PUP.Optional.MailRu keep coming back

Malwarebytes web protection failed (once at least; I couldn't enable it and it crashed).
I repaired it with the Malwarebytes repair tool.

My problem is the following:
Search engines @mail.ru and @yandex keep coming back even if I keep removing them. Also, Malwarebytes keeps finding a PUP.mail.ru threat in the Google Web Data file.
I made several clean installs, but that does not seem to solve the problem. I also asked a few friends whether they have the same thing in their search engines, and it turns out they similarly have the same thing. Now I'm a bit confused: is that detection from Malwarebytes a false positive, or do I really have some kind of virus in my system that I can't get rid of?

doc.txt


Hello Antr,

It would seem the problem you have is related totally to Google Chrome, a very common problem indeed. Use the instructions at the following link, make sure to follow them to the letter...

 

When that completes continue:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:

  • Single click on the target sight above the scanner window.
  • In the new window select Report.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > From Export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply.
    Export to Txt - if selected, you will have to name the file and save it to a place of your choice; I recommend "Desktop", then attach it to your reply.
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Post those logs in your next reply...

Thank you,

Kevin...

Thank you for answering.
I searched for answers on my own and found out the following:
In Estonia it seems that Google gives the search engines Yandex and mail.ru by default. That's confirmed by asking several people about their search engines, and also by doing clean Google Chrome installs on a freshly installed PC. That may answer why Malwarebytes keeps popping up with that mail.ru thing, because it was a thing back then.
AdwCleaner found nothing on my PC.
I also did several malware scans on my PC (with different AVs): nothing.
I also deleted all my sync data from Google; it seems that was a mistake, because overall it's still a false positive result.


I'm not OK with Google giving the mail.ru search engine by default. I'm also not OK with that false positive result finding that threat. But it seems I have nothing else to do than quit using Google Chrome.
But I can't do anything about Google deciding which extra search engines I should have besides Google itself.


Hello again Antr,

I've spoken to one of the Admin guys: mail.ru is not an FP, it is classed as a "PUP" (Potentially Unwanted Program) because of its history. If you want mail.ru on your system it can be added as an exclusion in Malwarebytes:

https://support.malwarebytes.com/hc/en-us/articles/360038479234-Add-to-the-Allow-List-in-Malwarebytes-for-Windows-v4.

That's all I can tell you. If you want to take it further you can raise a ticket for a more informative explanation:

https://support.malwarebytes.com/hc/en-us/requests/new

Thank you,

Kevin..


Hello again Antr,

I can close and lock the thread and move it. If you want logs removed etc you would have to contact an Administrator. I can only apologize for not giving the answers that you want. The only option is to contact customer service and submit a ticket...

Right click on FRST here: C:\Users\Arc\Downloads\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...
 
Thank you,
 
Kevin...

  • Root Admin

Hello @Antr and @kevinf80

Sorry to butt in here, but you should be able to choose any search engine you want and delete any you don't want. Though I am not a fan of Google Chrome myself and would suggest using Firefox, if you do wish to continue to use Google Chrome then please review the following link which should give you full control back to what is set and used in Google Chrome.

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

 


Thank you for answering.
I meant to make those files I uploaded here inaccessible.
Also, I really followed those instructions to reset all sync data, together with removing all data from Chrome, resetting and so on. I did it before I even came here. I tried absolutely every trick you suggested to those guys who had a similar problem. That thing didn't go away. That is the reason why I came here.
I'm thankful for the response and suggestion, but it gives the same issue as described before. So I assume it's a false positive alert from Malwarebytes because of bad experience with those search engines.


  • Root Admin

The article that Kevin sent you is like 1/5 of what this new link about Google Chrome is about. It is much more detailed by far, with many options, features, etc. to manage Chrome.

Clearing all local cache, cookies, site information, etc. will stop this. If Google Chrome is cleaned up it is impossible to detect stuff that has been deleted. So obviously there are more steps you can follow. Please take your time and re-read the article in FULL that I referenced.

Thank you again

 

 

Edited by AdvancedSetup
updated information

The issue is hidden in the fact that I'm from Europe and Google keeps giving me those search engines. I can never get rid of that issue, only with a VPN or by changing my location to Western society. Since there's a Malwarebytes office in Tallinn, maybe it's possible to redirect that issue there for further investigation. That would meet the requirements to look into that issue a little better. For now it's 100% sure that it's Google itself that keeps giving those search engines.
Thank you for answering and giving attention to that issue.
 


  • Root Admin

Please restart the computer. Then run FRST again and post back new logs.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


  • Root Admin

Have you installed IDEMIA AWP 5.3.3 on purpose, and do you use it?

https://www.idemia.com/

Chrome Token Signing appears to be from them as well.

 

You may want to reconsider whether you want to be using CCleaner or not:
https://www.howtogeek.com/361112/heres-what-you-should-use-instead-of-ccleaner/

https://www.howtogeek.com/172820/beginner-geek-what-does-ccleaner-do-and-should-you-use-it/

 

This entry here tells me that you missed the settings where we specifically talk about removing Policies from Google Chrome. This log entry shows there is some type of policy set on Google Chrome:

CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

From the Resetting Chrome topic:

Part A - Remove Policies

In some cases you may find that Chrome says "Managed by your organization". If in fact it is managed by your work organization then you should first check with them before attempting to remove any policies. For users where Chrome has had some policy set by malware then you may need to remove that policy before you can make certain changes to Chrome.

 

Did you set these persistent routes yourself, on purpose?

HKLM\System\...\Parameters\PersistentRoutes: [23.218.212.69,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [65.55.108.23,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [65.39.117.230,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [134.170.30.202,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [137.116.81.24,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [204.79.197.200,255.255.255.255,0.0.0.0,1]
HKLM\System\...\Parameters\PersistentRoutes: [0.0.0.0,0.0.0.0,192.168.1.1,-1]

 

You have old, compromised Java on the computer. Please go to Control Panel, Programs, Add/Remove and uninstall JAVA; if possible, please try to use your computer without Java. If you really have to use it, then make sure you keep it up to date at all times.

 

Please FULLY disable your ESET Security and make a new System Restore Point and run the following fix.


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 

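The two FRST findings the Root Admin asks about above (a key under HKLM\SOFTWARE\Policies\Google and a set of persistent routes) can be reviewed directly from an elevated PowerShell prompt before anything is deleted. The script below is an added example written for this page; it is not part of the thread, nor a Malwarebytes or FRST tool. It reads the same registry locations FRST reports, lists every Chrome policy value in both hives and every persistent route, marks /32 host routes, and shows the policy-key removal only with `-WhatIf` so it changes nothing by itself.

```powershell
# Added example, not from the forum thread: review the two FRST findings the
# Root Admin flagged (a Chrome policy key and persistent routes) before deciding
# what to remove. Run from an elevated PowerShell prompt on the affected PC.
# The only write action is shown with -WhatIf, so this script changes nothing.

function Get-ChromePolicyValues {
    # Chrome reads policies from both hives. On a home PC that is not joined to a
    # domain or enrolled in MDM, any key here is worth explaining; it is what
    # produces "Managed by your organization" and the FRST line
    # "CHR HKLM\SOFTWARE\Policies\Google: Restriction".
    $roots = 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # The root key itself plus every subkey (Chrome, Update, ...)
        $keys = @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $name
                    Data  = ($key.GetValue($name) -join ', ')
                }
            }
        }
    }
}

function Get-PersistentRoutes {
    # Persistent routes (route -p add ...) are stored as value NAMES of this key,
    # each in the form "destination,mask,gateway,metric", which is the text FRST
    # prints inside the brackets. A 255.255.255.255 mask is a host route that
    # pins a single address.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'
    if (-not (Test-Path $key)) { return }
    foreach ($name in (Get-Item $key).GetValueNames()) {
        $dest, $mask, $gw, $metric = $name -split ','
        [pscustomobject]@{
            Destination = $dest
            Mask        = $mask
            Gateway     = $gw
            Metric      = $metric
            HostRoute   = ($mask -eq '255.255.255.255')
        }
    }
}

Write-Host '== Chrome policy values (HKLM and HKCU) =='
$policies = @(Get-ChromePolicyValues)
if ($policies.Count -eq 0) { Write-Host 'none' } else { $policies | Format-Table -AutoSize }

Write-Host '== Persistent routes =='
$routes = @(Get-PersistentRoutes)
if ($routes.Count -eq 0) { Write-Host 'none' } else { $routes | Format-Table -AutoSize }

# Removal of a policy key that is confirmed NOT to come from an employer or
# school. -WhatIf only reports the action; drop it to actually delete the key,
# then restart Chrome and confirm that chrome://policy lists no policies.
if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') {
    Remove-Item -Path 'HKLM:\SOFTWARE\Policies\Google' -Recurse -WhatIf
}
# A single persistent route is removed with:  route delete <destination>
# (a persistent route survives reboots until it is deleted, which is why a
# stale one keeps reappearing in FRST logs).
```

Compare the route list with the output of `route print` and with any VPN, proxy or endpoint-protection software installed on the machine: a host route you cannot attribute to a product you installed is the one to ask about, as the Root Admin does here. For the policy key, `chrome://policy` in the browser shows the same values Chrome has actually loaded, so it is a quick way to confirm the key is gone after a removal.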

This topic is now closed to further replies.