Avira Virus Lab

Adware/Elex.170184

  • Name
    Adware/Elex.170184
  • Date discovered
    Dec 16, 2015
  • Type
    Adware
  • Impact
    Low 
  • Reported Infections
    Low 
  • Operating System
    Windows
  • VDF version
    7.12.36.176 (2015-12-16 09:03)


This class of detection flags software that displays ads, usually in the internet browser, by modifying displayed pages or opening additional pages with ads. These adware programs are usually installed by the users themselves or come with other software that the users install themselves (usually in exchange for using the software for free or as a default install option). Users might be unaware that this software was installed or of its behaviour. This detection is meant to flag the file and the behaviour as part of legitimate ad-displaying software. This detection can be disabled; disabling it is recommended if the user is aware of the software installed on his/her system and doesn't want this type of software to be detected.

  • VDF
    7.12.36.176 (2015-12-16 09:03)
  • Aliases
    Dr. Web: Adware.Mutabaha.452
    Kaspersky Lab: HEUR:Trojan.Win32.Generic
    ESET: Win32/ELEX.FO application
  • Files
    The following files are created:
    • %PROGRAM FILES%\SFK\SFK.ini
    • %temporary internet files%\Content.IE5\QH9ZEEV0\z[1].php
    • %temporary internet files%\Content.IE5\QH9ZEEV0\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].61
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OL2NK16B\SSFK[1].htm
    • %PROGRAM FILES%\SFK\GIRF
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OL2NK16B\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].htm
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S9IRK9QF\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].htm
    The following files are changed:
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Cookies\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
    The following files are deleted:
    • %temporary internet files%\Content.IE5\QH9ZEEV0\z[1].php
    • %temporary internet files%\Content.IE5\QH9ZEEV0\VMwareXVirtualXIDEXHardXDrive_00000000000000000001[1].61
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OL2NK16B\SSFK[1].htm
    • %PROGRAM FILES%\SFK\GIRF
    The following copies of itself are created:
    • %PROGRAM FILES%\SFK\SSFK.exe
  • Registry
    The following registry entries are added:
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSFK ("Type": dword:00000010; "Start": dword:00000002; "ErrorControl": dword:00000001; "ImagePath": "%PROGRAM FILES%\SFK\SSFK.exe -s"; "DisplayName": "SSFK"; "ObjectName": "LocalSystem"; "Description": "System Agent Service"; "FailureActions": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSFK\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSFK ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSFK\0000 ("Service": "SSFK"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "SSFK")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SSFK\0000\Control ("*NewlyCreated*": dword:00000000; "ActiveService": "SSFK")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSFK\Enum ("0": "Root\LEGACY_SSFK\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:00000011)
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A ("BaseClass": "Drive")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C ("BaseClass": "Drive")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D ("BaseClass": "Drive")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ("SavedLegacySettings": %hex values%)
    The following registry entries are changed:
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("UNCAsIntranet": dword:00000001)
  • HTTP Requests
    • www.*****rch123.com/logic/z.php
    • xa.*****loud.com/v4/sof-everything/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action0=xa.geoip&action1=visit&action2=install.SSFK&update0=ref,SSFK&update1=nation,us&update2=language,en&update3=version,2.0.6.61
    • www.*****.com/inf/eve/SSFK?ver=2.0.6.61
    • xa.*****loud.com/v4/sof-everything/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.SSFK.heartbeat&update3=version,2.0.6.61
    • xa.*****loud.com/v4/sof-everything/VMwareXVirtualXIDEXHardXDrive_00000000000000000001?action=visit.SSFK.heartbeat
