False Positive?

CrimsonMoon

Help! I did a scan earlier on my system using Malwarebytes and it detected C:\Users\torres\AppData\Local\Google\Chrome\User Data\Default\Preferences as Pup.Optional.Terraclicks.shrtcln.

I was in a hurry so I didn't bother to clean it yet and just closed the scan, and even forgot to export it. When I got back home I did a re-scan and it showed nothing, and I did a scan on the file using VirusTotal and it was negative. Was it possible that it was a false positive and it just went away due to a more recent update? Today was the first time in at least a week that I logged on/turned on the PC due to being busy.

  • Staff
14 minutes ago, CrimsonMoon said:

C:\Users\torres\AppData\Local\Google\Chrome\User Data\Default\Preferences

Hard to say without a copy of this file. If it's no longer detected, then it probably won't show anything.

This is the Google Preferences file, and it could have been a visit to a site that may have triggered it.

  • Staff

It was likely a URL within the Preferences file due to caching or DNS prefetching (which helps speed up searches & loading of pages, etc.). Typically caching/prefetching is fairly limited, so once a certain number of cached URLs has been reached, the older ones are "evicted" to make room for the new.

So if you visited a site that had an advert for terraclicks, because the browser still needs to resolve that URL (even though you didn't click it - it just does this so it can load quicker if you did), it will cache it along with the resolved info. (It does not care if it is an advert URL or a URL you might click every day from a specific web page.)

You probably closed the browser at some point & re-opened it, visited some other sites which loaded some new URLs. This would have cleared the terraclicks one & therefore no more detection by MBAM.

In your case, it did not quarantine the URL within Preferences because you just closed the scan (without taking action). The URL was removed already when you ran the scan again.

Either way - no harm done. Chrome cleaned itself up just because of how it limits its cache. If you had let MBAM clean it, no harm would have been done either.

If you had the "full" infection of Terraclicks, your shortcuts would likely have been messed up, causing advertisements to load every time you clicked your browser shortcut. (We can clean that too if it happened.)

This page may help to explain how the caching/prefetching works in Preferences: (sorry, it is a bit techy)

https://www.chromium.org/developers/design-documents/dns-prefetching

Hope that helps. :)
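To check for yourself whether a flagged domain is still referenced in the Preferences file (as the reply above says, the entry may already have been evicted by the time you re-scan), here is an added example in Python. It is not code from this thread or from Malwarebytes; it assumes only that Preferences is a JSON document, and the key names in its constructed sample are illustrative rather than a description of Chrome's real layout.

```python
"""Walk a Chrome-style Preferences JSON file and report where a domain appears.

Added example (not from the forum post or from Malwarebytes). It assumes only
that Preferences is a JSON document; the key names in the constructed sample
below are illustrative and not a claim about Chrome's real layout.
"""
import json
from typing import Any, Iterator
from urllib.parse import urlparse

# Constructed sample standing in for the Preferences file discussed in the thread.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"name": "Person 1"},
    "dns_prefetching": {
        "host_referral_list": [
            ["https://news.example.com/",
             ["https://terraclicks.com/", "https://cdn.example.net/"]]
        ],
        "startup_list": ["https://www.example.org/"]
    },
    "session": {"urls_to_restore_on_startup": ["https://www.example.org/home"]},
})


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string_value) for every string in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def _host_of(value: str) -> str:
    """Return the lower-cased hostname of a URL-like string ('' if it has none)."""
    parsed = urlparse(value if "://" in value else f"//{value}")
    return (parsed.hostname or "").lower()


def find_domain_refs(prefs_json: str, domain: str) -> list[tuple[str, str]]:
    """Return [(path, value)] for every string whose host is `domain` or a subdomain of it.

    Matching on the parsed host rather than on a substring avoids false hits such
    as 'notterraclicks.com' or a query string that merely mentions the domain.
    """
    domain = domain.lower().lstrip(".")
    hits = []
    for path, value in _walk(json.loads(prefs_json)):
        host = _host_of(value)
        if host == domain or host.endswith("." + domain):
            hits.append((path, value))
    return hits


def scan_preferences_file(path: str, domain: str) -> list[tuple[str, str]]:
    """Read a Preferences file from disk (it is UTF-8 JSON) and scan it for `domain`."""
    with open(path, encoding="utf-8") as fh:
        return find_domain_refs(fh.read(), domain)


if __name__ == "__main__":
    # Against the constructed sample this reports the single prefetch entry.
    for json_path, url in find_domain_refs(SAMPLE_PREFERENCES, "terraclicks.com"):
        print(f"{json_path}: {url}")
```

Point `scan_preferences_file` at the real path from the scan result (with Chrome closed, since it rewrites the file while running). A hit only tells you the browser has seen or prefetched that host, which matches the explanation above; an empty result after re-opening the browser is consistent with the entry having been evicted.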


That's why! Thank you for that info, blender! It really cleared up my mind. So it does not matter if it was an advert which I didn't click, correct, and I didn't even get infected.

At least it also reassures me that MBAM detects almost anything, even infected or possible malware advertisements!

  • Staff

You're very welcome.

Nope - it doesn't really matter. The advert URL was simply on some web site you visited & your browser cached it. Because it was something you didn't bother to click or interact with, the browser just cleared that URL (and likely others).

Indeed. We are pretty aggressive not only with true malware but also unwanted programs and other junk. We are aggressive against malvertising too by blocking URLs/IPs and so on that deliver this junk.


1 hour ago, blender said:

You're very welcome.

Nope - it doesn't really matter. The advert URL was simply on some web site you visited & your browser cached it. Because it was something you didn't bother to click or interact with, the browser just cleared that URL (and likely others).

Indeed. We are pretty aggressive not only with true malware but also unwanted programs and other junk. We are aggressive against malvertising too by blocking URLs/IPs and so on that deliver this junk.

Thanks a bunch! This really cleared it up! Must've been a hijacked ad on a legit website.

  • Staff

If MBAM finds it again, be sure to exit the browser & let MBAM clean up. The cleanup goes through a few other routine checks and so on which works best if Chrome is closed. It may require a reboot to finish.

In any case, it isn't a false positive.

If you still have trouble after, please follow the instructions at this page to get additional help to clean up any remains, if any.

12 hours ago, blender said:

If MBAM finds it again, be sure to exit the browser & let MBAM clean up. The cleanup goes through a few other routine checks and so on which works best if Chrome is closed. It may require a reboot to finish.

In any case, it isn't a false positive.

If you still have trouble after, please follow the instructions at this page to get additional help to clean up any remains, if any.

Will post there, thanks blender!

18 hours ago, blender said:

If MBAM finds it again, be sure to exit the browser & let MBAM clean up. The cleanup goes through a few other routine checks and so on which works best if Chrome is closed. It may require a reboot to finish.

In any case, it isn't a false positive.

If you still have trouble after, please follow the instructions at this page to get additional help to clean up any remains, if any.

I found a "cookie" regarding terraclicks.com... maybe that's what's causing the detection?