
Unable to Remove PUP.Optional.DefaultSearch.A



Hi,

 

I actually initially posted this topic back in May but didn't receive notification of a response so it was closed. I e-mailed a moderator twice to have it reopened but that never happened so I'm opening a new topic. Seems like the only way to move forward.

 

My MBAM is finding PUP.Optional.DefaultSearch.A in my Chrome user preferences file. I quarantine and remove it, then the next time MBAM runs it finds the PUP again. So I go through the quarantine/remove cycle again.

 

Can you help me get this thing off my PC?

 

Thanks,

Saph 


Hello,

 

MrCharlie had replied to you on May 19 and I do not see that you had replied back to him.

 

Close all internet browsers before doing this next scan.  You may want to print out this part for handy reference before starting.

But closing the IE / Firefox / Chrome / Opera windows is a great idea so that a full cleaning is possible.

You may ( later ) also need to reset each browser to factory standard defaults.  Then put back your own preferences for Search.

 

Start the Anti-Malware program.

Click the Settings icon at the top bar.   Then click on Detection and Protection.

Look at your selections there:

Especially look at the Non-Malware protection
For each of the lines marked
**PUP**
**PUM**

be sure your setting is made to Treat detections as malware


Click the Scan icon at the top bar.

Take a first look at the Scan window.

Do you see a green tick mark and a green line of text  ( like from the last scheduled scan).

If you see a button marked Main menu at the bottom right, then click it.

In any event, have the selection selected for Threat scan and then click Scan now.

If it displays an orange sign with Updates are available, press the Update now button.

Have lots of patience as it gets and processes the Update.  Even if your Windows bar shows ( not responding) keep patient and it eventually finishes after a bit.



A Threat Scan will begin.
When the scan is complete, if there have been detections, click **Apply Actions** to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.



Click on the History tab  > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply.


Here is the content of the scan log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/13/2014
Scan Time: 2:25:08 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.13.05
Rootkit Database: v2014.07.09.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Sher
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 293334
Time Elapsed: 9 min, 50 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.DefaultSearch.A, C:\Users\Sher\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://www.default-search.net?sid=476&aid=100&itype=n&ver=12349&tm=345&src=hmp" ],), Replaced,[8e7b009fee8dc3739b75834a04004ab6]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

That's a good run.   Next then, do these procedures.

 

A

This is a free tool to check the desktop shortcut links and clean ( if any) the ones for internet browsers that were hijacked.

Download and SAVE Shortcut Cleaner to your Desktop from http://www.bleepingcomputer.com/download/shortcut-cleaner/dl/172/
On Windows 7 / 8 / Vista, do a Right-click on sc-cleaner.exe and select Run as Administrator.
On Windows XP, double-click to start.

 

 

B

If Chrome is "having an issue" in standard mode:
You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup.
First, close any prior instances of Chrome via Task Manager.
Then press Windows-key+R for the RUN option and then put a command line similar to this {adjusting for -your- Login account}
C:\Users\<Your-login>\AppData\Local\Google\Chrome\Application\chrome.exe -incognito

This is valid for Vista, Win 7, Win 8.   {Win XP will be slightly different}.
For Windows XP, use this:
C:\Documents and Settings\<your-login>\Local Settings\Application Data\Google\Chrome\Application\chrome.exe -incognito

Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it.
Note also, Incognito mode is also an option in the Chrome menu  {as long as it can start}.


Other suggestions, for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys to get menu for clearing browsing data:

Check "Empty the cache"
"Delete cookies and other site and plug-in data"
and press Clear browsing data button

Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed.  Disable any that you are not familiar with or that you do not trust.

Also see these Google - Chrome articles  and take appropriate measures !!
Reset browser settings
https://support.google.com/chrome/answer/3296214

Search engine and other settings taken over by an unwanted program
https://support.google.com/chrome/answer/2765944?hl=en&ref_topic=3227046


fyi, the general Google Chrome help online  http://support.google.com/chrome

 

 

Let me know how things are, after you get thru the above suggestions.

When all done, Copy & Paste the contents of "sc-cleaner.txt" into a reply.


Hi. I ran a scan and quarantined the incidence of PUP.Optional.DefaultSearch.A that was found then went through all the steps above. When I was done, I ran another scan and quarantined the incidence of PUP.Optional.DefaultSearch.A that was again found.

 

Here's the content from the sc.cleaner.txt file:

 

Shortcut Cleaner 1.3.3 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 
Windows Version: Windows 7 Home Premium Service Pack 1
Program started at: 07/14/2014 08:59:55 PM.
 
Scanning for registry hijacks:
 
 * No issues found in the Registry.
 
Searching for Hijacked Shortcuts:
 
Searching C:\Users\Sher\AppData\Roaming\Microsoft\Windows\Start Menu\
 
Searching C:\ProgramData\Microsoft\Windows\Start Menu\
 
Searching C:\Users\Sher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
 
Searching C:\Users\Public\Desktop\
 
Searching C:\Users\Sher\Desktop
 
 
0 bad shortcuts found.
 
Program finished at: 07/14/2014 09:00:10 PM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)

The shortcut cleaner did not find a messed-up shortcut.

But tell me, did you reset Chrome settings to default ?  especially the search option ?

 

also do this:

Set Windows 7 to Show all files  by doing this:
Press and hold **Windows-key+E key** on keyboard to start **Windows Explorer**   ( File Manager for Windows).
From the Windows Explorer menu options, Select Tools, then Folder Options.
Next click the View tab.
Locate and uncheck "Hide protected operating system files (Recommended)".
Locate and click "Show hidden files and folders and drives".
Click Apply > OK.

 

(b)

Close any open work documents, if any, saving your work.
Make sure to close any other programs that you started before.

Please download Junkware Removal Tool by Thisisu to your Desktop
http://thisisudax.org/downloads/JRT.exe

Please close your security software to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or 7 or 8, right-mouse click JRT.exe and select Run as administrator.
The tool will open and display information and disclaimer in a Command prompt window.

I'd suggest you close all internet browsers at this point.

 Press a key on keyboard to start scanning your system.

Please be very patient as this will take several minutes to complete, depending on your system's specifications.
There are approximately 12 phases or so in this tool.  You will see each phase listed in the Command prompt window.
On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.  And the command prompt will have been closed.

Please attach JRT.txt into a new reply.
 

[ c ]

Please download **AdwCleaner** and save it to your desktop.
http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner

Now Close all browsers, all open apps.

Run **AdwCleaner** and click on "scan"
After the scan has completed I want you to click on "clean"
Once done it will ask to reboot, allow the reboot
On reboot a log will be produced, please attach the log to your next reply


How is ( are) your browsers now?  A reset to their default settings should have done wonders about resetting the search preference to default.

The Adwcleaner did a very good job of squashing some other search rogue settings.

 

Start the Anti-Malware program.

Click the Settings icon at the top bar.   Then click on Detection and Protection.

Look at your selections there:

Especially look at the Non-Malware protection
For each of the lines marked
PUP
PUM


be sure your setting is made to Treat detections as malware


Click the Scan icon at the top bar.

Take a first look at the Scan window.

Do you see a green tick mark and a green line of text  ( like from the last scheduled scan).

If you see a button marked Main menu at the bottom right, then click it.

In any event, have the selection selected for Threat scan and then click Scan now.

If it displays an orange sign with Updates are available, press the Update now button.

Have lots of patience as it gets and processes the Update.  Even if your Windows bar shows ( not responding) keep patient and it eventually finishes after a bit.



A Threat Scan will begin.
When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
In some cases, a restart will be required.
Wait for the prompt to restart the computer to appear, then click on Yes.



Click on the History tab  > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Copy to Clipboard
Paste the contents of the clipboard into your reply.

 

At that point, advise me, How are things now?


Hi,

 

I reset the default settings. I wasn't having a lot of problems with the browsers except Google occasionally wouldn't load the search results.

 

I've verified that MBAM is treating PUPs and PUMs as malware. I didn't have to make any changes when I double checked. It was already set that way.

 

I've included the copy of the MBAM log below, as you requested. I just quarantined the Defaultsearch.A PUP twice and it's still coming up on the MBAM scans.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/20/2014
Scan Time: 7:15:51 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.20.07
Rootkit Database: v2014.07.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Sher
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 298632
Time Elapsed: 9 min, 5 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.DefaultSearch.A, C:\Users\Sher\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://www.default-search.net?sid=476&aid=100&itype=n&ver=12349&tm=345&src=hmp" ],), Replaced,[cafdfaa78bf042f4d7ba22b71de7f709]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Hello,

 

Do 2 things:   1 - post a copy of the last scan run

 

# 2:  I urge you re-do some checks on Google Chrome and perhaps get help at Google-Chrome support.

while Chrome is running:
Press & hold SHIFT+CTRL+Del keys to get menu for clearing browsing data:

Check "Empty the cache"
"Delete cookies and other site and plug-in data"
and press Clear browsing data button

Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed.  Disable any that you are not familiar with or that you do not trust.

Also see these Google - Chrome articles  and take appropriate measures !!
Reset browser settings
https://support.google.com/chrome/answer/3296214

Search engine and other settings taken over by an unwanted program
https://support.google.com/chrome/answer/2765944?hl=en&ref_topic=3227046
 


Here's a copy of the last scan log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/23/2014
Scan Time: 7:44:29 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.24.01
Rootkit Database: v2014.07.17.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Sher
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300925
Time Elapsed: 10 min, 18 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.DefaultSearch.A, C:\Users\Sher\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://www.default-search.net?sid=476&aid=100&itype=n&ver=12349&tm=345&src=hmp" ],), Replaced,[68e9485b057663d317ed974931d3d729]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
I also regularly clear the browser history, including the cookies. The only extension running is Google Docs.

Did you now look at the current settings in Chrome itself?

It is not enough to have relied just on the re-install   ---- if there is an issue now.

 

also, take a visual look using Windows Explorer, into the contents at the folder  C:\Users\Sher\AppData\Local\Google\Chrome\User Data\Default\Preferences

 

+

Please download and SAVE RogueKiller 64 bit to your desktop from this next link
http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe

Quit all running programs.

Do a right-click on the **roguekiller64.exe** , select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Please attach the report which should be located on your desktop:   **RKreport[1].txt**


Download OTL by OldTimer to your desktop:
http://oldtimer.geekstogo.com/OTL.exe

Close all open windows on the Task Bar. Then run OTL
(for Vista, or Windows 7 or 8 Right click the icon and Run as Administrator) to start the program.

In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Now click Run Scan at Top left and let the program run uninterrupted.  It will take about 4 minutes or so.  In any event, have lots of infinite patience.

It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
Exit Notepad.  Remember where you've saved these 2 files as we will need both of them shortly!
Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: http://screen317.spywareinfoforum.org/SecurityCheck.exe
Run Security Check
Follow the onscreen instructions inside of the command window.
A Notepad document should open automatically called checkup.txt; close Notepad.  We will need this log, too, so remember where you've saved it!

Then attach the following into your post
OTL.txt
Extras.txt
checkup.txt


The Chrome browser "preferences" file seems to be glitched in some manner, as the OTL report shows here

CHR - plugin: Error reading preferences file


You should consider uninstalling all of Chrome by 1st doing an uninstall using Control Panel >> Programs and features.
Then restarting Windows.
Then looking at this folder location ( using Windows Explorer ) C:\Users\Sher\AppData\Local\Google\Chrome
If it is still there, delete that folder and all sub-folders.

Then if you wish to still have Chrome, get the latest released version from Google.
Or do without it, and possibly consider this alternate browser:  Pale Moon
http://www.palemoon.org/

As there is no malware infection on this box, we are done here as far as that goes.
I would recommend that you tighten up your security practices as relates to use of browsers and what you accept as free add-ons off the internet.

Pay close attention when installing 3rd-party programs.
It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet.
If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Furthermore, If the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.

Plus, I would urge you to get our Anti-Exploit program to help guard your browsers.
http://www.malwarebytes.org/products/antiexploit/

 

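An added example, not part of the original thread and not code from Malwarebytes, OTL or Google: a small Python check that reads a Chrome Preferences file (it is JSON), lists every `startup_urls` entry whose host is not on an expected list, and reports separately when the file no longer parses, which is the condition the OTL line above points to. The function names, `ALLOWED_HOSTS` and the sample file contents are assumptions made for this example; the flagged URL is the one shown in the scan logs above.

```python
import json
import sys
from urllib.parse import urlsplit

# Assumption: hosts this user actually wants as startup pages.
ALLOWED_HOSTS = {"www.google.com"}

def find_startup_urls(node, path=""):
    """Yield (json_path, url) for each string under any "startup_urls" key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "startup_urls" and isinstance(value, list):
                yield from ((child, u) for u in value if isinstance(u, str))
            else:
                yield from find_startup_urls(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_startup_urls(item, f"{path}[{i}]")

def audit_preferences(text, allowed_hosts=ALLOWED_HOSTS):
    """Report whether the file parses and which startup URLs are unexpected."""
    try:
        prefs = json.loads(text)
    except json.JSONDecodeError as exc:
        # A file that does not parse cannot be inspected any further;
        # report where parsing stopped instead of guessing at its contents.
        return {"readable": False, "error": f"line {exc.lineno}: {exc.msg}",
                "unexpected": []}
    unexpected = []
    for path, url in find_startup_urls(prefs):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:          # malformed URL: treat as unexpected
            host = ""
        if host not in allowed_hosts:
            unexpected.append({"path": path, "url": url, "host": host})
    return {"readable": True, "error": None, "unexpected": unexpected}

# Constructed sample Preferences content (not the user's real file).
SAMPLE_PREFS = json.dumps({
    "homepage": "https://www.google.com/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "https://www.google.com/",
            "http://www.default-search.net?sid=476&aid=100&itype=n&ver=12349&tm=345&src=hmp",
        ],
    },
}, indent=2)
CORRUPT_SAMPLE = SAMPLE_PREFS[: len(SAMPLE_PREFS) // 2]  # truncated on purpose

if __name__ == "__main__":
    # Pass the path to a Preferences file, or run with no argument for the sample.
    text = SAMPLE_PREFS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    print(json.dumps(audit_preferences(text), indent=2))
```

Run it with Chrome closed so the file is not being rewritten while it is read.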

Hi,

 

Thanks so much for all your help. As you suggested, I also took this over to the Chrome forum. They suggested it might be a corrupt user profile so I closed Chrome and went to %LOCALAPPDATA%\Google\Chrome\User Data\. Once there I renamed the folder called "Default" to "Backup Default" then opened Chrome. When I did that, it created a new user profile. Of course, this meant all my bookmarks were gone, so I copied "bookmarks.bak" to the new "Default" folder, renamed it "bookmarks" and sat back to see what happened. I did all this last night. I've run 3 scans so far, and no detection of PUP.Optional.DefaultSearch.A.

 

I'd have never gone to Google forum without your suggestion, so thanks again. And thanks for putting so much time and effort into helping me solve this!

 

Best,

Sher


Bravo !   Kudos to you for the checks with Google and relaying your findings to us here.

It makes good sense.

 

To clean up after some of the tools I had you use.

Start OTL.exe and look for and press the CleanUp! button.

Delete RoguekillerX64.exe

 

Thank you again for your feedback notes.   As the case is resolved, I will now close it.


This topic is now closed to further replies.