Jump to content
JJX

Pup.Optional.SearchManager & mal/behav-321

Recommended Posts

Hi,

Having an ongoing/recurring issue where multiple instances of PUP.Optional.SearchManager being detected by my Premium Edition of MalwareBytes.

Effected directories associated with the program settings for Chrome for both users on this PC.

Have also ran HitMan Pro (trial version expired) which is detecting mal/behav-321 malware on a number of files, as follows....

Malware _____________________________________________________________________

   C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\sample.dll
      Size . . . . . . . : 524,488 bytes
      Age  . . . . . . . : 0.0 days (2020-01-30 02:38:43)
      Entropy  . . . . . : 0.4
      SHA-256  . . . . . : 128F608C72E94783AB18CF286F4B62C0C4FD7F7120465CA79E1A551791CB2970
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
    > SurfRight  . . . . : Mal/Behav-321
      Fuzzy  . . . . . . : 101.0
      Forensic Cluster
         1660.8s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\
         1661.8s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\
         1661.8s C:\ProgramData\Malwarebytes\MBAMService\lkg_db\
         1662.8s C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\8DA.CAT
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\prot.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\rdefs.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\rules.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\scan.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\tids.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\wprot2.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\clean.mbdb
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\Global.sr
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\Global.nm
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\cfg.bin
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\Actions.dll
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\MBAMCore.dll
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\BrowserSDKDLL.dll
         1663.2s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\ig.exe
         1663.3s C:\ProgramData\Malwarebytes\MBAMService\dbclsupdate\staging\sample.dll

Any help removing this beastie would be GREATLY appreciated.

 

Many Thanks...
JJX

Share this post


Link to post
Share on other sites

Update.

Have reset Google Chrome synch, as per guidance in other posts and re-ran MWBytes scan. DIDN'T REBOOT BEFORE THIS SCAN AND CHANGE TO RESET MY CHROME SYNC.

It's now returning PUP.Optional.SearchManger entry once, for the other user on this PC.

Path to that file is....

C:\users\username\appdata\loca\google\chrome\user data\web data

Thx...
JJX

Share this post


Link to post
Share on other sites

Hi,  JJX     :welcome:
My name is Maurice. I will be helping and guiding you, going forward on this case.  Let me know what first name you prefer to go by.


Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 

 

It is a safe bet that the Hitman pro tagging of some parts of Malwarebytes is a false positive.
  
Please only just attach   all report files, etc  that I ask for as we go along.
 

[  2  ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
  
You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. 
Scroll down to the tips section "How do I disable them". 

 

[   3   ]

Using Chrome    need you to go to https://www.google.com/settings/chrome/sync     and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[   4   ]

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).
Then click on Dashboard button.
Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.
NOTE:  When it comes to the section "
Pre-installed applications

You can skip that.

Let Adwcleaner remove what it finds.  After that completes, do what follows.

 

[   5   ]

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
    Download Malwarebytes Support Tool

    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.3.749.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.
Thank you,


Sincerely.
 

Share this post


Link to post
Share on other sites

hi Maurice...will complete this steps over the next 24 hours. Thanks...

Share this post


Link to post
Share on other sites

Hi Maurice.

Tasks ran as per the above and results added. I all quarantined and deleted the repeating PUP.Optional.SearchManager entries found by most recent MalwareBytes Scan.

Results of support tool as per the attached...mbst-grab-results.zip

Share this post


Link to post
Share on other sites

Thanks for the Support tool report.  I should have noted before, that the Hitmanpro tagging Malwarebytes files is a false positive.

 

Using Chrome, i need you to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".
 

and

Other suggestions, for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"
Check mark the line "Download history"
Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

Still in Chrome, press ALT+F then Settings
Click Extensions on the left.
Closely review the browser extensions that are listed. Disable any that you are not familiar with or that you do not trust.
 

.

Next,

    Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

    Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

    and save it to your desktop.

close Chrome along with other web browsers just before starting the next special scan.

    RIGHT-click on the MBAR file and select RUN As administrator   & allow it to run.   Reply YES to allow it to proceed.

 

    •Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

    •mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

    •After reading the Introduction, click 'Next' if you agree.

    •On the Update Database screen, click on the 'Update' button.

    •Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

    With some infections, you may see two messages boxes:

    1.'Could not load protection driver'. Click 'OK'.
    2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

    •If malware is found, press the Cleanup button when the scan completes. .

    Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
      
 

Share this post


Link to post
Share on other sites

Hi Maurice.

Have already reset sync on all chrome sessions on this machine....do you need me to do so again?

Note that prior to your email, I ran full MWB scan, and its seems to find SearchManager on the ilals account on this machine

Thx...

JJX

Share this post


Link to post
Share on other sites

Hi Maurice.

All instance of chrome have had reset synch, and Malware Anti-rootkit BETA from url in my post has completed Scan, and no Malware found.

Thanks...
JJX

Share this post


Link to post
Share on other sites

The Chrome Sync only needed to be turned off one time.

You are reporting that the MBAR antirootkit reported no malware & the same for Malwarebytes for Windows.

Let me suggest 2 new scans with different tools.

[  1  ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

[    2   ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Share this post


Link to post
Share on other sites

HI Maurice,

 

Ran FULL SCAN and MSS results as attached.

Reported that it found and removed in VirTool:Win32/DefenderTamperingRestore, in attached dialog.

 

Running ESET next.msert.log

 

Thanks...

MS-SafeSCan-Results.jpg

Share this post


Link to post
Share on other sites

ok.  Thanks for that log.   I look forward to getting the log-report from ESET scan.

Cheers.

Share this post


Link to post
Share on other sites

You can get a more detailed report on each one by uploading a copy of each to Virustotal, who has scanners from many different security scanners, just as a precaution

( though it is more likely the tag by ESET is a false positive )

Just upload one at a time and save each output report

C:\Program Files (x86)\AVG\Antivirus\setup\aswOfferTool.exe

C:\Program Files (x86)\AVG\Antivirus\setup\offertool_x64_ais-c24.vpx

Using your web browser,  

Go to the link https://www.virustotal.com/gui/home/upload

 

You will see Choose file button.   Click that as a first step.   You will then see a dialog grid from Windows.

If you could, attach each VT report with next reply.   and let me know the overall status of this case.

Share this post


Link to post
Share on other sites

hi Maurice.

Ran both files via the website above, and both reporting as Undetected apart from ESET-NOD32, which both are detecting Win32/Bundled.Toolbar.Google.D Potentially Unsafe

SO looks like only ESET finding possible issue (maybe false positive?).

No sure how to extract file, so it that enough info here?

Thx 

JJX

Share this post


Link to post
Share on other sites

Yes,  it appears like a false positive by Eset.

By the name of those 2 files ( including "offer" in the named)   and both being in the "setup' sub-folder of AVG, I would be inclined to delete these 2 files.

Question now:  Is there anything else that you need at this point ?

Share this post


Link to post
Share on other sites

Hi Maurice.

Thanks so much for all the help here.

With results above running clear, and MalwareBytes now NOT returning SearchManager as found in Chrome,  I think we're done here.

One final question though - are we ok to continue to synch Chrome for each User?

Again...Many, Many Thanks for assist here.

Thx.

JJX

Share this post


Link to post
Share on other sites

Hi.   Very well then.

Whether to have Google Sync on is all up to you.  If you prefer to have the Google preferences kept the same across all your devices is up to you.  Your choice.

 

Cleanups.

You may delete the MBAR.exe  that you saved.

You may delete esetonlinescanner_enu.exe

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

 

If your security program alerts to Delfix either, accept the alert or turn your security off.

please right-click on Delfix  and choose run as administrator

Make Sure the following items are checked:

  Remove disinfection tools <----- this will remove tools we may have used.



Now click on "Run" and wait patiently until the tool has completed.

Any remaining  files/logs from tools we have used can be deleted.

.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

Also suggested for Chrome or Brave browser, the NoScript add-on extension for added protection from script exploits 

https://chrome.google.com/webstore/detail/noscript/doojmbjmlfjjnbmnoijecmcbfeoakpjm

 

.

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

.

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

All the very best wishes to you.   I am now closing this case.

Very Sincerely,

Maurice

 

Share this post


Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.