Yontoo Layers

Yontoo Layers Description

There have been many reports of computer systems showing constant advertisements due to a Yontoo adware infection. Although these kinds of applications are often installed with the full knowledge that they will display advertisements, ESG security analysts have also received reports of severe virus and Trojan infections contracted from advertisements that Yontoo displays. Yontoo is installed as a requirement of installing PageRage, an application designed to overlay designs on top of Facebook's profile pages, allowing computer users to customize their Facebook wall, profile and Timeline and make them more attractive.

PageRage's manufacturers claim that Yontoo is a legitimate way of supporting their software, although it is up to computer users to decide whether the advertisements that Yontoo delivers to the computer system are worth being able to tweak the appearance of a Facebook profile. There are several reasons why Yontoo is considered a form of adware, although this kind of infection may be worth the risk for some computer users. The main issue with installing Yontoo on your computer is that the advertisements Yontoo displays may lead to undesirable sites. Yontoo also exhibits behaviors that are not consistent with an application acting in good faith. For example, Yontoo has several embedded tracking and data-collection components that may be difficult to disable, and Yontoo is not entirely honest about what it does once installed on the computer user's system. While Yontoo Layers is limited to your web browser and can be easily quarantined by most security applications, some of the advertisements that Yontoo displays contain questionable content.
Aliases: TROJ_GEN.RCBH1C7 [TrendMicro-HouseCall], Win32:Gabpath-OY [Adw] [Avast], Adware.Gaba!QngOsncZpnk [VirusBuster], not-a-virus:AdWare.Win32.Gaba.njw [Kaspersky], AdWare.Win32.Gabpath!IK [Emsisoft], Adware.Win32.Gaba [VIPRE], TR/ATRAPS.Gen2 [AntiVir], Artemis!C03154CDDB74 [McAfee-GW-Edition], Generic5.FR [AVG], Adware/Gaba [Fortinet], AdWare.Win32.Gabpath [Ikarus], Win32:Gabpath-OY [GData], Troj/DwnLdr-JYF [Sophos], Trojan.Generic.7619581 [nProtect] and W32/Suspicious_Gen4.AIGJQ [Norman].


Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these steps to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another, clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE users: Disable the proxy server for Internet Explorer so that you can browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter, view other possible causes of installation issues.

Technical Information


File System Details

Yontoo Layers creates the following file(s):
# File Name Size MD5 Detection Count
1 %APPDATA%\Yontoo\YontooDesktop.exe 42,784 b67c31c0e28830be1f2e564ef684a138 493
2 %WINDIR%\BOX_cFosTASK.exe 405,218 d692a04e3b0fa1db641ef237fa2ef2e2 201
3 %TEMP%\Soundfx .exe 1,590,784 b218fbe9034245e70ac091167eea7b96 75
4 %APPDATA%\SoundcardAudiocodec.exe 643,072 7beac080a6ea9eee6ae67da366bf0005 30
5 %LOCALAPPDATA%\WideSearch\wsearch.exe 419,840 66529767fe6f9d9c2eb617a733e64c53 20
6 %SystemDrive%\RECYCLER\S-1-5-21-2626416508-434419615-3162726493-1006\$e147bd530acf0dfb79a40265a25de046\n. 51,200 f76f11e753ae6353f56be5b7c0e18d12 18
7 %APPDATA%\Microsoft\Windows\Templates\spsreng.exe 8,192 07f9bf43264060abcd3bb1686b78b66d 18
8 %APPDATA%\Blammi\Blammi.exe 1,687,552 c03154cddb74ccdda551fbbb80628605 14
9 %USERPROFILE%\Desktop\EZ_Sirefix.exe 2,033,481 9eef4ef1cf01c5a6567776a77079230a 6
10 %APPDATA%\Microsoft\Windows\Templates\mscorlib.exe 10,752 4ff56eb620defbbdbc13ff75708c1d81 5
11 %WINDIR%\SysWow64\config\systemprofile\appdata\roaming\adobe\sp.dll 160,256 7cc0fad47e5f5d329394e76935dcc0b0 5
12 %APPDATA%\winhost\winhost.exe 58,368 20c02c85181c98b3f136fba654ade5d6 5
13 %APPDATA%\PhrozenSoft\DCLegacyViewer\DCModule.exe 1,089,024 acd33a57f6bbc9cfdd729fce6fd16387 4
14 %PROGRAMFILES%\Yontoo\Y2Desktop.Updater.exe 23,552 24fb8db6d1d55e2c5d0a53dfe48e6af8 2,633
15 %PROGRAMFILES%\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll 192,960 4f214d5120bdda641b67c9da730ac315 2,522
16 OptChrome.exe N/A
17 %CommonAppData%\Yontoo Layers\YontooIEClient.dll N/A
18 %CommonAppData%\Temp\YontooTix2700750.log N/A
19 %Temp%\YontooSetup-Silent.exe N/A
20 %Temp%\YontooIEClient.dll N/A
21 %Temp%\YontooFFClient.xpi N/A
22 %Temp%\YontooLayers.crx N/A
23 %Temp%\YontooLayers.pem N/A
24 %ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll N/A

Registry Details

Yontoo Layers creates the following registry entry or registry entries:
HKEY..\..\..\..{RegistryKeys}
YontooIEClient.Api
AppID\YontooIEClient.DLL
SOFTWARE\Wow6432Node\Google\chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-0B90_RASMANCS
SOFTWARE\Wow6432Node\Microsoft\Tracing\Yontoo-0554_RASAPI32
SOFTWARE\Wow6432Node\Microsoft\Tracing\Yontoo-0554_RASMANCS
SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooDesktop_RASAPI32
SOFTWARE\Classes\YontooIEClient.Api
SOFTWARE\Classes\YontooIEClient.Api.1
SOFTWARE\Classes\YontooIEClient.Layers
SOFTWARE\Classes\YontooIEClient.Layers.1
SOFTWARE\Wow6432Node\Classes\AppID\YontooIEClient.DLL
SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-1198_RASAPI32
SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-1198_RASMANCS
SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-07D4_RASAPI32
SOFTWARE\Microsoft\Tracing\yontoo-07D4_RASAPI32
SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-07D4_RASMANCS
SOFTWARE\Microsoft\Tracing\yontoo-07D4_RASMANCS
SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASAPI32
SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASMANCS
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
SOFTWARE\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASAPI32
SOFTWARE\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASMANCS
SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Software\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}
SYSTEM\ControlSet001\services\Yontoo Desktop Updater
Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
SOFTWARE\Wow6432Node\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
HKEY..\..\{Value}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\"Default" = "YontooIEClient"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\"AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}"Default" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"
The following CLSIDs were found:

More Details on Yontoo Layers

The following URLs were found:
Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
  • yontoo.com
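
The file and registry artifacts listed above can be checked on a Windows host with a short sweep. The PowerShell script below is an added example, not from the original page or from ESG: the function names are illustrative, only a subset of the listed indicators is included, and because the page does not state the registry hive for most keys, each key is looked up under both HKLM and HKCU (an assumption). Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: sweep the current Windows host for some artifacts listed on this page.
# Paths, hashes and registry keys are copied from the page; function names are illustrative.
# Per-user variables (%APPDATA%, %TEMP%) expand for the account running the script.
$FileIndicators = @(
    @{ Path = '%APPDATA%\Yontoo\YontooDesktop.exe'; MD5 = 'b67c31c0e28830be1f2e564ef684a138' }
    @{ Path = '%PROGRAMFILES%\Yontoo\Y2Desktop.Updater.exe'; MD5 = '24fb8db6d1d55e2c5d0a53dfe48e6af8' }
    @{ Path = '%PROGRAMFILES%\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll'
       MD5  = '4f214d5120bdda641b67c9da730ac315' }
    @{ Path = '%TEMP%\YontooSetup-Silent.exe'; MD5 = $null }   # page gives no hash (N/A)
)
$RegistryIndicators = @(
    'SOFTWARE\Classes\YontooIEClient.Api'
    'SOFTWARE\Classes\YontooIEClient.Layers'
    'SOFTWARE\Classes\AppID\YontooIEClient.DLL'
    'SOFTWARE\Wow6432Node\Google\chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc'
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}'
    'SYSTEM\ControlSet001\services\Yontoo Desktop Updater'
)

function Test-FileIndicator {
    param([hashtable]$Indicator)
    $path = [Environment]::ExpandEnvironmentVariables($Indicator.Path)
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }   # absent: emit nothing
    $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
    # A differing hash still deserves review: the name matches but the build may vary.
    $status = if (-not $Indicator.MD5) { 'present (no reference hash on page)' }
    elseif ($md5 -eq $Indicator.MD5) { 'present, MD5 matches page' }
    else { 'present, MD5 differs from page' }
    [pscustomobject]@{ Type = 'File'; Indicator = $path; Status = $status }
}

function Test-RegistryIndicator {
    param([string]$SubKey)
    # Assumption: the hive is not given for most keys, so both hives are checked.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = '{0}\{1}' -f $hive, $SubKey
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Type = 'Registry'; Indicator = $key; Status = 'present' }
        }
    }
}

$findings = @(
    $FileIndicators     | ForEach-Object { Test-FileIndicator $_ }
    $RegistryIndicators | ForEach-Object { Test-RegistryIndicator $_ }
)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No listed Yontoo Layers artifacts found.' }
```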
