GsearchFinder hijackers add extra Firefox profile

GsearchFinder hijackers add extra Firefox profile

Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


Our researchers found that Gsearchfinder search hijackers called YesSearches and HohoSearch are adding an extra Firefox profile on affected systems. So we wanted to bring you up to speed by discussing the consequences and how to remedy such a situation.

Who are they?

YesSearches and HohoSearch are browser hijackers targeting Chrome and Firefox. They can be found in bundlers like Amonetize, SoftPulse, Somoto, and OutBrowse. You can find the Privacy Policy of YesSearches along with the About and the License Agreement and the wording of the ones for HohoSearch are exactly the same. Some of the phrases in the About section seem to be copied from amog[dot]com.

What methods do they use?

They alter the shortcuts for the browser on the desktop and in the taskbar (pinned) and add a link to their search-page so the browser will open with that site if you use those shortcuts. If you are affected they would do that anyway since they also hijack the start-page and “Home” button.

warning1w

On top of that they install two services and a Scheduled Task, usually an indicator that you will receive advertisements at regular and set intervals. The Scheduled Task for example is triggered every two hours.

every2

But the new part about these hijackers was the creation of an extra Firefox profile.

An extra Firefox profile?

Yes, maybe we should even be thankful for this. Rather than messing up your default profile they create an extra one that has been pre-hijacked. Looking at the Mozilla Support page about “Use the Profile Manager to create and remove Firefox profiles” it is easier to remove an unwanted profile than it is to clean up a hijacked one. So let’s have a look at the necessary steps.

Removing an unwanted Firefox profile created by GsearchFinder

  • Close all Firefox processes so the running browser does not interfere with the fix.
  • Use the key combination Windows key + R to open the Run box.
  • Type or copy the command Firefox -P to open the Firefox profile manager.
Choices
  • Make sure the profile called “Firefox Default” is selected (not the one simply called “default”) and click on Delete Profile…
  • When prompted to ask if you want to delete the fake profile, click Delete Files.
Delete
  • Select the option to Use the selected profile without asking at startup by putting a checkmark in the corresponding box.
Check
  • If more than one profiles are left in the list, select the one that you would prefer to use. Usually only the default profile will be left and automatically selected.
  • Click the Start Firefox button
  • From now on FireFox will open with the selected profile.

If there are other browser settings that you would like to change like the default search engine or the startpage, we advise to have a look at our Restore Browser page.

Additional information

Removal guide for YesSearches with an alternative method how to remove the extra Firefox profile.

Removal guide for HohoSearch.

Md5 YesSearches installer: bebb7882ca5ade782fb7c0cd6df4d2f2

Md5 HohoSearch installer: 2e757415b7bfa8d9f2e28734d7919b4f

One of the services has the same name for both variants so that might be something to look out for. They show up in FRST logs like this:

  • YesSearches: S2 BugreportW; C:Program Files (x86)yesbndmbat.exe [988176 2016-04-18] ()
  • HohoSearch: S2 BugreportW; C:Program Files (x86)hohobndgredity.exe [988904 2016-04-20] ()

Which means that the services are set to “Auto” and they use different files and folders depending on the search hijack, but the name of the service is “BugreportW” in both cases.

Malwarebytes Anti-Malware Premium protects users against these hijackers. It also removes the files and folders involved and cleans the altered shortcuts. Users will have to remove the second profile manually (we are looking into a safe way of doing this for you) and they will have to alter the changes made to the Chrome settings.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.