
Fred,
Since you have devoted a page on your site to removing our software, we
thought this would be helpful:
http://www.clickspring.net/CsUninstaller.exe
This uninstaller will remove any and all Clickspring applications from
your computer.
Sincerely,
The Clickspring Team

New variation (jimmysurf) as of March 4, 2004.
There's a new .exe name for the jimmysurf worm: wapisvtr.exe. I used the
typical steps found on your page to kill it. First I had to guess what file
name it had mutated to since none of the ones on your page were anywhere to
be found on my system, saw wapisvtr.exe running in processes, figured it had
to be a new mutation, found the P symbol in System 32 subdirectory next to
it, and then killed it in the registry. Couldn't have done the detective
work and solved the case without your page. Thanks.
PS: I was getting between 10 and 15 popups every couple minutes. Nasty
little bastard.
Michelle

Mr. Fassett,
Just to let you know, clickbank has added another file to their arsenal. Not
just Winservs.exe. They now have “wnsapisv.exe” that acts the exact same
way. The good news is that the removal process is the same as you outlined
for Winservs.exe. Hope this helps people out.
v/r Rico S.

Hi Fred,
Have just deleted Purity from my system for the second time in three months
using your site as a reference. I used William's guide but.......my version
was wintsvsu.exe....worth updating his contribution to include this as well
as winservs.exe.
Thanks for the help, Mike S.

In removing the PurityScan William talks about removing winservs.exe from
the task list and deleting the file. Thank God he wrote that the file had a
P for an icon because the offensive file on my system was NOT CALLED
winservs.exe it was called wintsu.exe and it
had that big P icon. Blamo! Blamo! Blamo! I wasted a day and a half with Ad
Ware and other free products that wouldn't solve the underlying problem with
PurityScan. Thanks William!!!!!!!! Right on! Tons of web pages say
PurityScan uses winservs.exe so I guess they're adapting.
Anthony

Hey Psychic Fred,
I just recently found your website. THANK GOODNESS and realized that
purityscan/clickspring got smart and changed their little virus name on my
computer, it was under "wintsu.exe" not "winservn.exe"
Hope that helps other people as well find the little freaking bug. Hopefully
all those popups will be gone.
Thanks! Patrick

I read some of the advice on your page, because I appear to have been
infected by this. The directions shown work fine, but my only difference is
that the file was called WTSSVSU. Both in my system 32
folder & task manager, & under the msconfig startup tab. I recommend for
users to open their system 32 folder (C:\WINDOWS\system32),
& look for the big black P icon, as it appears the name isn’t always
consistent.
Andrew M.

Additional known variations:

Start with these instructions: (SunsetWeb)
I just rid my computer of this DEMON! The name of the executable file was "wcpsu.exe".
On Windows XP, I located wcpsu.exe by doing the ctrl+alt+del and clicking
the processes tab. Next I went to Start/Search and typed in wcpsu.exe and
when it came up, it had a big "P" in front of it for Purity Scan. I single
clicked on it and deleted it. Next I went to Start/Run and typed "regedit"
and I went to hkey_current_user_software_purityscan. I deleted it. Finally,
I went to Start/Run and typed "msconfig" and went to the Startup tab. I
unchecked WCPSU and clicked APPLY and OK and re-booted. The problem was
gone!

From: Mark (makawright):
PurityScan is a program distributed by Clickspring LLC, an
advertising company. Its stated purpose is to scan your
computer for hidden pornographic materials and allow you
to remove them.
Upon first loading, PuritySCAN (often named PuritySCAN.exe
or sear1.exe) will scan your IE files (browser cache,
history, and cookies) for occurrences of "dirty words"
relating to pornography. (To avoid getting myself branded
as a porn site, the list of words will be left to the
reader's imagination.) The program will then display a
list of any files found to contain the words. It will also
drop a copy of itself in the Windows StartUp folder
as "WINSERVS.EXE". This copy will load at start-up and
spawn massive quantities of large popup ads when the user
is online. On our test installation, the parasite spawned
14 popup windows in a 45-minute idle period, averaging one
popup every 3.2 minutes.
Infection method:
The WINSERVS task is typically installed by running the
Purity Scan program from purityscan.com. However,
Clickspring offers an affiliate program that pays
Webmasters to get people to run the program, which may
provide incentive for sites to attempt to load it in a
dishonest manner. The specimen we obtained did not display
the License Agreement and reported back what appeared to
be an affiliate's username.
Removal Procedure:
Press Ctrl-Alt-Del once to bring up the End Task dialogue.
Highlight "WINSERVS" and select End Task. (It may take a
few moments for a "not responding" warning to appear.
Press End Task again.)
Now remove WINSERVS.EXE from your StartUp folder. This can
be done by going to Start > Settings > Taskbar, and
clicking on the Start Menu tab. Select "Remove". Find the
StartUp folder on the list that appears, select it if
necessary, and delete the WINSERVS entry that appears
there.
More Information:
The Privacy Policy states that Clickspring will sell
information you provide (name, email address, age, gender,
zip code, country of residence) to third parties for
marketing purposes.
On our test installation, the program found only 1
objectionable file (an image file containing the
string 'pics'), even after intentionally visiting a
pornographic Web site and sites containing terms in the
program's "naughty word list".

Windows XP Home Edition (may work with other versions of Windows): Disable winservn.exe from msconfig
As I recently fought against this time-wasting pain originated from the ClickSpring, I felt I should share my experience since it differs from what you describe on your page.
I guess whoever is behind this intentional negative influence has evolved in its field so that the remedy that got known by people and users would not be effective anymore.
What I discovered was the fact that "winservn.exe" was not visible on the Windows Task list (XP - Home Edition). So what triggered those annoying popups? Well, I still followed the Windows Task list and the well known Windows service processes gained process time, which yields to the Windows services. There are plenty of them and a coder can write its own services to be run in the Windows. BUT most of them are not on the Task list nor in the process list. SO I started to read the existing System Information (Accessories->System Tools->System Information), where I focused on Software Information->Loaded Modules -branch. So there it was: winservn.exe as a windows service.
Elimination had to be done by using some manual operations:
1) run msconfig program (Run Program)
2) open the Startup -tab
3) un-check the winservn.exe service
4) Windows instructs you to reboot, so go for it
5) After re-boot you can close the msconfig (since it automatically opened it for me at least)
6) open a file manager -window
7) go to Windows\System32 directory
8) remove winservn.exe -file
9) done...
These steps were effective for my case and I hope they contain sufficient amount of information to anybody who needs to get rid of this problem.
An additional discovery of this ClickSpring business model was that it actually proposes you a pop-up killer provided by www2.jimmysurf.com. So it's just another version of candy store (ClickSpring) and dentist (JimmySurf)...
I could provide some more details in technical terms to pinpoint the parties behind this hoax, but I really don't know if anybody would actually put a cause and resources in place to run this kind of activities and parties down...
Good luck and all the best ! - Anonymous

Removal Experience by George:
Having got Winservn on my XP Home system (and I can only think I got it
via an unsolicited email since there are a restricted number of sites I visit),
I wondered how the program loaded and where it was located. A look through
all the usual spots for a program to load on boot up failed to reveal
anything untoward, so I went into Start, Search and searched for all .exe
files modified in the past month. The search turned up Winservn.exe in the
Windows/System32 directory as well as a reference in Windows/Prefetch and a
few other undesirable diallers and mysterious programs that had installed
themselves. Keep the list so you can delete the lot of them!
Knowing the name of the program allowed me to terminate the process
safely from Task Manager (Alt - Ctrl - DEL brings it up quickly), Processes
as described by other readers here.
However this left one little nagging question. How the heck was this
program loading and would the loading process reinstall the program if it
wasn't there?
There is only one sure fire way to deal with this problem and that is to
exterminate it completely from the registry of your machine (careful here as
I have heard the Registry described as a nuclear power plant in your
basement which is fairly accurate as if you screw up the Registry you screw
up your system faster than a virus could).
Click Start, Run and type in regedit to open the registry editor. Click
on the My Computer to highlight it and go to Edit, Find and type in
winservn.exe (you must type in the entire name of the file to be certain you
only target winservn.exe since regedit will find any matches that contain
that string of letters). Perform the search and you can safely delete any
bits that the search finds (which is why you have to type in the full filename) and press F3 to continue the search right to the end. When I did
the search I found 4 instances one of which was the Explorer search I had
done and one that seemed to have nothing to do with winservn.exe and two
that loaded it into the system on boot up.
Please be careful what you do in the Registry as this controls your whole
system and Microsoft do not offer any support for it since too many people
can add their own bits to the Registry. If you feel uncomfortable about
doing anything without backup when you have highlighted My Computer click
File, Export and that will make a backup copy of your entire Registry and
you can restore it by Importing it back at the same point, My Computer.
Preferably do it to removable media since you will need to be able to get to
it if you ever lose your hard drive completely - but that is another tale.
What I have told you to do here is perfectly safe since you are only
targeting a single file that you really don't want anyway. If you don't feel
confident don't do this Registry step, I only added it to make sure the
program doesn't even try and load in the future.
Remember I said I found unwanted dialers? Just check in the Registry
that they aren't loading at any point using the same method and delete them
too if they get found. Then delete them off your hard drive. Might be worth
doing that Search bit once a month to make sure your system remains clean.
You know what you have added to your system so it is easy to identify what
has been added without your knowledge. Incidentally if you live in the UK
altering or adding to the contents of a hard drive without the owner's
permission is a criminal offence under the Computer Misuse Act and carries a
6 month jail sentence. Pity Clickspring aren't UK based!
Cheers, George
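
The search George describes, combined with a check of the places a program can load from at boot, as an added example that is not part of George's message or the original page. It only lists candidates and changes nothing; the 30-day window and the autostart locations checked (the Run keys and the Startup folders) are assumptions.

```powershell
# Added example, not from the original page. Read-only: it lists candidates and deletes nothing.
# Assumptions: the 30-day window and the autostart locations checked (Run keys, Startup folders).
param([int]$Days = 30)
$cutoff = (Get-Date).AddDays(-$Days)

$startupDirs = @(@([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup')) |
    Where-Object { $_ -and (Test-Path $_) })

# 1) Executables written recently to System32 or dropped straight into a Startup folder.
$searchDirs = @(Join-Path $env:WINDIR 'System32') + $startupDirs
$recent = Get-ChildItem -Path $searchDirs -Filter *.exe -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# 2) Autostart entries: values under the Run keys plus every file in the Startup folders.
$autostarts = @()
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $autostarts += [pscustomobject]@{
            Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
    }
}
foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -Path $dir -File) {
        $autostarts += [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $f.FullName }
    }
}

# 3) Report each recent executable that an autostart entry names, whatever the file is called.
foreach ($exe in $recent) {
    $pattern = [regex]::Escape($exe.Name)   # literal, case-insensitive match on the file name
    foreach ($hit in ($autostarts | Where-Object { $_.Command -match $pattern })) {
        [pscustomobject]@{
            File      = $exe.FullName
            Modified  = $exe.LastWriteTime
            Signature = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
            Autostart = "$($hit.Source) -> $($hit.Name)"
        }
    }
}
```

Because it matches on modification time and autostart reference rather than on a file name, the listing does not depend on which of the renamed variants reported above is present. Entries that show a valid signature are usually legitimate system files touched by an update.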

Purityscan Windows 2000/XP:
Symptoms:
The virus is put into your computer by downloading the program: Purityscan.
After downloading it puts a program into your windows system 32 file. This
program then forces you to connect (it constantly asks you to connect until
you do), so it can send information to clickspring.net. It also opens pop up
ads to your desktop, even if you are not browsing the internet. It seems at
first impossible to get rid of it. (Note: you can use remove program, or
find program for Purity scan program, but it will not find the virus file
embedded in your windows 32 folder, so don't bother trying, follow the
instructions below.)
Solution:
First delete the program Purity scan from your system
and follow these steps: