Jump to content

Malware.AI.3939612205 in Windows folder and persistent PUPs


Recommended Posts

Hi there,

Malwarebytes has identified a few PUP.Optional.PushNotifications.Generic threats on my computer a few times within a week. I am particularly cautious about what it's found within Windows folder today, which seems to be a new thing. Malwarebytes findings include:

1) Malware.AI.3939612205 in folder Disk:\Windows\Installer\F31E6D4.MSI
2) about 10 files PUP.Optional.PushNotifications.Generic in Disk:\Users\....\AppData\Local\Google\Chrome\User Data\Default\Sync Data\...

Any idea what the threat is all about and what may be its origin? Why does the same threat persist?

Thanks.

Link to post
Share on other sites
Hello Novosedoff and welcome to Malwarebytes,

Continue with the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

I have also checked my system with the use of Farbar, Adwcleaner and Kaspersky Virus Removal Tool (KVRT), but they've found nothing...

Should I still be worried about  Malware.AI.3939612205 and  PUP.Optional.PushNotifications.Generic?

What would be the most common reason for  PUP.Optional.PushNotifications.Generic to appear?

Link to post
Share on other sites

FRST was a diagnostic scan, so we could look an overview of your system.. Logs are saved here C:\FRST\Logs

AdwCleaner log shows 51 entries, did you not run the clean function..?

Edited by kevinf80
Link to post
Share on other sites
On 4/15/2021 at 11:28 PM, kevinf80 said:

AdwCleaner log shows 51 entries, did you not run the clean function..?

It's mostly software pre-installed by computer manufacturer when I purchased my notebook a few years ago. I find it no dangerous.

Link to post
Share on other sites
22 hours ago, kevinf80 said:

Do you intend posting logs from FRST...? Does Malwarebytes still flag same entries over and over..

It does, the problem persists, apart from the above listed PUPs I also occasionally get notification by Malwarebtes of Mailru PUP without even having opened mail.ru or vk.com websites (they are both owned by the same Russian financial group). I've already provided Malwarebytes and Adwcleaner's logs. Can we make a diagnosis without FRST log please? I ain't even asking for a solution yet, just curious about the possible triggers for those PUPs to penetrate my Chrome browser. None of my Chrome extensions are Russian-made except for Adguard. My router does enforce Family-level filtering protection by Yandex, which is also a Russian company (but they don't share business with mail group). So I am still a bit confused, where does that sh*t (pardon my French) come from? Any ideas?

Link to post
Share on other sites

The only suggestion I can give without seeing FRST logs is to make a clean install of Chrome....

Make clean install of Google Chrome, see if that clears the issue...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

For your Passwords go here:

https://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Continue for a clean install:

Download Chrome installer and save to install later:

https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings hit enter...


user posted image


In the new window that opens "Turn Off" option will show, select that option.


user posted image


You will then be given notice of what will be cleared. Checkmark the box that gives an option to clear bookmarks, passwords, history etc. Confirm that action by selecting "Turn Off" tab


user posted image


Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/


user posted image


If you use Google Drive, open the Google folder, right click on Drive and select "Copy" then right click on your Desktop or a folder of choice and select "Paste" to save that folder and its contents.


user posted image


When you successfully saved Google drive go back to Local folder, delete the folder named Google


user posted image


Next,

Install Google Chrome :

Next,

Import your Bookmarks... (instructions in the first step)

Import Passwords... (instructions in second step above)

Next,

Install Malwarebytes Browser Extension (Free) https://chrome.google.com/webstore/detail/malwarebytes-browser-exte/ihcjicgdanjaechkgeegckofjjedodee

Next,

Install uBlock Origin for Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

If you previously had Google Drive you will nee to download and install again: https://www.google.com/intl/en_rw/drive/download/

When that is completed transfer the contents of the save google drive folder to the new one...

Does that help
  • Thanks 1
Link to post
Share on other sites
Posted (edited)

Thanks, Kevin. I did everything as advised, step-by-step. I've fully re-installed Chrome and cleaned everything that I could for all user accounts on my computer, including administrative. There is only one thing I could not do for my limited Windows user account that I usually use while browsing websites from Chrome: I could not completely remove the folder   C:\Users\Your user name\Appdata\Local\Google\Chrome\User Data\Default. I mean I've managed to have everything removed within that folder, so there were no files remaining. I would have used FileAssasin to kill the rest, but unfortunately FileAssasin doesn't delete the folders. I've tried to load my computer in a minimal configuration (by changing settings in msconfig), hoping it will allow me to remove the Google\Chrome\User Data\Default, but it didn't help. I've tried to remove the folder by logging into my administrative account, but it didn't help too. By the way, somehow I have managed to remove the C:\Users\Your user name\Appdata\Local\Google\ for my administrative Windows account completely, but for my limited Windows account I couldn't do that. Below attached you can see the screenshot that shows an error message reported by Far Manager while I tried to remove the Google folder: it says in Russian that the folder is not empty, but I swear there were nothing within that folder, not even hidden files that could be seen by simply changing the viewer's settings. Trying to do the same in Windows Explorer didn't help either.

Before re-installing Chrome I ran Malwarebytes to scan the system, but it didn't find anything at all.

So once I'd re-installed Chrome from a scratch I scanned my system again. Attached is the log file listing what Malwabytes has found.

FarMess.jpg

111.txt

Edited by Novosedoff
Link to post
Share on other sites
Posted (edited)

Yes, it is correct, except for I quarantined the objects once the log had been taken, but the objects keep coming back.

The funny thing is that I had not even visited mail.ru page after re-installing Chrome, but as can be seen the log has a few mailru entities..

Edited by Novosedoff
Link to post
Share on other sites

Hiya Novosedoff,

Not sure if you turned off sync within Chrome to clear all backed up data from Google servers, that could be where the the entries keep returning from... use the instructions from the following link, please note these instructions will need to be followed on any/all devices that are interlinked..

 
When complete run Malwarebytes to clear all found entries, reboot then try Malwarebytes again...
 
Thank you,
 
Kevin..
Link to post
Share on other sites
Posted (edited)
13 hours ago, kevinf80 said:

Hiya Novosedoff,

Not sure if you turned off sync within Chrome to clear all backed up data from Google servers, that could be where the the entries keep returning from... use the instructions from the following link, please note these instructions will need to be followed on any/all devices that are interlinked..

 
When complete run Malwarebytes to clear all found entries, reboot then try Malwarebytes again...
 
Thank you,
 
Kevin..

 

Actually the sync for all devices (incl. mobile ones) was turned off, I even cleaned all the data for Chrome apps (not just cache) and turned off access to Internet for them too.  

I could not remove the Default folder, even though it was empty (see below screenshots taken as evidence just in case)

The problem with PUPs repeated itself once I had re-installed Chrome on my Windows station and launched Malwarebytes to do the scan 

222.jpg

333.jpg

Edited by Novosedoff
Link to post
Share on other sites

Hiya Novosedoff,

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135  Leave your system in clean boot...
 
Uninstall Chrome, When complete reboot your system, run Malwarebytes and remove all found entries...
 
Reinstall Chrome, run Malwarebytes again, do the pups return with system in clean boot mode...?
 
Thanks,
 
Kevin..
Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.