Question about a few PUPs in TEMP occasionally

Patrick (Sysnative Staff). Joined Jun 7, 2012. Posts: 4,618
Hello security analysts,

A few weeks ago on this machine I downloaded a freeware program that I was going to use to convert .flv files to .whatever. Unbeknownst to me, this was your typical freeware loaded with a bunch of garbage during the install, and I X'd the install rather than clicking anything else (friendly tip from Corrine that I never forgot!) before it installed any of its other stuff, and just moved on. The mistakes I make when I'm tired...

After uninstalling it, restarting, and ensuring it and any remnants were gone, I ran an MBAM scan and had a PUP in my TEMP. I figured it was just something it dropped in there that it 'would' have executed if I had kept going with the installation. Needless to say, I cleared my TEMP, restarted, ran MBAM again, and it didn't show up.

Well, I ran MBAM again a bit ago just to do my biweekly scanning, and it found two PUPs in TEMP again:

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
bsod :: BSOD-PC [administrator]

10/26/2013 7:44:13 AM
MBAM-log-2013-10-26 (07-49-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202136
Time elapsed: 2 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\bsod\AppData\Local\Temp\GXwSCpKD.exe.part (PUP.Optional.InstallMonetizer) -> No action taken.
C:\Users\bsod\AppData\Local\Temp\vmlUv9GO.exe.part (PUP.Optional.InstallMonetizer) -> No action taken.

(end)

With this said, I did the same thing: just cleaned TEMP, restarted, ran a Quick Scan again, and they were gone the next time (here is the log from right after cleaning TEMP and restarting):

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
bsod :: BSOD-PC [administrator]

10/26/2013 7:52:05 AM
mbam-log-2013-10-26 (07-52-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196598
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

(To clarify, when I say 'I cleaned TEMP' I didn't take any action with MBAM; I just used it as a scanner. I flushed my temporary files myself, restarted, and then scanned again afterwards, and they were gone.)

I then ran a Full Scan with MBAM and that was clean as well; here's the log:

Code:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
bsod :: BSOD-PC [administrator]

10/26/2013 7:58:34 AM
mbam-log-2013-10-26 (07-58-34).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401436
Time elapsed: 29 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Given that they are not reappearing (nor are new ones) after cleaning TEMP and rescanning, there is no obvious decrease whatsoever in system performance, all processes are regular and none are sketchy, etc., would you say that these PUPs I sometimes see in scans are just being caught from browsing the occasional not-so-safe website, and that I am not infected with, let's say, a trojan dropping them in there?

Regards,

Patrick
 
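The three logs above share one fixed layout: a header block, then a series of "... Detected: N" sections, each followed either by "(No malicious items detected)" or by one line per hit of the form `PATH (CLASSIFICATION) -> ACTION.` The question in the post, whether the same things keep coming back, is really a diff between consecutive scans. The script below is an added example, not code from the thread or from Malwarebytes: it parses that layout, separates PUP/PUM labels from anything else, flags files under a Temp folder whose name is eight random alphanumerics (the shape of the two names in the log), and reports what was cleared, what persists and what is new between two scans. SAMPLE_BEFORE and SAMPLE_AFTER are constructed, abbreviated logs in that format; the random-name heuristic and the PUP/PUM split are this example's own assumptions.

```python
"""Parse Malwarebytes Anti-Malware 1.x scan logs and compare two scans.

Added example, not from the original thread or from Malwarebytes. SAMPLE_* are
constructed, abbreviated logs following the layout of the posted logs.
"""
import re
from dataclasses import dataclass

# One detection line, e.g.
#   C:\Users\u\AppData\Local\Temp\GXwSCpKD.exe.part (PUP.Optional.InstallMonetizer) -> No action taken.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<classification>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers such as "Files Detected: 2" or "Registry Keys Detected: 0"
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# Eight mixed-case alphanumerics: the shape of the two temp file names in the thread (heuristic)
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# Assumption: anything the scanner labels PUP./PUM. is "unwanted", not malware proper
NON_MALWARE_PREFIXES = ("PUP.", "PUM.")


@dataclass(frozen=True)
class Detection:
    section: str          # e.g. "Files", "Registry Keys"
    path: str
    classification: str   # e.g. "PUP.Optional.InstallMonetizer"
    action: str           # e.g. "No action taken"


def parse_mbam_log(text):
    """Return the Detection entries listed under the '... Detected:' sections."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        # Skip the header block (before any section), blank lines,
        # "(No malicious items detected)" and "(end)".
        if section is None or not line or line.startswith("("):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            detections.append(Detection(section, hit.group("path"),
                                        hit.group("classification"), hit.group("action")))
    return detections


def is_random_temp_dropper(det):
    """Heuristic: an .exe/.exe.part under a \\Temp\\ folder whose stem is 8 random alphanumerics."""
    name = det.path.rsplit("\\", 1)[-1]
    stem = name.split(".", 1)[0]
    return (det.section == "Files"
            and "\\temp\\" in det.path.lower()
            and name.lower().endswith((".exe", ".exe.part"))
            and bool(RANDOM_STEM_RE.match(stem)))


def classify(detections):
    """Split detections into PUP/PUM ('unwanted') versus everything else ('malware')."""
    unwanted = [d for d in detections if d.classification.startswith(NON_MALWARE_PREFIXES)]
    malware = [d for d in detections if not d.classification.startswith(NON_MALWARE_PREFIXES)]
    return {"unwanted": unwanted, "malware": malware}


def compare_scans(before, after):
    """Paths cleared between two scans, paths that persist, and paths new in the second."""
    b = {d.path for d in before}
    a = {d.path for d in after}
    return {"cleared": sorted(b - a), "persisting": sorted(a & b), "new": sorted(a - b)}


def triage(before_text, after_text):
    """Everything the thread asks about, from two consecutive logs."""
    before, after = parse_mbam_log(before_text), parse_mbam_log(after_text)
    split = classify(before)
    return {"before_unwanted": len(split["unwanted"]),
            "before_malware": len(split["malware"]),
            "random_temp_droppers": [d.path for d in before if is_random_temp_dropper(d)],
            **compare_scans(before, after)}


# Constructed sample logs (abbreviated; same layout as the posted MBAM logs).
SAMPLE_BEFORE = r"""
Malwarebytes Anti-Malware 1.75.0.1300
Scan type: Quick scan

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\bsod\AppData\Local\Temp\GXwSCpKD.exe.part (PUP.Optional.InstallMonetizer) -> No action taken.
C:\Users\bsod\AppData\Local\Temp\vmlUv9GO.exe.part (PUP.Optional.InstallMonetizer) -> No action taken.

(end)
"""

SAMPLE_AFTER = r"""
Malwarebytes Anti-Malware 1.75.0.1300
Scan type: Quick scan

Files Detected: 0
(No malicious items detected)

(end)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{key}: {value}")
```

Fed the two constructed logs, `triage` reports two unwanted items, zero malware-class items, both files flagged as random-named temp droppers, and both in "cleared" with nothing persisting or new, which is the pattern the post describes. The interesting case for this tool is the opposite one: the same path or a fresh random name in "persisting" or "new" across scans taken after a temp wipe.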
Hi, Patrick.

I would suggest running TFC. Then, if the randomly named files reappear, we'll need to take a closer look.

Download TFC to your desktop.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

More info:
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
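TFC, as described above, clears every temp location it knows about and, as noted later in the thread, leaves no log. If the randomly named files do come back, the useful evidence (what they were, whether two different names carried identical content, when they were written) is gone once the cleaner has run. The script below is an added example, not code from the thread or from TFC: it inventories the same kinds of locations the description lists (each profile's Temp folder and %SystemRoot%\Temp recursively; stray .tmp files in the system drive root, %SystemRoot%, System32 and SysWOW64 without recursing), recording size, modification time and SHA-256 for executable-looking files, then groups records by hash so identical payloads under different random names collapse into one entry. The location list assumes a default Windows layout and the suffix list is this example's own assumption; `build_sample_tree` creates a constructed stand-in Temp folder so the code also runs off-Windows.

```python
"""Record what is in the temp folders before a cleaner wipes them.

Added example, not code from the thread or from TFC. Captures path, size,
modification time and SHA-256 of executable-looking files so that, if the same
content keeps returning under new random names, there is a record of it.
windows_temp_roots()/windows_shallow_roots() assume a default Windows layout.
"""
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path

# Assumption: what installer droppers and partial downloads typically leave behind
SUSPECT_SUFFIXES = (".exe", ".exe.part", ".dll", ".scr", ".tmp", ".part")


def windows_temp_roots():
    """Per-profile AppData\\Local\\Temp folders plus %SystemRoot%\\Temp (walked recursively)."""
    system_root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    system_drive = Path(os.environ.get("SystemDrive", "C:") + os.sep)
    roots = [system_root / "Temp"]
    users = system_drive / "Users"
    if users.is_dir():
        roots += [p / "AppData" / "Local" / "Temp" for p in users.iterdir()]
    return [r for r in roots if r.is_dir()]


def windows_shallow_roots():
    """Locations checked for stray .tmp files one level deep (assumed 64-bit layout)."""
    system_root = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    system_drive = Path(os.environ.get("SystemDrive", "C:") + os.sep)
    cands = [system_drive, system_root, system_root / "System32", system_root / "SysWOW64"]
    return [c for c in cands if c.is_dir()]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _record(p):
    try:
        st = p.stat()
        return {"path": str(p), "size": st.st_size, "sha256": sha256_file(p),
                "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))}
    except OSError as exc:  # in-use or locked file: keep the failure in the record
        return {"path": str(p), "error": str(exc)}


def inventory(recursive_roots, shallow_roots=(), suffixes=SUSPECT_SUFFIXES):
    """Walk recursive_roots fully; look only one level into shallow_roots, and only for .tmp."""
    records = []
    for root in recursive_roots:
        for dirpath, _dirs, files in os.walk(root):
            records += [_record(Path(dirpath) / n) for n in files if n.lower().endswith(suffixes)]
    for root in shallow_roots:
        try:
            records += [_record(p) for p in Path(root).iterdir()
                        if p.is_file() and p.suffix.lower() == ".tmp"]
        except OSError:
            pass
    return records


def group_by_hash(records):
    """Identical content under different random names collapses to one key here."""
    groups = defaultdict(list)
    for r in records:
        if "sha256" in r:
            groups[r["sha256"]].append(r["path"])
    return dict(groups)


def build_sample_tree():
    """Constructed sample: a stand-in Temp folder holding two random-named .exe.part
    files with identical content (the two names from the thread) and a harmless text file."""
    base = Path(tempfile.mkdtemp(prefix="Temp_sample_"))
    payload = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a partial download"
    (base / "GXwSCpKD.exe.part").write_bytes(payload)
    (base / "vmlUv9GO.exe.part").write_bytes(payload)
    (base / "notes.txt").write_bytes(b"not interesting")
    return base


if __name__ == "__main__":
    roots = windows_temp_roots() or [build_sample_tree()]  # off-Windows, use the sample tree
    recs = inventory(roots, windows_shallow_roots())
    for digest, paths in group_by_hash(recs).items():
        print(digest[:16], f"{len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run this as the same user before TFC (or before emptying Temp by hand) and keep the output; if a later scan flags new random names, comparing hashes tells you whether it is the same dropper returning or something different. Files the scanner itself has already quarantined will of course not appear.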
 
Hi Corrine, thanks for your reply.

I downloaded TFC, dragged it to the Desktop, clicked Start, it took a little under 5 seconds and then was finished. It did not prompt me for a Restart after completion or after clicking 'Exit', so I did it manually. Are there any logs that were generated anywhere that I need to show you?

Regards,

Patrick
 
You're welcome, Patrick.

No, there is no log. Since you had already cleared temp files, TFC likely didn't have a lot to remove, but I suspect it did find some files. It is very thorough.

Let us know if any strange PUPs show up again.
 