Reoccurring PUP detections from Malwarebytes



Hey all,

So I ran a random scan of Malwarebytes today and it picked up three threats classified as "PUP.Optional.Gameo": a file, a folder, and a registry key. They all seem to be related to something called "GoldenGate"; I have not seen the program installed anywhere. After removing the files and restarting the computer, I ran Malwarebytes again and the same three files popped up. Is this a false positive or should I be worried?

FRST logs attached.

Addition.txt

FRST.txt


Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 12/14/16
Scan Time: 3:53 AM
Logfile:
Administrator: Yes
-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.726
License: Trial
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-UVMT3IS\Keith
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 366579
Time Elapsed: 11 min, 19 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
PUP.Optional.Gameo, HKU\S-1-5-21-3517273881-430385543-2654065728-1001\SOFTWARE\GoldenGate, Delete-on-Reboot, [8068], [185307],1.0.726
Registry Value: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 1
PUP.Optional.Gameo, C:\USERS\KEITH\APPDATA\ROAMING\GOLDENGATE, Delete-on-Reboot, [8068], [185305],1.0.726
File: 1
PUP.Optional.Gameo, C:\USERS\KEITH\APPDATA\ROAMING\GOLDENGATE\8EFF1C3BD40938FB0157CBAC0E790571.LOGIC.DB, Delete-on-Reboot, [8068], [185305],1.0.726
Physical Sector: 0
(No malicious items detected)

(end)

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, the logfile will be opened. Copy its contents into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Edited by TwinHeadedEagle

# AdwCleaner v6.040 - Logfile created 14/12/2016 at 17:59:30
# Updated on 02/12/2016 by Malwarebytes
# Database : 2016-12-14.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Keith - DESKTOP-UVMT3IS
# Running from : C:\Users\Keith\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
 
***** [ Services ] *****
[-] Service deleted: netfilter2

***** [ Folders ] *****
 
***** [ Files ] *****
[-] File deleted: C:\WINDOWS\SysNative\drivers\netfilter2.sys

***** [ DLL ] *****
 
***** [ WMI ] *****
 
***** [ Shortcuts ] *****
 
***** [ Scheduled Tasks ] *****
 
***** [ Registry ] *****
[-] Key deleted: HKU\S-1-5-21-3517273881-430385543-2654065728-1001\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23
[#] Key deleted on reboot: HKCU\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\AppXrh6feys59dqfzsv9p3s9p6aep0hwtb23

***** [ Web browsers ] *****
 
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [1145 Bytes] - [14/12/2016 17:59:30]
C:\AdwCleaner\AdwCleaner[S0].txt - [1401 Bytes] - [14/12/2016 17:58:21]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1291 Bytes] ##########

Since the second restart I noticed the "GoldenGate" folder and registry key returned (the file that used to be contained in the folder did not). I ran AdwCleaner again and here are the results of that:
*******
# AdwCleaner v6.040 - Logfile created 14/12/2016 at 18:21:24
# Updated on 02/12/2016 by Malwarebytes
# Database : 2016-12-14.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Keith - DESKTOP-UVMT3IS
# Running from : C:\Users\Keith\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support
 
***** [ Services ] *****
 
***** [ Folders ] *****
[-] Folder deleted: C:\Users\Keith\AppData\Roaming\GoldenGate

***** [ Files ] *****
 
***** [ DLL ] *****
 
***** [ WMI ] *****
 
***** [ Shortcuts ] *****
 
***** [ Scheduled Tasks ] *****
 
***** [ Registry ] *****
[-] Key deleted: HKU\S-1-5-21-3517273881-430385543-2654065728-1001\Software\GoldenGate
[#] Key deleted on reboot: HKCU\Software\GoldenGate
[#] Key deleted on reboot: [x64] HKCU\Software\GoldenGate

***** [ Web browsers ] *****
 
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.

  • Press Scan button and wait.

  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.


Please attach the reports to your next reply.


Sorry for the late response, I ended up having to do a clean reinstall of Windows 10 to resolve it. What happened was further Malwarebytes and Adwcleaner scans revealed more PUPs showing up in my registry. I ended up having to Reset everything twice to no avail, so I did the clean reinstall. The issue has not returned yet.

This topic is now closed to further replies.