
Adware.DelFin

Updated:
February 13, 2007 11:37:23 AM
Type:
Adware
Publisher:
PromulGate
Risk Impact:
High
File Names:
adl_mteststub.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.DelFin is installed, it does the following:
  1. Downloads adware to the computer.

  2. Creates the following folders:

    • %UserProfile%\Application Data\nsv\cache
    • %UserProfile%\Application Data\picsvr
    • %UserProfile%\Application Data\tatss
    • %UserProfile%\Application Data\Dpi
    • %UserProfile%\Application Data\pcsvc
    • %UserProfile%\Application Data\vmss
    • %UserProfile%\Application Data\wsxs
    • %UserProfile%\Application Data\wsxs\Adverts
    • %System%\nsvsvc
    • %System%\wsxsvc
    • %System%\vmss
    • %CommonProgramFiles%\dpi
    • %ProgramFiles%\DelFin
    • %ProgramFiles%\DelFin\PromulGate\Adverts
    • %ProgramFiles%\DelFin\PromulGate
    • %UserProfile%\Start Menu\Programs\DelFin Media Viewer
    • %UserProfile%\Local Settings\Temp\vmstmp
    • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vmstmp
    • %Windir%\system32\pgtools
    • %Windir%\system32\pcs

    Notes:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files
    • %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
    • %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Creates the following files:

    • %ProgramFiles%\DelFin\PromulGate\delfinAF.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinAD.ebd
    • %ProgramFiles%\DelFin\PromulGate\delfinBD.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinCO.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinDL.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinED.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinID.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinLD.edx
    • %ProgramFiles%\DelFin\PromulGate\delfinLO.edx
    • %ProgramFiles%\DelFin\PromulGate\Description.txt
    • %ProgramFiles%\DelFin\PromulGate\License.txt
    • %ProgramFiles%\DelFin\PromulGate\PgMonitr.exe
    • %ProgramFiles%\DelFin\PromulGate\PgSDK.dll
    • %ProgramFiles%\DelFin\PromulGate\preference.dat
    • %ProgramFiles%\DelFin\PromulGate\uninstall.log
    • %ProgramFiles%\DelFin\PromulGate\user.html
    • %CommonProgramFiles%\dpi\Dpi.exe
    • %UserProfile%\Local Settings\Temp\uppicsvr.exe
    • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\vmstmp\vmstmp.exe
    • %System%\picsvr\picsvr.exe
    • %System%\nsvsvc\nsvs.dll
    • %System%\vmss\vmss.exe
    • %System%\wsxsvc\wsx.dll
    • %System%\wsxsvc\wsx.ocx
    • %System%\wsxsvc\wsxsvc.exe
    • %System%\nsvsvc\nsvsvc.exe
    • %Windir%\Temp\uppicsvr.exe
    • %Windir%\SYSTEM32\pgtools\init.dll
    • %Windir%\SYSTEM32\pgtools\tatss.dll
    • %Windir%\SYSTEM32\pgtools\tatss.exe
    • C:\keys.ini

  4. May add the values:

    "Dpi" = "[PATH TO ADWARE]"
    "Tat" = "[PATH TO ADWARE]"
    "Pcsv" = "[PATH TO ADWARE]"
    "Nsv" = "%System%\nsvsvc\nsvsvc.exe"
    "pgstub.exe" = "[PATH TO ADWARE]"
    "picsvr" = "%System%\picsvr\picsvr.exe"
    "Promulgate" = "[PATH TO ADWARE]"
    "vmss" = "%System%\vmss\vmss.exe"
    "Dvx" = "[PATH TO ADWARE]"
    "vcmpin" = "[PATH TO ADWARE]"


    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs every time Windows starts.

  5. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\Interface\{41700749-A109-4254-AF13-BE54011E8783}
    HKEY_CLASSES_ROOT\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}
    HKEY_CLASSES_ROOT\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073}
    HKEY_CLASSES_ROOT\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610}
    HKEY_CLASSES_ROOT\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865}
    HKEY_CLASSES_ROOT\VCCPGDATAACCESS.PgDataAccessCtrl.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PgTools
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PGate
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMVLite
    HKEY_LOCAL_MACHINE\SOFTWARE\Dvx
    HKEY_LOCAL_MACHINE\SOFTWARE\Tat
    HKEY_LOCAL_MACHINE\SOFTWARE\Pcsv
    HKEY_LOCAL_MACHINE\SOFTWARE\Mvu
    HKEY_LOCAL_MACHINE\SOFTWARE\picsvr
    HKEY_LOCAL_MACHINE\SOFTWARE\DelFin
    HKEY_LOCAL_MACHINE\SOFTWARE\skin
    HKEY_LOCAL_MACHINE\Software\Dpi
    HKEY_LOCAL_MACHINE\SOFTWARE\vmss
    HKEY_ALL_USERS\Software\Dvx
    HKEY_ALL_USERS\Software\Tat
    HKEY_ALL_USERS\Software\Pcsv
    HKEY_ALL_USERS\SOFTWARE\Mvu
    HKEY_ALL_USERS\SOFTWARE\picsvr
    HKEY_ALL_USERS\Software\skin
    HKEY_ALL_USERS\Software\DelFin
    HKEY_CURRENT_USER\Software\DelFin
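The Run values in step 4 and the folders and subkeys in steps 2 and 5 are the host-side indicators a responder would check for. The following read-only audit script is an added example, not part of the Symantec writeup; it assumes that %UserProfile%\Application Data maps to $env:APPDATA and %System% to the .NET System folder, and it only reports what it finds.

```powershell
# Added example, not part of the Symantec writeup: read-only audit of a
# Windows host for the Run values, paths and registry subkeys this page
# attributes to Adware.DelFin. Reports findings only; removes nothing.
$findings = @()

# 1. Value names the writeup says may be added under HKLM\...\Run
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runNames = 'Dpi','Tat','Pcsv','Nsv','pgstub.exe','picsvr','Promulgate','vmss','Dvx','vcmpin'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($n in $runNames) {
        $p = $run.PSObject.Properties[$n]      # $null when the value is absent
        if ($p) { $findings += [pscustomobject]@{ Kind='RunValue'; Item=$n; Detail=$p.Value } }
    }
}

# 2. Folders and files from the writeup. Assumption: %UserProfile%\Application Data
#    is $env:APPDATA and %System% is the .NET 'System' special folder.
$sys   = [Environment]::GetFolderPath('System')
$paths = @(
    (Join-Path $env:APPDATA 'nsv\cache'),
    (Join-Path $env:APPDATA 'picsvr'), (Join-Path $env:APPDATA 'tatss'),
    (Join-Path $env:APPDATA 'Dpi'),    (Join-Path $env:APPDATA 'pcsvc'),
    (Join-Path $env:APPDATA 'vmss'),   (Join-Path $env:APPDATA 'wsxs'),
    (Join-Path $sys 'nsvsvc'), (Join-Path $sys 'wsxsvc'), (Join-Path $sys 'vmss'),
    (Join-Path $sys 'picsvr'), (Join-Path $sys 'pgtools'), (Join-Path $sys 'pcs'),
    (Join-Path $env:CommonProgramFiles 'dpi'),
    (Join-Path $env:ProgramFiles 'DelFin'),
    'C:\keys.ini'
)
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) { $findings += [pscustomobject]@{ Kind='Path'; Item=$f; Detail='' } }
}

# 3. Registry subkeys from the writeup (HKLM, HKCU and the COM CLSID).
$subkeys = @(
    'HKLM:\SOFTWARE\DelFin', 'HKLM:\SOFTWARE\Dvx', 'HKLM:\SOFTWARE\Tat',
    'HKLM:\SOFTWARE\Pcsv',   'HKLM:\SOFTWARE\Mvu', 'HKLM:\SOFTWARE\picsvr',
    'HKLM:\SOFTWARE\skin',   'HKLM:\SOFTWARE\Dpi', 'HKLM:\SOFTWARE\vmss',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer',
    'HKCU:\Software\DelFin',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839}'
)
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) { $findings += [pscustomobject]@{ Kind='RegKey'; Item=$k; Detail='' } }
}

if ($findings.Count -eq 0) { 'No Adware.DelFin indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and %System% folders are readable; a hit on a Run value alone is the strongest signal, since that is what keeps the adware starting with Windows.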
