Windows 10: Overrun by PUP's

Discuss and support Overrun by PUP's in AntiVirus, Firewalls and System Security to solve the problem; I run 3 PC's windows 10 32 bit windows 10 64 bit windows 7 32 bit Whenever I run malwarebytes, say after 2-3 days interval - it records 325 PUP... Discussion in 'AntiVirus, Firewalls and System Security' started by Skofab, Apr 20, 2016.

  1. Skofab Win User

    Overrun by PUP's


    I run 3 PC's
    windows 10 32 bit
    windows 10 64 bit
    windows 7 32 bit
    Whenever I run Malwarebytes, say at a 2-3 day interval, it records 325 PUP entries (this applies to each machine)

    This is a comparatively recent happening. Some guidance as to how to avoid this intrusion would be very much appreciated.
    All three PCs have Webroot Internet Security installed (but this happens regardless of whatever AV is installed)
    I use Google Chrome a lot for my visits to the net, etc.
    My ISP is talktalk, and I use Thunderbird as my email client.

    I await any comments with interest - thanks in advance

    EDIT / PS - I should have mentioned that the malwarebytes used is the free version - will the real-time version do the trick?

    :)
     
    Skofab, Apr 20, 2016
    #1

  2. PUPS

    Answer-by-number:

    1. Is Defender configured to detect PUPs & PUAs?

    2. Have you purchased MBAM Premium?

    3. Does this concern the same Dell 7559 laptop as in your
    11 August 2017 thread
    and if so, had your Norton subscription already expired by the time you uninstalled it?

    4. Have you ever run the Norton Removal Tool and/or the
    McAfee Consumer Products Removal Tool
    ?

    5. What Version & OS Build of Windows 10 is currently installed?

    • Press & hold the Windows Key and press the R
      key. In the RUN dialog, type WINVER and press the Enter key.

    ==================================

    COMMENT: There isn't an anti-virus/anti-malware application in the world
    that can stop a very determined user from infecting his/her own computer, intentionally or not.

    Cite:

     
    PA Bear - MS MVP, Apr 20, 2016
    #2
  3. Desktop win10 user-preferences "overrun" by MS account/laptop settings

    I used the "MS Store" application with my desktop PC for the first time recently. As verification it asked for my user email and password. I assumed it meant my MS account password.

    Both the laptop and the desktop have the same email as "user login" (perhaps for some kind of legacy reason). My MS account password (A) is the same as my old laptop's password (A). The laptop has a Win8-to-10 upgrade. My newer, recently installed Win10 desktop
    had a separate user password (B).

    When I booted my desktop the next time, the old desktop (B) password would not be accepted; instead I had to use password (A) to log in. I also noticed my desktop "user personalization" had changed to be somewhat more like my laptop's, "reddish menu colour tint" etc. As
    far as I've checked, all the device settings and privacy/internet settings seem to remain the same.

    A) Is this a "glitch" or a feature related perhaps to win 10 user sync?

    B) Is there a way to roll back my old desktop personalization? I cannot find any other user accounts on my PC to change to, such as my "old user login".

    C) Could there be any major security/privacy settings changed by this episode? (If not, then I think a rollback would not be needed; I could just change the password and desktop tint manually.)

    Thanks in advance.

    ---Mikko
     
    TinkerTailorSoldierMikko, Apr 20, 2016
    #3
  4. simrick Win User

    Overrun by PUP's

    Hi.
    First of all, MBAM (Malwarebytes Antimalware) Free should do the job just fine getting rid of them, but you have to go into the settings and tick the box to scan for Rootkits. Then do the custom scan, selecting the entire C drive. The paid version should prevent them from getting on your system in the first place.
    You may also want to run ADWCleaner, just to clean up things.

    Please also have a look at your installed applications and make sure nothing shady is in there.
     
    simrick, Apr 21, 2016
    #4
  5. lopedoggie, Apr 21, 2016
    #5
  6. Hi, @Skofab:

    A bit of clarification...
    As the others have pointed out, MBAM Free is only a manual, on-demand scanner that removes PUPs and malware already on the system.
    MBAM Premium -- when properly configured -- can help to PREVENT PUPs/malware infection in the first place.

    PUPs are not malware, in the strict sense of the term, as explained HERE. But they are generally junk that one likely does not need or want, and they can eventually get one into trouble with real malware.

    Having said that, scanning for ROOTKITS and scanning for PUPs/PUMs are actually different settings.
    In order to be sure MBAM is properly configured, open the dashboard > settings > detection and protection > non-malware protection and verify that both PUPs and PUMs are set to "treat detections as malware".

    If your settings are correct, but the PUPs seem to come back with each scan, then the most likely explanations include:
    • MBAM is having trouble removing them for some reason; and/or
    • They are re-spawning, either from software/malware on the system, from Google sync or from another source.

    If you would like, please follow the steps in THIS TUTORIAL to locate, export and post here as an ATTACHMENT to your next reply an MBAM SCAN LOG from one of the computers. That log may point to an explanation and possible solution.

    Thanks,
    MM
     
    MoxieMomma, Apr 21, 2016
    #6
  7. eLPuSHeR Win User
    Get an adblocker for your browser too. And protect your browsers from zero day attacks with Malwarebytes Antiexploit or similar.
     
    eLPuSHeR, Apr 21, 2016
    #7
  8. Skofab Win User

    Overrun by PUP's

    Thanks everyone for your responses to date.

    I would explain that I am aware that Malwarebytes free is only of use 'after the fact' - it does it seems certainly remove the listed entries effectively.
    I was unaware that there is a rootkit tickbox in malwarebytes settings - that has now been dealt with.

    I will keep a log - which I will forward at the next convenient time. As already mentioned, the readout suggests 325 entries that revolve around 'mindspark'
    Running ADWcleaner throws up just one entry (this I will try to include in my next post)

    From memory, I think the log list includes a reference to a Google extension - but - when I navigate to the Google extension list, no individual entry is marked as enabled.


    I will return!
     
    Skofab, Apr 21, 2016
    #8
  9. Skofab Win User
    Me again..........
    I have just found a saved log of a recent run of ADWCleaner - it was here that I found the references to Google/Chrome. Is this of any significance/help?






    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.html->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.html.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.js->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.js.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\content.js->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\content.js.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\content_lores.js->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\content_lores.js.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\htmlhelpers.js->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\htmlhelpers.js.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\icon128.png->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\icon128.png.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\icon48.png->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\icon48.png.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\manifest.json->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\manifest.json.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\_metadata\computed_hashes.json->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\_metadata\computed_hashes.json.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\_metadata\verified_contents.json->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\_metadata\verified_contents.json.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d16fk4ms6rqz1v.cloudfront.net_0.localstorage.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dulkizjkkg-a.akamaihd.net_0.localstorage->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_dulkizjkkg-a.akamaihd.net_0.localstorage.vir
    C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fdkhngaioieemngifhcjghfankkmbpca_0.localstorage->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fdkhngaioieemngifhcjghfankkmbpca_0.localstorage.vir
     
    Skofab, Apr 21, 2016
    #9
  10. Hi:

    Just to be clear, the ROOTKIT scanning setting in MBAM is separate and different from the PUP/PUM settings.
    It's certainly fine to enable the anti-rootkit feature, but it's not likely to directly impact the behavior you reported in your original post (recurring PUPs in sequential MBAM scans).
    Adding MBAE (Free or Premium) is another fine suggestion, but it won't fix your original issue, either.

    To more directly fix that particular problem, it would help to know if your PUP/PUM settings in MBAM are correctly configured, as suggested in my earlier reply #4 here.
    And, yes, the partial AdwCleaner log suggests that the PUPs are likely re-spawning from Google sync/Chrome/a Chrome extension.
    But it would also help to see the MBAM scan log, as previously suggested.

    >>Some PUPs (and some malware) can be rather pesky, requiring the use of multiple, powerful tools, in the correct sequence, as well as other interventions (e.g. resetting/reinstalling Chrome), for complete removal.

    HTH,
    MM
     
    MoxieMomma, Apr 21, 2016
    #10
  11. OldMike65 Win User
    OldMike65, Apr 21, 2016
    #11
  12. simrick Win User
    Just to reiterate:
    Since the OP indicates that the PUP/PUM selections are being flagged in the MBAM scan, I assumed those were already set to "treat as malware". The problem is that they keep coming back, hence the need for the Rootkit option in MBAM, and the ADWCleaner log. Mindspark is notorious for respawns. The log clearly indicates problems with the Chrome browser extensions.

    Now that ADWCleaner has been run, my recommendation would be to completely reset Chrome, Edge, and all other existing browsers on the system, removing all extensions, and then be very careful which ones you reintroduce to the browser(s).

    You may also want to install Unchecky.

    OldMike suggests a very good program here, which I use on all my systems, and those I work on as well.

    Good luck!
     
    simrick, Apr 21, 2016
    #12
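The AdwCleaner excerpt in post #9 and the advice in posts #10 and #12 (the PUPs are re-spawning via a Chrome extension; strip all extensions and reintroduce them carefully) can be turned into a repeatable check rather than a visual read of the log. The script below is an added example and is not code from the thread, from Malwarebytes or from AdwCleaner. It pulls extension IDs out of AdwCleaner quarantine lines of the shape quoted above, inventories every extension installed under a Chrome `User Data` directory by reading each `manifest.json`, and reports any previously quarantined ID that is back on disk, which is the re-spawn signal the thread is looking for. The directory layout it walks (`<profile>\Extensions\<32-char id>\<version>\manifest.json`) is Chrome's real one; the sample log lines and the temporary profile tree the demo builds, including the extension names "SampleToolbar" and "Harmless", are constructed fixtures, not data from the original poster's machines.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Constructed sample: lines in the shape of the AdwCleaner quarantine log quoted
# in the thread ("<original path>-><quarantine copy>.vir"). Not real log data.
SAMPLE_ADWCLEANER_LOG = r"""
C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.js->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\bg.js.vir
C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\manifest.json->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkpejdfnpdkhifgbancbammdijojoffk\6.65.62_1\manifest.json.vir
C:\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fdkhngaioieemngifhcjghfankkmbpca_0.localstorage->C:\AdwCleaner\FileQuarantine\C\Users\CJE\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fdkhngaioieemngifhcjghfankkmbpca_0.localstorage.vir
"""

# Chrome extension IDs are 32 characters drawn from a-p (derived from the
# extension's public key), so anything else under Extensions\ is not an ID.
EXT_ID = r"[a-p]{32}"
EXT_DIR_RE = re.compile(r"[\\/]Extensions[\\/](" + EXT_ID + r")[\\/]")
EXT_STORAGE_RE = re.compile(r"chrome-extension_(" + EXT_ID + r")_")


def quarantined_extension_ids(log_text: str) -> set[str]:
    """IDs named on the left (original-location) side of each quarantine line,
    taken from Extensions\\<id>\\ paths and chrome-extension_<id>_ storage files."""
    ids: set[str] = set()
    for line in log_text.splitlines():
        original = line.split("->", 1)[0]
        for rx in (EXT_DIR_RE, EXT_STORAGE_RE):
            m = rx.search(original)
            if m:
                ids.add(m.group(1))
    return ids


def inventory_extensions(user_data_dir: Path) -> list[dict]:
    """One record per installed extension version, across every profile
    (Default, Profile 1, ...) under a Chrome User Data directory."""
    records = []
    for manifest in sorted(user_data_dir.glob("*/Extensions/*/*/manifest.json")):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        if not re.fullmatch(EXT_ID, ext_id):
            continue                                   # not an extension directory
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            data = {}                                  # unreadable or half-written
        records.append({
            "profile": version_dir.parents[2].name,   # .../<profile>/Extensions/<id>/<ver>
            "id": ext_id,
            "version": version_dir.name,
            "name": data.get("name", "?"),
            "permissions": sorted(str(p) for p in data.get("permissions", [])),
        })
    return records


def respawned(user_data_dir: Path, log_text: str) -> list[dict]:
    """Extensions AdwCleaner quarantined earlier that are present on disk again."""
    gone = quarantined_extension_ids(log_text)
    return [r for r in inventory_extensions(user_data_dir) if r["id"] in gone]


def build_sample_profile(root: Path) -> Path:
    """Constructed fixture mirroring Chrome's real User Data layout."""
    user_data = root / "Google" / "Chrome" / "User Data"
    fixtures = {
        # same ID and version directory as in the quarantine log above
        ("dkpejdfnpdkhifgbancbammdijojoffk", "6.65.62_1"): {
            "name": "SampleToolbar",                   # constructed name
            "version": "6.65.62",
            "permissions": ["tabs", "webRequest", "<all_urls>"],
        },
        ("a" * 32, "1.0_0"): {
            "name": "Harmless", "version": "1.0", "permissions": ["storage"],
        },
    }
    for (ext_id, version), manifest in fixtures.items():
        d = user_data / "Default" / "Extensions" / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return user_data


def run_demo() -> dict:
    """Build the fixture in a temp dir and return the three results."""
    with tempfile.TemporaryDirectory() as tmp:
        user_data = build_sample_profile(Path(tmp))
        return {
            "quarantined": quarantined_extension_ids(SAMPLE_ADWCLEANER_LOG),
            "installed": inventory_extensions(user_data),
            "respawned": respawned(user_data, SAMPLE_ADWCLEANER_LOG),
        }


if __name__ == "__main__":
    result = run_demo()
    for r in result["installed"]:
        print(f"{r['profile']}  {r['id']}  {r['version']}  {r['name']}  {r['permissions']}")
    for r in result["respawned"]:
        print("RESPAWNED:", r["id"], r["name"])
```

On a live machine, point `inventory_extensions` at `%LOCALAPPDATA%\Google\Chrome\User Data` (with Chrome closed) and feed `quarantined_extension_ids` the saved AdwCleaner log; an ID that reappears after a clean is the thing to chase, not the files. Two places worth checking for the mechanism behind a reappearance, neither of which this script reads: Chrome Sync, which re-pushes extensions tied to the signed-in Google account (the Google sync suspicion raised in posts #10 and #13), and the `ExtensionInstallForcelist` policy under `HKLM\SOFTWARE\Policies\Google\Chrome` (and the HKCU equivalent), since a policy-forced extension is reinstalled after every manual removal. Names that come back as `__MSG_..._` placeholders are localized and would need to be resolved from the extension's `_locales` folder. Separately, the Defender PUA switch that post #2 asks about is `Set-MpPreference -PUAProtection Enabled`, a setting independent of anything Malwarebytes does.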
  13. Overrun by PUP's

    Hi:

    Actually, that's not true, as long as MBAM settings are correctly configured to "treat detections as malware".
    That is the default setting, but some users disable it, because they want to keep their PUPs/PUMs.

    Malwarebytes Adopts Aggressive PUP Policy
    What are the 'PUP' detections, are they threats, and should they be deleted?
    Malwarebytes Labs - PUPs

    Having said that, no one program removes 100% of malware/PUPs 100% of the time.
    And, because of legalities, some independently-authored anti-malware tools may be even more aggressive than MBAM at detecting and removing PUPs.

    SAS is great for tracking cookies, something MBAM does not target.

    Cheers,
    MM

    P.S. In the OP's case, they are likely re-spawning from Google sync or a Chrome extension. Until that is resolved, they are likely to reappear on scans.
     
    MoxieMomma, Apr 21, 2016
    #13
  14. simrick Win User
    Agreed.
     
    simrick, Apr 21, 2016
    #14
  15. jimbo45 Win User
    Hi there

    PUPS are quite different from typical Viruses.

    One of the major problems is that a PUP can often seem like a legitimate program as it's a normal Windows executable -- so you have to consider how do these "PUP blocker" programs decide what's a legitimate Windows program say PHOTOSHOP.EXE and a PUP called say IMAGES.EXE - which might well be a legitimate alternative Windows valid executable file.

    One would probably need a database of these rogue executables updated pretty regularly.

    This is by no means a trivial task - which is why it's wrong to rely 100% on things like MBAM etc. -- they won't have a hope of stopping all PUPs if you don't surf the web intelligently and safely.

    I have to admit though getting THAT MANY PUPS on a computer -- that must qualify for a "Guinness Book of Records" entry.

    People should understand also the difference between VIRUSES / MALWARE and PUPS -- totally different types of threats that need different solutions.

    Cheers
    jimbo
     
    jimbo45, Apr 21, 2016
    #15