Adware.Elex

Short bio

Adware.Elex is Malwarebytes' generic detection name for a large family of Windows-oriented adwareof Chinese origin.

Symptoms

Once executed, Adware.Elex displays ads by injecting them into visited sites and pops up browser windows.

Type and source of infection

Adware.Elex arrives on a system as a file downloaded from the Internet. Sometimes it disguises itself as a tool that can detect and remove adware. At times, it hides under the guise of an Adobe Flash or Java update. Adware.Elex can also be dropped by Trojan.Elexwhich has been known to use rootkits.

Protection

block Adware.Elex

Malwarebytes blocks Adware.Elex

Home remediation

Malwarebytes can detect and remove Adware.Elex without further user interaction.

  1. Please download Malwarebytesto your desktop.
  2. Double-click MBSetup.exeand follow the prompts to install the program.
  3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantineto remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Business remediation

How to remove Adware.Elex with the Malwarebytes Nebula console

You can use the Malwarebytes Anti-Malware Nebula console to scan endpoints.

endpoint menuNebula endpoint tasks menu

Choose the Scan + Quarantine option. Afterwards you can check the Detections pageto see which threats were found.Nebula detectionsOn the Quarantine pageyou can see which threats were quarantined and restore them if necessary.Nebula Quarantaine

Malwarebytes removal log

An example Malwarebytes log for a member of this family called Youndoo:

Malwarebyteswww.malwarebytes.com-Log Details-Scan Date:2/20/17Scan Time:2:10PMLogfile:mbamYoundoo.txtAdministrator:Yes-Software Information-Version:3.0.6.1469Components Version:1.0.50Update Package Version:1.0.1307License:Premium-System Information-OS:Windows 10CPU:x64File System:NTFSUser:{computername}\{username}-Scan Summary-Scan Type:Threat ScanResult:CompletedObjects Scanned:420585Time Elapsed:8min,58sec-Scan Options-Memory:EnabledStartup:EnabledFilesystem:EnabledArchives:EnabledRootkits:DisabledHeuristics:EnabledPUP:EnabledPUM:Enabled-Scan Details-Process:0(Nomalicious items detected)Module:0(Nomalicious items detected)Registry Key:4Adware.Elex.Generic,HKLM\SOFTWARE\CLASSES\CLSID\{5AD340E8-F445-11E6-B566-64006A5CFC23},Delete-on-Reboot,[2155],[356410],1.0.1307Adware.Elex.Generic,HKLM\SOFTWARE\CLASSES\CLSID\{5AD340E8-F445-11E6-B566-64006A5CFC23}\InprocServer32,Delete-on-Reboot,[2155],[356410],1.0.1307PUP.Optional.Youndoo,HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{92C91B86-B20E-474B-A1D9-6B7D5AC229C4},Delete-on-Reboot,[767],[182916],1.0.1307PUP.Optional.Youndoo,HKLM\SOFTWARE\WOW6432NODE\youndooSoftware,Delete-on-Reboot,[767],[182849],1.0.1307Registry Value:4Adware.Elex.Generic,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS|{5AD340E8-F445-11E6-B566-64006A5CFC23},Delete-on-Reboot,[2155],[356410],1.0.1307Adware.Elex.SHHKRST,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ENABLESHELLEXECUTEHOOKS,Delete-on-Reboot,[357],[-1],0.0.0Adware.Elex.SHHKRST,HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ENABLESHELLEXECUTEHOOKS,Delete-on-Reboot,[357],[-1],0.0.0PUP.Optional.Youndoo,HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{92C91B86-B20E-474B-A1D9-6B7D5AC229C4}|DISPLAYNAME,Delete-on-Reboot,[767],[182916],1.0.1307Registry Data:0(Nomalicious items detected)Data Stream:0(Nomalicious items detected)Folder:3PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default,Delete-on-Reboot,[2786],[363173],1.0.1307PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles,Delete-on-Reboot,[2786],[363173],1.0.1307PUP.Optional.FakeFFProfile,C:\USERS\{username}\APPDATA\ROAMING\Mozilla\Firefox\naweriweentcofise,Delete-on-Reboot,[2786],[363173],1.0.1307File:22PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\prefs.js,Delete-on-Reboot,[2786],[363173],1.0.1307PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\profiles.ini,Delete-on-Reboot,[2786],[363173],1.0.1307PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\search-metadata.json,Delete-on-Reboot,[2786],[363173],1.0.1307PUP.Optional.FakeFFProfile,C:\Users\{username}\AppData\Roaming\Mozilla\Firefox\naweriweentcofise\Profiles\mhc384j1.default\search.json.mozlz4,Delete-on-Reboot,[2786],[363173],1.0.1307Adware.Elex.Generic,C:\PROGRAM FILES (X86)\THULUCH\REUQUTAIN.DLL,Delete-on-Reboot,[2155],[356410],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\PREFS.JS,Replaced,[767],[324487],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS,Replaced,[767],[302817],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS,Replaced,[767],[302817],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS,Replaced,[767],[302817],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS,Replaced,[767],[302817],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\PREFS.JS,Replaced,[767],[302817],1.0.1307Adware.Elex,C:\USERS\{username}\DESKTOP\WAK_MY.EXE,Delete-on-Reboot,[305],[363419],1.0.1307PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\PROFILES\GHERLUWARDCOOZEIED.DEFAULT\SEARCHPLUGINS\JEBNKUVK.XML,Delete-on-Reboot,[767],[324489],1.0.1307Adware.Elex.SHHKRST,C:\PROGRAM FILES (X86)\THULUCH\CRASHREPORT.DLL,Delete-on-Reboot,[357],[372356],1.0.1307Adware.Elex.SHHKRST,C:\WINDOWS\SYSTEM32\TASKS\Gfakdutoing,Delete-on-Reboot,[357],[-1],0.0.0PUP.Optional.Youndoo,C:\USERS\{username}\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\MHC384J1.DEFAULT\SEARCHPLUGINS\JEBNKUVK.XML,Delete-on-Reboot,[767],[302734],1.0.1307Physical Sector:0(Nomalicious items detected)(end)

Traces/IOCs

Domains:istartpageing.comomiga-plus.comyoursites123.comoursearching.comyoursearchweb.comyoundoo.comvi-view.comtohotweb.comwebisawsome.infowebssearches.comv9.comtrotux.comswellsearch.infoso-v.comsearchqu.comsearchtotal.infoqvo6.comqone8.compur-esult.infoortalsepeti.com

Associated threats

  • Adware.Elex.ShrtCln

Select your language