
Removal instructions for YesSearches


What is YesSearches?

The Malwarebytes research team has determined that YesSearches is a browser hijacker. These so-called "hijackers" manipulate your browser(s), for example by changing your start page or search scopes, so that the affected browser visits their site or one of their choice.
This one also displays advertisements and creates a new Firefox profile.

How do I know if my computer is affected by YesSearches?

You may see this entry in your list of installed software:

warning4.png

and this Start/Home-page in your browsers:

main.png

this browser add-on in Firefox:

warning1.png

this type of Scheduled Task:

warning3.png

and you will see altered settings in Chrome and Firefox:

warning2.png

warning5.png

and the browser shortcuts on your desktop and in your taskbar may have been altered:

warning6.png

How did YesSearches get on my computer?

Browser hijackers use different methods for distributing themselves. This particular one was bundled with other software.

How do I remove YesSearches?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now, or select Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of YesSearches?
  • No, Malwarebytes' Anti-Malware removes YesSearches completely.
  • This PUP creates some scheduled tasks. You can read here how to check for and, if necessary, remove Scheduled Tasks.
  • Look at the first reply to this topic to learn how you can go back to your old Firefox profile.
  • We advise you to look at our Restore Browser page. You can read there how to fix additional browser redirect methods.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the YesSearches hijacker. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.

 

protection1.png


Technical details for experts

Possible signs in FRST logs:

 
 FF ProfilePath: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1
 FF NewTab: hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=ffseng
 FF DefaultSearchEngine: yessearches
 FF SelectedSearchEngine: yessearches
 FF Homepage: hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=ffseng
 FF SearchPlugin: C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\searchplugins\DD1B66D4.xml [2016-04-19]
 FF Extension: GsearchFinder - C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\41A66E7E5EE1\Extensions\@E9438230-A7DF-4D1F-8F2D-CA1D0F0F7924.xpi [2016-04-18]
 CHR HomePage: Default -> hxxp://www.yessearches.com/?mode=nnnb&ptid=obs&uid=CB75DF05542D4707119BC449A5FA9A4A&v=20160415&ts=AHEqAH0oBXYpBU..
 CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=obs&uid=CB75DF05542D4707119BC449A5FA9A4A&v=20160415&ts=AHEqAH0oBXYpBU.."
 CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=nnnb
 CHR DefaultSearchKeyword: Default -> yessearches
 S2 BugreportW; C:\Program Files (x86)\yesbnd\mbat.exe [988176 2016-04-18] ()
 S2 jjcscheduleservice; C:\Program Files (x86)\Jejochclipasp\jjcscheduleservice.exe [310768 2016-04-18] ()
 C:\Users\{username}\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
 C:\Windows\System32\Tasks\Jejochclipasp Schedule
 C:\Users\Public\Documents\dmp
 C:\Program Files (x86)\yesbnd
 C:\Program Files (x86)\Jejochclipasp

yessearches - Uninstall (HKLM-x32\...\Uninstall - obs) (Version:  - ) <==== ATTENTION
Task: {88210FD6-28C7-4AA9-BC2C-5E3154354AC9} - System32\Tasks\Jejochclipasp Schedule => C:\Program Files (x86)\Jejochclipasp\jjcscheduletask.exe [2016-04-18] ()
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\Users\{username}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
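
The FRST signs listed above fall into three patterns that can be checked mechanically: browser settings pointing at an unexpected host, browser shortcuts with a URL appended as an argument, and services or scheduled tasks whose trailing publisher field is empty `()`. The Python script below is an added example, not part of the original guide or of FRST; the function names, the finding labels and the `ALLOWED_HOSTS` allowlist are assumptions, and one sample line (the `example.org` one) is constructed.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the FRST list above. The "CHR HomePage ... example.org"
# line is constructed, to show a setting that passes the allowlist.
SAMPLE = r"""
FF Homepage: hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=ffseng
FF DefaultSearchEngine: yessearches
CHR StartupUrls: Default -> "hxxp://www.yessearches.com/?mode=nnnb&ptid=obs&uid=CB75DF05542D4707119BC449A5FA9A4A&v=20160415&ts=AHEqAH0oBXYpBU.."
CHR DefaultSearchURL: Default -> hxxp://www.yessearches.com/chrome.php?q={searchTerms}&ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=nnnb
CHR HomePage: Default -> hxxps://www.example.org/
S2 BugreportW; C:\Program Files (x86)\yesbnd\mbat.exe [988176 2016-04-18] ()
Task: {88210FD6-28C7-4AA9-BC2C-5E3154354AC9} - System32\Tasks\Jejochclipasp Schedule => C:\Program Files (x86)\Jejochclipasp\jjcscheduletask.exe [2016-04-18] ()
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.yessearches.com/?ts=AHEqAH0oBXYpBU..&v=20160415&uid=CB75DF05542D4707119BC449A5FA9A4A&ptid=obs&mode=scrp
"""

# Assumption: hosts the analyst accepts as start or search pages.
ALLOWED_HOSTS = {"example.org"}

# Matches normal and defanged (hxxp) URLs, stopping at whitespace or a quote.
URL_RE = re.compile(r'h(?:tt|xx)ps?://[^\s"]+', re.I)
# Browser settings that carry a URL (engine-name lines are not matched).
SETTING_RE = re.compile(
    r'^(?P<key>(?:FF|CHR) (?:Homepage|NewTab|StartupUrls|DefaultSearchURL)):',
    re.I)
# Service and task lines that end in an empty "()" publisher field.
SERVICE_RE = re.compile(
    r'^[RSU]\d (?P<name>\S+); (?P<path>.+?) \[[^\]]*\] \(\)$')
TASK_RE = re.compile(
    r'^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<path>.+?)'
    r' \[[^\]]*\] \(\)$')


def host_of(url):
    """Lower-cased host of a possibly defanged URL. Nothing is fetched."""
    refanged = re.sub(r'^hxxp', 'http', url, flags=re.I)
    return (urlsplit(refanged).hostname or "").lower()


def allowed(host, allowlist):
    """True if host equals an allowlisted name or is a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def triage(text, allowlist=ALLOWED_HOSTS):
    """Return (kind, subject, detail) tuples for suspicious FRST lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ShortcutWithArgument:"):
            # Layout: <.lnk path> -> <target exe> (vendor) -> <argument>
            parts = line.split(" -> ")
            url = URL_RE.search(parts[-1]) if len(parts) >= 3 else None
            if url and not allowed(host_of(url.group()), allowlist):
                lnk = parts[0].split(": ", 1)[1]
                findings.append(
                    ("shortcut-url-argument", lnk, host_of(url.group())))
            continue
        m = SETTING_RE.match(line)
        if m:
            for url in URL_RE.findall(line):
                host = host_of(url)
                if host and not allowed(host, allowlist):
                    findings.append(("browser-setting", m.group("key"), host))
            continue
        m = SERVICE_RE.match(line) or TASK_RE.match(line)
        if m:
            findings.append(
                ("autostart-no-publisher", m.group("name"), m.group("path")))
    return findings


def hosts_seen(findings):
    """Map each flagged host to the kinds of finding it appeared in."""
    out = {}
    for kind, _subject, detail in findings:
        if kind != "autostart-no-publisher":
            out.setdefault(detail, set()).add(kind)
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

A host that shows up under both `browser-setting` and `shortcut-url-argument` is the pattern this guide describes: resetting the homepage alone leaves the altered shortcuts in place.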
Excerpt of the Malwarebytes Anti-Malware log (full log available on request):
 
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */

user_pref("accessibility.typeahe), Replaced,[05a9763a5f3a95a16aa2f67561a4ca36]
PUP.Optional.YesSearches, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\prefs.js, Good: (), Bad: (ref("app.update.lastUpdateTime.xpi-signature-verification", );
user_pref("browser.bookmarks.restore_default_bookmarks", false);
user_pref("browser.cache.di), Replaced,[4d614f61712840f6fd0fe9820df8b050]
PUP.Optional.YesSearches, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\prefs.js, Good: (user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (user_pref("browser.startup.homepage", "http://www.yessearches.com), Replaced,[7c32dad6d6c377bf28fea5c65ca9b947]
PUP.Optional.YesSearches, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\searchplugins\DD1B66D4.xml, Quarantined, [5658e5cbfa9fdb5b50a6aabfcf3614ec], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\prefs.js, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\extensions.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\addons.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\blocklist.xml, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\cert8.db, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\compatibility.ini, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\content-prefs.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\cookies.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\extensions.ini, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\healthreport.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\key3.db, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\mimeTypes.rdf, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\parent.lock, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\permissions.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\places.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\pluginreg.dat, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\revocations.txt, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\search-metadata.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\secmod.db, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionCheckpoints.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore.js, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\SiteSecurityServiceState.txt, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\times.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\webappsstore.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\xulstore.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\crashes\store.json.mozlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\session-state.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\state.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-02\1455099301593.ebc67212-de21-415b-80c8-c736883d8e4e.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-02\1455100734479.96decdd8-f399-4448-8278-35ddb847a58f.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-02\1455731655465.2657f7c7-8555-4b6b-95ac-c8acb7e016ce.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-02\1455797845926.4adefa72-6256-43e8-be60-61b5839b9929.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-02\1456392969084.f1e20e54-f1da-4d60-9107-808aba3adbd6.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-03\1458544859095.ea2f30b8-fc4c-4495-ae05-ef17beded10d.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-04\1459501120814.70c5fcc6-b7f9-4562-b421-1425a5be66c5.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-04\1459501170114.edb3333b-e1d0-47e5-b57a-1ca4227fe697.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-04\1459762965948.122d3735-3c6f-4d37-95d2-5b20b797f4b2.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\datareporting\archived\2016-04\1460360748645.fb95965f-81a9-4d3d-8a6c-ace1159da0ac.main.jsonlz4, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\saved-telemetry-pings\122d3735-3c6f-4d37-95d2-5b20b797f4b2, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\saved-telemetry-pings\70c5fcc6-b7f9-4562-b421-1425a5be66c5, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\saved-telemetry-pings\edb3333b-e1d0-47e5-b57a-1ca4227fe697, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\saved-telemetry-pings\fb95965f-81a9-4d3d-8a6c-ace1159da0ac, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore-backups\previous.js, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore-backups\recovery.bak, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore-backups\recovery.js, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore-backups\upgrade.js-20160123151951, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\sessionstore-backups\upgrade.js-20160315153207, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\storage\permanent\chrome\.metadata, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\storage\permanent\chrome\idb\2918063365piupsah.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\storage\permanent\moz-safe-about+home\.metadata, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\Profiles\CCACCBF1-7AB4-4CF5-B32D-668C686A539F\webapps\webapps.json, Quarantined, [6b437d33a3f66dc9ae1587e371942ad6], 

Physical Sectors: 
(No malicious items detected)


(end)
As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.

  • Staff
How to remove a fake or infected Firefox profile.
  • Close Firefox so the running browser does not interfere with the fix.
  • Use the key combination Windows key + R to open the Run box.
  • Type or copy the command Firefox -P to open the Firefox profile manager.
    Choices.png
  • Make sure the profile called "Firefox Default" is selected (not the one simply called "default") and click on Delete Profile...
  • When asked whether you want to delete the fake profile, click Delete Files.
    Delete.png
  • Select the option to Use the selected profile without asking at startup by putting a checkmark in the corresponding box.
    Check.png
    If more than one profile is left in the list, select the one that you would prefer to use. Usually only the default profile will be left and automatically selected.
  • Click the Start Firefox button.
  • From now on Firefox will open with the selected profile.
An alternative procedure is to manually edit profiles.ini
Unless you have done so before, you will have to "unhide" hidden files. Information on how to do that can be found here or here.
  • Close Firefox so the running browser does not interfere with the fix.
  • Locate profiles.ini in the folder C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\profiles.ini (for Windows Vista and later).
  • Right-click on profiles.ini and choose "Edit" from the menu.
  • After this infection it will look like this:
    after.png
    where the ******** are a random 8-digit string representing your profile from before the infection.
    The second profile in the list is the one created by this infection.
  • Edit the 1 behind StartWithLastProfile and replace it with a 0 (zero), so the line now looks like this:
    SetToZero.png
  • Save the edited file by clicking File > Save.
  • This will prompt Firefox to ask you which profile you want to use the next time you run it.
    Choices.png
  • Make sure the profile called "Firefox Default" is selected (not the one simply called "default") and click on Delete Profile...
  • When asked whether you want to delete the fake profile, click Delete Files.
    Delete.png
  • Select the option to Use the selected profile without asking at startup by putting a checkmark in the corresponding box.
    Check.png
    If more than one profile is left in the list, select the one that you would prefer to use. Usually only the default profile will be left and automatically selected.
  • Click the Start Firefox button.
  • From now on Firefox will open with the selected profile.
If there are other browser settings that you would like to change, like the default search engine or the startpage, we advise you to have a look at our Restore Browser page.


The information for this procedure was derived from: http://kb.mozillazin...default_profile
Edited by Metallica
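
The profiles.ini edit described in the alternative procedure above, as an added example that is not part of the original post: a Python script that lists the profiles in a profiles.ini, marks the one named "Firefox Default", and sets StartWithLastProfile to 0. The sample file is constructed; the Name, IsRelative, Path and Default keys and the abcd1234 directory name are assumptions, since the page shows the file only as a screenshot.

```python
import configparser
import io

# Constructed sample of profiles.ini after the infection. The first path is a
# made-up placeholder; the second is the fake profile directory from the scan log.
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=Firefox Default
IsRelative=1
Path=Profiles/CCACCBF1-7AB4-4CF5-B32D-668C686A539F
"""

FAKE_PROFILE_NAME = "Firefox Default"  # name the page gives for the fake profile

def load_profiles_ini(text):
    """Parse profiles.ini text, keeping the key case Firefox uses."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # the default would lowercase StartWithLastProfile
    parser.read_string(text)
    return parser

def list_profiles(parser):
    """Return (section, name, path, is_suspect) for every [ProfileN] section."""
    rows = []
    for section in parser.sections():
        if not section.startswith("Profile"):
            continue  # skip [General] and any other non-profile section
        name = parser.get(section, "Name", fallback="")
        path = parser.get(section, "Path", fallback="")
        rows.append((section, name, path, name == FAKE_PROFILE_NAME))
    return rows

def force_profile_prompt(text):
    """Return profiles.ini text with StartWithLastProfile set to 0."""
    parser = load_profiles_ini(text)
    if not parser.has_section("General"):
        parser.add_section("General")  # edge case: file without a [General] block
    parser.set("General", "StartWithLastProfile", "0")
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)  # keep the key=value form
    return out.getvalue()

if __name__ == "__main__":
    for section, name, path, suspect in list_profiles(load_profiles_ini(SAMPLE_PROFILES_INI)):
        note = "  <-- named like the fake profile" if suspect else ""
        print(f"{section}: {name!r} -> {path}{note}")
    print(force_profile_prompt(SAMPLE_PROFILES_INI))
```

Run it against a copy of profiles.ini with Firefox closed, then delete the fake profile in the profile manager as the steps above describe.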