Y_Soitenly Posted November 1, 2013 ID:748708

I did a scan today with Malwarebytes and it found a PUP in the Foxit Reader installer. This is a new Windows 7 Computer I got last week. I used Foxit on an old XP machine for around 3 years and Malwarebytes had never picked up anything before from Foxit. Has anyone else reported this? I let Malwarebytes remove the installer and I have also uninstalled Foxit from the Computer. Is there anything else I need to do?

This is what it picked up.

Files Detected: 1
C:\Downloaded Setup Files\foxit reader setup.exe (PUP.Soft32Downloader) -> Quarantined and deleted successfully.

Thanks for any help!

daledoc1 Posted November 1, 2013 ID:748711

Hi:

PUP = Potentially Unwanted Program

This KB topic explains what they are AND how to decide whether to delete them or keep/ignore them: What are the 'PUP' detections, are they threats and should they be deleted?

> Has anyone else reported this?

I don't see any similar reports here on the forum, but the staff may have more information on this specific detection.

> I let Malwarebytes remove the installer and I have also uninstalled Foxit from the Computer. Is there anything else I need to do?

Probably not. But, without the full scan logs (before and after removing it), it's a bit hard to say.

If you want an expert to have a look under the hood to be sure all PUP/malware traces are gone, please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers. A malware analyst will guide you for free through scanning and any needed cleanup.

Thanks,
daledoc1

Y_Soitenly (Author) Posted November 1, 2013 ID:748744

Thank you Daledoc1, I'll check that out. Here's the scan before I removed it. I did run a scan with my Anti-Virus and it came up with nothing.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.31.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Miller :: MILLER-PC [administrator]

10/31/2013 7:21:02 PM
mbam-log-2013-10-31 (19-21-02).txt

Scan type: Custom scan (C:\Downloaded Setup Files\foxit reader setup.exe|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Downloaded Setup Files\foxit reader setup.exe (PUP.Soft32Downloader) -> Quarantined and deleted successfully.

(end)

And here is the scan after removing it.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.31.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Miller :: MILLER-PC [administrator]

10/31/2013 8:16:34 PM
mbam-log-2013-10-31 (20-16-34).txt

Scan type: Full scan (C:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 285172
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

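Added example (not part of the original thread, and not Malwarebytes' own tooling): a small Python parser for the MBAM 1.75 text log layout posted above, which pulls out each detection record and flags any section whose declared count does not match the items listed under it, as happens with a truncated or hand-edited log. The sample log is constructed from the thread's first log with its line breaks restored; the function and key names are assumptions of this example.

```python
import re

# Constructed sample: the thread's first log, shortened, line breaks restored.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.10.31.08
Scan type: Custom scan (C:\Downloaded Setup Files\foxit reader setup.exe|)
Objects scanned: 1
Memory Processes Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Downloaded Setup Files\foxit reader setup.exe (PUP.Soft32Downloader) -> Quarantined and deleted successfully.
(end)
"""

SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<rule>[^()]+)\) -> (?P<action>.+)$")
FIELD = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")

def parse_mbam_log(text):
    """Return header fields, one record per detected item, and count mismatches."""
    result = {"fields": {}, "detections": [], "mismatches": []}
    section, expected, seen = None, 0, 0

    def close_section():
        # A declared count that disagrees with the listed items means the log
        # was truncated or edited, so record it instead of trusting the total.
        if section is not None and seen != expected:
            result["mismatches"].append((section, expected, seen))

    for line in (l.strip() for l in text.splitlines()):
        if m := SECTION.match(line):
            close_section()
            section, expected, seen = m["name"], int(m["count"]), 0
        elif m := FIELD.match(line):
            result["fields"][m[1]] = m[2]
        elif section and (m := ITEM.match(line)):
            seen += 1
            result["detections"].append(
                {"section": section, "path": m["path"],
                 "rule": m["rule"], "action": m["action"].rstrip(".")})
    close_section()
    return result

if __name__ == "__main__":
    for d in parse_mbam_log(SAMPLE_LOG)["detections"]:
        print(d["section"], d["rule"], d["path"], d["action"], sep=" | ")
```

Comparing the `Database version` field across the before and after logs shows whether a changed result coincides with a definitions update rather than a change on disk.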
AdvancedSetup (Root Admin) Posted November 1, 2013 ID:748755

Actually it should be in our Quarantine. If you can or want to you could restore it and then upload it to http://www.virustotal.com and have them scan it and then post back a link to that scan please.

My guess is that it is inside a wrapper installer and why it was flagged.

Thanks

Y_Soitenly (Author) Posted November 1, 2013 ID:748759

The site said it had already been analysed, but I went ahead and had it reanalysed. The first link is of the scan before and the second is the one I did. It looks to be ok. If so, does that mean it's safe to use Foxit?

https://www.virustotal.com/en/file/ad1e0bab388ebf363aa554420d1c7623e06371cbbc8049cc1f8f2bae1a9ae7a4/analysis/

https://www.virustotal.com/en/file/ad1e0bab388ebf363aa554420d1c7623e06371cbbc8049cc1f8f2bae1a9ae7a4/analysis/1383279213/

AdvancedSetup (Root Admin) Posted November 1, 2013 ID:748769

Yes it should be safe.

Can you do me a favor and put the file in the same location as it used to be. Then check for updates for MBAM and run a Quick Scan using the /developer switch as shown in this post: "Please read before reporting a false positive".

Then post back that log so that I can have the Research Team check on it to confirm if it is a PUP or not.

Thank you again.

Y_Soitenly (Author) Posted November 1, 2013 ID:749051

Well, I don't know what happened when I installed Foxit last week, but I've redownloaded it and installed it and I'm not getting the PUP files from the scan now. In my first post I mentioned that I had uninstalled Foxit, well at that time I had already deleted the PUP files from Malwarebytes.

When I install a program, I always download the file and save it in a folder on the Computer. That way if something happens and I have to uninstall one I don't have to redownload it. Last week when I downloaded Foxit, there was another file (I don't know what it was) besides the Foxit Application (.exe) file that showed up in my folder that I save them in. I had never seen that file when I used Foxit on the old XP Computer. That other file is where the (PUP.Soft32Downloader) came from. When I deleted it out of Malwarebytes, it deleted that file out of the Computer.

This time when I downloaded Foxit, I didn't get the other file. All I have now is the Application (.exe) file like I had in the XP machine. Wished I hadn't deleted it now.

Sorry for the long post, but here's the scan using the developer switch. As you can see it didn't pick up anything.

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.01.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Miller :: MILLER-PC [administrator]

11/1/2013 4:07:31 PM
mbam-log-2013-11-01 (16-07-31).txt

Scan type: Full scan (C:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 286638
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

AdvancedSetup (Root Admin) Posted November 1, 2013 ID:749064

Okay, well it's possible that we've recently added it to our rules to stop detection as well.

All's good it seems.

Thanks again.

Ron

Y_Soitenly (Author) Posted November 1, 2013 ID:749069

Ok, thank you very much! I sure wished that I would have kept that file that came in with the Foxit Application (.exe) install file, but when the scan picked up the PUP, I got a little scared and deleted it out real quick. If I happen to get it again, I will leave it and post in here. At least everything is ok now.

Again, thank you very much for your help!!!