
Deal Keeper

Posted: July 29, 2014

Threat Metric

Ranking: 5,666
Threat Level: 2/10
Infected PCs: 18,840
First Seen: July 17, 2014
Last Seen: October 10, 2023
OS(es) Affected: Windows


Deal Keeper is a derivative of the Yontoo adware and, like Yontoo, modifies your browser's settings so that extra advertisements can be displayed. Although Deal Keeper concentrates its advertisements on online retailer-related content, it may have adverse effects on your browser's stability or safety, and malware researchers find few reasons to refrain from uninstalling it. To be sure of its complete removal, as well as the reversal of any associated browser settings, you may wish to consider using dedicated anti-malware or anti-adware software, which also has the benefit of deleting associated threats (such as adware installers concealed via Trojan droppers).

Buying into a Deal that Downgrades Your Browser

Variants and associated programs for Yontoo products have gone through a wide range of revisions, including SurfEnhance, TornTV Hijacker and, now, Deal Keeper. Despite their changes in brand names, these products always have two primary functions, both of which malware researchers were able to confirm for Deal Keeper:

  • The adware loads pop-up advertisements in a superimposed format above other Web pages. These pop-ups may prevent you from accessing some parts of the website's content or interface. Your Web-browsing behavior may also be tracked so that Deal Keeper and similar adware can provide context-based advertisements.
  • Your Web browser's search settings may be modified to use an alternative search site or to insert extra, 'sponsored' search results. The latter are not always visually distinguishable from native result links.

While malware researchers have watched for potential signs of Deal Keeper using its functions for threatening ends, at present Deal Keeper only loads advertisements for retailers and other shopping-related links. However, adware networks may be compromised by persons who use them to distribute various attacks, which is the predominant reason why removing Deal Keeper is encouraged.

Keeping Your PC Safe from Bad Deals

Deal Keeper is sometimes reported to be installed automatically, which is usually the result of the victim installing a bundle with more than one program's installation routine embedded in it. In the most benign cases, merely identifying offers to install (or avert the installation of) third-party products can help you avoid Deal Keeper. Anti-adware programs should also be able to identify these bundle-based installers, which tend to circulate on freeware websites.

Adware programs like Deal Keeper frequently claim to be simple to uninstall, but refuse to delete their browser-modifying components through normal channels. Instead of hoping that Deal Keeper will delete itself upon request, using professional anti-adware tools can provide all-inclusive software removal that should also restore your browser's behavior to normal. Deal Keeper is confirmed primarily for browsers on Windows, and multiple browser brands are strongly estimated to be affected by current versions of this adware.

Technical Details

File System Modifications


The following files were created in the system:



File name: {55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
Size: 48.78 KB (48784 bytes)
MD5: df715cb572378a993668026621282fab
Detection count: 48
File type: System file
Mime Type: unknown/sys
Path: system32\drivers
Group: Malware file
Last Updated: September 29, 2014

File name: {55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
Size: 61.07 KB (61072 bytes)
MD5: 5eb81e620027c97394b1a2cf1c00c0c9
Detection count: 7
File type: System file
Mime Type: unknown/sys
Path: system32\drivers
Group: Malware file
Last Updated: September 29, 2014

File name: {55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
Size: 48.78 KB (48784 bytes)
MD5: e28a89d82006bc1a0a81d20c16e9518d
Detection count: 7
File type: System file
Mime Type: unknown/sys
Path: system32\drivers
Group: Malware file
Last Updated: September 29, 2014

File name: {55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
Size: 48.78 KB (48784 bytes)
MD5: d695bdb7b1d4746b696232533791a75b
Detection count: 5
File type: System file
Mime Type: unknown/sys
Path: system32\drivers
Group: Malware file
Last Updated: September 29, 2014

Registry Modifications

The following Registry values were newly created:


Additional Information

The following directories were created:
%ALLUSERSPROFILE%\Application Data\d7a0fe93-7bf3-4f3d-89c3-fe4e144b2eb8
%ALLUSERSPROFILE%\d7a0fe93-7bf3-4f3d-89c3-fe4e144b2eb8
%PROGRAMFILES%\Deal Keeper
%PROGRAMFILES(x86)%\Deal Keeper
%TEMP%\Deal Keeper