What is Youndoo?
The Malwarebytes research team has determined that Youndoo is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This one belongs to the GsearchFinder family that adds an extra Firefox profile.
How do I know if my computer is affected by Youndoo?
You may see this entry in your list of installed software:
this type of Scheduled Task:
and you will be hijacked to this search page:
and see these settings in your browser(s):
Chrome
Firefox
How did Youndoo get on my computer?
Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.
How do I remove Youndoo?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Due to the nature of this hijack it is better to perform some parts of the removal yourself.
You can skip the parts that are for browsers which you don't have installed.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Remove the new Firefox profile, see detailed instructions in the post below this one.
- Reset Google Chrome settings, see detailed instructions in the post below this one. This is necessary or the new install will inherit the corrupted settings of the infected one.
- Uninstall Chrome, see detailed instructions in the post below this one.
- In Malwarebytes Anti-Malware, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- If you wish to use Chrome again, do a clean Chrome install,see detailed instructions in the post below this one.
- No, Malwarebytes' Anti-Malware removes Youndoo completely.
- This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Youndoo hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Please note that some file- and foldernames in the logs below are randomized.
Possible signs in FRST logs:
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1 ShellExecuteHooks: - {6710C780-E20E-4C49-A87D-321850ED3D7C} - C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll [388096 2016-06-28] () FF ProfilePath: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default FF NewTab: hxxp://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b7&type=hp FF DefaultSearchEngine: youndoo FF SelectedSearchEngine: youndoo FF Homepage: hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml [2016-06-29] FF Extension: GsearchFinder - C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\Extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi [2016-06-28] CHR HomePage: lirosyhizetheratbther -> hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp CHR StartupUrls: lirosyhizetheratbther -> "hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp" CHR DefaultSearchURL: lirosyhizetheratbther -> hxxp://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp CHR DefaultSearchKeyword: lirosyhizetheratbther -> youndoo S2 plohisAdapterArw.exe; C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe [708896 2016-06-28] () C:\Windows\System32\Tasks\Plohis Adapter C:\Users\{username}\AppData\Local\grizosyanqshbuzersp C:\Program Files (x86)\Bevconesy youndoo - Uninstall (HKLM-x32\...\{61FC6201-6727-43A3-ADFF-A360F9817331}) (Version: - ) Task: {48BD166D-DC7D-484A-BE0B-B9D487A4D21D} - System32\Tasks\Plohis Adapter => C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe [2016-06-28] () () C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dllAlterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files (x86)\Bevconesy Adds the file AppleVersions.dllbkz"="6/29/2016 8:52 AM, 36 bytes, A Adds the file hiqerward.exee58"="6/29/2016 8:52 AM, 36 bytes, A Adds the file msvcr100.dll"="6/28/2016 3:38 AM, 773968 bytes, A Adds the file Nfccontrols.dll"="6/28/2016 3:38 AM, 471552 bytes, A Adds the file plohisAdapterArw.exe"="6/28/2016 3:37 AM, 708896 bytes, A Adds the file plohisAdapterGrq.exe"="6/28/2016 3:37 AM, 346400 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther Adds the file ChromeDWriteFontCache"="2/10/2016 11:39 AM, 22900556 bytes, A Adds the file Cookies"="6/28/2016 9:18 AM, 12288 bytes, A Adds the file Cookies-journal"="6/28/2016 9:18 AM, 0 bytes, A Adds the file Current Session"="6/28/2016 9:18 AM, 95082 bytes, A Adds the file Current Tabs"="6/28/2016 9:18 AM, 46289 bytes, A Adds the file Extension Cookies"="3/3/2016 10:14 AM, 7168 bytes, A Adds the file Extension Cookies-journal"="3/3/2016 10:14 AM, 0 bytes, A Adds the file Favicons"="5/26/2016 8:25 AM, 20480 bytes, A Adds the file Favicons-journal"="5/26/2016 8:25 AM, 0 bytes, A Adds the file Google Profile.ico"="2/10/2016 11:38 AM, 176873 bytes, A Adds the file History"="6/28/2016 9:17 AM, 94208 bytes, A Adds the file History Provider Cache"="6/28/2016 9:18 AM, 6 bytes, A Adds the file History-journal"="6/28/2016 9:17 AM, 0 bytes, A Adds the file Last Session"="6/28/2016 9:16 AM, 97207 bytes, A Adds the file Last Tabs"="6/28/2016 9:17 AM, 46289 bytes, A Adds the file Login Data"="4/19/2016 1:37 PM, 18432 bytes, A Adds the file Login Data-journal"="4/19/2016 1:37 PM, 0 bytes, A Adds the file Network Action Predictor"="2/10/2016 11:39 AM, 13312 bytes, A Adds the file Network Action Predictor-journal"="2/10/2016 11:39 AM, 0 bytes, A Adds the file Network Persistent State"="6/28/2016 9:18 AM, 40 bytes, A Adds the file Origin Bound Certs"="4/19/2016 1:37 PM, 9216 bytes, A Adds the file Origin Bound Certs-journal"="4/19/2016 1:37 PM, 0 bytes, A Adds the file Preferences"="6/28/2016 9:18 AM, 8686 bytes, A Adds the file QuotaManager"="3/3/2016 10:14 AM, 15360 bytes, A Adds the file QuotaManager-journal"="3/3/2016 10:14 AM, 0 bytes, A Adds the file README"="2/10/2016 11:38 AM, 180 bytes, A Adds the file Secure Preferences"="6/29/2016 8:52 AM, 38194 bytes, A Adds the file Secure Preferenceswipicharozustokacult"="6/28/2016 9:18 AM, 37517 bytes, A Adds the file Shortcuts"="3/3/2016 10:14 AM, 20480 bytes, A Adds the file Shortcuts-journal"="3/3/2016 10:14 AM, 0 bytes, A Adds the file Top Sites"="3/3/2016 10:14 AM, 20480 bytes, A Adds the file Top Sites-journal"="3/3/2016 10:14 AM, 0 bytes, A Adds the file TransportSecurity"="6/17/2016 9:35 AM, 8 bytes, A Adds the file Visited Links"="5/11/2016 8:48 AM, 131072 bytes, A Adds the file Web Data"="3/3/2016 10:14 AM, 63488 bytes, A Adds the file Web Data-journal"="3/3/2016 10:14 AM, 0 bytes, A Adds the file Web Datawipicharozustokacult"="3/3/2016 10:14 AM, 63488 bytes, A Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Cache Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\data_reduction_proxy_leveldb Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\databases Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extension State Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extensions Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\GPUCache Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIcons Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIconsOld Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Storage Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Session Storage Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Storage\ext\chrome-signin\def\GPUCache Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Caps Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\CertificateTransparency Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad\reports Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\EVWhitelist Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\data_reduction_proxy_leveldb Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\databases Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extension State Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extensions Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Storage Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Session Storage Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Storage\ext\chrome-signin\def Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\PepperFlash Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\pnacl Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\ShaderCache Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwiftShader Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwReporter Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\WidevineCDM In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox Alters the file profiles.ini 2/10/2016 11:14 AM, 122 bytes, A ==> 6/29/2016 8:52 AM, 210 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\rijercultclozerwardvebeied Adds the file backprofiles.ini"="2/10/2016 11:14 AM, 122 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Plohis Adapter"="6/29/2016 8:52 AM, 9020 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\causqo] "day"="REG_SZ", "20160629" "upday"="REG_SZ", "20160629" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32] "(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll" "ThreadingModel"="REG_SZ", "Apartment" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft] "help"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{6710C780-E20E-4C49-A87D-321850ED3D7C}"="REG_SZ", "" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] "EnableShellExecuteHooks"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}] "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s" "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp" "spname"="REG_SZ", "youndoo" "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=" "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{E6276374-DE18-4AA5-A365-9016A2F98A2D}] "c"="REG_DWORD", 1 "f"="REG_DWORD", 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\causqo] "day"="REG_SZ", "20160629" "upday"="REG_SZ", "20160629" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CB75DF05542D4707119BC449A5FA9A4A] "(Default)"="REG_SZ", "{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}" "{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"="REG_BINARY, ......................................................................................................................................................................................................z.......................................................................................................................................................................................................z..................................................................................................................................................................................................................................................................................................................... [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{61FC6201-6727-43A3-ADFF-A360F9817331}] "DisplayName"="REG_SZ", "youndoo - Uninstall" "UninstallString"="REG_SZ", "rundll32.exe "C:\Program Files (x86)\Bevconesy\Nfccontrols.dll",u "/k={61FC6201-6727-43A3-ADFF-A360F9817331}"" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}] "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s" "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp" "spname"="REG_SZ", "youndoo" "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=" "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\youndooSoftware\youndoohp] "oem"="REG_SZ", "btp" "Time"="REG_DWORD", 1467183137 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\plohisAdapterArw.exe] "DelayedAutostart"="REG_DWORD", 1 "Description"="REG_SZ", "Receives activation requests over the server and passes them to Plohis." "DisplayName"="REG_SZ", "Plohis Adapter" "ErrorControl"="REG_DWORD", 1 "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116}" "ObjectName"="REG_SZ", "LocalSystem" "Start"="REG_DWORD", 2 "Type"="REG_DWORD", 272 "WOW64"="REG_DWORD", 1 [HKEY_USERS\.DEFAULT\Software\causqo] "day"="REG_SZ", "20160629" "upday"="REG_SZ", "20160629" [HKEY_USERS\.DEFAULT\Software\CB75DF05542D4707119BC449A5FA9A4A] "c"="REG_DWORD", 1 "d"="REG_SZ", "20160629" "o"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\CB75DF05542D4707119BC449A5FA9A4A] "c"="REG_DWORD", 1 "d"="REG_SZ", "20160629" "o"="REG_DWORD", 1 [HKEY_CURRENT_USER\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}] "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s" "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp" "spname"="REG_SZ", "youndoo" "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=" "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext" "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 6/29/2016 Scan Time: 9:26 AM Logfile: mbamYoundoo.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.06.29.02 Rootkit Database: v2016.05.27.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 314230 Time Elapsed: 8 min, 25 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 7 PUP.Optional.YesSearches, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a], PUP.Optional.Youndoo, HKLM\SOFTWARE\CLASSES\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [8234837f6c2e44f2f5813c34c43e54ac], PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a], PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\youndooSoftware, Quarantined, [d6e034cef9a1bf777e91a129679bf709], PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}, Quarantined, [892d07fbf4a643f378da1eac0bf77987], PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6], PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [684e659de0bae74f84cbfeccfe04fa06], Registry Values: 14 PUP.Optional.Youndoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [bdf96c96c1d9af871d590f619d659967], PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a] PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [b6003ac84f4b70c6d28112b8a35ff40c] PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [c4f2af53376342f4054e408acb3739c7] PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [8135f70bfc9ebc7ace85a426f90934cc] PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}|DisplayName, youndoo - Uninstall, Quarantined, [892d07fbf4a643f378da1eac0bf77987] PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6] PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [694d5ca66832a1950251fdcde81a1ce4] PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [06b047bb8f0be056aba8ca0049b9e51b] PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [12a4b151603a2e0880d399314bb77c84] PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [684e659de0bae74f84cbfeccfe04fa06] PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [cbeb9969fd9d1521004f8347b54da759] PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [fdb9bf431a807db974db43878c766c94] PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [981e0ef4bfdb5ed8a6a9d7f353af8977] Registry Data: 0 (No malicious items detected) Folders: 2 PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\YourGSearchFinder_br, Quarantined, [d0e68979e8b286b05d60ecdc837f43bd], PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], Files: 24 PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a], PUP.Optional.YesSearches, C:\Users\{username}\Desktop\setup.exe, Quarantined, [00b6b84a3a60162066e54f83956c5aa6], PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe, Quarantined, [971f1fe3aded71c51e479f32e61b09f7], PUP.Optional.YesSearches.Gen, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll, Delete-on-Reboot, [6353ec16633783b35c4d0ac024dedf21], PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [2492e9193367bc7a72b747b74bb810f0], PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [694d9d6523778bab7dace717ab58f010], PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\AppleVersions.dllbkz, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\hiqerward.exee58, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\msvcr100.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\Nfccontrols.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[2c8a0ff3bcde77bf6e320b93c3417888] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (reported", 1); user_pref("browser.cache.disk.smart_size.first_run", false); user_pref("browser.cache.disk.smart_size.use_old_max", false); user_pref("browser.cache.frec), Replaced,[2d8960a2b2e880b628787628da2a0df3] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: ( application is running, * the changes will be overwritten when the application exits. * * To make a manual change to preferences, you can visit the URL about:config */ user_pref("acc), Replaced,[387ed52de3b7bb7b366a3b63a4604fb1] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config */ user_pref("accessibility.typeaheadfind", true); user_pref("app.update.auto", false); user_pref("app.update.enabled", fal), Replaced,[833308fa49513204bce41d81f70d51af] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (2211); user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971); user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[05b1f40e0892fb3b168ac4da0ef613ed] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (\"multiprocessCompatible\":false,\"runInSafeMode\":false},\"[email protected]\":{\"version\":\"1.3.2\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\fe), Replaced,[9d19fd05fc9e86b0a4fceab4966ea25e] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (; user_pref("browser.search.searchengine.hp", "http://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b), Replaced,[d0e65ba7d5c5aa8cd2ce0e9023e15ba5] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[e6d0e61cf9a1092de7b9138b2ada639d] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (_bookmarks", false); user_pref("browser.cache.disk.capacity", 358400); user_pref("browser.cache.disk.filesystem_reported", 1); user_pref("browser.cache.disk.smart_size.), Replaced,[b8fed32fb4e6cf67a9f79a0483814fb1] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: ( application is running, * the changes will be overwritten when the application exits. * * To make a manual change to preferences, you can visit the URL about:config */ user_pref("acc), Replaced,[7c3ae51d425843f3c0e089156f950bf5] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config */ user_pref("accessibility.typeaheadfind", true); user_pref("app.update.auto", false); user_pref("app.update.enabled", fal), Replaced,[f3c353afd4c649ed940c623c2dd72ad6] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (2211); user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971); user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[ccea05fd5d3d3ef8e1bf1e807292db25] PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml, Quarantined, [328435cd3a60d16567e83668bc48946c], PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\searchplugins\xirzzddp.xml, Quarantined, [a115be44bbdf072fb8974c52c53f31cf], Physical Sectors: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention