Adware.Yontoo (file analysis)

The Adware.Yontoo is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Adware.Yontoo virus can do?

Executable code extraction
Attempts to connect to a dead IP:Port (1 unique times)
Presents an Authenticode digital signature
Creates RWX memory
At least one IP Address, Domain, or File Name was found in a crypto call
Drops a binary and executes it
HTTP traffic contains suspicious features which may be indicative of malware related traffic
Performs some HTTP requests
Creates a copy of itself

Related domains:

ocsp.verisign.com

sf.symcd.com

install.specialboxsite.com

How to determine Adware.Yontoo?


File Info:
crc32: 85ECD906
md5: 937a836155e9a33e9e4902d2953ff167
name: SpecialBoxUninstaller.exe
sha1: 68efd3f9d9abb583bc4c641e68fff296b4acdc08
sha256: 8d0f57057f6fce840502b4e1628a9e16e021c4d4af5eadf4a9f54a895b4d48e3
sha512: b8b319744cbfd3073fe84194d1d60b55d468247ccd60ebc785c2b6a70e05d390e6685353da57c1850cd9c41ca5fb2cc7b6282689ffa9ab8eed6648e4f4036122
ssdeep: 6144:hcnpVZFphwVEufwj1hW6AAgKjIOvuJaL0NVXBVcmiaNbXPpUQ2cQr0tZ5/ai0kPG:hcnpVZFphwVEuIj1hVIeqRa/Qr5pbpc
type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Version Info:
Translation: 0x0000 0x04b0
LegalCopyright:  
Assembly Version: 1.0.0.0
InternalName: Special Box Uninstaller.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
FileDescription:  
OriginalFilename: Special Box Uninstaller.exe

Adware.Yontoo also known as:

MicroWorld-eScan	Gen:Variant.Adware.MSILPerseus.1523
FireEye	Generic.mg.937a836155e9a33e
CAT-QuickHeal	PUA.AdwareFC.S7914100
ALYac	Gen:Variant.Adware.MSILPerseus.1523
Malwarebytes	Adware.Yontoo
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Adware ( 004c4fe71 )
BitDefender	Gen:Variant.Adware.MSILPerseus.1523
K7GW	Adware ( 004c4fe71 )
Cybereason	malicious.155e9a
TrendMicro	TROJ_GEN.R002C0GGU19
F-Prot	W32/S-4623373a!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Adware.BrowseFox.O
APEX	Malicious
GData	Gen:Variant.Adware.MSILPerseus.1523
Kaspersky	not-a-virus:HEUR:AdWare.MSIL.BrowseFox.gen
Alibaba	AdWare:MSIL/BrowseFox.f516eb5d
NANO-Antivirus	Riskware.Win32.Yontoo.eutrba
AegisLab	Adware.MSIL.Generic.2!c
Avast	MSIL:BrowseFox-IV [Adw]
Ad-Aware	Gen:Variant.Adware.MSILPerseus.1523
Emsisoft	Application.BrowserExt (A)
Comodo	Application.MSIL.BrowseFox.AO@60es5y
F-Secure	Adware.ADWARE/BrowseFox.Gen7
DrWeb	Trojan.Yontoo.1735
Zillya	Adware.BrowseFoxCRTD.Win32.5279
Invincea	heuristic
McAfee-GW-Edition	Artemis!PUP
Sophos	Generic PUA GI (PUA)
Ikarus	PUA.Multiplug
Cyren	W32/S-4623373a!Eldorado
Webroot	Pua.Browsefox
Avira	ADWARE/BrowseFox.Gen7
MAX	malware (ai score=60)
Antiy-AVL	Trojan/Win32.TSGeneric
Endgame	malicious (high confidence)
Arcabit	Trojan.Adware.MSILPerseus.D5F3
SUPERAntiSpyware	PUP.SpecialBox/Variant
AhnLab-V3	PUP/Win32.BrowseFox.R152414
ZoneAlarm	not-a-virus:HEUR:AdWare.MSIL.BrowseFox.gen
Microsoft	BrowserModifier:Win32/Foxiebro
McAfee	Artemis!937A836155E9
VBA32	TScope.Trojan.MSIL
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002C0GGU19
Tencent	Malware.Win32.Gencirc.10b618d4
Yandex	PUA.Agent!
SentinelOne	DFI – Malicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	Adware/Generic
AVG	MSIL:BrowseFox-IV [Adw]
Panda	Trj/CI.A
CrowdStrike	win/malicious_confidence_80% (D)
Qihoo-360	Generic/Virus.Adware.d0c

How to remove Adware.Yontoo?

Download and install GridinSoft Anti-Malware.
Open GridinSoft Anti-Malware and perform a “Standard scan“.
“Move to quarantine” all items.
Open “Tools” tab – Press “Reset Browser Settings“.
Select proper browser and options – Click “Reset”.
Restart your computer.

Adware.Yontoo (file analysis)