Jump to content

Recommended Posts

On 7/17/2020 at 11:09 PM, AdvancedSetup said:

Hello @Metal_Man_From_Mars

If the Google Chrome clean up does not correct the issue for you please let me know and we can run some other scans to clean up the system.

Thanks

 

Hi,

I have been having this same issue for the past 24 hours, with the exact same threat name, type, and code, as the user above.

I have tried following the full steps to clear Google Chrome in the link above twice, and it helps for an hour or two, but the issue always returns. I have also quarantined and removed the files many times.

Could you please provide further advice on this? I'm quite concerned because I'm very careful about security and I've never had any issue like this before. Are you sure this isn't some kind of false positive?

Link to post
Share on other sites

I've been having an issue for the past 24 hours or so with Malwarebytes detecting threats from Google Chrome with the following details:

Name: PUP.Optional.PushNotifications.Generic

Code: 841288 (see below for full threat log)

I found other threads about dealing with similar issues, and I have tried the following steps several times:

- Quarantining and deleting the threats

- Disabling and fully resetting Google Chrome Sync

- Clearing History, Cookies, Cache, etc.

Whenever I follow these steps it solves the issue for a while, but within an hour or two it will always return.

I would really appreciate further advice on this issue. I am somewhat concerned because I am very careful about online security, and I have never had any issues like this before.

Is it possible this is some kind of false positive?

All advice appreciated.

 

-Log Details-
Scan Date: 7/19/20
Scan Time: 4:32 AM
Log File: 68fa2de4-c970-11ea-aa62-7085c257bfb6.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.979
Update Package Version: 1.0.27015
License: Premium

-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
User: PCNAME\NAME

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 504425
Threats Detected: 11
Threats Quarantined: 0
Time Elapsed: 2 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, No Action By User, 201, 841288, , , , 

File: 10
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.log, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.ldb, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000001, No Action By User, 201, 841288, , , , 
PUP.Optional.PushNotifications.Generic, C:\USERS\NAME\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, No Action By User, 201, 841288, 1.0.27015, , ame, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

  • Root Admin

Hello @Firstprime

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

  • Root Admin

The log shows this is coming from the Google Chrome folder structure.

C:\Users\NAME\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.ldb

Again, I highly recommend that you look at cleaning Google Chrome.  Sync data is due to a Google login account setup to Sync.

 

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

 

Are you sure you have not enabled or allowed Push Notifications on your browser?

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

I would also recommend that you uninstall Bonjour

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

I can write a clean up script to do some general cleaning, but this detection indicates it's due to Google Chrome SYNC being enabled.

 

 

Link to post
Share on other sites

I have left Google Chrome sync turned off - as well as notifications turned off - since I followed your instructions in the last post, yet this issue is still reoccurring.

It seems to be less that before. Only 1 PUP detected this time, but it's happened three times since we last spoke. Each time I quarantined the file and it keeps coming back. 

It really doesn't look like this is just a sync issue.

I have attached the results of my most recent scan. Any further advice much appreciated.

 

Link to post
Share on other sites

I can't really disable all of my extensions because I need some of them for productivity reasons - Password manager, adblocker, Google Keep, etc. I have disabled all unnecessary extensions and I'll see how the next scan goes. It seems to take a few hours each time before the remaining PUP returns.

The only other Google software I use is Backup and Sync, to regularly backup some documents to Google Drive.

Could you please explain to me exactly how much risk is involved with this type of threat? I've been reading about them, but every article I've found doesn't seem to offer any definite answers. Can these PUPs damage my computer? Steal my data? Monitor my connections? Or can they just create fake and potentially malicious push notifications? It would be very helpful to know what level of risk we're talking about with these concerns.

Thanks again for your assistance.

Link to post
Share on other sites

  • Root Admin

PUPs, or Potentially Unwanted Programs, are programs that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.

In most cases they are not a direct threat to your system. In some cases it can lead to additional linking to sites that may attack your system. In most cases it's recommended to remove but in some cases users do decide they want to keep, which is their choice.

 

Link to post
Share on other sites

I haven't had a chance to test changing the DNS yet, I will try that tomorrow. But I just had something a bit odd happen.

I was going to run another scan just now, so I went and hovered my mouse over the Malwarebytes icon in my task bar. I right-clicked on the icon, and the quickly left-clicked accidentally before the menu popped up. Instead of the program opening I got a notification that said something like "Exclusion Added". When I opened the app and checked under the Allow List there was an exclusion added for an IP address. I was concerned so I immediately deleted it before I had a chance to take not of the IP. I scanned after this happened and nothing showed, but I have some queries about this situation:

1. I haven't been able to repeat what happened, or figure out any way that I could have done it. I know how to add an exclusion, but I can't figure out how I could have added an IP exclusion with only one or two clicks down by the toolbar icons. Could you please advise me on this? Is there some option or shortcut I may have accidentally hit there? Perhaps I could have somehow accidentally added an exclusion for my own IP or the IP of the current website I had open? If none of these things are possible I am concerned this may have been caused by some kind of malicious software, even though nothing showed on the last scan. It's possible I'm being paranoid here, but I have never had anything like this happen before, and it is suspicious that it has happened following the other issues.

2. Is there any way I could recover the exclusion details after it has been deleted, or check which IP/website this was related to?

Thanks Again.

Link to post
Share on other sites

  • Root Admin

It would probably be located in the mbamservice log file if you want to upload a new set of logs I can review and see if I can locate it or not

The odd thing here is that cleaning Chrome normally works but there appears to be something else possibly network related that might be part of the issue as well. Why I've asked to try using a different DNS provider.

 

Link to post
Share on other sites

I've just been researching some other threads and it looks like when a website/IP is blocked Malwarebytes will add an option that says "Add [Blocked Website/IP] to exclusions" to the right-click menu when you click the toolbar icon. I had never noticed that before -  Is this correct? If that's the case I think I may have simply right clicked and then accidentally clicked on that option accidentally as soon as the menu popped up. I would appreciate if you could confirm if that's how it works.

And a followup question: It looks like the last website/IP that was blocked was an address blocked due to a potential Trojan yesterday while I was downloading something. If what I stated above is correct, do you think it could do any harm to have momentarily added that address to the exclusion list? Or would it only cause problems if it was excluded while I was actively trying to connect to that site/IP? I only had it excluded for about 1 minute before deleting it. I will add the log file for this threat below just in case it is needed.

Sorry to be specific. I just want to be sure that I am protected. Once more, I appreciate the excellent support.

 

Link to post
Share on other sites

Thanks for the response. I was just hitting enter on that last message as your response came in. I would appreciate if you could let me know if I'm on the right track with my assumptions there.

I will continue scanning anyway, and try the DNS change as soon as I get a chance. Nothing found so far since that last scan I uploaded, but sometimes it's taken a while for the issue to reoccur. Hoping for the best.

Link to post
Share on other sites

  • Root Admin

Yes, all is good. Using Torrenting software often has IP blocks due to the Peer2Peer networks used. They often have threats on there as well because there are always means and methods that someone is trying to infect you and if possible try to force you to pay them to get your data back.

Personally I'd recommend against torrenting but if you must then you can try adding the program as an exclusion to help prevent some IP blocks

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is very much illegal, and there is always a chance of getting caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. We have seen an increase in malware being bundled with software downloads over P2P.
Please keep this in mind when sharing files that you're increasing the risk that your system might get infected. Scan all files prior to running them.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

 

Link to post
Share on other sites

I've completed the ESET full scan. It found 0 threats, and 1 potentially unwanted program, which was removed. I don't think that should have been causing any problems, as it was just an old .exe from a game on an external hard-drive. I have attached the scan log below.

I also completed the Windows Defender full scan, which was clean. I am still running chrome with all extensions disabled, sync disabled, and I have changed my recommended DNS to the one you recommended. I ran a Malwarebytes scan after I changed the DNS, but before I started the Windows Defender and ESET scans, and the PUP reoccurred in that scan. I quarantined it again, and I will also attach that log below. I just performed another scan after completing all the tests, and nothing shows, but it usually takes more time to re-occur.

I will continue to monitor and scan over the next 24 hours, but I have a feeling it will be back. If you have any further advice I would appreciate it.

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.