Malware scan of a system with McAfee Total Protect on 2016-12-14

I ran a malware scan of a Microsoft Windows 10 system yesterday after the user of the system reported that she was having problems with QuickBooks and Internet Explorer on the system and that the system had been performing poorly for some time. SUPERAntiSpyware detected Cartwheel Shopping, et al. potentially unwanted software on the system. I had SUPERAntispyware remove everything it detected, but this evening decided to also run a scan of the system with the antivirus software, McAfee Total Protection, which has been on the system since it was purchased. That antivirus software reported it detected two items.
DJI Phantom 3 Drone

McAfee Total Protection scan completed

The two items detected were Adware-DealPly and PUP-XAO-ME.

McAfee Total Protection found 2 items

The McAfee website provided the following information on Adware-DealPly:

Date Discovered:6/18/2014
Date Added: 6/18/2014
Origin: Unknown
Length: Varies
Type: PUP
Subtype: Adware

Description

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Aliases:

Avira-APPL/DealPly.Q.17
Nod32-a variant of Win32/DealPly.R

Virus Characteristics

"Adware-Dealply" is detection for PUP which is from PriceMeter ad-supported program that injects advertisements with its affiliate ad providers in order to serve a number of ad types including banner, inline text links and popups. It utilizes the InstallCore download manager. This is the same product as the DealPly from DealPly Technologies Ltd / IronSource.

(pme.exe) usually installed with PriceMeter software, pme.exe is one of the component of PriceMeter software.

pme.exe can be found in following path:

[Note: %Application Data% / %Appdata% is the current user's Application Data folder]

"Adware-Dealply" may arrive in the system from following ways

  1. Downloaded unknowingly when user visits malicious websites
  2. Dropped by other malwares
  3. Installed with some free packaged software‘s or potentially unwanted program.

However, I didn't see the directory referenced on the system, nor could I find pme.exe anywhere on the system, so it may have been removed previously during a scan by another antimalware product, but McAfee Total Protection may have been detecting some other remnant of that adware.

C:\WINDOWS\system32>cd \

C:\>dir /s pme.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
File Not Found

C:\>

When I clicked on the rightward pointing arrowhead next to Adware-DealPly, McAfee Total Protection showed that it had found one file, uninstall.exe associated with the adware. I found that file was about 415 KB in size.

C:\>dir %USERPROFILE%\AppData\Local\{70B146ED-5419-2A55-3981-0FBD1DE9F325}\uninstall.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\Users\Jeanne.mayberry\AppData\Local\{70B146ED-5419-2A55-3981-0FBD1DE9F325}

04/19/2013  02:31 PM           415,232 uninstall.exe
               1 File(s)        415,232 bytes
               0 Dir(s)  226,446,860,288 bytes free

C:\>

I turned on the display of hidden and system files and folders and navigated to the location of that file using the Windows File Explorer. I then right-clicked on the file and chose Properties and then clicked on the Details tab to see if there was any indication of who produced the file. There was no copyright information displayed, so I couldn't tell if the file was associated with a company that produces adware.

Uninstall properties details

When I clicked on the link on the McAfee results window for PUP-XAO-ME , I was taken to a page at the McAfee website where I saw "Sorry, we found 0 results matching your search criteria." McAfee Total Protection showed that it detected one file associated with that malware when I clicked on the arrowhead next to it.

McAfee details for PUP-XOA-ME.png

I checked on the details for the file with the dir command from a command prompt; it appeared to have been placed on the system about a week ago on December 8, 2016.

C:\>dir %APPDATA%\Setup40512.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\Users\Jeanne.mayberry\AppData\Roaming

12/08/2016  11:13 AM           122,880 Setup40512.exe
               1 File(s)        122,880 bytes
               0 Dir(s)  226,578,821,120 bytes free

C:\>

When I checked the copyright information for that file, I didn't see any displayed.

Setup40512.exe properties

There was a WB.CFG file placed in the same directory at the same time as Setup40512.exe.

C:\>dir %APPDATA%\wb.cfg
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8

 Directory of C:\Users\Jeanne.mayberry\AppData\Roaming

12/08/2016  11:13 AM               418 WB.CFG
               1 File(s)            418 bytes
               0 Dir(s)  226,578,460,672 bytes free

C:\>

I had McAfee Total Protection quarantine both items it found by clicking on Quarantine All. But I wondered if that setup file had been able to install any malware on December 8, so I searched the system for any files with a December 8 modification date using the steps noted at Finding files by modification date in Windows. I quickly scanned through the list of files returned by that search looking for any others with a time stamp near the 11:13 AM time stamp on Setup40512.exe. The only one I saw was the WB.CFG file I had seen earlier. I then put datemodified:12/8/2016 11:13 AM in the search field to search specifically for files created at the same minute to be sure I hadn't overlooked any when scanning through the results of the prior search. Only WB.CFG was returned.

When I checked the Security History Report for McAfee Total Protection, I found it had detected Setup40512.exe as a potentially unwanted program (PUP) on December 8. I'm assuming it blocked the program from executing then, though it didn't delete it.

McAfee detected PUP-XAO-ME on
2016-12-08

 

Firstrade newegg.com

Justdeals Daily Electronics Deals1x1 px