PUP.Optional.FindingDiscount

Short bio

PUP.Optional.FindingDiscount is Malwarebytes' detection name for a potentially unwanted program (PUP), specifically a browser hijacker. Some vendors categorize it as adware. PUP.Optional.FindingDiscount targets Windows systems.

Type and source of infection

PUP.Optional.FindingDiscount is advertised as a helpful program that displays coupons for sites that users are visiting. It also displays ads that lead to the installation of more questionable programs. PUP.Optional.FindingDiscount comes bundledwith other programs. It can be downloaded with software hosted on third-party software providers.

Protection

block PUP.Optional.FindingDiscount

Malwarebytes blocks the bundlers that include PUP.Optional.FindingDiscount

 

Remediation

Malwarebytes can detect and remove PUP.Optional.FindingDiscount without further user interaction.

  1. Please download Malwarebytesto your desktop.
  2. Double-click MBSetup.exeand follow the prompts to install the program.
  3. When your Malwarebytes for Windowsinstallation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantineto remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Add an exclusion

Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here’s how to do it.

  • Open Malwarebytes for Windows.
  • Click the Detection History
  • Click the Allow List
  • To add an item to the Allow List, click Add.
  • Select the exclusion type Allow a file or folderand use the Select a folderbutton to select the main folder for the software that you wish to keep.
  • Repeat this for any secondary files or folder(s) that belong to the software.
If you want to allow the program to connect to the Internet, for example to fetch updates, also add an exclusion of the type Allow an application to connect to the internet and use theBrowse button to select the file you wish to grant access.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

MalwarebytesAnti-Malwarewww.malwarebytes.orgScanDate:2/13/2015ScanTime:2:43:58PMLogfile:mbamPriceFindings.txtAdministrator:YesVersion:2.00.4.1028MalwareDatabase:v2015.02.13.04RootkitDatabase:v2015.02.03.01License:FreeMalwareProtection:DisabledMaliciousWebsiteProtection:DisabledSelf-protection:DisabledOS:Windows8.1CPU:x64FileSystem:NTFSUser:{username}ScanType:ThreatScanResult:CompletedObjectsScanned:330755TimeElapsed:27min,18secMemory:EnabledStartup:EnabledFilesystem:EnabledArchives:EnabledRootkits:DisabledHeuristics:EnabledPUP:EnabledPUM:EnabledProcesses:2PUP.Optional.FindingDiscount.A,C:\Program Files(x86)\Windows Discount\FindingDiscount\findingdiscount.exe,720,Delete-on-Reboot,[ef096ab38208b383970c6c28cc37a759]PUP.Optional.RuntimeManager.A,C:\Program Files(x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe,4816,Delete-on-Reboot,[8c6c7da0573368ceebba2e66f50e6f91]Modules:0(Nomalicious items detected)RegistryKeys:2PUP.Optional.FindingDiscount.A,HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\FindingDiscount,Quarantined,[ef096ab38208b383970c6c28cc37a759],PUP.Optional.RuntimeManager.A,HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RuntimeManager,Quarantined,[8c6c7da0573368ceebba2e66f50e6f91],RegistryValues:1PUP.Optional.RuntimeManager.A,HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\RUNTIMEMANAGER|ImagePath,C:\Program Files(x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe -service,Quarantined,[8c6c7da0573368ceebba2e66f50e6f91]Folders:3PUP.Optional.FindingDiscount.A,C:\Program Files(x86)\Windows Discount,Delete-on-Reboot,[0bed61bc7317152156f8265f60a335cb],PUP.Optional.FindingDiscount.A,C:\Program Files(x86)\Windows Discount\FindingDiscount,Delete-on-Reboot,[0bed61bc7317152156f8265f60a335cb],PUP.Optional.RuntimeManager.A,C:\Program Files(x86)\Windows NT\Accessories\RuntimeManager,Delete-on-Reboot,[7f795bc21872ba7c0153790cdc27d52b],Files:3PUP.Optional.OpenSoftwareUpdater,C:\Users\{username}\Desktop\gpsetup2.exe,Quarantined,[ab4d120bc4c6cc6a111e41a3c53cf30d],PUP.Optional.FindingDiscount.A,C:\Program Files(x86)\Windows Discount\FindingDiscount\findingdiscount.exe,Delete-on-Reboot,[ef096ab38208b383970c6c28cc37a759],PUP.Optional.RuntimeManager.A,C:\Program Files(x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe,Delete-on-Reboot,[8c6c7da0573368ceebba2e66f50e6f91],PhysicalSectors:0(Nomalicious items detected)(end)

Traces/IOCs

You may see these entries in FRST logs:

ProxyEnable:[.DEFAULT]=>InternetExplorerproxy isenabled.ProxyServer:[.DEFAULT]=>http=127.0.0.1:47574ProxyEnable:[HKCU]=>InternetExplorerproxy isenabled.ProxyServer:[HKCU]=>http=127.0.0.1:47574R2 FindingDiscount;C:\Program Files(x86)\Windows Discount\FindingDiscount\FindingDiscount.exe [3450882015-02-05]()[Filenotsigned]R2 RuntimeManager;C:\Program Files(x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe [2140162015-02-05]()[Filenotsigned]

Select your language