PUP.Optional.FindingDiscount

Short bio

PUP.Optional.FindingDiscount is a potentially unwanted program (PUP), specifically a browser hijacker. Some also categorize it as adware. PUP.Optional.FindingDiscount targets Windows systems.

Type and source of infection

PUP.Optional.FindingDiscount is advertised as a helpful program that displays coupons for sites that users are visiting. It also displays ads that lead to the installation of more questionable programs. PUP.Optional.FindingDiscount comes bundled with other programs. It can be downloaded with software hosted on third-party software providers.

Protection

Malwarebytes protects users from PUP.Optional.FindingDiscount by using real-time protection.

Malwarebytes blocks the bundlers that include PUP.Optional.FindingDiscount

Remediation

Malwarebytes can detect and remove PUP.Optional.FindingDiscount without further user interaction.

1. Please download Malwarebytes to your desktop.
2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
3. Then click Finish.
4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
7. Restart your computer when prompted to do so.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.

To access the exclusions in Malwarebytes:

• Click on the Settings tab in the left pane.
• Click on the Exclusions tab.
• Click the Add Exclusion button.
• Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.
• Repeat this for any secondary folder(s) that belong to the software.
• If you want to allow the program to connect to the Internet, for example to fetch updates, add an exclusion of the type Exclude an application that Connects to the Internet and use the Browse button to select the file you wish to grant access.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/13/2015
Scan Time: 2:43:58 PM
Logfile: mbamPriceFindings.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.13.04
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 330755
Time Elapsed: 27 min, 18 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.FindingDiscount.A, C:\Program Files (x86)\Windows Discount\FindingDiscount\findingdiscount.exe, 720, Delete-on-Reboot, [ef096ab38208b383970c6c28cc37a759]
PUP.Optional.RuntimeManager.A, C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, 4816, Delete-on-Reboot, [8c6c7da0573368ceebba2e66f50e6f91]

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.FindingDiscount.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\FindingDiscount, Quarantined, [ef096ab38208b383970c6c28cc37a759], 
PUP.Optional.RuntimeManager.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RuntimeManager, Quarantined, [8c6c7da0573368ceebba2e66f50e6f91], 

Registry Values: 1
PUP.Optional.RuntimeManager.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNTIMEMANAGER|ImagePath, C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe -service, Quarantined, [8c6c7da0573368ceebba2e66f50e6f91]

Folders: 3
PUP.Optional.FindingDiscount.A, C:\Program Files (x86)\Windows Discount, Delete-on-Reboot, [0bed61bc7317152156f8265f60a335cb], 
PUP.Optional.FindingDiscount.A, C:\Program Files (x86)\Windows Discount\FindingDiscount, Delete-on-Reboot, [0bed61bc7317152156f8265f60a335cb], 
PUP.Optional.RuntimeManager.A, C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager, Delete-on-Reboot, [7f795bc21872ba7c0153790cdc27d52b], 

Files: 3
PUP.Optional.OpenSoftwareUpdater, C:\Users\{username}\Desktop\gpsetup2.exe, Quarantined, [ab4d120bc4c6cc6a111e41a3c53cf30d], 
PUP.Optional.FindingDiscount.A, C:\Program Files (x86)\Windows Discount\FindingDiscount\findingdiscount.exe, Delete-on-Reboot, [ef096ab38208b383970c6c28cc37a759], 
PUP.Optional.RuntimeManager.A, C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, Delete-on-Reboot, [8c6c7da0573368ceebba2e66f50e6f91], 

Physical Sectors: 0
(No malicious items detected)


(end)

Traces/IOCs

You may see these entries in FRST logs:

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:47574
ProxyEnable: [HKCU] => Internet Explorer proxy is enabled.
ProxyServer: [HKCU] => http=127.0.0.1:47574
R2 FindingDiscount; C:\Program Files (x86)\Windows Discount\FindingDiscount\FindingDiscount.exe [345088 2015-02-05] () [File not signed]
R2 RuntimeManager; C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe [214016 2015-02-05] () [File not signed]