf1e807292db25]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml, Quarantined, [328435cd3a60d16567e83668bc48946c],
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\searchplugins\xirzzddp.xml, Quarantined, [a115be44bbdf072fb8974c52c53f31cf],
Physical Sectors: 0
(No malicious items detected)
(end)As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
Back to top
Sign In
Create Account
