PUP.Dealio



#1 Jkc73


Posted 29 December 2010 - 12:47 PM

Please shine some light on what Mbam has found here, thanks!

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5417

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/30/2010 3:33:40 AM
mbam-log-2010-12-30 (03-33-07).txt

Scan type: Quick scan
Objects scanned: 154850
Time elapsed: 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> No action taken. [0326d83dea1652ae7c6cb4dd2fd37987]

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> No action taken. [a1886da814ecd0302815f7181ce4649c]

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]


Attached File  mbam_log_2010_12_30__03_33_07_.zip   821bytes   71 downloads
~ Jkc73


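Parsing the Malwarebytes' Anti-Malware 1.50 text log shown in this post, as an added example that is not part of the thread or of Malwarebytes' own tooling; the sample log is a constructed excerpt modelled on the one above, and the function names are assumed. It checks that the summary counts agree with the items actually listed, groups the bracketed hashes by detection name (handy when comparing with another scanner's report), and pulls out any CLSID named in a hit path.

```python
import re

# Constructed excerpt in the layout of the MBAM 1.50 log posted above (hit sections only).
SAMPLE_LOG = r"""Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> No action taken. [0326d83dea1652ea7c6cb4dd2fd37987]

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> No action taken. [a1886da814ecd0302815f7181ce4649c]

Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # summary block: "<section>: <count>"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # listing block header: "<section>:"
# one hit: "<item> (<detection>) -> <detail>. [<32 hex digits>]"
HIT_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<detail>.+?)\. \[(?P<hash>[0-9a-f]{32})\]$")
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

def parse_mbam_log(text):
    """Return (summary counts per section, {section: [hit dicts]}) for an MBAM text log."""
    counts, hits, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            section = None                      # a blank line ends the current listing
        elif m := SUMMARY_RE.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := HIT_RE.match(line)):   # "(No malicious items detected)" never matches
            hits.setdefault(section, []).append(m.groupdict())
    return counts, hits

def count_mismatches(counts, hits):
    """Sections whose summary count disagrees with the items listed (truncated or edited paste)."""
    return {s: (n, len(hits.get(s, []))) for s, n in counts.items() if n != len(hits.get(s, []))}

def hashes_by_detection(hits):
    """Detection name -> sorted bracketed hashes of the objects it was raised on."""
    pairs = {(h["name"], h["hash"]) for items in hits.values() for h in items}
    return {n: sorted(x for k, x in pairs if k == n) for n in {k for k, _ in pairs}}

def clsids(hits):
    # CLSIDs named in hit paths, e.g. the HKCU ...\Ext\Stats\{CLSID} key (IE add-on statistics)
    return sorted({c.upper() for items in hits.values() for h in items for c in CLSID_RE.findall(h["item"])})
```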


#2 miekiemoes


Posted 29 December 2010 - 01:08 PM

Hi Jason,

This is no False Positive, but related to Dealio/Spigot, which is not recommended. We detect it as PUP here (Potentially Unwanted Programs).
Mieke Verburgh
Director of Research


#3 Jkc73


Posted 29 December 2010 - 01:14 PM

Hi Jason,

This is no False Positive, but related to Dealio/Spigot, which is not recommended.

Thanks Mieke for your fast reply :lol:
~ Jkc73




#4 Jkc73


Posted 29 December 2010 - 01:31 PM

Hi Jkc73,

We detect it as PUP here (Potentially Unwanted Programs).

~ Jkc73




#5 Yosika


Posted 30 December 2010 - 08:17 AM



Hmm, I found one as well!
Is it really harmful to your pc? (keylogger or something?)

#6 miekiemoes


Posted 30 December 2010 - 08:24 AM

It's not really harmful, just not recommended.

#7 Yosika


Posted 30 December 2010 - 08:26 AM

It's not really harmful, just not recommended.


MBAM removed it already, do I need to do another extra cleanup or something, or is it completely removed?

#8 miekiemoes


Posted 30 December 2010 - 08:44 AM

No need for extra cleanup, it should be gone now :)

#9 Yosika


Posted 30 December 2010 - 08:44 AM

No need for extra cleanup, it should be gone now :)


Ok thanks!
First time I actually posted in the 2 years I have MBAM.
Great community :)

#10 lmacri


Posted 30 December 2010 - 10:40 PM

I received the same notification for PUP.Dealio today after a quick scan with MBAM v. 1.50.1.1100 - database version 5422 (see attached log).

I'm assuming this registry key for the CLSID E312764E-7706-43F1-8DAB-FCDD2B1E416D is associated with the Dealio Toolbar. Did Malwarebytes just add this fingerprint to the database recently? I am curious since I do not recall installing any software that warned me that the Dealio Toolbar was included in the installation.

I checked the add-ons in my IE 8 browser (Tools | Manage Add-ons | Toolbars and Extensions | Show All Add-ons) and I don't see any evidence that I've ever installed the Dealio toolbar on my PC. I found some information on the Dealio website (http://www.dealio.co...io-toolbar.html) that the Dealio Toolbar also installs a program called Search Settings (searchsettings.exe), but I checked Programs and Features in my Windows Control Panel and can't see Search Settings in my list of installed programs.

I googled "Dealio Toolbar" and there are lots of people who have reported serious problems after installing this software, so kudos to Malwarebytes for adding the fingerprint to their malware database. I have Norton Internet Security 2011 on my PC and ran a full scan of my PC before I quarantined PUP.Dealio with MBAM, and NIS 2011 doesn't detect it as a threat.
________

MS Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.1.0.37 * MBAM v. 1.50.1.1100
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS


#11 miekiemoes


Posted 31 December 2010 - 02:35 AM

Did Malwarebytes just add this fingerprint to the database recently?

Yes, this was added recently as PUP, which explains why you suddenly got this detection :)

#12 DavidR


Posted 04 January 2011 - 02:55 PM

Yes, this was added recently as PUP, which explains why you suddenly got this detection :)


My problem with this detection is that there are absolutely zero other Dealio associated elements, files, toolbars, registry keys, etc. etc. only this single registry key:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio)

I searched on the CLSID looking for other associated stuff and on Dealio, but there is nothing on my system. I hate toolbars with a vengeance, so there is absolutely no way I would go installing one. Not to mention I don't use IE as my default browser but Firefox 3.6.13 with NoScript, RequestPolicy, AdBlock Plus add-ons and avast with its web and network shields enabled. I haven't had any malware infection in over 7 years, so I rather doubt I got hit with a driveby installation.

So I'm at a loss as to how this can get there without a single other piece of associated Dealio c**pware on my system.

Personally I feel this is some sort of FP on the CLSID if there are no other indications of Dealio ?

#13 miekiemoes


Posted 04 January 2011 - 02:58 PM

Hi,

This is no FP though. Maybe you have installed pdfforge in the past or any other app that bundles dealio.

#14 DavidR


Posted 04 January 2011 - 05:45 PM

Hi,

This is no FP though. Maybe you have installed pdfforge in the past or any other app that bundles dealio.


No, no pdfforge, and I'm very hot on any bundled apps, notoriously ASK toolbars, etc. I have an absolute aversion to toolbars/bundled software and am like a hawk in the various installs.

As I said before there are zero other indications of Dealio only this registry key. I also use SAS and no indications on that either. So I'm at a loss as to how only the registry key would be there if this truly were Dealio.

#15 miekiemoes


Posted 05 January 2011 - 01:51 AM

The Vendio searchsettings also bundles these: http://www.systemloo...RCHSETTINGS.DLL
As I said, many apps are bundled with Dealio. It could be that this leftover was already present there for a long time on your pc.

I also use SAS and no indications on that either.

SuperAntispyware normally detects this one as well though, because I found a report where it does: http://www.computerh...p?topic=73598.0

#16 DavidR


Posted 05 January 2011 - 11:44 AM

Same thing really, I don't have any search settings, freebies as I know that they aren't set to help me but the makers of the toolbar/settings, etc. so I do avoid them like the plague.

I have absolutely no explanation given my caution and proactive measures I take, how it would get on my system. Even with this item out of the MBAM Quarantine SAS doesn't detect this (scan just run). I have had SAS Pro (resident) for over three years before I tried MBAM which is on-demand only to avoid conflict of two resident anti-spy/malware applications running.

The topic you found from 2009 was within the time that I have had SAS and no detections, so perhaps that Unclassified.Unknown Origin detection was removed as I certainly didn't have the alert in my weekly .

So colour me confused.



#17 coyodel


Posted 07 January 2011 - 03:18 AM

Maybe you have installed pdfforge in the past or any other app that bundles dealio.


Mieke,

Have you guys confirmed that Dealio is covertly bundled with PDFCreator (pdfforge)?

Thanks!

#18 miekiemoes


Posted 07 January 2011 - 03:40 AM

Yes, the pdfforge toolbar is still installed, which is dealio related.
Also see here: http://de.pdfforge.o...are-and-spyware
That's why we detect it as a Potentially Unwanted Program (PUP). We only detect the toolbar though, not the other PDFCreator components, as they are fine to have. :blink:

#19 gardnerman


Posted 11 March 2011 - 11:55 AM

Hello everyone
I just joined as I have this as well (pup.dealio that is). I first got the results a few weeks ago and removed all with Malwarebytes.
I scanned again today and it's all back; I've once again had Malwarebytes remove it, but I assume it'll be back.
Is there a way to permanently remove it? You mention PDF creator software and I only have Adobe Reader; is it possible it comes in with updates to that?
Richard



