PUP.Optional.Yontoo

Short bio

PUP.Optional.Yontoo is Malwarebytes’ detection name for a large family of adware that uses different methods of browser hijacking and monetizing to get their message across. Their search applications are known to bundle “Yahoo Search.”

The bundled installer is usually different from the official one. The bundled installers require arguments for a full installation and are sometimes even aware of running on a virtual machine, both to hinder researchers.

Protection

Malwarebytes protects users from PUP.Optional.Yontoo by using real-time protection.

block PUP.Optional.Yontoo

Malwarebytes blocks PUP.Optional.Yontoo

Remediation

Malwarebytes can detect and remove PUP.Optional.Yontoo without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

  • Open Malwarebytes for Windows.
  • Click the Detection History
  • Click the Allow List
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folder and use the Select a folder button to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.

If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use the Browse button to select the file you wish to grant access.

Traces/IOCs

Associated files:

  • SHA256 1a97e0539db3742e81b682a7bf6f6c3d6e100ca1534ef1377b23082835d56128
  • SHA256 b5dd0317cafa2f4f9151b52d2f267f9067d3a84d1066e52287bc468b2e3f3ee1
  • SHA256 3db3aa1738590bbaece6f77208f5539255df66172f316c2bcf4fe5143bce5813
  • SHA256 fc8b6a198202bd88fc5a027415c0886627fc55cf07b6af129c30de7224010f00
  • SHA256 5bb433277a273d95730a2f5dd5371c75407d49442a419617abda590119f1d91b
  • SHA256 c0a80ecfe8f83ede768b7d7d4aabdc5138c23d863e78af6f7e37eece2776804a
  • SHA256 75c00081cd8a47244821bfeeade8589d5649c542278e611299f3df89d43680d1
  • SHA256 183294e68824f5381d1eb00eaac04452bc38ece2020a646fd5efba4b7d0c1e23
  • SHA256 e114f06b47870439956f9a62784f9492b0fbba416396fcce4bbd5dc9a9c5c7b7
  • SHA256 064566cd05b8f3927a1f6019af09a9b54b5b3f8875cb3a5c908448d2b210c23a
  • SHA256 7a3c091798248a306c8ba1ecbc0edd4648ce5fce0f8be8d9bc44ad3b6445feb7
  • SHA256 c7fb83e04240851f817e441741decf110a9c9c649f7c61924553bf3dec743e7d
  • SHA256 be216ca8d1bc51e61419c552ee6d49fc3f6bff71bba826fdd61d58fd9854abd9
  • SHA256 5a7f567454800cfecefbe33f96139341eed691b8396ef72064b8f09a88a7486c
  • SHA256 15f963f9643f0b6c0852a52cb005afb0444420847fb86fc19abd9b33101c8982
  • SHA256 f6809d5bb689e1d8b6afe7105890e1a4e55d4c61178b89d5c44406e2ce6a43e1
  • SHA256 4400c2e1ccdfdd16d085db262bf67071ff4817c537e466afa818e69c5f317cc4
  • SHA256 883748c7c3c2d3d362212cc9be2d5a168a0da60291f970be5181df05b5af33a6
  • SHA256 a8a66aa7226d7fbefe4b66685f01f8806d425d0c6fab26926056d487729426ac
  • SHA256 d7d97924054f75228bbfa32b51312d1291c9b9b0af50ebf207a2d4c85f289225
  • SHA256 a5b1a42c286e3bc5f8634c19a0d64cde7a95aa015d7ebc21d09bab3ffeaf6ab5
  • SHA256 29d631986926b0aa90ca6b9d2b473cc948ce87ffc8ebb6f030481d3c773dea92
  • SHA256 31c46e8883883d8794f5dc253e4c526fd27c9e981a396898b208d45100d0114a
  • SHA256 9d8ad1b089fca1fd9d4130d1ba2a47fa3dd46f1fa1ecdf6e767dc4635fd284e1

Associated Threats

  • PUP.Optional.BrowseFox
  • PUP.Optional.Sanbreel

Screenshots

Related blog content

Yontoo: PUPs with two faces

The next generation Yontoo browser hijacker

Select your language