Advertising Spyware: Clickspring WinServs / Winservn / PuritySCAN / sear1
(WINSERVS.EXE, sear1.exe)
PurityScan is a program distributed by Clickspring LLC, an advertising company. Its
stated purpose is to scan your computer for hidden pornographic materials
and allow you to remove them.
Upon first loading, PuritySCAN (often named PuritySCAN.exe or sear1.exe) will scan your IE files (browser cache, history,
and cookies) for occurrences of "dirty words" relating to pornography. (To
avoid getting myself branded as a porn site, the list of words will be left
to the reader's imagination.) The program will then display a list of any
files found to contain the words. It will also drop a copy of itself in the
Windows StartUp folder as "WINSERVS.EXE" or "WINSERVN.EXE". This copy will load at start-up
and spawn massive quantities of large popup ads when the user is online.
On our test installation, the parasite spawned 14 popup windows in a 45-minute
idle period, averaging one popup every 3.2 minutes.
NOTE: "Winservs.exe" may go under different names,
a now common one being "winservn.exe". Keep this in mind when following removal
instructions.
Infection method:
The WINSERVS task is typically installed
by running the Purity Scan program from purityscan.com. However, Clickspring
offers an affiliate program that pays Webmasters to get people to run the
program, which may provide incentive for sites to attempt to load it in a
dishonest manner. The specimen we obtained did not display the License Agreement
and reported back what appeared to be an affiliate's username.
More recently it has come to my attention that porn sites, of all
places, are also installing this. Using a "drive-by-download" or a mislabeled
link claiming to be for a Webcam or porn viewer, it installs PurityScan on
your system and they get referral money.
Removal Procedure:
Press Ctrl-Alt-Del once to bring up the End Task dialogue. Highlight "WINSERVS" and select End Task.
(It may take a few moments for a "not responding" warning to appear. Press
End Task again.)
Now remove WINSERVS.EXE from your StartUp folder. This can be done by going
to Start > Settings > Taskbar, and clicking on the Start Menu tab.
Select "Remove". Find the StartUp folder on the list that appears, select
it if necessary, and delete the WINSERVS entry that appears there.
Clickspring provides the following uninstaller to remove PurityScan: http://www.purityscan.com/ps_uninstaller.exe
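A check to run after the removal steps above, given as an added example that is not part of the original page or any Clickspring tool: it walks a folder (normally the StartUp folder) and reports files whose names match the ones listed on this page. Matching on the name without its extension, and the sample folder layout, are assumptions made for the example.

```python
import os
import sys
import tempfile

# Base names taken from the page; compared case-insensitively and without
# extension (assumption) so a renamed-case copy or a shortcut is also reported.
KNOWN_STEMS = {"winservs", "winservn", "sear1", "purityscan"}


def find_purityscan_files(root):
    """Return sorted paths under root whose base name matches a known stem."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem = os.path.splitext(name)[0].lower()
            if stem in KNOWN_STEMS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def startup_is_clean(startup_dir):
    """True when no known name remains under the given StartUp folder."""
    return not find_purityscan_files(startup_dir)


def build_sample_startup(base):
    """Constructed sample: a StartUp folder with one matching and one benign entry."""
    startup = os.path.join(base, "Start Menu", "Programs", "StartUp")
    os.makedirs(startup)
    for name in ("WinServN.exe", "Office Startup.lnk"):
        with open(os.path.join(startup, name), "wb") as fh:
            fh.write(b"constructed sample, not a real binary")
    return startup


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass the StartUp folder (or any directory) to check.
        found = find_purityscan_files(sys.argv[1])
    else:
        # Demo on the constructed sample.
        with tempfile.TemporaryDirectory() as tmp:
            found = find_purityscan_files(build_sample_startup(tmp))
    for path in found:
        print("suspect:", path)
    print("clean" if not found else "%d suspect file(s)" % len(found))
```

Because the file may go under different names, as noted above, an empty result only rules out the names listed here.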
More Information:
The Privacy Policy states that Clickspring will sell information you provide
(name, email address, age, gender, zip code, country of residence) to third
parties for marketing purposes.
On our test installation, the
program found only 1 'objectionable' file (a non-pornographic image file,
whose binary data happened to contain the string 'pics'), even after intentionally
visiting a pornographic Web site and sites containing terms in the program's
"naughty word list".