Yontoo

Updated: October 15, 2014 8:28:35 AM
Type: Potentially Unwanted App
Name: Yontoo
Publisher: Yontoo LLC
Risk Impact: Low
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
This potentially unwanted application must be downloaded and executed manually. It may also arrive bundled with other software.

When the program is executed, it creates the following files:
  • %Temp%\YontooFFClient.xpi
  • %Temp%\YontooIEClient.dll
  • %Temp%\YontooLayers.crx
  • %Temp%\YontooLayers.pem
  • %Temp%\YontooSetup-Silent.exe
  • %ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll

Next, it creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\"AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\"Default" = "YontooIEClient"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\"Default" = "1"

It also creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

The program then installs PageRage, a browser extension that changes the visual skin of Facebook but also displays advertisements that appear to come from Facebook itself.
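The file paths and registry keys listed above are the indicators a responder would check on a suspect host. The following read-only inventory script is an added example, not Symantec's tooling or part of this write-up. It maps %Temp% and %ProgramFiles% to the $env:TEMP and $env:ProgramFiles variables, uses PowerShell's HKLM: drive notation for the HKEY_LOCAL_MACHINE keys, and, as an assumption the write-up does not state, also checks the SOFTWARE\Wow6432Node redirection that a 32-bit installer lands in on 64-bit Windows. It reports what is present and removes nothing.

```powershell
# Added example (not from the Symantec write-up): read-only check for the Yontoo
# artifacts listed in the Technical Details. Run from an elevated PowerShell prompt.

$YontooFiles = @(
    "$env:TEMP\YontooFFClient.xpi",
    "$env:TEMP\YontooIEClient.dll",
    "$env:TEMP\YontooLayers.crx",
    "$env:TEMP\YontooLayers.pem",
    "$env:TEMP\YontooSetup-Silent.exe",
    "$env:ProgramFiles\Yontoo Layers Runtime\YontooIEClient.dll"
)

# Registry keys from the write-up, in HKLM: drive notation.
$YontooKeys = @(
    'HKLM:\SOFTWARE\Classes\AppID\YontooIEClient.DLL',
    'HKLM:\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}',
    'HKLM:\SOFTWARE\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}',
    'HKLM:\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}',
    'HKLM:\SOFTWARE\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}',
    'HKLM:\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Api',
    'HKLM:\SOFTWARE\Classes\YontooIEClient.Layers',
    # Internet Explorer loads every CLSID registered here into the browser process;
    # this is the load point for YontooIEClient.dll.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}',
    # Chrome's machine-wide external-extension registration for Yontoo's extension.
    'HKLM:\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}',
    'HKLM:\SOFTWARE\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}'
)

function Get-YontooArtifact {
    <#
    .SYNOPSIS
    Emits one object per indicator with a Present flag.
    Assumption not stated in the write-up: on 64-bit Windows a 32-bit installer's
    HKLM\SOFTWARE writes are redirected to HKLM\SOFTWARE\Wow6432Node, so each
    key is checked at both locations.
    #>
    [CmdletBinding()]
    param()

    foreach ($path in $YontooFiles) {
        [pscustomobject]@{ Kind = 'File'; Path = $path; Present = (Test-Path -LiteralPath $path) }
    }

    foreach ($key in $YontooKeys) {
        $candidates = @($key)
        if ([Environment]::Is64BitOperatingSystem) {
            $candidates += $key -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'
        }
        foreach ($candidate in $candidates) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Path = $candidate; Present = (Test-Path -LiteralPath $candidate) }
        }
    }

    # The "AppID" value ties the DLL's AppID key to the COM AppID GUID; check its data too.
    $appIdKey = 'HKLM:\SOFTWARE\Classes\AppID\YontooIEClient.DLL'
    if (Test-Path -LiteralPath $appIdKey) {
        $data = (Get-ItemProperty -LiteralPath $appIdKey -ErrorAction SilentlyContinue).AppID
        [pscustomobject]@{
            Kind    = 'RegistryValue'
            Path    = "$appIdKey\AppID"
            Present = ($data -eq '{CFDAFE39-20CE-451D-BD45-A37452F39CF0}')
        }
    }
}

$found = @(Get-YontooArtifact | Where-Object Present)
if ($found.Count -gt 0) {
    Write-Host "Yontoo artifacts present: $($found.Count)"
    $found | Format-Table Kind, Path -AutoSize
} else {
    Write-Host 'No Yontoo artifacts found.'
}
```

Because a Browser Helper Object registration and a machine-wide Chrome extension registration are the two entries that actually cause code to load, a hit on either of those keys matters more than a leftover Tarma Installer product key, which on its own only shows that the installer ran at some point. Several of the systems listed as affected (Windows 95, 98, Me, NT, 2000) do not ship PowerShell; on those, the same paths can be checked by hand in regedit and Explorer.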