PUP Optional Conduit is reappearing

[PatB]

I got infected by this malware.  I put all elements in quarantine, reboot the computer and run another scan.  It will still be detected.

Thank you for your help,

Addition.txt

FRST.txt

[Aura]

Hi PatB

Can you follow the instructions in the thread below, and see if that solves your issue?

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Make sure that Google Chrome is closed when running the scan with Malwarebytes and removing the threat (make sure that no chrome.exe processes are running in the Task Manager. If there are, you can kill them).

[PatB]

I followed your insctructions step by step making sure Chrome was closed after disabling and reseting the sync and it is still reappearing.

I see in that link that the current up to date MBAM version is 3.3.3.  My version is 3.2.2.2018.

But when I click "update" from the dashboard it says: "up to date"

What should I do now?

[Aura]

Hi,

First of all, for more explanation about why this issue is occurring, read Fatdcuk's post below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/?do=findComment&comment=1180550

Now, if you aren't running the latest version of Malwarebytes already (which is 3.3.1 at this time), please download and install the latest (in-place upgrade) from the website directly.

https://downloads.malwarebytes.com/file/mb3/

Alternatively, you can open Malwarebytes, go to the Settings tab, and under the Application tab, click on the Install Application Updates button. This way, Malwarebytes will look for a newer version of the program and if found, asks you if you want to install it (do so).

Once done, follow the instructions in the thread below and see if that solves your issue. Please note that, as stated in the thread below, these steps will most likely have to be executed on every single computer where you are logged in Google Chrome with your Google account, and where the sync feature is enabled.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

If the guide above didn't help you, you can try to manually clean your Google Chrome settings, as to remove the threat Malwarebytes is detecting (the one(s) that keeps coming back). There are three main areas that you can clean: the New Tab page, the Search engine, and the On start-up (start page):

• On the top-right corner of Google Chrome, click on the three little dots, and then click on Settings (or simply access chrome://settings from the navigation/URL bar)
• Under Appearance and Show Home button, make sure that either New Tab page is selected, or that you know and trust the website in the second option (ex: google.com)
  
• Under Search engine, make sure that the Search engine used in the address bar is set to Google or another trusted search engine (such as DuckDuckGo)
  
• Click on the Manage search engines button, and under Default search engines, delete every other options (by clicking on the three little dots on the right, followed by Remove from list) other than Google
  
• You are also free to remove the search engines under Other search engines if wanted
• Once done, go back and under On start-up, make sure that the Open the New Tab page option is selected OR, if the Open a specific page or set of pages option is selected, make sure that only knowns and trusted websites are listed. Otherwise, delete them by clicking on the three little dots on the right and select Remove
  

Another possible solution at the moment, is to add the detected file(s) (either Web Cache, Secure Preferences or both) to Malwarebytes' scan exclusion list, so it won't get detected anymore. For more information on how to proceed, follow the instructions in the support article below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/

The two possible files to add are:

C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Web Cache

For instance, the full path for these two files on my system would be:

C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Web Cache

Let me know if any of that worked for you. If it that, let me know which solution worked. If you need assistance with the instructions above, 

 

Edited November 9, 2017 by Aura

[PatB]

Thank you for your support. 

I have updated MBAM to version: 3.3.1.2183

I have done each and every suggested points in both the link https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/ and the following by cleaning : the New Tab page, the Search engine, and the On start-up (start page)

I have two other devices that have my gmail synced with my PC but they are both not connected to Chrome.

Then I shut down these two devices, deleted all history in Chrome on my PC, ran CCleaner, put the PUP Optional Conduit in quarantine, re-booted my compter and rerun a scan with MBAM.  I still get the same detection.

I still could try to set my two other devices on a "virgin'" gmail account" to see if that helps or/and add the detected files to MBAM exclusion list.  

Although, putting them in the exclusion list would mean that the "PUP.Optional.Conduit" malware is ignored, right?

[Aura]

Quote

Although, putting them in the exclusion list would mean that the "PUP.Optional.Conduit" malware is ignored, right?

 

Yes, it would be ignored.

Can you try deleting all the search engines under "Other search engines", as instructed below? It seems like this option helped most users.

Quote

• You are also free to remove the search engines under Other search engines if wanted

 

[PatB]

Yes, I already did delete all other search engines, except google.ca set per default.

Are you telling me that there is zero risk in setting PUP.Optional.Conduit as an exclusion?

[Aura]

There's no risk of your data being compromised with a PUP detection, that's right. Can you provide me screenshots of your home page, new tab and search engines sections in Google Chrome settings? Maybe I'll notice something you might have overlooked.

[PatB]

Here are the requested screenshots.

[Aura]

Ah... I see what's up. Can you provide me the Malwarebytes log where the detections are showing up?

[PatB]

As per requested..

17-11-09 MBAM log.txt

[Aura]

As expected. Alright, close Google Chrome, and make sure that no chrome.exe processes are running. Once done, rename this folder:

C:\USERS\BLAIS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default

For this:

C:\USERS\BLAIS\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default_old

Now, open Google Chrome. Are your settings, bookmarks, extensions, etc. still there?

[PatB]

yes

[Aura]

Good. Now, delete the Default_old folder, and run a scan with Malwarebytes. Is the detection still showing up?

[PatB]

No more detection.

Merci infiniment !!!

[Aura]

De rien PatB, ça fait plaisir!

Si jamais le problème revient, tu peux m'envoyer un message privé et je rouvrirais ce sujet.

Stay safe!

[Aura]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!