Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for Youndoo

- - - - - gsearchfinder

  • This topic is locked This topic is locked
1 reply to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Content is republished with permission from Malwarebytes.

What is Youndoo?

The Malwarebytes research team has determined that Youndoo is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example to change your startpage or searchscopes, so that the affected browser visits their site or one of their choice.
This one belongs to the GsearchFinder family that adds an extra Firefox profile.

How do I know if my computer is affected by Youndoo?

You may see this entry in your list of installed software:

warning4.png

this type of Scheduled Task:

warning3.png

and you will be hijacked to this search page:

main.png

and see these settings in your browser(s):

warning1.png
Chrome

warning2.png
Firefox

How did Youndoo get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove Youndoo?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
Due to the nature of this hijack it is better to perform some parts of the removal yourself.
You can skip the parts that are for browsers which you don't have installed.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Remove the new Firefox profile, see detailed instructions in the post below this one.
  • Reset Google Chrome settings, see detailed instructions in the post below this one. This is necessary or the new install will inherit the corrupted settings of the infected one.
  • Uninstall Chrome, see detailed instructions in the post below this one.
  • In Malwarebytes Anti-Malware, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • If you wish to use Chrome again, do a clean Chrome install,see detailed instructions in the post below this one.
Is there anything else I need to do to get rid of Youndoo?
  • No, Malwarebytes' Anti-Malware removes Youndoo completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Youndoo hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

protection1.png


Technical details for experts

Please note that some file- and foldernames in the logs below are randomized.

Possible signs in FRST logs:

 HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
 ShellExecuteHooks:  - {6710C780-E20E-4C49-A87D-321850ED3D7C} - C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll [388096 2016-06-28] ()
 FF ProfilePath: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default
 FF NewTab: hxxp://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b7&type=hp
 FF DefaultSearchEngine: youndoo
 FF SelectedSearchEngine: youndoo
 FF Homepage: hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp
 FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml [2016-06-29]
 FF Extension: GsearchFinder - C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\Extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi [2016-06-28]
 CHR HomePage: lirosyhizetheratbther -> hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp
 CHR StartupUrls: lirosyhizetheratbther -> "hxxp://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp"
 CHR DefaultSearchURL: lirosyhizetheratbther -> hxxp://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp
 CHR DefaultSearchKeyword: lirosyhizetheratbther -> youndoo
 S2 plohisAdapterArw.exe; C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe [708896 2016-06-28] ()
 C:\Windows\System32\Tasks\Plohis Adapter
 C:\Users\{username}\AppData\Local\grizosyanqshbuzersp
 C:\Program Files (x86)\Bevconesy

youndoo - Uninstall (HKLM-x32\...\{61FC6201-6727-43A3-ADFF-A360F9817331}) (Version:  - )
Task: {48BD166D-DC7D-484A-BE0B-B9D487A4D21D} - System32\Tasks\Plohis Adapter => C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe [2016-06-28] ()
() C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll
Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
    Adds the folder C:\Program Files (x86)\Bevconesy
       Adds the file AppleVersions.dllbkz"="6/29/2016 8:52 AM, 36 bytes, A
       Adds the file hiqerward.exee58"="6/29/2016 8:52 AM, 36 bytes, A
       Adds the file msvcr100.dll"="6/28/2016 3:38 AM, 773968 bytes, A
       Adds the file Nfccontrols.dll"="6/28/2016 3:38 AM, 471552 bytes, A
       Adds the file plohisAdapterArw.exe"="6/28/2016 3:37 AM, 708896 bytes, A
       Adds the file plohisAdapterGrq.exe"="6/28/2016 3:37 AM, 346400 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther
       Adds the file ChromeDWriteFontCache"="2/10/2016 11:39 AM, 22900556 bytes, A
       Adds the file Cookies"="6/28/2016 9:18 AM, 12288 bytes, A
       Adds the file Cookies-journal"="6/28/2016 9:18 AM, 0 bytes, A
       Adds the file Current Session"="6/28/2016 9:18 AM, 95082 bytes, A
       Adds the file Current Tabs"="6/28/2016 9:18 AM, 46289 bytes, A
       Adds the file Extension Cookies"="3/3/2016 10:14 AM, 7168 bytes, A
       Adds the file Extension Cookies-journal"="3/3/2016 10:14 AM, 0 bytes, A
       Adds the file Favicons"="5/26/2016 8:25 AM, 20480 bytes, A
       Adds the file Favicons-journal"="5/26/2016 8:25 AM, 0 bytes, A
       Adds the file Google Profile.ico"="2/10/2016 11:38 AM, 176873 bytes, A
       Adds the file History"="6/28/2016 9:17 AM, 94208 bytes, A
       Adds the file History Provider Cache"="6/28/2016 9:18 AM, 6 bytes, A
       Adds the file History-journal"="6/28/2016 9:17 AM, 0 bytes, A
       Adds the file Last Session"="6/28/2016 9:16 AM, 97207 bytes, A
       Adds the file Last Tabs"="6/28/2016 9:17 AM, 46289 bytes, A
       Adds the file Login Data"="4/19/2016 1:37 PM, 18432 bytes, A
       Adds the file Login Data-journal"="4/19/2016 1:37 PM, 0 bytes, A
       Adds the file Network Action Predictor"="2/10/2016 11:39 AM, 13312 bytes, A
       Adds the file Network Action Predictor-journal"="2/10/2016 11:39 AM, 0 bytes, A
       Adds the file Network Persistent State"="6/28/2016 9:18 AM, 40 bytes, A
       Adds the file Origin Bound Certs"="4/19/2016 1:37 PM, 9216 bytes, A
       Adds the file Origin Bound Certs-journal"="4/19/2016 1:37 PM, 0 bytes, A
       Adds the file Preferences"="6/28/2016 9:18 AM, 8686 bytes, A
       Adds the file QuotaManager"="3/3/2016 10:14 AM, 15360 bytes, A
       Adds the file QuotaManager-journal"="3/3/2016 10:14 AM, 0 bytes, A
       Adds the file README"="2/10/2016 11:38 AM, 180 bytes, A
       Adds the file Secure Preferences"="6/29/2016 8:52 AM, 38194 bytes, A
       Adds the file Secure Preferenceswipicharozustokacult"="6/28/2016 9:18 AM, 37517 bytes, A
       Adds the file Shortcuts"="3/3/2016 10:14 AM, 20480 bytes, A
       Adds the file Shortcuts-journal"="3/3/2016 10:14 AM, 0 bytes, A
       Adds the file Top Sites"="3/3/2016 10:14 AM, 20480 bytes, A
       Adds the file Top Sites-journal"="3/3/2016 10:14 AM, 0 bytes, A
       Adds the file TransportSecurity"="6/17/2016 9:35 AM, 8 bytes, A
       Adds the file Visited Links"="5/11/2016 8:48 AM, 131072 bytes, A
       Adds the file Web Data"="3/3/2016 10:14 AM, 63488 bytes, A
       Adds the file Web Data-journal"="3/3/2016 10:14 AM, 0 bytes, A
       Adds the file Web Datawipicharozustokacult"="3/3/2016 10:14 AM, 63488 bytes, A
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Cache
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\data_reduction_proxy_leveldb
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\databases
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extension State
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Extensions
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\GPUCache
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIcons
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\JumpListIconsOld
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Local Storage
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Session Storage
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Storage\ext\chrome-signin\def\GPUCache
    Adds the folder C:\Users\{username}\AppData\Local\Google\Chrome\User Data\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Caps
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\CertificateTransparency
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\Crashpad\reports
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\EVWhitelist
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\data_reduction_proxy_leveldb
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\databases
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extension State
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Extensions
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Local Storage
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Session Storage
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Storage\ext\chrome-signin\def
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\lirosyhizetheratbther\Web Applications\_crx_aohghmighlieiainnegkcijnfilokake
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\PepperFlash
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\pnacl
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\ShaderCache
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwiftShader
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\SwReporter
    Adds the folder C:\Users\{username}\AppData\Local\grizosyanqshbuzersp\WidevineCDM
    In the existing folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox
       Alters the file profiles.ini
        2/10/2016 11:14 AM, 122 bytes, A ==> 6/29/2016 8:52 AM, 210 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\rijercultclozerwardvebeied
       Adds the file backprofiles.ini"="2/10/2016 11:14 AM, 122 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default
       Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A
       Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A
       Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A
       Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A
       Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A
       Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A
       Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A
       Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A
       Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A
       Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A
       Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A
       Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A
       Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A
       Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A
       Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A
       Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A
       Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A
       Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A
       Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A
       Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A
       Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A
       Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A
       Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A
       Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A
       Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A
    Adds the folder C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom
       Adds the file addons.json"="6/20/2016 10:43 AM, 1453 bytes, A
       Adds the file blocklist.xml"="6/20/2016 10:45 AM, 235727 bytes, A
       Adds the file cert8.db"="6/20/2016 1:23 PM, 65536 bytes, A
       Adds the file compatibility.ini"="6/20/2016 11:24 AM, 228 bytes, A
       Adds the file content-prefs.sqlite"="2/10/2016 11:14 AM, 229376 bytes, A
       Adds the file cookies.sqlite"="6/20/2016 1:23 PM, 524288 bytes, A
       Adds the file extensions.ini"="6/20/2016 11:24 AM, 185 bytes, A
       Adds the file extensions.json"="6/20/2016 11:24 AM, 4312 bytes, A
       Adds the file formhistory.sqlite"="5/11/2016 8:46 AM, 196608 bytes, A
       Adds the file key3.db"="6/20/2016 1:23 PM, 16384 bytes, A
       Adds the file mimeTypes.rdf"="2/10/2016 11:14 AM, 3739 bytes, A
       Adds the file parent.lock"="6/20/2016 11:24 AM, 0 bytes, A
       Adds the file permissions.sqlite"="2/10/2016 11:14 AM, 98304 bytes, A
       Adds the file places.sqlite"="6/20/2016 11:23 AM, 10485760 bytes, A
       Adds the file pluginreg.dat"="5/18/2016 9:33 AM, 346 bytes, A
       Adds the file prefs.js"="6/29/2016 8:52 AM, 11926 bytes, A
       Adds the file revocations.txt"="6/20/2016 11:24 AM, 7488 bytes, A
       Adds the file search-metadata.json"="6/29/2016 8:52 AM, 216 bytes, A
       Adds the file secmod.db"="2/10/2016 11:14 AM, 16384 bytes, A
       Adds the file sessionCheckpoints.json"="6/20/2016 1:23 PM, 288 bytes, A
       Adds the file sessionstore.js"="6/20/2016 1:23 PM, 870 bytes, A
       Adds the file SiteSecurityServiceState.txt"="6/20/2016 1:23 PM, 328 bytes, A
       Adds the file times.json"="2/10/2016 11:14 AM, 29 bytes, A
       Adds the file webappsstore.sqlite"="5/18/2016 9:34 AM, 98304 bytes, A
       Adds the file xulstore.json"="6/20/2016 11:25 AM, 322 bytes, A
    In the existing folder C:\Windows\System32\Tasks
       Adds the file Plohis Adapter"="6/29/2016 8:52 AM, 9020 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_LOCAL_MACHINE\SOFTWARE\causqo]
       "day"="REG_SZ", "20160629"
       "upday"="REG_SZ", "20160629"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InProcServer32]
       "(Default)"="REG_SZ", "C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll"
       "ThreadingModel"="REG_SZ", "Apartment"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
       "help"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
       "{6710C780-E20E-4C49-A87D-321850ED3D7C}"="REG_SZ", ""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
       "EnableShellExecuteHooks"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
       "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
       "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
       "spname"="REG_SZ", "youndoo"
       "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
       "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\{E6276374-DE18-4AA5-A365-9016A2F98A2D}]
       "c"="REG_DWORD", 1
       "f"="REG_DWORD", 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\causqo]
       "day"="REG_SZ", "20160629"
       "upday"="REG_SZ", "20160629"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CB75DF05542D4707119BC449A5FA9A4A]
       "(Default)"="REG_SZ", "{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"
       "{9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"="REG_BINARY, ......................................................................................................................................................................................................z.......................................................................................................................................................................................................z.....................................................................................................................................................................................................................................................................................................................
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{61FC6201-6727-43A3-ADFF-A360F9817331}]
       "DisplayName"="REG_SZ", "youndoo - Uninstall"
       "UninstallString"="REG_SZ", "rundll32.exe "C:\Program Files (x86)\Bevconesy\Nfccontrols.dll",u "/k={61FC6201-6727-43A3-ADFF-A360F9817331}""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
       "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
       "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
       "spname"="REG_SZ", "youndoo"
       "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
       "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\youndooSoftware\youndoohp]
       "oem"="REG_SZ", "btp"
       "Time"="REG_DWORD", 1467183137
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\plohisAdapterArw.exe]
       "DelayedAutostart"="REG_DWORD", 1
       "Description"="REG_SZ", "Receives activation requests over the server and passes them to Plohis."
       "DisplayName"="REG_SZ", "Plohis Adapter"
       "ErrorControl"="REG_DWORD", 1
       "ImagePath"="REG_EXPAND_SZ, ""C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116}"
       "ObjectName"="REG_SZ", "LocalSystem"
       "Start"="REG_DWORD", 2
       "Type"="REG_DWORD", 272
       "WOW64"="REG_DWORD", 1
    [HKEY_USERS\.DEFAULT\Software\causqo]
       "day"="REG_SZ", "20160629"
       "upday"="REG_SZ", "20160629"
    [HKEY_USERS\.DEFAULT\Software\CB75DF05542D4707119BC449A5FA9A4A]
       "c"="REG_DWORD", 1
       "d"="REG_SZ", "20160629"
       "o"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\CB75DF05542D4707119BC449A5FA9A4A]
       "c"="REG_DWORD", 1
       "d"="REG_SZ", "20160629"
       "o"="REG_DWORD", 1
    [HKEY_CURRENT_USER\Software\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}]
       "hp"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "s"="REG_SZ", "HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?u=%s&update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"
       "sp"="REG_SZ", "http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp"
       "spname"="REG_SZ", "youndoo"
       "surl"="REG_SZ", "http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q="
       "tab"="REG_SZ", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext"
       "uid"="REG_SZ", "CB75DF05542D4707119BC449A5FA9A4A"

 
Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/29/2016
Scan Time: 9:26 AM
Logfile: mbamYoundoo.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.29.02
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 314230
Time Elapsed: 8 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 7
PUP.Optional.YesSearches, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\CLASSES\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [8234837f6c2e44f2f5813c34c43e54ac], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\youndooSoftware, Quarantined, [d6e034cef9a1bf777e91a129679bf709], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}, Quarantined, [892d07fbf4a643f378da1eac0bf77987], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6], 
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}, Quarantined, [684e659de0bae74f84cbfeccfe04fa06], 

Registry Values: 14
PUP.Optional.Youndoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{6710C780-E20E-4C49-A87D-321850ED3D7C}, Quarantined, [bdf96c96c1d9af871d590f619d659967], 
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [d2e4738f17836bcb9eb5537716ecb64a]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [b6003ac84f4b70c6d28112b8a35ff40c]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [c4f2af53376342f4054e408acb3739c7]
PUP.Optional.Youndoo, HKLM\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [8135f70bfc9ebc7ace85a426f90934cc]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{61FC6201-6727-43A3-ADFF-A360F9817331}|DisplayName, youndoo - Uninstall, Quarantined, [892d07fbf4a643f378da1eac0bf77987]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [7b3bc43e4f4b6fc7084be4e689794ab6]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [694d5ca66832a1950251fdcde81a1ce4]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [06b047bb8f0be056aba8ca0049b9e51b]
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [12a4b151603a2e0880d399314bb77c84]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|hp, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [684e659de0bae74f84cbfeccfe04fa06]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|tab, http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp&mode=ffsengext, Quarantined, [cbeb9969fd9d1521004f8347b54da759]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|sp, http://www.youndoo.com/search/?q={searchTerms}&z={z1}&from=btp&uid={harddiskID}&type=sp, Quarantined, [fdb9bf431a807db974db43878c766c94]
PUP.Optional.Youndoo, HKCU\SOFTWARE\MOZILLA\FIREFOX\{EB52F1AB-3C2B-424F-9794-833C687025CF}|surl, http://www.youndoo.com/search/?&z={z1}&from=btp&uid={harddiskID}&type=sp&q=, Quarantined, [981e0ef4bfdb5ed8a6a9d7f353af8977]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\YourGSearchFinder_br, Quarantined, [d0e68979e8b286b05d60ecdc837f43bd], 
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], 

Files: 24
PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterArw.exe, Quarantined, [5a5c12f099011f17263fe6eb0ff2867a], 
PUP.Optional.YesSearches, C:\Users\{username}\Desktop\setup.exe, Quarantined, [00b6b84a3a60162066e54f83956c5aa6], 
PUP.Optional.YesSearches, C:\Program Files (x86)\Bevconesy\plohisAdapterGrq.exe, Quarantined, [971f1fe3aded71c51e479f32e61b09f7], 
PUP.Optional.YesSearches.Gen, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Cookies\werrise.dll, Delete-on-Reboot, [6353ec16633783b35c4d0ac024dedf21], 
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [2492e9193367bc7a72b747b74bb810f0], 
PUP.Optional.GsearchFinder, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\extensions\@90B817C8-8A5C-413B-9DDD-B2C61ED6E79A.xpi, Quarantined, [694d9d6523778bab7dace717ab58f010], 
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\AppleVersions.dllbkz, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], 
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\hiqerward.exee58, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], 
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\msvcr100.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], 
PUP.Optional.Youndoo, C:\Program Files (x86)\Bevconesy\Nfccontrols.dll, Quarantined, [2b8b29d9a9f12d09eba69c2d56ac55ab], 
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[2c8a0ff3bcde77bf6e320b93c3417888]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.cache.frec), Replaced,[2d8960a2b2e880b628787628da2a0df3]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: ( application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */

user_pref("acc), Replaced,[387ed52de3b7bb7b366a3b63a4604fb1]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config
 */

user_pref("accessibility.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", fal), Replaced,[833308fa49513204bce41d81f70d51af]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (2211);
user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[05b1f40e0892fb3b168ac4da0ef613ed]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (\"multiprocessCompatible\":false,\"runInSafeMode\":false},\"[email protected]\":{\"version\":\"1.3.2\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\fe), Replaced,[9d19fd05fc9e86b0a4fceab4966ea25e]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\prefs.js, Good: (), Bad: (;
user_pref("browser.search.searchengine.hp", "http://www.youndoo.com/?z={z1}&from=btp&uid=VBOXXHARDDISK_VB3361b1e7-85c503b), Replaced,[d0e65ba7d5c5aa8cd2ce0e9023e15ba5]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.youndoo.com/?z={z1}&from=btp&uid={harddiskID}&type=hp");), Replaced,[e6d0e61cf9a1092de7b9138b2ada639d]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (_bookmarks", false);
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.cache.disk.filesystem_reported", 1);
user_pref("browser.cache.disk.smart_size.), Replaced,[b8fed32fb4e6cf67a9f79a0483814fb1]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: ( application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */

user_pref("acc), Replaced,[7c3ae51d425843f3c0e089156f950bf5]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (manual change to preferences, you can visit the URL about:config
 */

user_pref("accessibility.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", fal), Replaced,[f3c353afd4c649ed940c623c2dd72ad6]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\prefs.js, Good: (), Bad: (2211);
user_pref("app.update.lastUpdateTime.background-update-timer", 1466411971);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1466412), Replaced,[ccea05fd5d3d3ef8e1bf1e807292db25]
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\8ntoizyz.default\searchplugins\xirzzddp.xml, Quarantined, [328435cd3a60d16567e83668bc48946c], 
PUP.Optional.Youndoo, C:\Users\{username}\AppData\Roaming\Profiles\kikutionppsecoerkidom\searchplugins\xirzzddp.xml, Quarantined, [a115be44bbdf072fb8974c52c53f31cf], 

Physical Sectors: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
How to remove a fake or infected FireFox profile.
  • Close Firefox so the running browser does not interfere with the fix.
  • Use the key combination Windows key + R to open the Run box.
  • Type or copy the command Firefox -P to open the Firefox profile manager.
    Choices.png
  • Make sure the profile called "Firefox Default" is selected (not the one simply called "default") and click on Delete Profile...
  • When prompted to ask if you want to delete the fake profile, click Delete Files.
    Delete.png
  • Select the option to Use the selected profile without asking at startup by putting a checkmark in the corresponding box.
    Check.png
    If more than one profiles are left in the list, select the one that you would prefer to use. Usually only the default profile will be left and automatically selected.
  • Click the Start Firefox button
  • From now on FireFox will open with the selected profile.
An alternative procedure is to manually edit profiles.ini
Unless you have done so before, you will have to "unhide" hidden files. Information on how to do that can be found here or here.
  • Close Firefox so the running browser does not interfere with the fix.
  • Locate profiles.ini in the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\profiles.ini (for Windows Vista and later).
  • Rightclick on profiles.ini and choose "Edit" from the menu.
  • After this infection it will look like this:
    after.png
    where the ******** are a random 8 digit string representing your profile from before the infection.
    The second profile in the list is the one created by this infection.
  • Edit the 1 behind StartWithLastProfile and replace it with a 0 (zero), so the line now looks like this:
    SetToZero.png
  • Save the edited file by clicking File > Save.
  • This will prompt FireFox to ask you which profile you want to use the next time you run it.
    Choices.png
  • Make sure the profile called "Firefox Default" is selected (not the one simply called "default") and click on Delete Profile...
  • When prompted to ask if you want to delete the fake profile, click Delete Files.
    Delete.png
  • Select the option to Use the selected profile without asking at startup by putting a checkmark in the corresponding box.
    Check.png
    If more than one profiles are left in the list, select the one that you would prefer to use. Usually only the default profile will be left and automatically selected.
  • Click the Start Firefox button
  • From now on FireFox will open with the selected profile.
If there are other browser settings that you would like to change like the default search engine or the startpage, we advise to have a look at our Restore Browser page.


The information for this procedure was derived from: http://kb.mozillazin...default_profile

Reset Google Chrome settings

Please open Google Chrome.

Enter the Chrome menu by clicking the Options button (upper right corner) and select Settings.

At the bottom click Show advanced settings.

Scroll down and find the Reset settings button. Click it.

In the dialog that appears, click Reset.

Close Google Chrome.


Uninstall Chrome

Please press both Windows & R keys on your keyboard.

A small box should appear in the lower left corner. Please type in appwizz.cpl and click OK.

Youll see the Control Panel window with a list of installed programs.
Search there for Google Chrome and uninstall it.
If prompted to delete all the personal browsing data please mark it for deletion.

Finally please reboot your machine before approaching anything else.



Clean Chrome Install

Please go to the link below:
Google Chrome download

Download and install a new, fresh version of Chrome.
  • 0





Also tagged with one or more of these keywords: gsearchfinder

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.