McAfee > Theat Center > Virus Detail Page

Overview

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Aliases

• Adware.Purityscan - Symantec

• Adware/PurityScan - Panda

Characteristics

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary

This is not a virus or a Trojan. It is a direct marketing adware application. On execution of the application it silently installs itself. It makes multiple internet connections with "ads.mediaurf.net", "ad.yieldmanager.com", "ad.oinadserver.com", "update2.outerinfo.com" etc. It creates few BHO entries for the internet explorer. It may give pop-up ads while browsing the internet.

Privacy

No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application.

System Changes

File Name: “ndrv.dll”
MD5Hash: “a848b75c5e69e1428b527433ba559607”

File Name: “QLYKDNB.DLL”
MD5Hash: “44fcff3220c1a667196106971db1027a”

File Name: “!update.exe”
MD5Hash: “ad376edc97af3412a271e27b426fd064”

File Name: “ndrv.exe”
MD5Hash: “93e031dfdb622d656195dba5e6b21333”

File Name: “PURSCA-N.exe”
MD5Hash: “510e19cfe3738387324f559f828a4d8d”

File Name: “tmsw.exe”
MD5Hash: “e1480f4ea955dabf4198b937710960a5”

File Name: “XSS.EXE”
MD5Hash: “d4a89ff92aa807e21743f58118a0f02c”

Following files are added in %APPLICATIONDATA% directory:

• eceo.exe

The following registry entries are added:

• HKEY_CURRENT_USER\Software\Cewu
• HKEY_CLASSES_ROOT\CLSID\
  {19A73B3A-D984-C903-80CF-F00A050EA09E}
• HKEY_CLASSES_ROOT\CLSID\
  {1B7D753B-1981-4bd2-91F3-6D055EE113A0}
• HKEY_CLASSES_ROOT\Context1.Curl
• HKEY_CLASSES_ROOT\Context1.Curl.1
• HKEY_CLASSES_ROOT\Interface\
  {20F13844-04BC-4987-9964-2502F0DA54D3}
• HKEY_CLASSES_ROOT\Interface\
  {3E43040C-73C1-4898-A4F8-E2C9428B1167}
• HKEY_CLASSES_ROOT\TypeLib\
  {EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects\
  {19A73B3A-D984-C903-80CF-F00A050EA09E}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects\
  {1B7D753B-1981-4bd2-91F3-6D055EE113A0}
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run | "Amsu"

Network Impact

Additional overhead in bandwidth may occur due to download of content.

Symptoms

N/A. Not a virus or trojan.

Method of Infection

N/A. Not a virus or trojan.

Removal

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants

N/A

All Information

Overview -

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security-or privacy-minded computer user may want to be informed of.

Aliases

• Adware.Purityscan - Symantec

• Adware/PurityScan - Panda

Characteristics

Characteristics -

McAfee(R) AVERT™ recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.
See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.
See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Summary

This is not a virus or a Trojan. It is a direct marketing adware application. On execution of the application it silently installs itself. It makes multiple internet connections with "ads.mediaurf.net", "ad.yieldmanager.com", "ad.oinadserver.com", "update2.outerinfo.com" etc. It creates few BHO entries for the internet explorer. It may give pop-up ads while browsing the internet.

Privacy

No license agreement is displayed during installation, although one could be displayed by another installer if bundled with another application.

System Changes

File Name: “ndrv.dll”
MD5Hash: “a848b75c5e69e1428b527433ba559607”

File Name: “QLYKDNB.DLL”
MD5Hash: “44fcff3220c1a667196106971db1027a”

File Name: “!update.exe”
MD5Hash: “ad376edc97af3412a271e27b426fd064”

File Name: “ndrv.exe”
MD5Hash: “93e031dfdb622d656195dba5e6b21333”

File Name: “PURSCA-N.exe”
MD5Hash: “510e19cfe3738387324f559f828a4d8d”

File Name: “tmsw.exe”
MD5Hash: “e1480f4ea955dabf4198b937710960a5”

File Name: “XSS.EXE”
MD5Hash: “d4a89ff92aa807e21743f58118a0f02c”

Following files are added in %APPLICATIONDATA% directory:

• eceo.exe

The following registry entries are added:

• HKEY_CURRENT_USER\Software\Cewu
• HKEY_CLASSES_ROOT\CLSID\
  {19A73B3A-D984-C903-80CF-F00A050EA09E}
• HKEY_CLASSES_ROOT\CLSID\
  {1B7D753B-1981-4bd2-91F3-6D055EE113A0}
• HKEY_CLASSES_ROOT\Context1.Curl
• HKEY_CLASSES_ROOT\Context1.Curl.1
• HKEY_CLASSES_ROOT\Interface\
  {20F13844-04BC-4987-9964-2502F0DA54D3}
• HKEY_CLASSES_ROOT\Interface\
  {3E43040C-73C1-4898-A4F8-E2C9428B1167}
• HKEY_CLASSES_ROOT\TypeLib\
  {EE6F3F6A-AD8E-48DA-9B1D-D5204B2D227D}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects\
  {19A73B3A-D984-C903-80CF-F00A050EA09E}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Explorer\Browser Helper Objects\
  {1B7D753B-1981-4bd2-91F3-6D055EE113A0}
• HKEY_CURRENT_USER\Software\Microsoft\Windows\
  CurrentVersion\Run | "Amsu"

Network Impact

Additional overhead in bandwidth may occur due to download of content.

Symptoms

Symptoms -

N/A. Not a virus or trojan.

Method of Infection

Method of Infection -

N/A. Not a virus or trojan.

Removal -

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs

Variants

Variants -

N/A