The two items detected were Adware-DealPly and PUP-XAO-ME.
The McAfee website provided the following information on Adware-DealPly:
Date Discovered: | 6/18/2014 |
Date Added: | 6/18/2014 |
Origin: | Unknown |
Length: | Varies |
Type: | PUP |
Subtype: | Adware |
Description
This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.
Aliases:
Avira | - | APPL/DealPly.Q.17 |
Nod32 | - | a variant of Win32/DealPly.R |
Virus Characteristics
"Adware-Dealply" is the detection for a PUP from the PriceMeter ad-supported program, which injects advertisements with its affiliate ad providers in order to serve a number of ad types including banner, inline text links and popups. It utilizes the InstallCore download manager. This is the same product as the DealPly from DealPly Technologies Ltd / IronSource.
pme.exe is usually installed with PriceMeter software; pme.exe is one of the components of PriceMeter software.
pme.exe can be found in the following path:
or
[Note: %Application Data% / %Appdata% is the current user's Application Data folder]
"Adware-Dealply" may arrive in the system in the following ways
However, I didn't see the directory referenced on the system, nor could I find pme.exe anywhere on the system, so it may have been removed previously during a scan by another antimalware product, but McAfee Total Protection may have been detecting some other remnant of that adware.

C:\WINDOWS\system32>cd \
C:\>dir /s pme.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
File Not Found
C:\>
When I clicked on the rightward pointing arrowhead next to Adware-DealPly,
McAfee Total Protection showed that it had found one file, uninstall.exe
associated with the adware. I found that file was about 415 KB in size.
C:\>dir %USERPROFILE%\AppData\Local\{70B146ED-5419-2A55-3981-0FBD1DE9F325}\uninstall.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
 Directory of C:\Users\Jeanne.mayberry\AppData\Local\{70B146ED-5419-2A55-3981-0FBD1DE9F325}
04/19/2013  02:31 PM           415,232 uninstall.exe
               1 File(s)        415,232 bytes
               0 Dir(s)  226,446,860,288 bytes free
C:\>
I turned on the display of hidden and system files and folders and navigated to the location of that file using the Windows File Explorer. I then right-clicked on the file and chose Properties and then clicked on the Details tab to see if there was any indication of who produced the file. There was no copyright information displayed, so I couldn't tell if the file was associated with a company that produces adware.
When I clicked on the link on the McAfee results window for PUP-XAO-ME, I was taken to a page at the McAfee website where I saw "Sorry, we found 0 results matching your search criteria." McAfee Total Protection showed that it detected one file associated with that malware when I clicked on the arrowhead next to it.
I checked on the details for the file with the dir command from a command prompt; it appeared to have been placed on the system about a week ago on December 8, 2016.

C:\>dir %APPDATA%\Setup40512.exe
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
 Directory of C:\Users\Jeanne.mayberry\AppData\Roaming
12/08/2016  11:13 AM           122,880 Setup40512.exe
               1 File(s)        122,880 bytes
               0 Dir(s)  226,578,821,120 bytes free
C:\>
When I checked the copyright information for that file, I didn't see any displayed.
There was a WB.CFG file placed in the same directory at the same time as Setup40512.exe.

C:\>dir %APPDATA%\wb.cfg
 Volume in drive C is OS
 Volume Serial Number is D6DD-50D8
 Directory of C:\Users\Jeanne.mayberry\AppData\Roaming
12/08/2016  11:13 AM               418 WB.CFG
               1 File(s)            418 bytes
               0 Dir(s)  226,578,460,672 bytes free
C:\>
I had McAfee Total Protection quarantine both items it found by clicking on Quarantine All. But I wondered if that setup file had been able to install any malware on December 8, so I searched the system for any files with a December 8 modification date using the steps noted at Finding files by modification date in Windows. I quickly scanned through the list of files returned by that search looking for any others with a time stamp near the 11:13 AM time stamp on Setup40512.exe. The only one I saw was the WB.CFG file I had seen earlier. I then put datemodified:12/8/2016 11:13 AM in the search field to search specifically for files created at the same minute to be sure I hadn't overlooked any when scanning through the results of the prior search. Only WB.CFG was returned.
When I checked the Security History Report for McAfee Total Protection, I found it had detected Setup40512.exe as a potentially unwanted program (PUP) on December 8. I'm assuming it blocked the program from executing then, though it didn't delete it.
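
The same-minute search described above can also be run from PowerShell. This is an added example, not part of the original post. It lists files created or modified around a pivot time, together with the version-resource copyright string, Authenticode status and SHA-256 hash for each hit. The function name Find-FilesNearTimestamp and its parameters are hypothetical, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example (not from the original post). Function and parameter names
# are hypothetical; run from an elevated prompt for the widest coverage.
function Find-FilesNearTimestamp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $Pivot,
        [string] $SearchRoot    = 'C:\',
        [int]    $WindowMinutes = 1
    )

    $from = $Pivot.AddMinutes(-$WindowMinutes)
    $to   = $Pivot.AddMinutes($WindowMinutes)

    # -Force includes hidden and system items (AppData is hidden by default);
    # unreadable folders are skipped instead of aborting the walk.
    Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # Check both timestamps: an installer can preserve an old
            # last-write time on a file it has only just created.
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to) -or
            ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to)
        } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Copyright = $_.VersionInfo.LegalCopyright  # Copyright field on the Details tab
                Signature = $sig.Status
                SHA256    = $hash.Hash
            }
        } |
        Sort-Object Modified
}

# Pivot on the 11:13 AM timestamp shown for Setup40512.exe in the dir output.
Find-FilesNearTimestamp -Pivot ([datetime]'2016-12-08 11:13') -SearchRoot 'C:\' |
    Format-List
```

A file that shows an empty Copyright value and a Signature of NotSigned carries no publisher information, in which case the SHA-256 hash is the value to look up or keep with the case notes.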