Virus: Adware/Yontoo.A.13
Date discovered: 17/01/2012
Type: Adware
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.21.72 - Tuesday, January 17, 2012
IVDF version: 7.11.21.72 - Tuesday, January 17, 2012
General

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Windows Vista
• Windows Server 2008
• Windows 7

Files

The following file is created:
– %PROGRAM FILES%\Yontoo Layers\YontooIEClient.dll

Registry

It registers a browser helper object (BHO) by adding the following keys:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
  • @="Yontoo Layers"
  • "NoExplorer"=dword:00000001
– [HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
  • @="Yontoo Layers"
– [HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32]
  • @="C:\Programme\\Yontoo Layers\\YontooIEClient.dll"
  • "ThreadingModel"="Apartment"
– [HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID]
  • @="YontooIEClient.Layers.1"
– [HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib]
  • @="{D372567D-67C1-4B29-B3F0-159B52B3E967}"
– [HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID]
  • @="YontooIEClient.Layers"
– [HKCR\YontooIEClient.Layers.1]
  • @="Yontoo Layers"
– [HKCR\YontooIEClient.Layers.1\CLSID]
  • @="{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
– [HKCR\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}]
  • @="37af454d-7aee-4647-b526-55739782ced1"
– [HKCR\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
  • @="YontooIEClient"
– [HKCR\AppID\YontooIEClient.DLL]
  • "AppID"="{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"
– [HKCR\YontooIEClient.Api]
  • @="Yontoo Layers Api"
– [HKCR\YontooIEClient.Api\CLSID]
  • @="{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"
– [HKCR\YontooIEClient.Api\CurVer]
  • @="YontooIEClient.Api.1"
– [HKCR\YontooIEClient.Api.1]
  • @="Yontoo Layers Api"
– [HKCR\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
  • @="Yontoo Layers Api"
– [HKCR\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32]
  • @="C:\Programme\\Yontoo Layers\\YontooIEClient.dll"
  • "ThreadingModel"="Apartment"
– [HKCR\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID]
  • @="YontooIEClient.Api"
– [HKCR\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID]
  • @="YontooIEClient.Api.1"
– [HKCR\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib]
  • @="{D372567D-67C1-4B29-B3F0-159B52B3E967}"
– [HKCR\YontooIEClient.Layers]
  • @="Yontoo Layers"
– [HKCR\YontooIEClient.Layers\CLSID]
  • @="{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"
– [HKCR\YontooIEClient.Layers\CurVer]
  • @="YontooIEClient.Layers.1"
– [HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0]
  • @="YontooIEClient 1.0 Type Library"
– [HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\0\win32]
  • @="C:\Programme\\Yontoo Layers\\YontooIEClient.dll"
– [HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS]
  • @="0"
– [HKCR\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR]
  • @="C:\Programme\\Yontoo Layers"
– [HKCR\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}]
  • @="IApi"
– [HKCR\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods]
  • @="16"
– [HKCR\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid]
  • @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32]
  • @="{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
– [HKCR\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib]
  • @="{D372567D-67C1-4B29-B3F0-159B52B3E967}"
  • "Version"="1.0"
– [HKCR\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
  • @="PSFactoryBuffer"
– [HKCR\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32]
  • @="C:\Programme\\Yontoo Layers\\YontooIEClient.dll"
  • "ThreadingModel"="Both"
– [HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
  • @="ILayers"
– [HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\NumMethods]
  • @="7"
– [HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid]
  • @="{00020424-0000-0000-C000-000000000046}"
– [HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32]
  • @="{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"
– [HKCR\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib]
  • @="{D372567D-67C1-4B29-B3F0-159B52B3E967}"
  • "Version"="1.0"
– [HKCR\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
  • @="b351d4c7-84f5-41a5-a6aa-f4837dd8ae49"

The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
  • "UninstallString"="%ALLUSERSPROFILE%\\ANWEND~1\\TARMAI~1\\{889DF~1\\Setup.exe /remove /q0"
  • "QuietUninstallString"="%ALLUSERSPROFILE%\\ANWEND~1\\TARMAI~1\\{889DF~1\\Setup.exe /remove /q"
  • "ModifyPath"="%ALLUSERSPROFILE%\\ANWEND~1\\TARMAI~1\\{889DF~1\\Setup.exe /q0"
  • "Version"=dword:010a0001
  • "VersionMajor"=dword:00000001
  • "VersionMinor"=dword:0000000a
  • "EstimatedSize"=dword:000002c7
  • "Language"=dword:00000409
  • "TSAware"=dword:00000001
  • "TinFolder"="%ALLUSERSPROFILE%\\Anwendungsdaten\\Tarma Installer\\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"
  • "TinVersion"="5021"
  • "InstallDate"="20110906"
  • "InstallLocation"="C:\Program Files\\Yontoo Layers"
  • "InstallSource"="C:\xxx"
  • "DisplayIcon"="%ALLUSERSPROFILE%\\Anwendungsdaten\\Tarma Installer\\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\\Setup.ico"
  • "DisplayName"="Yontoo Layers 1.10.01"
  • "DisplayVersion"="1.10.01"
  • "Publisher"=""
  • "URLInfoAbout"=""
  • "Contact"="support@yontoo.com"
– [HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
  • "path"="C:\Temp\\YontooLayers.crx"
  • "version"="1.0.0"
Backdoor

Contact server:
All of the following:
• www.yontoo.com
• download.yontoo.com
Description inserted by Jan-Eric Herting on Friday, February 17, 2012
Description updated by Andrei Ivanes on Wednesday, April 4, 2012