Yontoo Adware

By LoneStar in Adware | 249 views

Yontoo Adware Description


The Presence of Yontoo Adware is Linked to the Use of a Particular Freeware Application

There have been many reports of computer systems showing constant advertisements due to a Yontoo Adware infection. Although these kinds of applications are often installed with the full knowledge that they will display advertisements, ESG security analysts have also received reports of severe virus and Trojan infections contracted from advertisements that Yontoo Adware displays. Basically, the Yontoo application is installed as a condition of installing an application known as PageRage, which is designed to overlay designs on top of Facebook's profile pages, in essence allowing computer users to customize the look of their Facebook wall, profile and Timeline.

PageRage's manufacturers claim that Yontoo Adware is a legitimate way of supporting their software, although it is up to computer users to decide whether the advertisements that Yontoo Adware delivers to the infected computer system are worth being able to tweak the appearance of a Facebook profile. There are several reasons why Yontoo Adware is a form of malware, although this kind of infection may be worth the risk for some computer users. The main danger of installing Yontoo Adware on your computer is the fact that the advertisements this Adware application displays are often gateways towards severe malware infections. Yontoo Adware also has some behaviors that are not compatible with legitimate applications acting in good faith. For example, Yontoo Adware has several embedded tracking and data-collection components that are impossible to disable, and Yontoo Adware is not entirely honest about what it does once installed on the computer user's system.

It is Quite Easy to Contract Further Malware Infections from Yontoo Adware

While Yontoo Adware is limited to your web browser and can be easily quarantined by most security applications, some of the advertisements that Yontoo Adware displays contain extremely dangerous content. Within a short time, fake virus scans and alarming error messages, of the kind most often associated with Trojans that distribute rogue security programs, were observed. Some advertisements that Yontoo Adware displays have also been observed to contain components that attempt to exploit vulnerabilities in Flash and JavaScript in order to inject malware into the victim's computer system.

Type: Adware

How Can You Detect Yontoo Adware?

Yontoo Adware Removal Details

Yontoo Adware typically has the following processes in memory:

  • %Temp%\YontooSetup-Silent.exe
  • %ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll
  • %Temp%\YontooIEClient.dll

Yontoo Adware creates the following files in the system:

  • %Temp%\YontooLayers.crx
  • %Temp%\YontooLayers.pem
  • %Temp%\YontooFFClient.xpi

Yontoo Adware creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\"AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\"Default" = "YontooIEClient"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
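As an added example (not code from the original ESG write-up), the following PowerShell sweep checks a host, read-only, for the files, registry keys and loaded modules listed in the two indicator lists above. The Wow6432Node registry view and the ${env:ProgramFiles(x86)} fallback are assumptions added for 64-bit hosts; the write-up itself names only the locations shown above.

```powershell
# Added example, not part of the original ESG write-up: a read-only sweep for the
# Yontoo Adware indicators listed above (files, registry keys, loaded modules).
# It reports only and deletes nothing. Assumptions: on 64-bit Windows the 32-bit
# COM/BHO keys may sit under Wow6432Node and the runtime under ${env:ProgramFiles(x86)},
# so both views are checked. %Temp% expands for the current user only.

$files = @(
    '%Temp%\YontooSetup-Silent.exe',
    '%ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll',
    '%Temp%\YontooIEClient.dll',
    '%Temp%\YontooLayers.crx',
    '%Temp%\YontooLayers.pem',
    '%Temp%\YontooFFClient.xpi'
)

# Registry keys from the write-up, as provider paths (HKEY_LOCAL_MACHINE -> HKLM:).
$regKeys = @(
    'HKLM:\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}',
    'HKLM:\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}',
    'HKLM:\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Api.1',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Layers',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Classes\AppID\YontooIEClient.DLL',
    'HKLM:\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}',
    'HKLM:\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}',
    'HKLM:\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Layers.1',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}',
    'HKLM:\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}',
    'HKLM:\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}',
    'HKLM:\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Api',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}'
)

$findings = New-Object System.Collections.Generic.List[object]

# File indicators: expand %Temp% / %ProgramFiles%, plus the (x86) fallback on 64-bit hosts.
foreach ($f in $files) {
    $candidates = @([Environment]::ExpandEnvironmentVariables($f))
    if ($f -like '%ProgramFiles%*' -and ${env:ProgramFiles(x86)}) {
        $candidates += $f -replace '^%ProgramFiles%', ${env:ProgramFiles(x86)}
    }
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $findings.Add([pscustomobject]@{ Type = 'File'; Indicator = $p })
        }
    }
}

# Registry indicators: native view and the Wow6432Node view (assumed for 64-bit hosts).
foreach ($k in $regKeys) {
    $views = @($k, ($k -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'))
    foreach ($p in $views) {
        if (Test-Path -LiteralPath $p) {
            $findings.Add([pscustomobject]@{ Type = 'Registry'; Indicator = $p })
        }
    }
}

# Loaded modules: the write-up lists YontooIEClient.dll as resident in memory.
foreach ($proc in (Get-Process)) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -like 'Yontoo*') {
                $findings.Add([pscustomobject]@{
                    Type      = 'LoadedModule'
                    Indicator = "$($proc.ProcessName) (PID $($proc.Id)): $($m.FileName)"
                })
            }
        }
    } catch {
        # Module lists of protected or other users' processes are unreadable without elevation.
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Yontoo Adware indicators found.'
} else {
    $findings | Sort-Object Type, Indicator | Format-Table -AutoSize
}
```

Run it from an elevated prompt so that the module lists of all processes can be read, and repeat it under each user profile that has used the machine, because %Temp% is per-user. The script only enumerates; cleanup is left to the security product so that a false positive on a shared CLSID cannot break anything.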


This entry was last updated on 03/22/13 and posted on 02/17/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.