Help with removing PUP.Optional.MailRu from Chrome User Data folder


Hndy
Solved by Maurice Naggar

Dear all,

Often, I keep finding PUP.Optional.MailRu in my scan results.

It seems to reside in Chrome: Chrome\User Data\Default\Sync Data\LevelDB, Chrome\User Data\Profile 1\Sync Data\LevelDB, or Chrome\User Data\Profile 2\Sync Data\LevelDB.

Even after deleting the quarantine, it keeps returning after several days.

Could anyone help me remove the strange malware(?) from my computer? 

Attached a .txt from the scan results today.

MailRu.txt


Hello, Welcome to MALWARETIPS.
I'm nasdaq and will be helping you.

===


If Chrome is Synced with other Devices reset it.

https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/

https://support.google.com/chrome/answer/185277

Execute the suggested fix.

Restart the computer normally.

If the problem persists run this tool.
===========

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Choose a File.
Navigate to the location of the file.
Click the file. It will appear in section.
Click the Saving button.

Please attach the logs for my review.

Wait for further instructions

p.s.
This program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====


  • 2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 


I have followed the steps on the computer I am on, but have seen that it should be done on all computers where the Google account is signed into Chrome.

Since my family's computers are in different locations, I should collect them and repeat the steps tomorrow on all of them together. Will update.


Hello @Hndy, I have a few tips for you and new advice.

First, looking at the Malwarebytes for Windows scan report you sent, dated from 3rd December... Malwarebytes indicated

Geen actie door gebruiker

which in English is

No action by user

That means you did not TICK all the lines detected. Further to that, the issue is that your machine has the Google SYNC feature on.

The first step is to get that turned OFF. Let's do all that follows on your Windows machine. Let us move forward.

[ 1 ]

Use Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

[ 2 ]

For Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue)

[ 3 ]

In the Malwarebytes for Windows program, we want to do a special scan.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈


Then click on Quarantine selected.


Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more later. Please know that I volunteer here on this forum. I am not online all the time.


Dear Maurice, 

Thank you very much for your detailed explanation and for your help!!!

Tomorrow evening, I will follow these steps again on this computer and on my family's laptops where Chrome is currently syncing the same accounts to ensure that the issue will get solved.

Afterwards, I will export the report after quarantining the malware, and get back to you.

Kind regards.


Hi Maurice, 

I planned to do it on all machines at once since the very last step in the link (LINK) posted by nasdaq earlier in the thread said: "If you use Chrome to log in to any Google service from any other computer, please follow these steps before turning on Chrome sync on those computers as well. Failure to do this will cause this problem to continually reoccur."

If you think one machine at a time is better, I'll do that instead. 

Kind regards.


  • Solution

The scan result is very good. I have one more suggestion to better guard the Google Chrome web browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

Open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[ ALSO ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

and,

Yes, you may do what you need for Google and Chrome. Just always practice safe use best behavior on your computers and on the web.

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

I am very happy to have helped. Let me know if you need anything else at this point. 😎

Sincerely,

 


Dear Maurice,

Perfect, thank you very much for the well-explained tips and for your help!!! Much appreciated. 

I'm glad to say that I had already installed the Malwarebytes Browser Guard on all machines. Love all your other tips as well!

Again, thank you for your help and have a great new year's celebration! 

Kind regards.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you


This topic is now closed to further replies.