Getting same PUP daily. Can I auto quarantine?

[Caddyshack]

I am getting the same PUP everytime I run Malwarebytes Pro. 2.0.2.1012

 

C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\preferences

 

I quarantine it, but it comes back the next day. Is there a way to auto-quarantine it? 

MBAM.txt

[Caddyshack]

I have just run  AdwCleaner as suggested by another forum member and it found a lot of problems with Chrome and a few other things. As always I created a system restore point first.

 

However I just ran a MWB scan and the problem still exists. Got a popup, and quarantined. Still looking for help.

 

Bill 

[MrCharlie]

Reset Chrome and see if that helps, MrC

https://support.google.com/chrome/answer/3296214?hl=en

[Caddyshack]

Done. Lets see what that does. Will get back to you. 

 

I guess I should initialize settings one at a time?

 

Is there any way I can have MWB just quarantine this PUP automatically? It does not seem to be much of a threat, just aggravating. 

[MrCharlie]

For Malwarebytes 2.0, please run a Threat Scan

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Click Settings > Advanced Settings > Check: Automatically quarantine detected items

Quarantine all that's found

MrC

[Caddyshack]

Reset  Browser no help

 

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
Same for PUM (Potentially Unwanted Modifications)
Click Settings > Advanced Settings > Check: Automatically quarantine detected items
Quarantine all that's found

 

No help - still have same problem.

 

​Automated Scan Settings shows "Threat Detection" and  "Check For Updates" (not checked) but seems to be working.I check them and they become unchecked.

 

Could there be a problem with Malwarebytes program? Should I run MWB Chameleon? 

[MrCharlie]

Please do this:

Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button. (make sure the Addition box is checked)
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

New window that comes up.

Then................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC

[Caddyshack]

Hope this is what you need.

 

 

RKreport_SCN_06052014_124650.log

Addition.txt

FRST.txt

[MrCharlie]

Did you willing install all of these:

Advanced SystemCare 7 (HKLM-x32\...\Advanced SystemCare 7_is1) (Version: 7.2.1 - IObit)
Advanced Uninstaller PRO - Version 11 (HKLM-x32\...\AU11_is1) (Version: 11 - Innovative Solutions)
Driver Booster (HKLM-x32\...\Driver Booster_is1) (Version: 1.4 - IObit)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 3.1.8.2434 - IObit)
Surfing Protection (HKLM-x32\...\IObit Surfing Protection_is1) (Version: 1.0 - IObit)

 

---------------------------------------------

Download the attached fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

-----------------------------------------------

Chrome has to be manually reset:

CHR StartupUrls: "hxxp://www.google.com/ig", "hxxp://search.babylon.com/?affID=109221&tt=031012_IKAN_4012_6&babsrc=HP_ss&mntrId=a411db6100000000000000ffec6f78a8", [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48"

 

For Chrome...........

First make sure you have the latest version of Chrome:
Open up Chrome > Click on the 3 bars in the upper right hand corner
Click on About Google Chrome
If there's an update available it will automatically update


Next:
Go to Tools > Clear Browser Data
Put a check next to all of these:

• Clear browsing history
• Clear download history
• Delete cookies and other site and plug-in data
• Empty the cache

Click "Clear Browsing Data"

-------------------------------

Next:
Click the Chrome menu on the browser toolbar.
Select Settings.
In the "Search" section, click Manage search engines.
Check if (Default) is displayed next to your preferred search engine. If not, mouse over it and click Make default.
Mouse over any other suspicious search engine entries that are not familiar and click X to remove them.

-------------------------------------

Click the Chrome menu .
Select Settings.
In the "On startup" section, select Open a specific page or set of pages.
Click Set pages. (in blue to the right)
Remove any unfamiliar pages.

-----------------------

Click the Chrome menu .
Select Settings.
In the "Appearance" section, if the "Show Home button" checkbox is selected, see if the page listed below is the home page you’d like to use.
If the page isn't the home page you'd like to use, click Change and select your preferred page.

-------------------------

Let me know......MrC

[Caddyshack]

Complied with all the above and still have the same problem. I really do appreciate your help, MrC! ANy other ideas?

[MrCharlie]

Please re-scan with FRST (Make sure the Addition Box is checked)

Post or attach the logs.

 

MrC

[Caddyshack]

Here are requested files. I did not click on "fix". Did not know if you wanted me to do so or not.

 

 

Addition.txt

FRST.txt

Shortcut.txt

[MrCharlie]

You never answered this question:
 

Did you willing install all of these:

Advanced SystemCare 7 (HKLM-x32\...\Advanced SystemCare 7_is1) (Version: 7.2.1 - IObit)
Advanced Uninstaller PRO - Version 11 (HKLM-x32\...\AU11_is1) (Version: 11 - Innovative Solutions)
Driver Booster (HKLM-x32\...\Driver Booster_is1) (Version: 1.4 - IObit)
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 3.1.8.2434 - IObit)
Surfing Protection (HKLM-x32\...\IObit Surfing Protection_is1) (Version: 1.0 - IObit)

 

Some of these programs prevent any changes to your browsers and often responsible for setting the PUP in the first place.

It's still there:

CHR StartupUrls: "hxxp://www.google.com/ig", "hxxp://search.babylon.com/?affID=109221&tt=031012_IKAN_4012_6&babsrc=HP_ss&mntrId=a411db6100000000000000ffec6f78a8", [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48"

 

Reset it:
https://support.google.com/chrome/answer/95421?hl=en

MrC

[Caddyshack]

I uninstalled all the programs you mentioned using Software Informer that does a pretty complete job.

[MrCharlie]

Good....How do you make out with changing that setting in Chrome???
See if a scan with MB comes up clean after it's initially deleted.

If not...please give this a try:

Download zoek.exe to your Desktop:
http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications Here
http://www.bleepingcomputer.com/forums/topic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:

autoclean;
CHRdefaults;
emptyCHRcache;

Now...
Close any open programs.
Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

MrC

[Caddyshack]

Not sure what you want in "reset chrome" I went to the link and it says 

 

"

• Open a New Tab page: A New Tab page will open up when you first launch Chrome.
• Continue where you left off: See pages that were open at the end of your last browsing session. Chrome will also restore your browsing data and session cookies. Session cookies are the information that websites can use to keep you logged into sites such as Gmail. This can save you time from logging into your favorite sites every time after you've restarted Chrome. However, it’s recommended that you logout of websites when you’re using a public or shared computer.

  If you’d like Chrome to reopen all your pages but discard session cookies and other site data, go to Settings > Show advanced settings > Content settings > Keep local data only until I quit my browser.

• Open a specific page or set of pages: Click Set pages and enter the web addresses of the pages you want to see."

What should I do here?

 

I am now going to DL Zoek and give it a run

[Caddyshack]

MrC I really appreciate your persistence, but this is getting frustrating, possibly for us both.

 

The malware that  up is only a PUP. Is there some way I can autoquarantine or ignore it? 

 

Including Zoek-log

zoek-results.log

[MrCharlie]

If you can't clear it out of Chromes StartupUrls, Malwarebytes will continue to find it:
 

CHR StartupUrls: "hxxp://www.google.com/ig", "hxxp://search.babylon.com/?affID=109221&tt=031012_IKAN_4012_6&babsrc=HP_ss&mntrId=a411db6100000000000000ffec6f78a8", [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48"

 

It's harmless, you can have MB just ignore it next time.
You can also create a new user and delete the old one:

Open up Chrome > Settings > Users > Add New user. You would delete the old user and don't import anything from your old user profile.

-------------------------------------

We can try one more thing:
Zip this folder up and attach it:
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences

I'll edit it and remove all the PUPs and we'll put it back.

Let me know MrC

[Caddyshack]

I thought about creating new user profile, but wouldn't I lose all bookmarks and settings? This, I can do, but seems like it would take a lot of rebuilding? Or am I worng?

 

Have zipped up the preferences.

 

Also I had a lot of PUPS this morning. This seems to happen at random times, a week or so apart. See log attached. Usually it is only the PUP we have been discussing.

 

Could the problem be associated with my home network and coming from my other desktop or Chromebook.

Preferences.zip

June 8 log MWB.txt

[MrCharlie]

I thought about creating new user profile, but wouldn't I lose all bookmarks and settings? This, I can do, but seems like it would take a lot of rebuilding? Or am I worng?
Yes you would have to do that



Also I had a lot of PUPS this morning. This seems to happen at random times, a week or so apart. See log attached. Usually it is only the PUP we have been discussing.
They weren't on the system before, so you had to install them.

Could the problem be associated with my home network and coming from my other desktop or Chromebook.

Yes it could.

 

You can try this:

 

Go to Settings > Google Dashboard > Click Settings > Click Stop and Clear (left bottom of page)

 

 

Your Chrome shows this which is the problem:
CHR StartupUrls: "hxxp://www.google.com/ig", "hxxp://search.babylon.com/?affID=109221&tt=031012_IKAN_4012_6&babsrc=HP_ss&mntrId=a411db6100000000000000ffec6f78a8", [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48"
 
MrC

[MrCharlie]

How are we doing??

Do you still need help or can I close this post??

MrC

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!