miekiemoes

Chrome Secure Preferences detection always comes back


When Malwarebytes finds some malicious (mostly adware or PUP) settings/start pages/search engines in your Chrome, it will address this.

(Note, Malwarebytes doesn't really delete the Chrome Secure Preferences file when a detection occurs)

However, some of you may notice it will always come back after the Malwarebytes scan. In that case, it might be because you are still using an older version of Malwarebytes, and/or it's most likely because you have Chrome Sync enabled.

The following instructions need to be done in the EXACT order as outlined below in this post.

 

So first of all, make sure you have the latest version of Malwarebytes installed (currently 3.4.5): https://www.malwarebytes.com/mwb-download/

Perform another scan, make sure Google Chrome is closed, have it remove what it has found, and reboot if asked to. Then verify if the detection is gone.

If not... then it's most probably because of Chrome Sync that is enabled.

To deal with this, please follow the steps below in the exact order as outlined:

  1. Open your Chrome.
  2. Go to Settings > People > Sync (or alternatively, enter the following in the address bar: chrome://settings/syncSetup)
  3. On the page, you'll see what synced data is enabled. Move all sliders to the left in order to disable all the syncing.
  4. Then click the "Manage synced data on Google Dashboard" (2) in order to open Google Dashboard.
  5. On Google Dashboard, at the bottom, click "Reset Sync" - Click OK at the prompt.
  6. Close your Chrome browser.
  7. Do NOT enable sync yet, as you need to perform another scan with Malwarebytes first in order to fix Chrome.
  8. Perform a new scan with Malwarebytes and let it delete what it has found.
  9. Reboot in case it asks to reboot.

Verify after the next scan that the detection doesn't occur anymore. If results come back clean, you can enable Google Sync again.

It will ask for your username first, in order to log in - Once that is done, it should automatically enable Sync again. You can adjust the sliders for what you want to sync.

If you have multiple operating systems, run Malwarebytes on each of them first before logging back into Chrome. This is to make sure the malware is also cleaned from the other PC(s). If not cleaned, it will sync the malware from the "uncleaned" PC back again to the server and then back to your clean PC.

 

Edited by miekiemoes


If the instructions above didn't solve your issue (repeated detections), you can try to manually clean your Google Chrome settings, so as to remove the threat(s) Malwarebytes is detecting (the one(s) that keep coming back). There are three main areas that you can clean: the New Tab page, the Search engine, and the On start-up (start page):

  • On the top-right corner of Google Chrome, click on the three little dots, and then click on Settings (or simply access chrome://settings from the navigation/URL bar)
  • Under Appearance and Show Home button, make sure that either New Tab page is selected, or that you know and trust the website in the second option (ex: google.com)
  • Under Search engine, make sure that the Search engine used in the address bar is set to Google or another trusted search engine (such as DuckDuckGo)
  • Click on the Manage search engines button, and under Default search engines, delete every option (by clicking on the three little dots on the right, followed by Remove from list) other than Google
  • Remove the search engines under Other search engines as well
  • Once done, go back and under On start-up, make sure that the Open the New Tab page option is selected OR, if the Open a specific page or set of pages option is selected, make sure that only known and trusted websites are listed. Otherwise, delete them by clicking on the three little dots on the right and selecting Remove

If the instructions above didn't do the trick for you, you can run AdwCleaner and delete the threats it detected and see if it works.

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it

Please note that the solution below isn't recommended, as it'll prevent Malwarebytes from cleaning Google Chrome settings (malicious ones) in the future, until you revert the changes you made. You should do this only if you want to disable the detection(s) for this/these specific file(s) while waiting for a fix to be released.

Another possible solution at the moment, is to add the detected file(s) (either Web Data, Secure Preferences or both) to Malwarebytes' scan exclusion list, so it won't get detected anymore. For more information on how to proceed, follow the instructions in the support article below.

https://support.malwarebytes.com/docs/DOC-1058

The two possible files to add are:

C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Web Data


For instance, the full path for these two files on my system would be:

C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Web Data

If the solution(s) listed above didn't work for you, please start a new thread in the Malware Removal for Windows section in order to get more assistance.

 

Edited by Aura
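
The three areas listed in the post above (home page, search engine, start-up pages) can also be checked read-only from the Secure Preferences file itself. The script below is an added example, not part of the original posts and not Malwarebytes code; the JSON key names are assumptions about Chrome's profile layout, and the sample data and trusted-host list are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

# Hosts you know and trust; an assumption for this example, adjust as needed.
TRUSTED_HOSTS = {"google.com", "www.google.com", "duckduckgo.com"}

# Constructed sample (not from a real profile), using reserved .test names.
SAMPLE = """{
  "homepage": "http://start.example.test/",
  "homepage_is_newtabpage": false,
  "session": {"restore_on_startup": 4,
              "startup_urls": ["https://www.google.com/",
                               "http://start.example.test/?src=1"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Example Search",
      "url": "http://find.example.test/?q={searchTerms}"}}
}"""

def lookup(prefs, dotted):
    """Walk a dotted key path; return None if any level is missing."""
    for part in dotted.split("."):
        if not isinstance(prefs, dict) or part not in prefs:
            return None
        prefs = prefs[part]
    return prefs

def host_of(url):
    # Chrome's built-in Google entry uses a {google:baseURL} template.
    if url.startswith("{google:baseURL}"):
        return "www.google.com"
    return (urlsplit(url).hostname or "").lower()

def audit(prefs, trusted=TRUSTED_HOSTS):
    """Return (area, url) pairs whose host is not in the trusted set."""
    found = []
    if lookup(prefs, "homepage_is_newtabpage") is False:
        found.append(("homepage", lookup(prefs, "homepage") or ""))
    if lookup(prefs, "session.restore_on_startup") == 4:  # 4 = specific pages
        found += [("startup", u) for u in lookup(prefs, "session.startup_urls") or []]
    search = lookup(prefs, "default_search_provider_data.template_url_data.url")
    if search:
        found.append(("search", search))
    return [(area, u) for area, u in found if u and host_of(u) not in trusted]

if __name__ == "__main__":
    # Pass the path to Secure Preferences (Chrome closed); else use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for area, url in audit(json.loads(text)):
        print(f"{area}: {url}")
```

Run it with Chrome closed; it only reads the file, so any entry it lists still has to be removed through the Chrome settings pages or a Malwarebytes scan as described above.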
