Adware.Elex

Short bio

Adware.Elex is Malwarebytes’ generic detection name for a large family of Windows-oriented adware of Chinese origin.

Symptoms

Once executed, Adware.Elex displays ads by injecting them into visited sites and pops up browser windows.

Type and source of infection

Adware.Elex arrives on a system as a file downloaded from the Internet. Sometimes it disguises itself as a tool that can detect and remove adware. At times, it hides under the guise of an Adobe Flash or Java update. Adware.Elex can also be dropped by Trojan.Elex, which has been known to use rootkits.

Protection

Malwarebytes protects users from Adware.Elex by using real-time protection.

Home remediation

Malwarebytes can detect and remove Adware.Elex without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Business remediation

How to remove Adware.Elex with the Malwarebytes Nebula console

You can use the Malwarebytes Anti-Malware Nebula console to scan endpoints.

Choose the Scan + Quarantine option. Afterwards you can check the Detections page to see which threats were found.

On the Quarantine page you can see which threats were quarantined and restore them if necessary.

Malwarebytes removal log

An example Malwarebytes log for a member of this family called Youndoo:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/20/17
Scan Time: 2:10 PM
Logfile: mbamYoundoo.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1307
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 420585
Time Elapsed: 8 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 4
Adware.Elex.Generic, HKLM\SOFTWARE\CLASSES\CLSID\{5AD340E8-F445-11E6-B566-64006A5CFC23}, Delete-on-Reboot, [2155], [356410],1.0.1307
Adware.Elex.Generic, HKLM\SOFTWARE\CLASSES\CLSID\{5AD340E8-F445-11E6-B566-64006A5CFC23}\InprocServer32, Delete-on-Reboot, [2155], [356410],1.0.1307
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{92C91B86-B20E-474B-A1D9-6B7D5AC229C4}, Delete-on-Reboot, [767], [182916],1.0.1307
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\youndooSoftware, Delete-on-Reboot, [767], [182849],1.0.1307

Registry Value: 4
Adware.Elex.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS|{5AD340E8-F445-11E6-B566-64006A5CFC23}, Delete-on-Reboot, [2155], [356410],1.0.1307
Adware.Elex.SHHKRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ENABLESHELLEXECUTEHOOKS, Delete-on-Reboot, [357], [-1],0.0.0
Adware.Elex.SHHKRST, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ENABLESHELLEXECUTEHOOKS, Delete-on-Reboot, [357], [-1],0.0.0
PUP.Optional.Youndoo, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{92C91B86-B20E-474B-A1D9-6B7D5AC229C4}|DISPLAYNAME, Delete-on-Reboot, [767], [182916],1.0.1307

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default, Delete-on-Reboot, [2786], [363173],1.0.1307
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles, Delete-on-Reboot, [2786], [363173],1.0.1307
PUP.Optional.FakeFFProfile, C:\USERS\{username}\APPDATA\ROAMING\Mozilla\Firefox\naweriweentcofise, Delete-on-Reboot, [2786], [363173],1.0.1307

File: 22
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\prefs.js, Delete-on-Reboot, [2786], [363173],1.0.1307
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\profiles.ini, Delete-on-Reboot, [2786], [363173],1.0.1307
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\search-metadata.json, Delete-on-Reboot, [2786], [363173],1.0.1307
PUP.Optional.FakeFFProfile, C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\search.json.mozlz4, Delete-on-Reboot, [2786], [363173],1.0.1307
Adware.Elex.Generic, C:\PROGRAM FILES (X86)\THULUCH\REUQUTAIN.DLL, Delete-on-Reboot, [2155], [356410],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS, Replaced, [767], [324487],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
Adware.Elex, C:\USERS\{username}\DESKTOP\WAK_MY.EXE, Delete-on-Reboot, [305], [363419],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\SEARCHPLUGINS\JEBNKUVK.XML, Delete-on-Reboot, [767], [324489],1.0.1307
Adware.Elex.SHHKRST, C:\PROGRAM FILES (X86)\THULUCH\CRASHREPORT.DLL, Delete-on-Reboot, [357], [372356],1.0.1307
Adware.Elex.SHHKRST, C:\WINDOWS\SYSTEM32\TASKS\Gfakdutoing, Delete-on-Reboot, [357], [-1],0.0.0
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\SEARCHPLUGINS\JEBNKUVK.XML, Delete-on-Reboot, [767], [302734],1.0.1307

Physical Sector: 0
(No malicious items detected)


(end)
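To turn a log like the one above into triage data rather than something read by eye, here is an added Python example (not Malwarebytes' code) that parses the -Scan Details- section into records, checks the per-category counts the log declares, and flags the two things a responder wants from this family: objects marked Delete-on-Reboot (removal only completes after the restart in step 7) and ShellExecuteHooks entries, the Explorer persistence this log shows. The sample log is a constructed excerpt in the page's format, not a real scan.

```python
import re
from collections import Counter

# Constructed excerpt in the Malwarebytes log format shown above (not a real scan);
# detection lines read "name, object, action, [rule id], [signature id],update version".
SAMPLE_LOG = r"""-Scan Details-
Process: 0
(No malicious items detected)
Registry Key: 1
Adware.Elex.Generic, HKLM\SOFTWARE\CLASSES\CLSID\{5AD340E8-F445-11E6-B566-64006A5CFC23}, Delete-on-Reboot, [2155], [356410],1.0.1307
Registry Value: 2
Adware.Elex.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS|{5AD340E8-F445-11E6-B566-64006A5CFC23}, Delete-on-Reboot, [2155], [356410],1.0.1307
Adware.Elex.SHHKRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ENABLESHELLEXECUTEHOOKS, Delete-on-Reboot, [357], [-1],0.0.0
File: 2
Adware.Elex.Generic, C:\PROGRAM FILES (X86)\THULUCH\REUQUTAIN.DLL, Delete-on-Reboot, [2155], [356410],1.0.1307
PUP.Optional.Youndoo, C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS, Replaced, [767], [302817],1.0.1307
(end)
"""

CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "Registry Value: 2"

def parse_scan_details(text):
    """Parse the -Scan Details- section into detection dicts and the declared per-category counts."""
    detections, declared, category = [], {}, None
    body = text.split("-Scan Details-", 1)[1]
    for line in (l.strip() for l in body.splitlines()):
        if not line or line.startswith("("):      # blank, "(No malicious items detected)" or "(end)"
            continue
        m = CATEGORY_RE.match(line)
        if m:
            category, declared[m.group(1)] = m.group(1), int(m.group(2))
            continue
        head, action, rule_id, tail = line.rsplit(", ", 3)
        name, obj = head.split(", ", 1)            # the object may contain spaces but not ", "
        sig_id, version = tail.split(",", 1)
        detections.append({"category": category, "name": name, "object": obj, "action": action,
                           "rule_id": int(rule_id.strip("[]")), "sig_id": int(sig_id.strip("[]")),
                           "version": version})
    return detections, declared

def summarize(detections, declared):
    """Triage view: counts, mismatch against declared totals, reboot requirement, shell-hook persistence."""
    per_category = Counter(d["category"] for d in detections)
    return {
        "per_category": dict(per_category),
        "per_name": dict(Counter(d["name"] for d in detections)),
        "count_mismatch": {c: (n, per_category.get(c, 0)) for c, n in declared.items() if per_category.get(c, 0) != n},
        # Delete-on-Reboot means the object was in use; removal is only complete after a restart.
        "needs_reboot": any(d["action"] == "Delete-on-Reboot" for d in detections),
        # ShellExecuteHooks entries load a DLL into Explorer at every launch: confirm these are gone.
        "shell_hooks": [d["object"] for d in detections if "SHELLEXECUTEHOOKS" in d["object"].upper()],
    }
```

A non-empty `count_mismatch` means the log was truncated or hand-edited, which is worth knowing before trusting it as a removal record.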

Traces/IOCs

Domains:

Associated threats

  • Adware.Elex.ShrtCln