
Remove Youndoo (Removal Guide) - Feb 2017 update

Removal by Julie Splinters | Also known as Youndoo | Type: Browser hijacker

Youndoo virus. How bad is it?

Youndoo virus was first detected in June 2016. Since then, it has had its ups and downs while trying to become a widespread headache for computer users. However, it seems that the virus is not done: security experts have just reported renewed activity of this browser hijacker[1]. Could 2017 be the year of this virus? We will see. For now, you should take a look at the dangers that it can cause on your computer. At first it may look like a reliable search engine alternative and may trick you into thinking that it is as functional and secure as any other popular browsing tool. Unfortunately, that is far from the truth. Security experts deem Youndoo virus a browser hijacker for its peculiar quality of taking over browsers and setting its own web page as their primary search engine and home page. What is more, the PUP is widely known for its redirect tendency, which is not only annoying and disruptive but can sometimes have a very unpleasant impact on the PC. In the following sections of this article, we will talk in more depth about why this browsing tool should not be trusted and how to remove Youndoo from the system. As for those looking for a quick removal solution, we can recommend Reimage, a program which will ensure the full removal of this potentially unwanted program.

Youndoo virus is a sneaky browser hijacker which enters computers without asking the user's permission and creates fake Chrome and Firefox profiles to control the browser.

In comparison to other browser hijackers that are overcrowded with unnecessary shopping and gaming platforms, Youndoo does not seem suspicious at all. Its style is specifically designed to create a sense of reliability. Nonetheless, this impression is instantly shattered once you start using this website as a regular search engine. First of all, you will notice its hideous tendency to drop you off on questionable domains [2]. It wouldn’t be such an annoying issue if not for its potential damage. In other words, the redirect scope is not limited to advertising domains alone, but may include unreliable web pages with potentially malicious content as well. Thus, if the malware lurking out there infects your computer, your system programs may start malfunctioning or fake system error messages may begin popping up everywhere. Therefore, it would be wise to start Youndoo removal immediately.

In addition, the site collects specific non-personally identifiable information. The site’s Privacy Policy states that the search engine compiles the computer’s IP address, web browser type, the date and time of the request, the amount of data transferred, the internet address from where the site or file was retrieved or the desired function was requested, etc. This information is used for statistical purposes. Youndoo employs Google Analytics to process this data. The problem is that the website is supported by third parties as well. Thus, if they get hold of the previously mentioned data, your browser may be bombarded with customized and specifically targeted ads [3]. Consequently, the probability that you click on these pay-per-click [4] commercial offers doubles. The worst part is, while the owners of these ads receive a benefit, you get nothing. Another highly detested feature of Youndoo malware is that it employs additional software to help it with its shady activities. Alternatively called “helper objects,” these programs are primarily responsible for fortifying the position of the hijacker on the computer. As a result of their activity, you might encounter difficulties removing the hijacker on the first attempt. Since these files are scattered across the system, uninstalling Youndoo from the primary browser settings is not enough to completely banish this virus from the computer. In addition, they might also create loopholes for other unnecessary browser extensions and plug-ins to secretly enter and settle on the computer.

Update October 2016: Hijacker now creates a fake Chrome profile


Youndoo developers do not step back and continue to improve the hijacker by introducing another feature which helps to place and keep this shady marketing platform on the infected browser’s homepage. This feature involves creating a fake Google Chrome profile and running all of the Internet traffic through it [5]. So as not to look too suspicious, the hijacker transfers some of the user’s original content, such as extensions and browsing history, to the new profile, but replaces the default search engine and homepage with its own. Besides, this new alteration also prevents users from changing the undesirable settings back to the regular ones, even if the new profile is deleted. Instead, the hijacker reappears every time the browser is restarted. To find out whether your browser is being manipulated by this sneaky infection, you should go to the browser’s settings and pay attention to the section “People.” A legitimate Google Chrome profile will feature a blue user icon with your chosen name or “Person1” if you are not logged in. The fake profile will most likely go under the name “user0”, which will appear next to the current user. Plus, you will notice that the icon is grey instead of the regular blue. You should react immediately if you notice such changes and initiate an antivirus scan.

Update February 2017: virus is caught creating additional Firefox profiles

Just a few months ago, Youndoo began terrorizing Chrome users by creating fake profiles in this browser and gaining control over its settings. It seems that now the hackers have turned their full attention to Mozilla Firefox. The virus sticks to its old ways of creating additional profiles and typically labels them as “Firefox Default” [6]. In a way, this makes it easier to remove the virus, since you simply have to delete the undesirable profile from the list of profiles and set the “default” one instead. Unfortunately, this is not the only addition that Youndoo creators have implemented in the newest version of this malware. The virus is now able to schedule tasks that will automatically run every couple of hours, downloading updates or reinstalling the virus after attempts at removal. It might be difficult to notice such processes because the virus will try to run them silently in the background of your system. Thus, you can make yourself feel more secure by running regular scans of your system and allowing antivirus utilities to take care of the potentially malicious components automatically.
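The two profile tricks described in the October 2016 and February 2017 updates can be checked without opening the browser. The following is an added example, not code from the original guide: it reads Chrome's Local State file and Firefox's profiles.ini and flags the profile names the article mentions (“user0” and “Firefox Default”). The sample file contents are constructed, and matching on the name alone is an assumption taken from the article's description.

```python
import configparser
import json

# Names the article associates with the hijacker's fake profiles.
SUSPECT_CHROME_NAME = "user0"
SUSPECT_FIREFOX_NAME = "firefox default"

# Constructed sample inputs (not taken from a real infection).
# Usual real locations on Windows:
#   %LOCALAPPDATA%\Google\Chrome\User Data\Local State
#   %APPDATA%\Mozilla\Firefox\profiles.ini
SAMPLE_LOCAL_STATE = json.dumps({
    "profile": {"info_cache": {
        "Default": {"name": "Person 1"},
        "Profile 1": {"name": "user0"},
    }}
})
SAMPLE_PROFILES_INI = """
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=Firefox Default
IsRelative=1
Path=Profiles/efgh5678.Firefox Default
"""


def chrome_profiles(local_state_text):
    """Return (directory, display name) for each profile in Local State."""
    state = json.loads(local_state_text)
    cache = state.get("profile", {}).get("info_cache", {})
    return [(directory, info.get("name", "")) for directory, info in cache.items()]


def firefox_profiles(profiles_ini_text):
    """Return (name, path, is_default) for each [ProfileN] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(profiles_ini_text)
    found = []
    for section in parser.sections():
        if section.lower().startswith("profile"):
            entry = parser[section]
            found.append((entry.get("Name", ""), entry.get("Path", ""),
                          entry.get("Default", "0") == "1"))
    return found


def suspicious_profiles(local_state_text, profiles_ini_text):
    """Flag profiles whose names match the ones described in the article."""
    findings = []
    for directory, name in chrome_profiles(local_state_text):
        if SUSPECT_CHROME_NAME in (directory.lower(), name.lower()):
            findings.append(("chrome", name, directory))
    for name, path, _is_default in firefox_profiles(profiles_ini_text):
        if name.strip().lower() == SUSPECT_FIREFOX_NAME:
            findings.append(("firefox", name, path))
    return findings


if __name__ == "__main__":
    for finding in suspicious_profiles(SAMPLE_LOCAL_STATE, SAMPLE_PROFILES_INI):
        print(finding)
```

To check a real machine, pass the text of the two files instead of the samples; a hit is a reason to run a scan, not proof of infection.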

Methods of browser hijacker distribution:

This program spreads using software bundling technique, so when you are about to install new software, opt for “Custom/Advanced” settings. Only when you are sure that no attachments are pre-marked, finish the installation. Lastly, taking a glance at privacy policies and reading user reviews might also be useful in identifying whether this search engine is reliable or not. Please do not blindly rely on recommended installation settings (“Default/Standard/Basic”), because you might miss these offers and lose the opportunity to reject them.

Another suspicious method that helps to implement the hijack is called DLL hijacking. This method was discovered in August 2016. It appears that this browser hijacker is being distributed in the form of a bogus Wtsapi32.dll file. The original Wtsapi32.dll is an essential system file which is required to load a web browser fully. When the browser hijacker drops a fake Wtsapi32.dll file in the browser’s folder, Windows loads it instead of the original file that is located in the C:\Windows\System32 folder. This DLL file alters the Windows Registry and makes the browser open a specified web page instead of the default one. To fix this problem, the user needs to remove the wtsapi32.dll file from the application folders of Google Chrome, Mozilla Firefox, and other affected browsers. That can also be done using malware removal programs.

Tactics that will help you remove hijacker in no time:

To remove Youndoo virus from your computer within a few minutes, you should choose the automatic removal option and install an anti-spyware program. To make sure that it protects you from other PUPs and viruses, we recommend updating it regularly. Keep in mind that a proper security program is not only necessary but also vital to the general protection of your computer. However, if you don’t want to install additional software on your computer, you can also perform the manual removal procedure. Make sure you go through each removal step carefully to prevent the reappearance of this browser hijacker.

You can remove virus damage automatically with the help of one of these programs: Reimage, SpyHunter 5, Combo Cleaner, Malwarebytes. We recommend these applications because they detect potentially unwanted programs and viruses with all their files and registry entries that are related to them.


To remove Youndoo, follow these steps:

Eliminate Youndoo from Windows systems

Though it might seem rational to remove the fake Chrome profile from your infected browser first, this step is not necessary. The fake profile can be eliminated by resetting the browser. But don’t forget that you have to delete the hijacker from your computer first. As we have mentioned, the virus runs on a fake Wtsapi32.dll file which you have to terminate in order to stop the virus resetting your homepage and default search engine. Please NOTE that you should be very careful not to delete the legitimate system file that goes by the same name! You should investigate the virus description before you do that and, ideally, scan the file with an antivirus scanner. In the Add/Remove programs list, you should also look for entries called youndoo – Uninstall, youndoo 1.0, or similar ones, and delete them.

  1. Click Start -> Control Panel -> Programs and Features (if you are a Windows XP user, click on Add/Remove Programs).
  2. If you are a Windows 10 / Windows 8 user, right-click in the lower left corner of the screen. Once the Quick Access Menu shows up, select Control Panel and Uninstall a Program.
  3. Uninstall Youndoo and related programs
    Here, look for Youndoo or any other recently installed suspicious programs.
  4. Uninstall them (right-click each suspicious entry and select 'Uninstall') and click OK to save these changes.
  5. Remove Youndoo from Windows shortcuts
    Right-click on the shortcut of Mozilla Firefox and select Properties.
  6. Go to the Shortcut tab and look at the Target field. Delete the malicious URL that is related to your virus.

Repeat steps that are given above with all browsers' shortcuts, including Internet Explorer and Google Chrome. Make sure you check all locations of these shortcuts, including Desktop, Start Menu and taskbar.
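The fake Wtsapi32.dll described under the distribution methods, and the warning at the top of this section about not touching the legitimate system file, suggest a read-only check before anything is deleted. The following is an added example, not part of the original guide: it lists every wtsapi32.dll found under browser application folders and compares its hash with the System32 copy, without removing anything. The folder list is an assumption about typical install paths.

```python
import hashlib
import os

DLL_NAME = "wtsapi32.dll"

# Assumed typical install locations; adjust them for the machine being checked.
DEFAULT_BROWSER_DIRS = [
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    r"C:\Program Files\Mozilla Firefox",
    r"C:\Program Files (x86)\Mozilla Firefox",
]
# The legitimate file named in the article. It is only read, never modified.
SYSTEM_COPY = r"C:\Windows\System32\wtsapi32.dll"


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_browser_dll_copies(browser_dirs, system_copy=SYSTEM_COPY):
    """Return one record per wtsapi32.dll found under the browser folders.

    same_as_system is True/False when the system copy can be read and None
    when it cannot. Even an identical copy deserves a look, because the
    article explains that the copy in the browser folder is loaded first.
    """
    system_hash = sha256_of(system_copy) if os.path.isfile(system_copy) else None
    findings = []
    for root in browser_dirs:
        # os.walk silently yields nothing for folders that do not exist.
        for folder, _subdirs, files in os.walk(root):
            for name in files:
                if name.lower() != DLL_NAME:
                    continue
                path = os.path.join(folder, name)
                file_hash = sha256_of(path)
                findings.append({
                    "path": path,
                    "sha256": file_hash,
                    "same_as_system": (None if system_hash is None
                                       else file_hash == system_hash),
                })
    return findings


if __name__ == "__main__":
    for hit in find_browser_dll_copies(DEFAULT_BROWSER_DIRS):
        print(hit)
```

Because the scan never walks C:\Windows, it cannot point at the legitimate system file; submit any reported path to an antivirus scanner before removing it.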

Remove Youndoo from Mac OS X system

In case your Mac OS X has been infected with Youndoo and you see that a “user0” profile has replaced your regular Chrome profile, you shouldn’t rush to eliminate this new profile from your browser directly. Instead, look through your recently installed programs, delete software that looks suspicious (youndoo – Uninstall, youndoo 1.0 or similar applications) and reset your browser. The instructions below will explain how this should be done step-by-step.

  1. If you are using OS X, click the Go button at the top left of the screen and select Applications.
  2. Wait until you see the Applications folder and look for Youndoo or any other suspicious programs in it. Now right-click on every such entry and select Move to Trash.

Delete Youndoo from Internet Explorer (IE)

  1. Remove dangerous add-ons
    Open Internet Explorer, click on the Gear icon (IE menu) in the top right corner of the browser and choose Manage Add-ons.
  2. You will see a Manage Add-ons window. Here, look for Youndoo and other suspicious plugins. Disable these entries by right-clicking each of them and selecting Disable.
  3. Change your homepage if it was altered by the virus:
    Click on the gear icon (menu) in the top right corner of the browser and select Internet Options. Stay in the General tab.
  4. Here, remove the malicious URL and enter your preferred domain name. Click Apply to save changes.
  5. Reset Internet Explorer
    Click on the gear icon (menu) again and select Internet options. Go to the Advanced tab.
  6. Here, select Reset.
  7. When in the new window, check Delete personal settings and select Reset again to complete removal.

Get rid of Youndoo from Microsoft Edge

Reset Microsoft Edge settings (Method 1):

  1. Launch the Microsoft Edge app and click More (three dots at the top right corner of the screen).
  2. Click Settings to open more options.
  3. Once the Settings window shows up, click the Choose what to clear button under the Clear browsing data option.
  4. Here, select everything that you want to remove and click Clear.
  5. Now you should right-click on the Start button (Windows logo). Here, select Task Manager.
  6. When in the Processes tab, search for Microsoft Edge.
  7. Right-click on it and choose the Go to details option. If you can’t see the Go to details option, click More details and repeat the previous steps.
  8. When the Details tab shows up, find every entry with the Microsoft Edge name in it. Right-click on each of them and select End Task to end these entries.

Resetting Microsoft Edge browser (Method 2):

If Method 1 failed to help you, you need to use an advanced Edge reset method.

  1. Note: you need to back up your data before using this method.
  2. Find this folder on your computer: C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe.
  3. Select every entry saved in it, right-click and choose the Delete option.
  4. Click the Start button (Windows logo) and type window power in the Search my stuff line.
  5. Right-click the Windows PowerShell entry and choose Run as administrator.
  6. Once the Administrator: Windows PowerShell window shows up, paste this command line after PS C:\WINDOWS\system32> and press Enter:
    Get-AppXPackage -AllUsers -Name Microsoft.MicrosoftEdge | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml" -Verbose}

Once these steps are finished, Youndoo should be removed from your Microsoft Edge browser.

Uninstall Youndoo from Mozilla Firefox (FF)

To remove the fake Youndoo profile from your Mozilla Firefox browser, you should first terminate every process that is running on your computer and then open the Run box by simultaneously pressing the R and Windows keys. In the command window, enter Firefox -P, which will then open the Firefox profile manager. In the new window, select “Firefox Default” and click Delete Profile. In the pop-up window, select the option “Delete files”. When you are back in the profile selection window, select “default” or your preferred profile and mark the box saying “Use the selected profile without asking at startup”. Finally, hit the Start Firefox button. The browser should open your chosen profile and settings. If these steps don’t help you reset your browser, you should follow the instructions presented below.

  1. Remove dangerous extensions
    Open Mozilla Firefox, click on the menu icon (top right corner) and select Add-ons -> Extensions.
  2. Here, select Youndoo and other questionable plugins. Click Remove to delete these entries.
  3. Change your homepage if it was altered by the virus:
    Click on the menu (top right corner), choose Options -> General.
  4. Here, delete the malicious URL from the Home Page section and enter your preferred website or click Restore to Default.
  5. Click OK to save these changes.
  6. Reset Mozilla Firefox
    Click on the Firefox menu on the top left and click on the question mark. Here, choose Troubleshooting Information.
  7. Now you will see the Reset Firefox to its default state message with the Reset Firefox button. Click this button several times to complete removal.

Erase Youndoo from Google Chrome

To restore the regular settings of your Google Chrome, enter Chrome’s settings panel and find the section labeled “People”. Under this section, you will see all profiles that have been created in your browser. You should select the entry called user0 and delete it. Then, unmark the option “Allow anyone add a person to Chrome” and select your preferred profile as your default one.

  1. Delete malicious plugins
    Open Google Chrome, click on the menu icon (top right corner) and select Tools -> Extensions.
  2. Here, select Youndoo and other malicious plugins and click the trash icon to delete these entries.
  3. Change your homepage and default search engine if they were altered by your virus
    Click on the menu icon and choose Settings.
  4. Here, look for Open a specific page or set of pages under the On startup option and click on Set pages.
  5. Now you should see another window. Here, delete malicious search sites (click 'X' to remove them) and enter the one that you want to use as your homepage.
  6. Click on the menu icon again and choose Settings -> Manage Search engines under the Search section.
  7. When in Search Engines..., remove malicious search sites by clicking 'X'. You should leave only Google or your preferred domain name.
  8. Reset Google Chrome
    Click on the menu icon on the top right of your Google Chrome and select Settings.
  9. Scroll down to the end of the page and click on Reset browser settings.
  10. Click Reset to confirm this action and complete removal.

Eliminate Youndoo from Safari

  1. Remove dangerous extensions
    Open the Safari web browser and click on Safari in the menu at the top left of the screen. Once you do this, select Preferences.
  2. Here, select Extensions and look for Youndoo or other suspicious entries. Click on the Uninstall button to get rid of each of them.
  3. Change your homepage if it was altered by the virus:
    Open your Safari web browser and click on Safari in the menu section. Here, select Preferences as described previously and select General.
  4. Here, look at the Homepage field. If it was altered by Youndoo, remove the unwanted link and enter the one that you want to use for your searches. Remember to include the "http://" before typing in the address of the page.
  5. Reset Safari
    Open the Safari browser and click on Safari in the menu section at the top left of the screen. Here, select Reset Safari....
  6. Now you will see a detailed dialog window filled with reset options. All of those options are usually checked, but you can specify which of them you want to reset. Click the Reset button to complete the removal process.

About the author

Julie Splinters - Malware removal specialist


  1. Claire says:
    June 17th, 2016 at 4:19 am

    A hijacker after hijacker…

  2. Mindy21 says:
    June 17th, 2016 at 4:21 am

    This one is less damaging than the rest. It uses google search, though the redirects might be a pain in the neck.

  3. Georgina says:
    June 17th, 2016 at 4:23 am

    At least, it's not difficult to delete it.
