Buddy777

Chrome PUP still active

Hello, I have been looking at these posts for a bit now and I have tried uninstalling Chrome twice and deleting the local app data completely by deleting it again in the trash can. In the post it keeps saying see below, but I keep going down the thread and it just keeps saying see below. I scanned, removed the PUP, then uninstalled Chrome, deleted local data, then scanned again after reinstalling Chrome, and the PUP is still there. Here is what I keep getting. What steps am I missing to remove these, or are these things just not harmful?
PUP.Optional.Conduit, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [579], [454832],1.0.3207
PUP.Optional.Conduit, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [579], [454832],1.0.3207
PUP.Optional.Conduit, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [579], [454832],1.0.3207
PUP.Optional.Linkury, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [319], [455237],1.0.3207
PUP.Optional.Conduit, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [579], [454832],1.0.3207
PUP.Optional.Linkury, C:\USERS\TYLER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [319], [455237],1.0.3207


I'm having the same issue too. FYI it's the database that stores Chrome's autofill data. I don't have a solution yet, but wanted you to know you weren't alone. If I find out what to do I'll let you know though!


It ain't harmful, is it? I took a safety measure and completely uninstalled Chrome just in case lel. It's got rid of the issue, but I'm just using Firefox until a solution is found :')


seems like a bug?

me too same thing

File: 1
PUP.Optional.ASK, C:\USERS\ME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\Web Data, Replaced, [527], [454824],1.0.3204

and there is another one here

same issue


Hi guys,

First of all, for more explanation about why this issue is occurring, read Fatdcuk's post below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/?do=findComment&comment=1180550

Now, if you aren't running the latest version of Malwarebytes already (which is 3.3.1 at this time), please download and install the latest (in-place upgrade) from the website directly.

https://downloads.malwarebytes.com/file/mb3/

Alternatively, you can open Malwarebytes, go to the Settings tab, and under the Application tab, click on the Install Application Updates button. This way, Malwarebytes will look for a newer version of the program and if found, asks you if you want to install it (do so).

Once done, follow the instructions in the thread below and see if that solves your issue. Please note that, as stated in the thread below, these steps will most likely have to be executed on every single computer where you are logged in Google Chrome with your Google account, and where the sync feature is enabled.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

If the guide above didn't help you, you can try to manually clean your Google Chrome settings, as to remove the threat Malwarebytes is detecting (the one(s) that keeps coming back). There are three main areas that you can clean: the New Tab page, the Search engine, and the On start-up (start page):

  • On the top-right corner of Google Chrome, click on the three little dots, and then click on Settings (or simply access chrome://settings from the navigation/URL bar)
  • Under Appearance and Show Home button, make sure that either New Tab page is selected, or that you know and trust the website in the second option (ex: google.com)
  • Under Search engine, make sure that the Search engine used in the address bar is set to Google or another trusted search engine (such as DuckDuckGo)
  • Click on the Manage search engines button, and under Default search engines, delete every other option (by clicking on the three little dots on the right, followed by Remove from list) other than Google
  • You are also free to remove the search engines under Other search engines if wanted
  • Once done, go back and under On start-up, make sure that the Open the New Tab page option is selected OR, if the Open a specific page or set of pages option is selected, make sure that only known and trusted websites are listed. Otherwise, delete them by clicking on the three little dots on the right and select Remove

Another possible solution at the moment is to add the detected file(s) (either Web Cache, Secure Preferences or both) to Malwarebytes' scan exclusion list, so it won't get detected anymore. For more information on how to proceed, follow the instructions in the support article below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/

The two possible files to add are:

C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Web Cache


For instance, the full path for these two files on my system would be:

C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Web Cache

Let me know if any of that worked for you. If it did, let me know which solution worked. If you need assistance with the instructions above, 

 

Edited by Aura

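An added example, not part of the original thread and not Malwarebytes' detection logic: a read-only audit of the search engines stored in a copy of Chrome's Web Data file, which is what the manual cleanup above removes by hand. It assumes Web Data is an SQLite database with a `keywords` table (`short_name`, `keyword`, `url`); the trusted-host list, helper names and sample rows are constructed for illustration.

```python
import sqlite3
from pathlib import Path
from urllib.parse import urlsplit

# Hosts the reviewer trusts (assumption for this example; adjust as needed).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com"}

def open_copy(path):
    """Open a *copy* of Web Data read-only; Chrome locks the live file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def build_sample_web_data():
    """Constructed stand-in for Web Data: only the columns audited here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, "
               "short_name TEXT, keyword TEXT, url TEXT)")
    db.executemany(
        "INSERT INTO keywords (short_name, keyword, url) VALUES (?, ?, ?)",
        [
            ("Google", "google.com", "{google:baseURL}search?q={searchTerms}"),
            ("DuckDuckGo", "duckduckgo.com",
             "https://duckduckgo.com/?q={searchTerms}"),
            # Constructed leftover of the kind a bundled toolbar adds.
            ("Toolbar Search", "toolbar.example",
             "http://search.toolbar.example/web?q={searchTerms}"),
        ],
    )
    return db

def entry_host(url):
    """Host of a search-engine URL template, lower-cased."""
    # Chrome's built-in Google entry uses a template, not a literal host;
    # mapping it to www.google.com is a simplification made here.
    if url.startswith("{google:baseURL}"):
        return "www.google.com"
    return (urlsplit(url).hostname or "").lower()

def audit_search_engines(db, trusted=TRUSTED_HOSTS):
    """Return (short_name, keyword, host) for entries outside the trusted set."""
    rows = db.execute("SELECT short_name, keyword, url FROM keywords ORDER BY id")
    return [(name, kw, entry_host(url)) for name, kw, url in rows
            if entry_host(url) not in trusted]

if __name__ == "__main__":
    for name, keyword, host in audit_search_engines(build_sample_web_data()):
        print(f"review: {name!r} (keyword {keyword!r}) -> {host}")
```

To check a real profile, close Chrome, copy Web Data elsewhere and pass that copy's path to `open_copy` in place of the sample database.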

Thanks Aura! That did the trick. I removed all of the search engine options too. None looked like sites I hadn't visited before, but perhaps there was one. :D


Thank you for the feedback cmbarnett, it is really helpful :)


 

I got the same issue but a slightly different PUP, I think. The PUP is in the Web Data file for Chrome and Malwarebytes can't clean it. Still trying to understand how the PUP got there in the first place as I didn't install anything lately...


It's possible that this PUP has been on your system for a while, since a bunch of definitions were added 2-3 days ago to the Malwarebytes database. Did you follow the instructions I provided a few posts above?

12 minutes ago, Aura said:

It's possible that this PUP has been on your system for a while, since a bunch of definitions were added 2-3 days ago to the Malwarebytes database. Did you follow the instructions I provided a few posts above?

I've deleted Bing and some other search engine (I think it was Yahoo). Didn't fix my problem. PUP.MailRu is still being detected and I think the only solution is to add the file to exclusions, which I don't want to do.


Did you also delete every entry under the "Other search engines" section?


I fixed this, so it was not that hard after all. I saved my bookmarks under a separate file, then unsynced all of my Chrome settings. I uninstalled Chrome, then I deleted my app data fully, then ran a scan again to remove the PUP. I reinstalled Chrome and did NOT allow Google to get data from me. I then re-uploaded my bookmarks and I was clean.

13 minutes ago, Aura said:

Did you also delete every entry under the "Other search engines" section?

Alright, this is weird. I deleted all the other search engines and it doesn't detect anything anymore. However, I have copied the infected Web Data file prior to making any changes and it was being detected just fine around 15 minutes ago but now it's not detecting anything in an infected file...

edit: nvm it detects it again WTF?

Edited by nitrousable

16 minutes ago, Buddy777 said:

I fixed this, so it was not that hard after all. I saved my bookmarks under a separate file, then unsynced all of my Chrome settings. I uninstalled Chrome, then I deleted my app data fully, then ran a scan again to remove the PUP. I reinstalled Chrome and did NOT allow Google to get data from me. I then re-uploaded my bookmarks and I was clean.

I think I have figured it out. I found the search engine responsible for this PUP and removed it. As soon as I removed it, the copied infected file stops getting detected even though the only file that the deletion affected was the one in Google\Chrome\User Data.

 

If I replace the file in Google\Chrome\User Data with the infected one it becomes detected again. Bug with Malwarebytes?

10 minutes ago, nitrousable said:

Alright, this is weird. I deleted all the other search engines and it doesn't detect anything anymore. However, I have copied the infected Web Data file prior to making any changes and it was being detected just fine around 15 minutes ago but now it's not detecting anything in an infected file...

edit: nvm it detects it again WTF?

Can you check your home page, new tab, search engines, etc. and see if any of these settings are back?

Just now, Aura said:

Can you check your home page, new tab, search engines, etc. and see if any of these settings are back?

Nope doesn't seem to be back. But the detected file that I've copied earlier is being recognized as clean even though it's actually not.


This file stores changes made in your Google Chrome settings. So if you removed the offending entries (that got this file flagged by Malwarebytes in the first place), then they were removed from the file after you copied it. Hence why it's considered clean now.

1 minute ago, Aura said:

This file stores changes made in your Google Chrome settings. So if you removed the offending entries (that got this file flagged by Malwarebytes in the first place), then they were removed from the file after you copied it. Hence why it's considered clean now.

You misunderstood me. I have copied the infected Web Data file to my desktop. I ran a scan on it - it was detected.

Then I removed the offending search engine in Chrome - the copied file on desktop is no longer detected.

If I were to replace the clean file with infected file, the copy of the infected file would be detected again. 

1 hour ago, nitrousable said:

You misunderstood me. I have copied the infected Web Data file to my desktop. I ran a scan on it - it was detected.

Then I removed the offending search engine in Chrome - the copied file on desktop is no longer detected.

If I were to replace the clean file with infected file, the copy of the infected file would be detected again. 

Hi, it's not a bug but by design :)

Detection technical data removed.

Edited by Fatdcuk

37 minutes ago, Fatdcuk said:

Hi, it's not a bug but by design :)

* technical data withdrawn oops! *

I see thanks. Just thought it would still be able to detect an infected file even if it's not an original and not in use by Chrome because I literally right clicked on the infected file and pressed scan and it still wouldn't detect anything.  But if it is by design then I concede my point :)

Edited by Fatdcuk


Alright, since the OP's issue has been solved, I'll close this thread.

For everyone else experiencing the same problem, follow the instructions in my 1st post here and you should be fine :) 


Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.
