PUP.Optional.Yontoo

Short bio

This detection is for a large family of adware that uses different methods of browser hijacking and monetizing to get their message across. Their search applications are known to bundle “Yahoo Search.”

The bundled installer is usually different from the official one. The bundled installers require arguments for a full installation and are sometimes even aware of running on a virtual machine, both to hinder researchers.

Protection

Malwarebytes protects users from PUP.Optional.Yontoo by using real-time protection.

Malwarebytes blocks PUP.Optional.Yontoo

Remediation

Malwarebytes can detect and remove PUP.Optional.Yontoo without further user interaction.

Please download Malwarebytes to your desktop.
Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
Then click Finish.
Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
Restart your computer when prompted to do so.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

Click on the Settings tab in the left pane.
Click on the Exclusions tab.
Click the Add Exclusion button.
Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.
Repeat this for any secondary folder(s) that belong to the software.

If you want to allow the program to connect to the Internet, for example to fetch updates, add an exclusion of the type Exclude an application that Connects to the Internet and use the Browse button to select the file you wish to grant access.

Traces/IOCs

Associated files:

SHA256 1a97e0539db3742e81b682a7bf6f6c3d6e100ca1534ef1377b23082835d56128
SHA256 b5dd0317cafa2f4f9151b52d2f267f9067d3a84d1066e52287bc468b2e3f3ee1
SHA256 3db3aa1738590bbaece6f77208f5539255df66172f316c2bcf4fe5143bce5813
SHA256 fc8b6a198202bd88fc5a027415c0886627fc55cf07b6af129c30de7224010f00
SHA256 5bb433277a273d95730a2f5dd5371c75407d49442a419617abda590119f1d91b
SHA256 c0a80ecfe8f83ede768b7d7d4aabdc5138c23d863e78af6f7e37eece2776804a
SHA256 75c00081cd8a47244821bfeeade8589d5649c542278e611299f3df89d43680d1
SHA256 183294e68824f5381d1eb00eaac04452bc38ece2020a646fd5efba4b7d0c1e23
SHA256 e114f06b47870439956f9a62784f9492b0fbba416396fcce4bbd5dc9a9c5c7b7
SHA256 064566cd05b8f3927a1f6019af09a9b54b5b3f8875cb3a5c908448d2b210c23a
SHA256 7a3c091798248a306c8ba1ecbc0edd4648ce5fce0f8be8d9bc44ad3b6445feb7
SHA256 c7fb83e04240851f817e441741decf110a9c9c649f7c61924553bf3dec743e7d
SHA256 be216ca8d1bc51e61419c552ee6d49fc3f6bff71bba826fdd61d58fd9854abd9
SHA256 5a7f567454800cfecefbe33f96139341eed691b8396ef72064b8f09a88a7486c
SHA256 15f963f9643f0b6c0852a52cb005afb0444420847fb86fc19abd9b33101c8982
SHA256 f6809d5bb689e1d8b6afe7105890e1a4e55d4c61178b89d5c44406e2ce6a43e1
SHA256 4400c2e1ccdfdd16d085db262bf67071ff4817c537e466afa818e69c5f317cc4
SHA256 883748c7c3c2d3d362212cc9be2d5a168a0da60291f970be5181df05b5af33a6
SHA256 a8a66aa7226d7fbefe4b66685f01f8806d425d0c6fab26926056d487729426ac
SHA256 d7d97924054f75228bbfa32b51312d1291c9b9b0af50ebf207a2d4c85f289225
SHA256 a5b1a42c286e3bc5f8634c19a0d64cde7a95aa015d7ebc21d09bab3ffeaf6ab5
SHA256 29d631986926b0aa90ca6b9d2b473cc948ce87ffc8ebb6f030481d3c773dea92
SHA256 31c46e8883883d8794f5dc253e4c526fd27c9e981a396898b208d45100d0114a
SHA256 9d8ad1b089fca1fd9d4130d1ba2a47fa3dd46f1fa1ecdf6e767dc4635fd284e1

Associated Threats

PUP.Optional.BrowseFox
PUP.Optional.Sanbreel