
PUP.Optional.SearchProtect.A kept showing up in Malwarebytes scans yesterday



 

I had an adware infestation after installing a program from an official website from a developer I thought after years of use was safe. There were no toolbar or addon warnings during install and Windows Defender never detected anything.

 

I uninstalled all the addons first, removed everything from my browsers, reset them both and then ran Malwarebytes, RogueKiller and AdwCleaner.

After cleaning and rebooting I checked through the registry manually looking for any leftover entries and couldn't find anything.

 

I then ran Malwarebytes again and PUP.Optional.SearchProtect.A kept showing up. When I quarantine it, delete it, reboot and scan, Malwarebytes finds it again with every scan.

 

Today I've rescanned with Malwarebytes and got these quarantined and removed them. Mostly junk that AdwCleaner quarantined. AdwCleaner doesn't even show up in installed programs for some reason.

 


 

Files: 8

PUP.Optional.Skytech.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\DpInterface32.dll.vir, , [abf6663a85f60f27ad91a4ea80811be5], 

PUP.Optional.Skytech.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\DpInterface64.dll.vir, , [633e712fe3987cbadf5f7e1026db52ae], 

PUP.Optional.IEPluginService.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\RSHP.exe.vir, , [e9b85b457cffb08679f5acc545bc41bf], 

PUP.Optional.Skytech.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SearchProtect32.dll.vir, , [aff24c54adcee1553d016e20f9085ba5], 

PUP.Optional.Skytech.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SearchProtect64.dll.vir, , [1f820e9264175cda231beba320e1847c], 

PUP.Optional.IePluginService.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SupIePluginServiceUpdate.exe.vir, , [5051fda31c5f999dbc320d51e021ee12], 

PUP.Optional.SupTab.A, C:\AdwCleaner\Quarantine\C\Program Files (x86)\SupTab\SupTab.dll.vir, , [8e13158bea9192a4fe690c29619f0000], 

PUP.Optional.ISearch.A, C:\Users\Jam Ie\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://isearch.omiga-plus.com/?type=hp&ts=1406163926&from=smt&uid=SanDiskXSDSSDXP120G_132004403735" ],), ,[475afba56e0d05315320c61be42053ad]

 

I just completed another scan and now Malwarebytes is detecting 

Files: 1

PUP.Optional.ISearch.A, C:\Users\Jam Ie\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://isearch.omiga-plus.com/?type=hp&ts=1406163926&from=smt&uid=SanDiskXSDSSDXP120G_132004403735" ],), Replaced,[3d64346cf18a47ef096af5ec4fb516ea]

 

I located the preference file in Chrome's user data, deleted it and rebooted. I'm running another scan now.

 


 


Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
    
 
    
Before we start please read and note the following:
    
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is an Attach Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

  • I can't foresee everything, so if anything unexpected happens, please stop and inform me!
  • There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
 
P2P/Piracy Warning:

  • If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
  • Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Scan with Malwarebytes' Anti-Malware

Please re-run Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detections & protection and tick Scan for rootkits.
  • Click the Scan tab, make sure Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.


Hi, thanks for the fast response. Malwarebytes keeps detecting the same single file in Chrome's user preferences.

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 24/07/2014
Scan Time: 15:13:00
Logfile: scan log.txt
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.07.24.03
Rootkit Database: v2014.07.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Jam Ie
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 279338
Time Elapsed: 4 min, 30 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.ISearch.A, C:\Users\Jam Ie\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://isearch.omiga-plus.com/?type=hp&ts=1406163926&from=smt&uid=SanDiskXSDSSDXP120G_132004403735" ],), Replaced,[f4ad257b502be74f176027bae71d15eb]
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Please download Farbar Recovery Scan Tool and save it to your desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    (XP users click run after receipt of Windows Security Warning - Open File).

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.

    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

    • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
    • Post logfile will also be saved in the C:\AdwCleaner folder.

fixlist.txt


Sorry, but I just had to do a system restore to the 18th because yesterday I removed a Windows process called WindowsMangerProtect.exe just after I installed and attempted to remove the adware. I thought it seemed suspicious at the time because I never noticed it before, but now it's not in services anyway. I've just rescanned with Farbar and it only gave me 1 txt document now, without errors.

FRST.txt


I've just run AdwCleaner and it detected the same entry in Chrome's preferences file that Malwarebytes does; after a reboot it's detected again. I think it might just be some sort of trace configuration file info left in Chrome's settings from when the adware changed my default search engine. I managed to remove all traces of it from IE by resetting to default after manual removal in home page settings and tools. I did the same for Chrome as well as deleting its preference files, but it shows up every time I scan, reboot or not? I've attached the AdwCleaner result file that opened after a reboot.

AdwCleanerS0.txt


It seems fine now. The Malwarebytes scan is attached below as a txt document again. It's basically the same: no detections but one non-malware file in Chrome's settings preferences.

omiga-plus was the search provider installed hidden in the adware-riddled program I installed. It seems to be a stuck link in Chrome's settings.

 
Files: 1
PUP.Optional.ISearch.A, C:\Users\Jam Ie\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: (      "startup_urls": [ "http://isearch.omiga-plus.com/?type=hp&ts=1406163926&from=smt&uid=SanDiskXSDSSDXP120G_132004403735" ],), Replaced,[168bbce4c8b3a98d31d7885a10f46c94]

malwarebytes.txt


I'll try to un-sync and delete the Google cloud backup, then delete the preferences file in Chrome's app folder and then turn sync back on. Is it an actual threat or risk for the link to be in the preferences setting file? It's not an actual program, is it? Malwarebytes labels it as non-malware.

 

If only I could open up the preferences file and edit the file itself. I'll check what the format of the file is.

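The Preferences file asked about in the post above is JSON text. As an added example (not part of the original thread or of any tool mentioned in it), this Python script finds every `startup_urls` list in a Preferences document and drops entries whose host is not on an allowlist; the sample document, its nesting under `session`, and the allowlist are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, not a real profile. The nesting under "session" is an
# assumption; the search below does not depend on it.
SAMPLE_PREFS = json.dumps({
    "homepage": "https://www.example.org/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "http://isearch.omiga-plus.com/?type=hp&from=smt&uid=EXAMPLE",
            "https://www.example.org/start",
        ],
    },
})

def find_startup_urls(node, path=""):
    """Yield (json_path, list) for each "startup_urls" list at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "startup_urls" and isinstance(value, list):
                yield here, value
            else:
                yield from find_startup_urls(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_startup_urls(item, f"{path}/{index}")

def host_allowed(url, allowed_hosts):
    """True if the URL's host equals, or is a subdomain of, an allowed host."""
    if not isinstance(url, str):
        return False
    host = (urlsplit(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def audit_and_clean(prefs_text, allowed_hosts):
    """Return (findings, cleaned_text); findings are (json_path, url) pairs."""
    prefs = json.loads(prefs_text)
    findings = []
    for path, urls in find_startup_urls(prefs):
        kept = [u for u in urls if host_allowed(u, allowed_hosts)]
        findings += [(path, u) for u in urls if not host_allowed(u, allowed_hosts)]
        urls[:] = kept  # edit the list in place inside the parsed document
    return findings, json.dumps(prefs)

if __name__ == "__main__":
    found, cleaned = audit_and_clean(SAMPLE_PREFS, {"example.org"})
    for where, url in found:
        print(f"unexpected startup URL at {where}: {url}")
```

Run it against a copy of the file with Chrome closed. It only addresses the local file; it does nothing about synced settings, which the helper's reply in this thread identifies as the reason the entry comes back.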

As I have said, you need to delete your sync data, or to try to modify it somehow, not to sync this unneeded entry. But if you do not have some big problems, leave it like this.

 

Thanks :)

 

 

 

 

Below you will find my thoughts about securing your machine. Go ahead through it, you will benefit from some useful advice about safe computing.
 
 

Recommended reading:

  • MUST READ - general maintenance: What to do if your Computer is running slowly?
 
 
 

Recommended additional software:

  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from very severe CryptoLocker infection.
  • Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
 
 
The following will implement some post-cleanup procedures:
 
=> Please download DelFix by Xplode to your Desktop.
 
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
 
 
Stay safe,
TwinHeadedEagle :)

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
