Possible false positive - PriceFountain


trevoralf

Hi,  

 

A few machines here this weekend (21/02/2016) have reported detections of PUP.Optional.PriceFountain.  These machines aren't internet connected and are actually 'headless' machines used for controlling weighing software.

 

It's detecting registry entries in HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS.  Launching Task Scheduler (without restoring the quarantined detections) results in a minor error mentioning that task '8.1 auto install v2' has been deleted, which appears to be a Windows 8.1 upgrade related task.  If needed for further investigation I will restore the quarantined items to see what happens.

Hi, We're using the enterprise version which doesn't seem to have the history button visible to client machines.  I've included the contents below of the relevant archived-mbam-log XML file.  If you need further information then let me know which specific files you need from the client and I'll provide them.

 

<?xml version="1.0" encoding="UTF-16" ?>
<!DOCTYPE mbam-log SYSTEM "mbam-log.dtd">
<mbam-log>
<header>
<version>1.80.1.1011</version>
<database>v2016.02.21.02</database>
<windows>Windows 8</windows>
<arch>x64</arch>
<filesys>NTFS</filesys>
<msie>Internet Explorer 10.0.9200.17492</msie>
<username>SYSTEM</username>
<cpuname>W-CBMX5Y1</cpuname>
<date>Sun, 21 Feb 2016 13:15:18 GMT</date>
<log>mbam-log-2016-02-21 (13-15-18).xml</log>
<summary>
<type>quick</type>
<objects>452668</objects>
<time>927</time>
<processes>0</processes>
<modules>0</modules>
<keys>1</keys>
<values>1</values>
<datas>0</datas>
<folders>0</folders>
<files>0</files>
</summary>
</header>
<items>
<key><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8742384C-76A7-40EA-B269-91347F276B0C}</path><vendor>PUP.Optional.PriceFountain</vendor><action>success</action></key>
<value><path>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{8742384C-76A7-40EA-B269-91347F276B0C}</path><valuename>Path</valuename><vendor>PUP.Optional.PriceFountain</vendor><action>success</action><valuedata>\Microsoft\Windows\Setup\8.1 auto install v2</valuedata></value>
</items>
</mbam-log>

I also received this detection on my scan today.
Thank you for the log. This should be fixed. You'll have to update the database and rescan if you want to see that the detection was removed.

 

The database is updated to v2016.02.27.05 but it still detects it. Before I got to read this thread I had already removed it, and so I see the same "8.1 auto install v2 no longer exists" prompt in Task Scheduler.

 

Restoring the quarantined items still shows the prompt.


Hello!

 

Can you provide the log from Malwarebytes? It's accessible from the JjbIVcS.png button and then "Application Logs".

 

Thanks!!

 

Here is the scanning history log from the application logs, I copied it to clipboard and pasted it here:
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 2/28/2016
Scan Time: 10:05 AM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.02.27.05
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: 
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 465834
Time Elapsed: 24 min, 51 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6A327E47-0C59-4F18-9CA7-70010461F867}, Delete-on-Reboot, [02afafb6eeabda5c03052e42da2a34cc], 
 
Registry Values: 1
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{6A327E47-0C59-4F18-9CA7-70010461F867}|Path, \Microsoft\Windows\Setup\8.1 auto install v2, Delete-on-Reboot, [02afafb6eeabda5c03052e42da2a34cc]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)