
Reoccurring Threats in Chrome - PUP.Optional.PushNotifications.Generic



On 7/17/2020 at 11:09 PM, AdvancedSetup said:

Hello @Metal_Man_From_Mars

If the Google Chrome clean up does not correct the issue for you please let me know and we can run some other scans to clean up the system.

Thanks

 

Hi,

I have been having this same issue for the past 24 hours, with the exact same threat name, type, and code, as the user above.

I have tried following the full steps to clear Google Chrome in the link above twice, and it helps for an hour or two, but the issue always returns. I have also quarantined and removed the files many times.

Could you please provide further advice on this? I'm quite concerned because I'm very careful about security and I've never had any issue like this before. Are you sure this isn't some kind of false positive?


I've been having an issue for the past 24 hours or so with Malwarebytes detecting threats from Google Chrome with the following details:

Name: PUP.Optional.PushNotifications.Generic

Code: 841288 (see below for full threat log)

I found other threads about dealing with similar issues, and I have tried the following steps several times:

- Quarantining and deleting the threats

- Disabling and fully resetting Google Chrome Sync

- Clearing History, Cookies, Cache, etc.

Whenever I follow these steps it solves the issue for a while, but within an hour or two it will always return.

I would really appreciate further advice on this issue. I am somewhat concerned because I am very careful about online security, and I have never had any issues like this before.

Is it possible this is some kind of false positive?

All advice appreciated.

 

-Log Details-
Scan Date: 7/19/20
Scan Time: 4:32 AM
Log File: 68fa2de4-c970-11ea-aa62-7085c257bfb6.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.979
Update Package Version: 1.0.27015
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: PCNAME\NAME

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 504425
Threats Detected: 11
Threats Quarantined: 0
Time Elapsed: 2 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 201, 841288, , , , 

File: 10
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.log, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 201, 841288, 1.0.27015, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

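To show what a log like the one above actually says before deciding whether it is a false positive, here is an added example (not from this thread and not Malwarebytes' own code) that parses the Folder/File item lines of a Malwarebytes 4.x text export and works out the directory every detection has in common. The embedded sample is a constructed subset of the posted log; the meaning of the fields other than name, path, action and the 841288 "Code" is an assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample: four item lines from the "-Scan Details-" section of the
# log posted above (NAME is the poster's own placeholder for the user name).
SAMPLE_LOG = r"""
Folder: 1
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 201, 841288, , , , 
File: 3
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 201, 841288, 1.0.27015, , ame, 
"""

class Detection(NamedTuple):
    kind: str      # section heading the item sits under: "Folder" or "File"
    name: str      # e.g. PUP.Optional.PushNotifications.Generic
    path: str
    action: str    # e.g. "No Action By User" or "Quarantined"
    code: int      # the number the thread calls the "Code" (841288)

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+): \d+$")
# name, path, action, <number>, <code>, ... ; the number before the code (201
# here) is not explained on the page, so it is matched but not kept (assumption).
ITEM_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>.+?), (?P<action>[^,]+), \d+, (?P<code>\d+),")

def parse_scan_details(text: str) -> List[Detection]:
    """Collect Folder/File items from a Malwarebytes 4.x text log export."""
    found, kind = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            kind = sec["kind"]
            continue
        item = ITEM_RE.match(line)
        if item and kind:
            found.append(Detection(kind, item["name"], item["path"],
                                   item["action"], int(item["code"])))
    return found

def common_root(dets: List[Detection]) -> str:
    """Longest directory prefix shared by every detection path. Comparison is
    case-insensitive because the log prints some paths upper-cased."""
    parts = [d.path.split("\\") for d in dets]
    root = []
    for column in zip(*parts):
        if len({p.lower() for p in column}) != 1:
            break
        root.append(column[0])
    return "\\".join(root)

if __name__ == "__main__":
    dets = parse_scan_details(SAMPLE_LOG)
    print(f"{len(dets)} items, all under: {common_root(dets)}")
```

On the posted log every item resolves to the same Chrome profile directory, which is the observation the Root Admin makes further down the thread.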

  • Root Admin

Hello @Firstprime

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


  • Root Admin

The log shows this is coming from the Google Chrome folder structure.

C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb

Again, I highly recommend that you look at cleaning Google Chrome. Sync data is due to a Google login account set up to Sync.

 

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

 

Are you sure you have not enabled or allowed Push Notifications on your browser?

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

I would also recommend that you uninstall Bonjour

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL. On a Mac or iOS device, this program is used for networking nearly everything. On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows. Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration; this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

I can write a clean up script to do some general cleaning, but this detection indicates it's due to Google Chrome SYNC being enabled.

 

 


I have left Google Chrome sync turned off - as well as notifications turned off - since I followed your instructions in the last post, yet this issue is still reoccurring.

It seems to be less than before. Only 1 PUP detected this time, but it's happened three times since we last spoke. Each time I quarantined the file and it keeps coming back.

It really doesn't look like this is just a sync issue.

I have attached the results of my most recent scan. Any further advice much appreciated.

 


I can't really disable all of my extensions because I need some of them for productivity reasons - Password manager, adblocker, Google Keep, etc. I have disabled all unnecessary extensions and I'll see how the next scan goes. It seems to take a few hours each time before the remaining PUP returns.

The only other Google software I use is Backup and Sync, to regularly backup some documents to Google Drive.

Could you please explain to me exactly how much risk is involved with this type of threat? I've been reading about them, but every article I've found doesn't seem to offer any definite answers. Can these PUPs damage my computer? Steal my data? Monitor my connections? Or can they just create fake and potentially malicious push notifications? It would be very helpful to know what level of risk we're talking about with these concerns.

Thanks again for your assistance.


  • Root Admin

PUPs, or Potentially Unwanted Programs, are programs that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.

In most cases they are not a direct threat to your system. In some cases it can lead to additional linking to sites that may attack your system. In most cases it's recommended to remove but in some cases users do decide they want to keep, which is their choice.

 


I haven't had a chance to test changing the DNS yet, I will try that tomorrow. But I just had something a bit odd happen.

I was going to run another scan just now, so I went and hovered my mouse over the Malwarebytes icon in my task bar. I right-clicked on the icon, and then quickly left-clicked accidentally before the menu popped up. Instead of the program opening I got a notification that said something like "Exclusion Added". When I opened the app and checked under the Allow List there was an exclusion added for an IP address. I was concerned so I immediately deleted it before I had a chance to take note of the IP. I scanned after this happened and nothing showed, but I have some queries about this situation:

1. I haven't been able to repeat what happened, or figure out any way that I could have done it. I know how to add an exclusion, but I can't figure out how I could have added an IP exclusion with only one or two clicks down by the toolbar icons. Could you please advise me on this? Is there some option or shortcut I may have accidentally hit there? Perhaps I could have somehow accidentally added an exclusion for my own IP or the IP of the current website I had open? If none of these things are possible I am concerned this may have been caused by some kind of malicious software, even though nothing showed on the last scan. It's possible I'm being paranoid here, but I have never had anything like this happen before, and it is suspicious that it has happened following the other issues.

2. Is there any way I could recover the exclusion details after it has been deleted, or check which IP/website this was related to?

Thanks Again.


  • Root Admin

It would probably be located in the mbamservice log file. If you want to upload a new set of logs I can review them and see if I can locate it or not.

The odd thing here is that cleaning Chrome normally works, but there appears to be something else, possibly network related, that might be part of the issue as well. That is why I've asked you to try using a different DNS provider.

 


I've just been researching some other threads and it looks like when a website/IP is blocked Malwarebytes will add an option that says "Add [Blocked Website/IP] to exclusions" to the right-click menu when you click the toolbar icon. I had never noticed that before. Is this correct? If that's the case I think I may have simply right-clicked and then accidentally clicked on that option as soon as the menu popped up. I would appreciate it if you could confirm that's how it works.

And a followup question: It looks like the last website/IP that was blocked was an address blocked due to a potential Trojan yesterday while I was downloading something. If what I stated above is correct, do you think it could do any harm to have momentarily added that address to the exclusion list? Or would it only cause problems if it was excluded while I was actively trying to connect to that site/IP? I only had it excluded for about 1 minute before deleting it. I will add the log file for this threat below just in case it is needed.

Sorry to be specific. I just want to be sure that I am protected. Once more, I appreciate the excellent support.

 


Thanks for the response. I was just hitting enter on that last message as your response came in. I would appreciate if you could let me know if I'm on the right track with my assumptions there.

I will continue scanning anyway, and try the DNS change as soon as I get a chance. Nothing found so far since that last scan I uploaded, but sometimes it's taken a while for the issue to reoccur. Hoping for the best.


  • Root Admin

Yes, all is good. Using Torrenting software often has IP blocks due to the Peer2Peer networks used. They often have threats on there as well because there are always means and methods that someone is trying to infect you and if possible try to force you to pay them to get your data back.

Personally I'd recommend against torrenting, but if you must then you can try adding the program as an exclusion to help prevent some IP blocks.

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is very much illegal, and there is always a chance of getting caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. We have seen an increase in malware being bundled with software downloads over P2P.
Please keep this in mind when sharing files that you're increasing the risk that your system might get infected. Scan all files prior to running them.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 

 


I've completed the ESET full scan. It found 0 threats, and 1 potentially unwanted program, which was removed. I don't think that should have been causing any problems, as it was just an old .exe from a game on an external hard-drive. I have attached the scan log below.

I also completed the Windows Defender full scan, which was clean. I am still running Chrome with all extensions disabled, sync disabled, and I have changed my DNS to the one you recommended. I ran a Malwarebytes scan after I changed the DNS, but before I started the Windows Defender and ESET scans, and the PUP reoccurred in that scan. I quarantined it again, and I will also attach that log below. I just performed another scan after completing all the tests, and nothing shows, but it usually takes more time to reoccur.

I will continue to monitor and scan over the next 24 hours, but I have a feeling it will be back. If you have any further advice I would appreciate it.

 
