Adware.Eszjuxuan

Short bio

Adware.Eszjuxuan is Malwarebytes’ generic detection name for a Chinese family of adware that targets Windows systems.

Symptoms

Adware.Eszjuxuan shows advertising in new browser tabs or windows through a redirect site. The adware opens a browser window to the redirect site, and what you are shown from there depends on fingerprinting and cookies.

Protection

Malwarebytes protects users from Adware.Eszjuxuan by using real-time protection.

Malwarebytes blocks Adware.Eszjuxuan

Remediation

Malwarebytes can detect and remove Adware.Eszjuxuan without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard, or select Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be applied before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

An example Malwarebytes log for a member of this family called ServerTest:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/26/17
Scan Time: 8:53 AM
Log File: mbamServerTest.txt
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.2024
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {computername}\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332622
Threats Detected: 22
Threats Quarantined: 22
Time Elapsed: 1 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
PUP.Optional.YeaDesktop, C:\PROGRAM FILES (X86)\YEADESKTOP\YEADESKTOP.EXE, Quarantined, [1535], [393869],1.0.2024

Module: 1
PUP.Optional.YeaDesktop, C:\PROGRAM FILES (X86)\YEADESKTOP\YEADESKTOP.EXE, Quarantined, [1535], [393869],1.0.2024

Registry Key: 2
PUP.Optional.YeaDesktop, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YeaDesktop, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, HKCU\SOFTWARE\YeaDesktop, Delete-on-Reboot, [1535], [391400],1.0.2024

Registry Value: 2
PUP.Optional.YeaDesktop, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|YeaDesktop, Delete-on-Reboot, [1535], [393869],1.0.2024
PUP.Optional.YeaDesktop.ClnShrt, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|YEADESKTOP.EXE, Delete-on-Reboot, [1357], [396226],1.0.2024

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\common, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\PROGRAM FILES (X86)\YeaDesktop, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\YEADESKTOP, Delete-on-Reboot, [1535], [391395],1.0.2024

File: 13
PUP.Optional.YeaDesktop, C:\PROGRAM FILES (X86)\YEADESKTOP\YEADESKTOP.EXE, Delete-on-Reboot, [1535], [393869],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\common\apphoverbk.png, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\common\BkgSelectedHover.png, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\common\BkgSelectedNormal.png, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\common\BkgSelectedPressed.png, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\config.xml, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\HelpTool.dll, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\unins000.dat, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\Program Files (x86)\YeaDesktop\unins000.exe, Delete-on-Reboot, [1535], [391396],1.0.2024
PUP.Optional.YeaDesktop, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop\Uninstall YeaDesktop.lnk, Delete-on-Reboot, [1535], [391395],1.0.2024
PUP.Optional.YeaDesktop, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop\YeaDesktop.lnk, Delete-on-Reboot, [1535], [391395],1.0.2024
Adware.Eszjuxuan, C:\USERS\{username}\DESKTOP\LOADAPP.EXE, Delete-on-Reboot, [42], [401951],1.0.2024
PUP.Optional.YeaDesktop, C:\USERS\{username}\APPDATA\ROAMING\SERVERTEST\80887.EXE, Delete-on-Reboot, [1535], [391393],1.0.2024

Physical Sector: 0
(No malicious items detected)


(end)

Related blog content

How to remove adware from your PC

Fireball Chinese malware and you