Jump to content

Can't Remove PUPs


Recommended Posts

Hi,

First of all, for more explanation about why this issue is occurring, read Fatdcuk's post below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/?do=findComment&comment=1180550

Now, if you aren't running the latest version of Malwarebytes already (which is 3.3.1 at this time), please download and install the latest (in-place upgrade) from the website directly.

https://downloads.malwarebytes.com/file/mb3/

Alternatively, you can open Malwarebytes, go to the Settings tab, and under the Application tab, click on the Install Application Updates button. This way, Malwarebytes will look for a newer version of the program and if found, asks you if you want to install it (do so).
EEdmPfu.png

Once done, follow the instructions in the thread below and see if that solves your issue. Please note that, as stated in the thread below, these steps will most likely have to be executed on every single computer where you are logged in Google Chrome with your Google account, and where the sync feature is enabled.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

If the guide above didn't help you, you can try to manually clean your Google Chrome settings, as to remove the threat Malwarebytes is detecting (the one(s) that keeps coming back). There are three main areas that you can clean: the New Tab page, the Search engine, and the On start-up (start page):

  • On the top-right corner of Google Chrome, click on the three little dots, and then click on Settings (or simply access chrome://settings from the navigation/URL bar)
  • Under Appearance and Show Home button, make sure that either New Tab page is selected, or that you know and trust the website in the second option (ex: google.com)
    yuYmo5T.png
  • Under Search engine, make sure that the Search engine used in the address bar is set to Google or another trusted search engine (such as DuckDuckGo)
    QHcKrhr.png
  • Click on the Manage search engines button, and under Default search engines, delete every other options (by clicking on the three little dots on the right, followed by Remove from list) other than Google
    lxbWHn1.png
  • You are also free to remove the search engines under Other search engines if wanted
  • Once done, go back and under On start-up, make sure that the Open the New Tab page option is selected OR, if the Open a specific page or set of pages option is selected, make sure that only knowns and trusted websites are listed. Otherwise, delete them by clicking on the three little dots on the right and select Remove
    Ef7a38z.png

Another possible solution at the moment, is to add the detected file(s) (either Web Cache, Secure Preferences or both) to Malwarebytes' scan exclusion list, so it won't get detected anymore. For more information on how to proceed, follow the instructions in the support article below.

https://forums.malwarebytes.com/topic/214438-chrome-web-data-pup-wont-go-away/

The two possible files to add are:

C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\$YOUR_USERNAME\AppData\Local\Google\Chrome\User Data\Default\Web Cache


For instance, the full path for these two files on my system would be:

C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
C:\Users\Aura\AppData\Local\Google\Chrome\User Data\Default\Web Cache

Let me know if any of that worked for you. If it did, let me know which solution worked. If you need assistance with the instructions above, let me know.

 

Edited by Aura
Link to post
Share on other sites

Alright follow the instructions below.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop
  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Make sure the Addition.txt box is checked
  • Click on the Scan button
    KSJwAxg.png
  • On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

Link to post
Share on other sites

The start-up URLs is your problem.

CHR StartupUrls: Default -> "hxxp://search.babylon.com/?affID=112542&tt=120912_cpc_3812_7&babsrc=HP_ss&mntrId=ae6d02dd000000000000dc85de06bf22","hxxp://www.google.com","hxxp://news.searchonme.com/?v=m1","hxxp://start.toshiba.com/?cid=C001B2Y","hxxp://www.msn.com/?pc=UP21&ocid=UP21DHP&dt=041213","hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN40331721293049042&UM=2","hxxp://search.conduit.com/?ctid=CT3291327&SearchSource=48&CUI=UN14614295113548253&UM=2","hxxp://search.conduit.com/?ctid=CT3306061&SearchSource=48&CUI=UN39623767966443269&UM=2","hxxp://Lasaoren.com/?f=7&a=lrn_frg01_14_45_ch&cd=2XzuyEtN2Y1L1Qzu0FzztC0AyCyBtC0B0C0C0E0DzyyD0E0DtN0D0Tzu0StCtDyEtAtN1L2XzutAtFyCtFtCtFtDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyE0BtAtDyDyEzz0EtGtDtDtDyCtGyCtB0B0BtGtCzztByEtGyDtBtB0F0C0DyC0CtBzzzzyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0D0D0D0BtC0ByCtG0DzzyDtBtGyEtDtAtDtGzyzzyE0AtGyDtA0Bzy0ByBtDtC0C0Fzz0C2Q&cr=1166427630&ir=","hxxp://Vosteran.com/?f=7&a=vst_frg01_14_47_ch&cd=2XzuyEtN2Y1L1QzuzyyE0D0EzztD0A0EyB0F0C0EzyyD0E0DtN0D0Tzu0StCtDyDtAtN1L2XzutAtFyCtFtBtFtDtN1L1CzutCyEtBzytDyD1V1QtN1L1G1B1V1N2Y1L1Qzu2SyC0EyByCzzyC0FtAtGyEtAtCyDtGtCyCyEzztGtB0A0AtAtGyE0E0Ezz0C0FtAzy0CyCyBtA2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAyEzytAtAzyzzzytGtAyBtDtBtGyEzz0ByEtG0AtD0C0EtGyD0EtByCzz0ByDyBzz0DtDyE2Q&cr=345049119&ir=","hxxp://us.yhs4.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_frg01_15_15&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dus%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1QzuzyyE0D0EzztD0A0EyB0F0C0EzyyD0E0DtN0D0Tzu0StCtCzytCtN1L2XzutAtFzytFzztFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StCtDtD0CyEtB0DzytGtCtAtD0BtG0C0FyDyEtG0AtCzytAtGyDyDtDzzzztBzzyB0CtCyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StB0DtA0D0D0EtDzztGzytC0BtDtGyE0DtBzytGzytD0CzytGzyyDyE0CtA0DzyyCzy0C0CyE2QtN0A0LzuyE%26cr%3D485406961%26a%3Dwny_frg01_15_15%26os%3DWindows 8.1 Pro with Media Center","hxxps://www.google.com/"

Can you set it to "Open the New Tab page", like instructed in my 1st post (at the end)?

Link to post
Share on other sites

Alright follow the instructions below.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.