Updated: February 13, 2007 11:37:23 AM
Type: Adware
Publisher: PromulGate
Risk Impact: High
File Names:
adl_mteststub.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.DelFin is installed, it does the following:
- Downloads adware to the computer.
- Creates the following folders:
- %UserProfile%\Application Data\nsv\cache
- %UserProfile%\Application Data\picsvr
- %UserProfile%\Application Data\tatss
- %UserProfile%\Application Data\Dpi
- %UserProfile%\Application Data\pcsvc
- %UserProfile%\Application Data\vmss
- %UserProfile%\Application Data\wsxs
- %UserProfile%\Application Data\wsxs\Adverts
- %System%\nsvsvc
- %System%\wsxsvc
- %System%\vmss
- %CommonProgramFiles%\dpi
- %ProgramFiles%\DelFin
- %ProgramFiles%\DelFin\PromulGate\Adverts
- %ProgramFiles%\DelFin\PromulGate
- %UserProfile%\Start Menu\Programs\DelFin Media Viewer
- %UserProfile%\Local Settings\Temp\vmstmp
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vmstmp
- %Windir%\system32\pgtools
- %Windir%\system32\pcs
Notes:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
- %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the following files:
- %ProgramFiles%\DelFin\PromulGate\delfinAF.edx
- %ProgramFiles%\DelFin\PromulGate\delfinAD.ebd
- %ProgramFiles%\DelFin\PromulGate\delfinBD.edx
- %ProgramFiles%\DelFin\PromulGate\delfinCO.edx
- %ProgramFiles%\DelFin\PromulGate\delfinDL.edx
- %ProgramFiles%\DelFin\PromulGate\delfinED.edx
- %ProgramFiles%\DelFin\PromulGate\delfinID.edx
- %ProgramFiles%\DelFin\PromulGate\delfinLD.edx
- %ProgramFiles%\DelFin\PromulGate\delfinLO.edx
- %ProgramFiles%\DelFin\PromulGate\Description.txt
- %ProgramFiles%\DelFin\PromulGate\License.txt
- %ProgramFiles%\DelFin\PromulGate\PgMonitr.exe
- %ProgramFiles%\DelFin\PromulGate\PgSDK.dll
- %ProgramFiles%\DelFin\PromulGate\preference.dat
- %ProgramFiles%\DelFin\PromulGate\uninstall.log
- %ProgramFiles%\DelFin\PromulGate\user.html
- %CommonProgramFiles%\dpi\Dpi.exe
- %UserProfile%\Local Settings\Temp\uppicsvr.exe
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vmstmp\vmstmp.exe
- %System%\picsvr\picsvr.exe
- %System%\nsvsvc\nsvs.dll
- %System%\vmss\vmss.exe
- %System%\wsxsvc\wsx.dll
- %System%\wsxsvc\wsx.ocx
- %System%\wsxsvc\wsxsvc.exe
- %System%\nsvsvc\nsvsvc.exe
- %Windir%\Temp\uppicsvr.exe
- %Windir%\SYSTEM32\pgtools\init.dll
- %Windir%\SYSTEM32\pgtools\tatss.dll
- %Windir%\SYSTEM32\pgtools\tatss.exe
- C:\keys.ini
- May add the values:
"Dpi" = "[PATH TO ADWARE]"
"Tat" = "[PATH TO ADWARE]"
"Pcsv" = "[PATH TO ADWARE]"
"Nsv" = "%System%\nsvsvc\nsvsvc.exe"
"pgstub.exe" = "[PATH TO ADWARE]"
"picsvr" = "%System%\picsvr\picsvr.exe"
"Promulgate" = "[PATH TO ADWARE]"
"vmss" = "%System%\vmss\vmss.exe"
"Dvx" = "[PATH TO ADWARE]"
"vcmpin" = "[PATH TO ADWARE]"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
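A defender-side check for the persistence entries just listed, added here as an example (it is not part of the writeup and not vendor code): it parses a `.reg` export of the Run key and flags values whose name, or whose target path, matches the DelFin indicators above. The sample export is constructed, with paths following the default locations given in the notes.

```python
import re

# Value names the writeup lists under HKLM\...\CurrentVersion\Run.
DELFIN_RUN_NAMES = {"dpi", "tat", "pcsv", "nsv", "pgstub.exe", "picsvr",
                    "promulgate", "vmss", "dvx", "vcmpin"}
# Folder names from the writeup's file list; a Run value pointing into one
# of them is suspect even if the value name was changed.
DELFIN_PATH_MARKERS = ("\\nsvsvc\\", "\\vmss\\", "\\picsvr\\", "\\wsxsvc\\",
                       "\\delfin\\", "\\pgtools\\", "\\dpi\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

def _unescape(s):
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):   # string values only
                yield key, _unescape(m.group("name")), _unescape(data[1:-1])

def find_delfin_run_entries(text):
    """Return [(key, name, data)] for Run values matching the DelFin indicators."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        low = data.lower()
        if name.lower() in DELFIN_RUN_NAMES or any(mk in low for mk in DELFIN_PATH_MARKERS):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nsv"="C:\\WINDOWS\\system32\\nsvsvc\\nsvsvc.exe"
"LegitApp"="C:\\Program Files\\Legit\\app.exe"
"Updater"="C:\\Program Files\\DelFin\\PromulGate\\PgMonitr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\vmss]
"Path"="C:\\WINDOWS\\system32\\vmss\\vmss.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_delfin_run_entries(SAMPLE_REG):
        print(f"{name} -> {data}")
```

The renamed `Updater` value is caught by its target path, while the `vmss` entry outside the Run key is deliberately ignored, since only Run values give the adware its startup persistence.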
- Creates the following registry subkeys:
HKEY_CLASSES_ROOT\Interface\{41700749-A109-4254-AF13-BE54011E8783}
HKEY_CLASSES_ROOT\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}
HKEY_CLASSES_ROOT\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}
HKEY_CLASSES_ROOT\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}
HKEY_CLASSES_ROOT\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}
HKEY_CLASSES_ROOT\VCCPGDATAACCESS.PgDataAccessCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PgTools
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PGate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMVLite
HKEY_LOCAL_MACHINE\SOFTWARE\Dvx
HKEY_LOCAL_MACHINE\SOFTWARE\Tat
HKEY_LOCAL_MACHINE\SOFTWARE\Pcsv
HKEY_LOCAL_MACHINE\SOFTWARE\Mvu
HKEY_LOCAL_MACHINE\SOFTWARE\picsvr
HKEY_LOCAL_MACHINE\SOFTWARE\DelFin
HKEY_LOCAL_MACHINE\SOFTWARE\skin
HKEY_LOCAL_MACHINE\Software\Dpi
HKEY_LOCAL_MACHINE\SOFTWARE\vmss
HKEY_ALL_USERS\Software\Dvx
HKEY_ALL_USERS\Software\Tat
HKEY_ALL_USERS\Software\Pcsv
HKEY_ALL_USERS\SOFTWARE\Mvu
HKEY_ALL_USERS\SOFTWARE\picsvr
HKEY_ALL_USERS\Software\skin
HKEY_ALL_USERS\Software\DelFin
HKEY_CURRENT_USER\Software\DelFin