Is Your Anti-Malware Finding a PUP? What Is It?

by Community Moderator on 02-14-2014 02:33 PM (95,668 Views)

PUPs or PUAs are Potentially Unwanted Programs (or Applications). PUPs range from registry cleaners that claim to speed up your PC, to various toolbars, convenience apps, and all-in-one PC performance boosters. These utilities can be simply annoying and misleading, or harmful and dangerous. That is why the output logs produced by scanners may use words such as “Potentially” and “Optional”. Most of this software is not an infection such as a virus, but it may make false claims, serve ads, conflict with other installed applications, or be a trial that prods you to purchase a full version to finish the task it promised to do.

Recently we have noticed an increase in “software wrappers”. A software wrapper is a program that wraps or bundles another program with it. Some users install these thinking that they will help their computer. If they find them useful, that’s fine. However, most victims have no idea that these applications have been installed. The posts on our Malware Removal Forum confirm that.

Malwarebytes, ESET, and Emsisoft are a few of the security applications that are aggressive in detecting potentially unwanted applications. OpenCandy shows up in some of the samples taken from logs. It is one such installer, bundling legitimate applications with offers for additional third-party applications that may be unwanted by the user.

-----------------------------------------------------
The following items are examples of potentially unwanted programs as they appeared in scans of various computers.

A Malwarebytes Scan Before Removal
(Sample not all-inclusive):

    C:\Users\User\AppData\Local\Temp\ct3289847 (PUP.Optional.Conduit.A) -> No action taken.
    C:\Program Files (x86)\BetterSurf (PUP.Optional.BetterSurf) ->  No action taken.
    C:\Program Files (x86)\Swift Browse\bin\utilSwiftBrowse.exe (PUP.Optional.SwiftBrowse.A) -> No action taken.
    C:\Program Files (x86)\weDownload Manager Pro\weDownload Manager Pro-bho.dll (PUP.Optional.WeDownload.A) -> No action taken.
    C:\Program Files (x86)\Swift Browse\SwiftBrowseBHO.dll (PUP.Optional.SwiftBrowse.A) -> No action taken.
    C:\Program Files (x86)\weDownload Manager Pro\Uninstall.exe (PUP.Optional.CrossRider) -> No action taken.
    C:\Program Files (x86)\weDownload Manager Pro\weDownload Manager Pro-bg.exe (PUP.Optional.WeDownload.A) -> No action taken.
    C:\Users\Username\Downloads\InternationalPrimoPDF.exe (PUP.Optional.OpenCandy) -> No action taken.
    C:\Users\Username\Documents\Optimizer Pro\CookiesException.txt (PUP.Optional.OptimizerPro.A) -> No action taken.
    C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\dosearches.xml (PUP.Optional.DoSearches.A) -> No action taken.
    C:\Documents and Settings\New User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> No action taken
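
As an added example (not part of the original post or any vendor's tooling), the Python below parses log lines in the format shown above, groups them by family, and lists the families that still have items left in place. Taking the third dot-separated field of the detection name as the family is an assumption inferred from these sample lines.

```python
import re
from collections import defaultdict

# Lines copied from the Malwarebytes sample above (subset).
SAMPLE_LOG = r"""
C:\Users\User\AppData\Local\Temp\ct3289847 (PUP.Optional.Conduit.A) -> No action taken.
C:\Program Files (x86)\BetterSurf (PUP.Optional.BetterSurf) ->  No action taken.
C:\Program Files (x86)\Swift Browse\bin\utilSwiftBrowse.exe (PUP.Optional.SwiftBrowse.A) -> No action taken.
C:\Program Files (x86)\Swift Browse\SwiftBrowseBHO.dll (PUP.Optional.SwiftBrowse.A) -> No action taken.
C:\Program Files (x86)\weDownload Manager Pro\Uninstall.exe (PUP.Optional.CrossRider) -> No action taken.
C:\Users\Username\Downloads\InternationalPrimoPDF.exe (PUP.Optional.OpenCandy) -> No action taken.
C:\Documents and Settings\New User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.50\agent\stub_data\stubinst_pkg_en-us.cab (PUP.Optional.OpenCandy) -> No action taken
"""

# "<path> (<detection>) -> <action>". Paths may contain "(x86)", so the
# detection is the parenthesised token that sits directly before "->".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+\((?P<det>[^()\s]+)\)\s*->\s*(?P<action>.+?)\.?\s*$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m["det"].split(".")
    # Assumption: names look like PUP.Optional.<Family>[.<Variant>].
    family = parts[2] if len(parts) >= 3 else m["det"]
    return {"path": m["path"], "detection": m["det"],
            "family": family, "action": m["action"]}

def summarize(log_text):
    """Group parsed detections by family name."""
    by_family = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_family[rec["family"]].append(rec)
    return dict(by_family)

def unremediated(log_text):
    """Families with at least one item the scanner reported but left in place."""
    return sorted(f for f, recs in summarize(log_text).items()
                  if any(r["action"].lower() == "no action taken" for r in recs))

if __name__ == "__main__":
    for fam, recs in summarize(SAMPLE_LOG).items():
        print(f"{fam}: {len(recs)} item(s)")
    print("Still present:", ", ".join(unremediated(SAMPLE_LOG)))
```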


ESET’s Quarantined Items from Another PC
(Sample not all-inclusive):

    C:\Program Files\Reviversoft\Registry Reviver\RegistryReviver.exe a variant of Win32/RegistryReviver application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\All Users\Application Data\ReviverSoft\Registry Reviver\InstallCache\{05B64610-ED45-40AC-89A3-507F6B6A25B9}\Registry Reviver.msi a variant of Win32/SlowPCfighter application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\welcome\Application Data\OpenCandy\OpenCandy_81FDD31F09164422AAD48190CB489895\AFIRegistryReviverSetup.exe a variant of Win32/SlowPCfighter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

    C:\Documents and Settings\welcome\Application Data\OpenCandy\OpenCandy_81FDD31F09164422AAD48190CB489895\p1v1_AFIRegistryReviver_w.exe a variant of Win32/SlowPCfighter application (deleted - quarantined) 00000000000000000000000000000000 C
    

Malwarebytes PUP Criteria
http://www.malwarebytes.org/pup/

===================================
For additional details on this topic see:

* Problematic, Unloved and Argumentative: What is a potentially unwanted application (PUA)?
by ESET’s Distinguished Researcher, Aryeh Goretsky: http://go.eset.com/us/resources/white-papers/Problematic-Unloved-Argumentative.pdf

* Have you been fooled by an installer?
http://www.hanselman.com/blog/DownloadWrappersAndUnwantedSoftwareArePureEvil.aspx

* How to Avoid Toolbars, Unwanted Software and Other Installer Tricks
http://www.geekstogo.com/2797/avoid-toolbars-unwanted-software-installer-tricks/
