Rogue:W32/PurityScan is a program from ClickSpring LLC that can monitor the user's browsing habits and send back the collected data to its servers. It will also download content from its servers to display as pop-up advertisements.
PurityScan is another variant of ClickSpring. There have also been a few reports that the program may also be bundled with other spyware and/or adware programs and sometime it maybe installed together with freeware applications or games.
The user must accept the EULA in order to proceed with installation. After accepting the EULA, PurityScan is silently installed to the system.
During installation, the main executable and uninstaller is dropped at the following path:
- C:\Program Files\PurityScan\PuritySCAN.exe
- C:\Program Files\PurityScan\PuritySCANUninstall.exe
PurityScan will also drop files at:
- %UserProfile%\[user]\Local Settings\temp\wups.exe
- %UserProfile%\[user]\Application Data\[random file name].exe, for example
- %UserProfile%\[user]\Application Data\rcoa.exe
- %UserProfile%\[user]Application Data\neni
It then creates a shortcut item in start menu program:
- %UserProfile%\Start Menu\Programs\Purity Scan
Once installed, PurityScan registers itself by sending details of the system it has been installed on back to the server at fp.clickspring.net. It then retrieves advertising contents and updates of itself from www.clickspring.netand pisces.clickspring.net.
PurityScan creates the following registry subkey, so that it will execute automatically each time Windows starts:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run][Random name]=%UserProfile%\[user]\Application Data\[Random file name]
The following registry subkey is also created, so that it appears in the Add/Remove program list: