PUP.Optional.ProductKeyFinder [retired]
Short bio
PUP.Optional.ProductKeyFinder is Malwarebytes' detection name for a tool that can be used as a Hacktool called ProduKey and which is published by NirSoft to be used on Windows systems.
Type and source of infection
PUP.Optional.ProductKeyFinder is Malwarebytes' detection name for NirSofts' ProduKey. A utility that can be used to retrieve Microsoft productkeys from the affected system.
Aftermath
The unexpected presence of this utility on a system may indicate that the productkeys have been retrieved by someone with unauthorzied access.
Protection
Malwarebytes blocks PUP.Optional.ProductKeyFinder
Remediation
Malwarebytes can detect and remove PUP.Optional.ProductKeyFinder without further user interaction.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
Malwarebytes removal log
A Malwarebytes log of removal will look similar to this:
Malwarebytes www.malwarebytes.com
-Log Details- Scan Date: 3/28/19 Scan Time: 10:45 AM Log File: 28b2a439-513e-11e9-b6bf-00ffdcc6fdfc.json
-Software Information- Version: 3.7.1.2839 Components Version: 1.0.563 Update Package Version: 1.0.9892 License: Premium
-System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username}
-Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 235716 Threats Detected: 4 Threats Quarantined: 4 Time Elapsed: 3 min, 40 sec
-Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect
-Scan Details- Process: 1 PUP.Optional.ProductKeyFinder, C:\USERS\{username}\APPDATA\LOCAL\TEMP\PV.EXE, Quarantined, [12696], [86094],1.0.9892
Module: 1 PUP.Optional.ProductKeyFinder, C:\USERS\{username}\APPDATA\LOCAL\TEMP\PV.EXE, Quarantined, [12696], [86094],1.0.9892
Registry Key: 0 (No malicious items detected)
Registry Value: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)
File: 2 PUP.Optional.ProductKeyFinder, C:\USERS\{username}\APPDATA\LOCAL\TEMP\PV.EXE, Quarantined, [12696], [86094],1.0.9892 PUP.Optional.ProductKeyFinder, C:\USERS\{username}\DESKTOP\PV.EXE, Quarantined, [12696], [86094],1.0.9892
Physical Sector: 0 (No malicious items detected)
WMI: 0 (No malicious items detected)
(end)
Add an exclusion
Should users wish to keep this program and exclude it from being detected in future scans, they can add the program to the exclusions list. Here's how to do it.
The Exclusions tab includes a list of items to be excluded from scans. The items may include files, folders, websites, or applications that connect to the Internet, as well as previously detected exploits.
To access the exclusions in Malwarebytes:
- Click on the Settings tab in the left pane.
- Click on the Exclusions tab.
- Click the Add Exclusion button.
- Select the exclusion type Exclude a File or Folder and use the Browse button to select the main folder for the software that you wish to keep.
- Repeat this for any secondary folder(s) that belong to the software.
- If you want to allow the program to connect to the Internet, for example to fetch updates, add an exclusion of the type Exclude an application that Connects to the Internet and use the Browse button to select the file you wish to grant access.
Traces/IOCs
You may see these entries in FRST logs:
(NirSoft) [File not signed] C:\Users\{username}\AppData\Local\Temp\pv.exe
(NirSoft) [File not signed] C:\Users\{username}\AppData\Local\Temp\ProduKey.exe