
Yontoo Adware

Posted: February 17, 2012

Threat Metric

Ranking: 2,933
Threat Level: 2/10
Infected PCs: 297,463
First Seen: August 17, 2010
Last Seen: October 15, 2023
OS(es) Affected: Windows

Yontoo is a browser add-on for multiple types of web browsers (including Internet Explorer and Chrome) that adds a self-described 'virtual graphic layer' on top of normal web pages. In most cases, this is used to enable certain types of content for the Facebook website, but in some scenarios, Yontoo may deliver irrelevant content such as advertisements that interfere with web browsing due to their sheer numbers. Although malware researchers haven't noted any characteristics that would indicate that Yontoo is a serious security threat to your PC, you may wish to be cautious about installing Yontoo and remain alert for potentially negative content that Yontoo may display in your web browser. If you'd like to remove Yontoo from your computer, it's recommended that you use anti-malware software to ensure the complete removal of all of Yontoo's components.

Why Yontoo Gives You Reasons to Rage Against the Machine

Yontoo's browser-specific toolbar is marketed by the name PageRage, and must be downloaded manually to be installed on your PC. In most cases, installations of Yontoo occur after you install a related Facebook application that requires Yontoo technology. Yontoo can be used to deliver benign or harmless content, and malware researchers haven't found any indications that Yontoo will directly attack your PC with the consent of the Yontoo company. Unfortunately, Yontoo also has a seedier side, as noted below.

Along with its appealing features, Yontoo also may degrade the performance of your PC and use up a significant amount of bandwidth to perform its constant website-layering functions. Yontoo may also be used to display advertisements, sponsored offers, links to unusual sites and other forms of content that aren't related to your interests. Yontoo is capable of displaying this content in excessive quantities that actually harm your ability to interact with real website content.

Why Yontoo's Past Should Be of Concern in the Present

Although there have never been reports of serious Yontoo attacks or exploits, widespread and unwanted propagation of Yontoo was reported early in 2012. This indicates that Yontoo is still being packaged with other Facebook applications and, although Yontoo still requires your consent to be installed, may be installed in a somewhat misleading or unnoticeable manner. As long as you pay close attention to installation-related messages when installing browser add-ons or Facebook apps, your computer should be safe from unwanted Yontoo installations.

Yontoo should be easy to detect in your web browser due to its highly visible symptoms, but we don't recommend that you try to delete Yontoo with its included removal features. Toolbars that are linked to Yontoo have been known to be difficult to remove completely, and scanning your PC with a qualified anti-malware program is likely to be the most expedient solution to a Yontoo problem.

Aliases

Generic5.FR [AVG]
Adware/Gaba [Fortinet]
AdWare.Win32.Gabpath [Ikarus]
Win32:Gabpath-OY [GData]
Troj/DwnLdr-JYF [Sophos]
Artemis!C03154CDDB74 [McAfee-GW-Edition]
TR/ATRAPS.Gen2 [AntiVir]
not-a-virus:AdWare.Win32.Gaba.njw [Kaspersky]
Win32:Gabpath-OY [Adw] [Avast]
unknown virus Win32/DH{DwNh} [AVG]
W32/AutoRun.HLP!worm [Fortinet]
Trojan/win32.agent.gen [Antiy-AVL]
TR/Rogue.7619581 [AntiVir]
Win32.HLLW.Autoruner1.17062 [DrWeb]
W32/Autorun.worm.aacz [McAfee]

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:




Registry Modifications

The following Registry values were newly created:


Additional Information

The following directories were created:
%ALLUSERSPROFILE%\9466af57-1f38-4973-ab1c-22f7e17e2d6a
%ALLUSERSPROFILE%\Application Data\9466af57-1f38-4973-ab1c-22f7e17e2d6a
%ALLUSERSPROFILE%\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
%ALLUSERSPROFILE%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
%APPDATA%\Yontoo
%PROGRAMFILES(x86)%\Yontoo
%PROGRAMFILES(x86)%\Yontoo Layers Runtime
%ProgramFiles%\Yontoo
%ProgramFiles%\Yontoo Layers Runtime
%ProgramFiles(x86)%\Yontoo Layers
%TEMP%\YontooLayers
The following URLs were detected:
yontoo.com