Yontoo Adware

Yontoo Adware Description


Yontoo is a browser add-on for multiple web browsers (including Internet Explorer and Chrome) that adds a self-described ‘virtual graphic layer’ on top of normal web pages. In most cases this is used to enable certain types of content for the Facebook website, but in some scenarios Yontoo may deliver irrelevant content such as advertisements that interfere with web browsing through their sheer numbers. Although malware researchers haven’t noted any characteristics that would indicate that Yontoo is a serious security threat to your PC, you may wish to be cautious about installing Yontoo and remain alert for potentially negative content that Yontoo may display in your web browser. If you’d like to remove Yontoo from your computer, it’s recommended that you use anti-malware software to ensure the complete removal of all of Yontoo’s components.

Why Yontoo Gives You Reasons to Rage Against the Machine


Yontoo’s browser-specific toolbar is marketed under the name PageRage and must be downloaded manually to be installed on your PC. In most cases, installations of Yontoo occur after you install a related Facebook application that requires Yontoo technology. Yontoo can be used to deliver benign or harmless content, and malware researchers haven’t found any indication that Yontoo will directly attack your PC with the consent of the Yontoo company.

Unfortunately, Yontoo also has a seedier side, as noted below.

Along with its appealing features, Yontoo also may degrade the performance of your PC and use up a significant amount of bandwidth to perform its constant website-layering functions. Yontoo may also be used to display advertisements, sponsored offers, links to unusual sites and other forms of content that aren’t related to your interests. Yontoo is capable of displaying this content in excessive quantities that actually harm your ability to interact with real website content.

Why Yontoo’s Past Should Be of Concern in the Present


Although there have never been reports of serious Yontoo attacks or exploits, widespread and unwanted propagation of Yontoo was reported early in 2012. This indicates that Yontoo is still being packaged with other Facebook applications and, although Yontoo still requires your consent to be installed, may be installed in a somewhat misleading or unnoticeable manner. As long as you pay close attention to installation-related messages when installing browser add-ons or Facebook apps, your computer should be safe from unwanted Yontoo installations.

Yontoo should be easy to detect in your web browser due to its highly visible symptoms, but we don’t recommend that you try to delete Yontoo using its own removal features. Toolbars that are linked to Yontoo have been known to be difficult to remove completely, and scanning your PC with a qualified anti-malware program is likely to be the most expedient solution to a Yontoo problem.

Aliases


  • TROJ_GEN.RCBH1C7 [TrendMicro-HouseCall]
  • Generic5.FR [AVG]
  • Adware/Gaba [Fortinet]
  • AdWare.Win32.Gabpath [Ikarus]
  • Win32:Gabpath-OY [GData]
  • Troj/DwnLdr-JYF [Sophos]
  • Artemis!C03154CDDB74 [McAfee-GW-Edition]
  • TR/ATRAPS.Gen2 [AntiVir]
  • Adware.Win32.Gaba [VIPRE]
  • AdWare.Win32.Gabpath!IK [Emsisoft]


Technical Details


Registry Modifications


Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to back up your Windows Registry first.
  • The following newly produced Registry Keys are:
    AppID\YontooIEClient.DLL
    Software\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}
    SOFTWARE\Classes\YontooIEClient.Api
    SOFTWARE\Classes\YontooIEClient.Api.1
    SOFTWARE\Classes\YontooIEClient.Layers
    SOFTWARE\Classes\YontooIEClient.Layers.1
    SOFTWARE\Microsoft\Tracing\yontoo-07D4_RASAPI32
    SOFTWARE\Microsoft\Tracing\yontoo-07D4_RASMANCS
    SOFTWARE\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASAPI32
    SOFTWARE\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASMANCS
    SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    SOFTWARE\Wow6432Node\Classes\AppID\YontooIEClient.DLL
    SOFTWARE\Wow6432Node\Google\chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
    SOFTWARE\Wow6432Node\Microsoft\Tracing\Yontoo-0554_RASAPI32
    SOFTWARE\Wow6432Node\Microsoft\Tracing\Yontoo-0554_RASMANCS
    SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-07D4_RASAPI32
    SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-07D4_RASMANCS
    SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-0B90_RASMANCS
    SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-1198_RASAPI32
    SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-1198_RASMANCS
    SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooDesktop_RASAPI32
    SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASAPI32
    SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASMANCS
    SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    SOFTWARE\Wow6432Node\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    SYSTEM\ControlSet001\services\Yontoo Desktop Updater
    YontooIEClient.Api
  • The following Uninstaller entry was detected:
    HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
  • The following newly produced Registry Values are:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\"AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\"Default" = "YontooIEClient"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\"Default" = "1"
  • The following CLSIDs were detected:
    {9307081B-7444-494C-8CF6-2FA7C0E92BFB}
    {9D9785E5-3424-40B6-A287-BA143AD53109}
    {7E84186E-B5DE-4226-8A66-6E49C6B511B4}
    {CFDAFE39-20CE-451D-BD45-A37452F39CF0}
    {D372567D-67C1-4B29-B3F0-159B52B3E967}
    {889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    {FE9271F2-6EFD-44b0-A826-84C829536E93}
    {DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    {10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    {FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    {1AD27395-1659-4DFF-A319-2CFA243861A5}
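A read-only check for the registry artifacts listed above, added here as a PowerShell example and not code from the original page or the Yontoo vendor. It tests the listed keys and CLSIDs under HKLM, matches the per-run tracing keys by prefix, confirms the recorded AppID value, and reports hits without deleting anything; checking the service under CurrentControlSet rather than the page’s ControlSet001 is an assumption.

```powershell
# Added example (PowerShell), not code from the original page: a read-only check
# for the Yontoo registry artifacts listed above. It reports what is present and
# deletes nothing; cleanup is left to an anti-malware scanner, as the page advises.
# Assumptions: the listed keys live under HKLM, and the service is checked under
# CurrentControlSet rather than the page's ControlSet001.
function Test-YontooArtifacts {
    $sw = 'HKLM:\SOFTWARE'
    $keys = @(
        "$sw\Classes\AppID\YontooIEClient.DLL",
        "$sw\Wow6432Node\Classes\AppID\YontooIEClient.DLL",
        "$sw\Classes\YontooIEClient.Api",
        "$sw\Classes\YontooIEClient.Layers",
        "$sw\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}",
        "$sw\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}",
        "$sw\Wow6432Node\Google\chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc",
        "$sw\Wow6432Node\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}",
        'HKLM:\SYSTEM\CurrentControlSet\Services\Yontoo Desktop Updater'
    )
    # CLSIDs from the page, checked in both the native and the Wow6432Node class hives.
    $clsids = '{9307081B-7444-494C-8CF6-2FA7C0E92BFB}', '{9D9785E5-3424-40B6-A287-BA143AD53109}',
              '{7E84186E-B5DE-4226-8A66-6E49C6B511B4}', '{CFDAFE39-20CE-451D-BD45-A37452F39CF0}',
              '{D372567D-67C1-4B29-B3F0-159B52B3E967}', '{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
              '{FE9271F2-6EFD-44b0-A826-84C829536E93}', '{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}',
              '{10DE7085-6A1E-4D41-A7BF-9AF93E351401}', '{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}',
              '{1AD27395-1659-4DFF-A319-2CFA243861A5}', '{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}'
    foreach ($c in $clsids) {
        $keys += "$sw\Classes\CLSID\$c"
        $keys += "$sw\Classes\Wow6432Node\CLSID\$c"
    }
    # -LiteralPath keeps the braces in the GUIDs from being read as path syntax.
    $hits = @(foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $k } })

    # The tracing keys carry a changing hex suffix (yontoo-07D4, YontooSetup-Silent-0CC4, ...),
    # so they are matched by prefix instead of being listed one by one. -like is case-insensitive.
    foreach ($t in "$sw\Microsoft\Tracing", "$sw\Wow6432Node\Microsoft\Tracing") {
        if (Test-Path -LiteralPath $t) {
            $hits += @(Get-ChildItem -LiteralPath $t |
                Where-Object { $_.PSChildName -like 'yontoo*' } |
                Select-Object -ExpandProperty Name)
        }
    }

    # The AppID value the page records for the IE client, checked by value rather than key name.
    $appId = Get-ItemProperty -LiteralPath "$sw\Classes\AppID\YontooIEClient.DLL" -ErrorAction SilentlyContinue
    if ($appId.AppID -eq '{CFDAFE39-20CE-451D-BD45-A37452F39CF0}') {
        $hits += "$sw\Classes\AppID\YontooIEClient.DLL\AppID = $($appId.AppID)"
    }
    return $hits
}

$found = Test-YontooArtifacts
if ($found.Count -gt 0) { 'Yontoo registry artifacts present:'; $found } else { 'No Yontoo registry artifacts found.' }
```

Reading HKLM does not require elevation, so the check can run under a standard user account; an empty result only means none of the listed keys exist, not that other Yontoo components are absent.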

Additional Information

  • The following URL's were detected:
    yontoo.com
Posted: February 17, 2012
Threat Metric
Threat Level: 2/10
Detection Count: 672,511
