Jkc73

PUP.Dealio


Please shine some light on what MBAM has found here, thanks!

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5417

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

12/30/2010 3:33:40 AM

mbam-log-2010-12-30 (03-33-07).txt

Scan type: Quick scan

Objects scanned: 154850

Time elapsed: 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> No action taken. [0326d83dea1652ae7c6cb4dd2fd37987]

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> No action taken. [a1886da814ecd0302815f7181ce4649c]

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]

mbam_log_2010_12_30__03_33_07_.zip


Hi Jason,

This is not a false positive; it is related to Dealio/Spigot, which is not recommended. We detect it as a PUP here (Potentially Unwanted Program).

Hi Jason,

This is not a false positive; it is related to Dealio/Spigot, which is not recommended.

Thanks, Mieke, for your fast reply :lol:

Hi Jkc73,

We detect it as a PUP here (Potentially Unwanted Program).


Hmm, I found one as well!

Is it really harmful to your PC? (A keylogger or something?)

It's not really harmful, just not recommended.

MBAM has already removed it; do I need to do another extra cleanup or something, or is it completely removed?

No need for extra cleanup, it should be gone now :)

Ok thanks!

First time I have actually posted in the 2 years I have had MBAM.

Great community :)


I received the same notification for PUP.Dealio today after a quick scan with MBAM v. 1.50.1.1100 - database version 5422 (see attached log).

I'm assuming this registry key for the CLSID E312764E-7706-43F1-8DAB-FCDD2B1E416D is associated with the Dealio Toolbar. Did Malwarebytes just add this fingerprint to the database recently? I am curious since I do not recall installing any software that warned me that the Dealio Toolbar was included in the installation.

I checked the add-ons in my IE 8 browser (Tools | Manage Add-ons | Toolbars and Extensions | Show All Add-ons) and I don't see any evidence that I've ever installed the Dealio toolbar on my PC. I found some information on the Dealio website (http://www.dealio.com/help/uninstall-dealio-toolbar.html) that the Dealio Toolbar also installs a program called Search Settings (searchsettings.exe), but I checked Programs and Features in my Windows Control Panel and can't see Search Settings in my list of installed programs.

I googled "Dealio Toolbar" and there are lots of people who have reported serious problems after installing this software, so kudos to Malwarebytes for adding the fingerprint to their malware database. I have Norton Internet Security 2011 on my PC and ran a full scan of my PC before I quarantined PUP.Dealio with MBAM, and NIS 2011 doesn't detect it as a threat.

________

MS Windows Vista Home Premium 32-bit SP2 * NIS 2011 v. 18.1.0.37 * MBAM v. 1.50.1.1100

HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS

mbam_log_2010_12_30__20_27_12_.txt

Did Malwarebytes just add this fingerprint to the database recently?
Yes, this was added recently as PUP, which explains why you suddenly got this detection :)

Yes, this was added recently as PUP, which explains why you suddenly got this detection :)

My problem with this detection is that there are absolutely zero other Dealio-associated elements, files, toolbars, registry keys, etc., only this single registry key:

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio)

I searched on the CLSID looking for other associated stuff, and on Dealio, but there is nothing on my system. I hate toolbars with a vengeance, so there is absolutely no way I would go installing one. Not to mention I don't use IE as my default browser but Firefox 3.6.13 with the NoScript, RequestPolicy and AdBlock Plus add-ons, and Avast with its web and network shields enabled. I haven't had any malware infection in over 7 years, so I rather doubt I got hit with a drive-by installation.

So I'm at a loss as to how this can get there without a single other piece of associated Dealio c**pware on my system.

Personally, I feel this is some sort of FP on the CLSID if there are no other indications of Dealio?


Hi,

This is not an FP, though. Maybe you have installed pdfforge in the past, or any other app that bundles Dealio.

Hi,

This is not an FP, though. Maybe you have installed pdfforge in the past, or any other app that bundles Dealio.

No, no pdfforge, and I'm very hot on any bundled apps, notoriously Ask toolbars, etc. I have an absolute aversion to toolbars/bundled software and am like a hawk during the various installs.

As I said before, there are zero other indications of Dealio, only this registry key. I also use SAS, and there are no indications on that either. So I'm at a loss as to how only the registry key would be there if this truly were Dealio.


The Vendio searchsettings also bundles these: http://www.systemlookup.com/search.php?typ...RCHSETTINGS.DLL

As I said, many apps are bundled with Dealio. It could be that this leftover was already present there for a long time on your pc.

I also use SAS and no indications on that either.

SuperAntiSpyware normally detects this one as well, though, because I found a report where it does: http://www.computerhope.com/forum/index.php?topic=73598.0


Same thing, really: I don't have any search settings or freebies, as I know that they aren't set up to help me but the makers of the toolbar/settings, etc., so I do avoid them like the plague.

I have absolutely no explanation, given my caution and the proactive measures I take, for how it would get on my system. Even with this item out of the MBAM Quarantine, SAS doesn't detect this (scan just run). I had had SAS Pro (resident) for over three years before I tried MBAM, which I run on-demand only, to avoid the conflict of two resident anti-spy/malware applications running.

The topic you found from 2009 was within the time that I have had SAS with no detections, so perhaps that Unclassified.Unknown Origin detection was removed, as I certainly didn't have the alert in my weekly.

So colour me confused.

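Two questions in this thread come down to reading the MBAM log carefully: what the first post's detections actually cover, and whether a lone HKEY_CURRENT_USER Ext\Stats key with no file, service or other Dealio artifact behind it (the later posters' situation) is the same thing. The Python below is an added example written for this page, not Malwarebytes' code: it parses the MBAM 1.x log format shown in the first post into structured items, checks that the declared per-section counts match what is listed (a truncated or hand-edited log fails this), groups items by the bracketed 32-character identifier MBAM prints after each item (treated here as an opaque tag, since the thread does not say what it is), and reports CLSIDs that occur only in an Ext\Stats key. The sample log is the first post's, trimmed; the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first post's quick-scan log, trimmed to the lines the parser needs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5417
Scan type: Quick scan
Objects scanned: 154850
Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E312764E-7706-43F1-8DAB-FCDD2B1E416D} (PUP.Dealio) -> No action taken. [0326d83dea1652ae7c6cb4dd2fd37987]
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> No action taken. [a1886da814ecd0302815f7181ce4649c]
Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> No action taken. [a1886da814ecd0302815f7181ce4649c]
"""

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys", "Registry Values", "Registry Data Items", "Folders", "Files")
_SEC = "|".join(SECTIONS)
COUNT_RE = re.compile(rf"^(?P<section>{_SEC}) Infected: (?P<n>\d+)$")
HEADER_RE = re.compile(rf"^(?P<section>{_SEC}) Infected:$")
# Item shape for keys, values, folders and files: "<target> (<family>) -> [Value: <name> -> ]<action>. [<32 hex>]"
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[^()]+)\) -> (?:Value: (?P<value>.+?) -> )?"
                     r"(?P<action>[^.]+)\. \[(?P<tag>[0-9a-f]{32})\]$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Detection:
    section: str          # "Registry Keys", "Registry Values", "Files", ...
    target: str           # registry key, value path, folder or file
    family: str           # detection name, e.g. "PUP.Dealio"
    action: str           # e.g. "No action taken"
    tag: str              # the 32-hex identifier MBAM prints in brackets after each item
    value: Optional[str]  # value name, only for Registry Values items

    @property
    def clsids(self) -> List[str]:
        return [c.upper() for c in CLSID_RE.findall(self.target)]


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Parse one MBAM 1.x text log into header fields, declared counts and Detection items."""
    header, counts, items = {}, {}, []
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section is None:  # still in the header block above the item sections
            if "product" not in header:
                header["product"] = line
            elif ": " in line:
                key, val = line.split(": ", 1)
                header[key.lower().replace(" ", "_")] = val
        elif line != "(No malicious items detected)":
            if not (m := ITEM_RE.match(line)):
                raise ValueError(f"unrecognised item line in {section!r}: {line}")
            items.append(Detection(section, m["target"], m["family"], m["action"], m["tag"], m["value"]))
    return {"header": header, "counts": counts, "items": items}


def verify_counts(parsed: Dict[str, object]) -> Dict[str, Tuple[int, int]]:
    """Sections whose declared count differs from the items listed, as (declared, listed); empty if consistent."""
    listed = defaultdict(int)
    for d in parsed["items"]:
        listed[d.section] += 1
    declared = parsed["counts"]
    return {s: (declared.get(s, 0), listed[s]) for s in SECTIONS if declared.get(s, 0) != listed[s]}


def group_by_tag(items: List[Detection]) -> Dict[str, List[Detection]]:
    """Group items by bracketed tag: in the sample the service key, SharedDLLs value and file share one."""
    groups = defaultdict(list)
    for d in items:
        groups[d.tag].append(d)
    return dict(groups)


def orphan_ext_stats_clsids(items: List[Detection]) -> List[str]:
    """CLSIDs seen only in an HKEY_CURRENT_USER Ext/Stats key (IE's per-user add-on statistics) and in no
    file, service or other item. Such a key alone records that an add-on with that CLSID was once loaded
    in IE; it does not show a binary is still installed, so check HKEY_CLASSES_ROOT CLSID registration next."""
    in_stats, elsewhere = set(), set()
    for d in items:
        is_stats = d.section == "Registry Keys" and "\\Ext\\Stats\\" in d.target
        (in_stats if is_stats else elsewhere).update(d.clsids)
    return sorted(in_stats - elsewhere)


if __name__ == "__main__":
    p = parse_mbam_log(SAMPLE_LOG)
    print(verify_counts(p) or "counts consistent", orphan_ext_stats_clsids(p["items"]))
```

Run against the first post's log, the three HKLM/file items share one tag while the Ext\Stats key has its own, and the CLSID E312764E-... is reported as known only from Ext\Stats. For the later posters, whose logs contain nothing but that key, the same report is the signal that the finding is a per-user IE usage record rather than proof of an installed binary, which is what the "leftover" explanation in the thread describes.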
Maybe you have installed pdfforge in the past or any other app that bundles dealio.

Mieke,

Have you guys confirmed that Dealio is covertly bundled with PDFCreator (pdfforge)?

Thanks!


Hello everyone

I just joined, as I have this as well (PUP.Dealio, that is). I first got the results a few weeks ago and removed all with Malwarebytes.

I scanned again today and it's all back. I've once again had Malwarebytes remove it, but I assume it'll be back.

Is there a way to permanently remove it? You mention PDF creator software, and I only have Adobe Reader; is it possible it comes in with updates to that?

Richard
