Adware.Purityscan.D


February 13, 2007 11:51:17 AM
Risk Impact:
File Names:
Systems Affected:

When Adware.PurityScan.D is installed, it performs the following actions:
  1. Adds the values:

    "Itsh"=D4 11 51 50 57 F5 B4 D1 B4 00 E1 71
    "Ctsu"=24 13 51 50
    "Potd"=24 9E BE 52 85

    to the registry key:


  2. Adds the value:

    "Eech"="%SystemDrive%\Documents and Settings\[user name]\Application Data\hoor.exe"

    to the registry key:


    so that the spyware is run every time Windows starts.

  3. Creates the following files:
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\hoor.exe
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\rbap.exe

  4. Creates the following folders:
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\mbaa
      • %SystemDrive%\Documents and Settings\[user name]\Application Data\isrd

  5. Creates the registry key HKCU\Software\Aubt. This key has the following values:

    "Ieta"="24 1f 2f db"
    "Smci"="24 92 c0 d9 85"
    "Sust"="d4 1d 2f db 57 d1 4a 50 b4 9c 30 6f"

  6. Creates the registry value "Timb"="%SystemDrive%\Documents and Settings\[user name]\Application Data\rbap.exe".

  7. Scans Internet Explorer files, including browser files, cache, history, and cookies for adult-related keywords. It then displays advertisements.

  8. Downloads and displays ads from the following Web sites:
      • legend.psdtools.com
      • pisces.clickspring.com

Note: %SystemDrive% is a variable that refers to the drive on which the Windows installation resides. By default, this is drive C. [user name] refers to the name of the current user when the threat was installed.
