
Remove Yessearches.com Virus from Chrome, Firefox and Internet Explorer

A notorious browser hijacking application has reportedly become even more popular, making it one of the top 4000 websites by traffic at this moment. The application aims to heavily modify the computer it is installed on, changing various settings and obtaining different user information. It not only tampers with the Windows registry but also creates multiple files, which may result in changes to the web browsers' pages, suspicious browser ads, redirects and even system crashes and freezes. All users affected by the Yessearches menace should immediately focus on removing it from their computer; instructions for doing so can be found in this article.

Threat Summary

Name: Yessearches
Type: Browser Hijacker, PUP
Short Description: Your browsers will have their homepage, search engine and new tab settings set to Yessearches.com.
Symptoms: The homepage, new tab, and search engine of Google Chrome, Internet Explorer and Mozilla Firefox browsers are changed. An extension of the hijacker can be installed in them. Possible pop-up ads and browser redirects.
Distribution Method: Freeware Installations, Bundled Packages

Yessearches.com – Means Of Distribution

To get installed on users' computers, Yessearches relies on a very widespread marketing technique: bundling. This means Yessearches is included in the installer of another program downloaded by the user. Such "bundled" programs are usually offered on third-party websites that provide free downloads of different software. Once users download the software and run its installer, they tend to miss the step that prompts them to add the application as a free extra.

Such steps are usually found in the "Custom" or "Advanced" installation options, and sometimes they are not shown at all. Instead, the presence of such applications may simply be mentioned in the EULA of the freeware. Users are advised to take extreme caution in the future and always check every installation thoroughly.

Yessearches.com – Technical Analysis

Upon installation, Yessearches Hijacker creates these files in the following Windows directories:

In %ProgramFiles%\Claqogeheqther\:
  • Clqvrfsrv.exe
  • Clqvrftsk.exe

In %Windir%\Tasks\:
  • Claqogeheqther Verfier.job

In %ProgramFiles%\yesbnd\:
  • Uninst.exe
  • \dmp\Clqvrfsrv.exe
  • \dmp\Clqvrftsk.exe

Source: Symantec

The Yessearches.com software may also modify various settings of the affected computer by creating new keys and values with custom data in the Windows Registry:

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  Uninstall – cos\"UninstallString" = ""%ProgramFiles%\yesbnd\Uninst.exe" /cf={A16B1AF7-982D-40C3-B5C1-633E1A6A6678}"
  Uninstall – cos\"DisplayIcon" = "%ProgramFiles%\yesbnd\Uninst.exe"
  Uninstall – cos\"DisplayName" = "yessearches – Uninstall"

In HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"hp" = "http://www.yessearches.com/?ts=AHEqAXApBH0oBk..&v=20160504&uid=2BFD730887F2E94280C04291F45773E1&ptid=cos&mode=ffsengext"
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"tab" = "http://www.yessearches.com/?ts=AHEqAXApBH0oBk..&v=20160504&uid=2BFD730887F2E94280C04291F45773E1&ptid=cos&mode=ffsengext"
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"sp" = "http://www.yessearches.com/chrome.php?uid=2BFD730887F2E94280C04291F45773E1&ptid=cos&q={searchTerms}&ts=AHEqAXApBH0oBk..&v=20160504&mode=ffsengext"
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"surl" = "http://www.yessearches.com/chrome.php?uid=2BFD730887F2E94280C04291F45773E1&ptid=cos&ts=AHEqAXApBH0oBk..&v=20160504&mode=ffexttoolbar&q="
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"uid" = "2BFD730887F2E94280C04291F45773E1"
  {EB52F1AB-3C2B-424F-9794-833C687025CF}\"s" = "HtTp://dxe9i1qsfz3r2.cloudfront.net/v4/ggggggsite/%s?update0=version,%s&update1=sys,%s&update4=ref,%s&update5=mode,%s&update6=sys0,%s&update7=sys1,%s&update8=sys2,%s&update9=sys3,%s&update10=sys4,%s"

In HKEY_LOCAL_MACHINE\SOFTWARE\yessearchesSoftware\yessearcheshp\
  "oem" = "cos"

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  Clqvrfsrv\"Type" = "110"
  Clqvrfsrv\"Start" = "2"
  Clqvrfsrv\"ErrorControl" = "1"

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Clqvrfsrv\
  "ImagePath" = ""%ProgramFiles%\Claqogeheqther\Clqvrfsrv.exe" {79740E79-A383-47A7-B513-3DF6563D007F} {A16B1AF7-982D-40C3-B5C1-633E1A6A6678}"
  "DisplayName" = "Claqogeheqther Verfier"
  "ObjectName" = "LocalSystem"
  "Description" = "Keep Claqogeheqther in profect condition."
  Security\"Security" = "[HEXADECIMAL VALUE]"
  Enum\"0" = "Root\LEGACY_CLQVRFSRV\0000"
  Enum\"Count" = "1"
  Enum\"NextInstance" = "1"

From what it seems, these registry entries may give the Yessearches browser hijacker the closest thing to escalated privileges on your computer, allowing it to change web browser settings and make other modifications as well.

Furthermore, when the Yessearches website was checked, it was immediately apparent that it aims to resemble a legitimate search engine but uses other search providers to display its results. It is also important to know that the search engine uses a large number of different cookies, which is rather unorthodox for search engines, especially when the connection to them is not HTTPS.


In addition, the hoax search engine displays advertisements for various third-party software providers. This is the primary menace associated with the Yessearches.com browser hijacker, since third-party websites may conceal different dangers to users:

  • URLs containing malicious JavaScripts.
  • URLs containing Exploit Kits.
  • URLs containing Ransomware, Trojans and other malware inserted via drive-by downloads.
  • URLs, which may redirect the user to scamming websites which aim to collect financial information, for example, Phishing web pages or tech support scams.

This is the main reason why experts advise removing unwanted ad-supported applications like the Yessearches browser hijacker. They may not be malware that directly affects your information; however, this hijacker may have the capability to indirectly infect your device. The company even admits the lack of control in its privacy policy.

Remove Yessearches.com Browser Hijacker Permanently

If you have seen symptoms of this software being active on your computer, you should act swiftly to remove it. First, check for malicious processes run by Yessearches(.)com. Look up the executables' names and locations in the technical analysis above and, if they are actively running as processes, try to stop them in the Windows Task Manager. You can open the Task Manager by pressing Windows Button+R, typing "taskmgr" and then clicking OK.
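The check described above can be scripted. The following read-only PowerShell audit is an added example, not part of the original article or any vendor tool; it looks only for the file, process, service and registry names listed in the Technical Analysis. Checking the 32-bit locations (Program Files (x86), WOW6432Node) on 64-bit Windows is an assumption, since the article lists only the generic paths.

```powershell
# Read-only audit: reports Yessearches artifacts, stops and deletes nothing.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Item) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item })
}

# Files listed in the Technical Analysis, relative to each Program Files root.
# Assumption: the (x86) root is checked too on 64-bit systems.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$relative = 'Claqogeheqther\Clqvrfsrv.exe', 'Claqogeheqther\Clqvrftsk.exe',
            'yesbnd\Uninst.exe', 'yesbnd\dmp\Clqvrfsrv.exe', 'yesbnd\dmp\Clqvrftsk.exe'
$paths = @(foreach ($r in $roots) { foreach ($p in $relative) { Join-Path $r $p } })
$paths += Join-Path $env:windir 'Tasks\Claqogeheqther Verfier.job'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p }
}

# Running processes with the executables' names.
Get-Process -Name 'Clqvrfsrv', 'Clqvrftsk' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' ('{0} (PID {1})' -f $_.ProcessName, $_.Id) }

# Auto-start service running as LocalSystem.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Clqvrfsrv'
$svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
if ($svc) {
    Add-Finding 'Service' ('Clqvrfsrv Start={0} ImagePath={1}' -f $svc.Start, $svc.ImagePath)
}

# Registry keys; WOW6432Node is an assumption for 64-bit systems.
foreach ($sw in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    foreach ($k in "HKLM:\$sw\yessearchesSoftware\yessearcheshp",
                   "HKLM:\$sw\Mozilla\Firefox\{EB52F1AB-3C2B-424F-9794-833C687025CF}") {
        if (Test-Path -LiteralPath $k) { Add-Finding 'Registry key' $k }
    }
    # Match the uninstall entry by its UninstallString rather than by key name.
    Get-ChildItem -LiteralPath "HKLM:\$sw\Microsoft\Windows\CurrentVersion\Uninstall" `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('UninstallString') -like '*\yesbnd\Uninst.exe*' } |
        ForEach-Object { Add-Finding 'Uninstall entry' $_.Name }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed Yessearches artifacts were found.' }
```

Run it from an elevated PowerShell prompt so the service and HKLM keys are readable; an empty result only means the specific names from this article are absent.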

Since manual removal involves risky tampering with the Windows registry, we advise either backing up your data or using advanced anti-malware software to delete every file and other object associated with Yessearches.com. Having such a program also helps ensure that you detect other malware that may be installed on your computer.

Manually delete Yessearches from Windows and your browser

Note! Important notice about the Yessearches threat: manual removal of Yessearches requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Remove or Uninstall Yessearches in Windows
2. Remove Yessearches from Your Browser
3. Fix registry entries created by Yessearches on your PC

Automatically remove Yessearches by downloading an advanced anti-malware program

1. Remove Yessearches with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against attacks related to Yessearches in the future
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
