
PUP seems to be in sync with Google Account?

Discussion in 'General Malware And Security' started by liberty610, Nov 27, 2017.

  1. liberty610

    liberty610 Registered Members

    Joined:
    Sep 20, 2010
    Messages:
    48
    Location:
    Pa - USA
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    Gigabyte GA-X99-Ultra Gaming
    CPU:
    Intel Core i7-6800K
    Memory:
    G.Skill Ripjaws 4 series 32GB (4 x 8GB)
    Hard Drive:
    Samsung 950 PRO 512GB M.2
    Graphics Card:
    MSI GTX 1080
    Power Supply:
    Corsair Professional 750W 80+ Gold Certified Semi-Modular ATX Power Supply
    Okay guys, this one is a new one for me. I am running Google Chrome as my default browser on a Windows 10 64 bit PC.

    I just recently did a Malwarebytes scan the other day and it found 4 PUPs with 'Sweetpacks' in the description. Having to deal with the Sweetpacks toolbar in the past, I immediately quarantined the threats and looked into my control panel settings to remove the Sweetpacks software that was installed. Problem was, there was not any. I am really careful anytime I install software, especially if it is free, and I don't recall anything Sweetpacks related getting installed, so I was not able to find anything on my computer that was Sweetpacks related.

    So I went on my merry way after I quarantined the threats, thinking not much of it. Until today, when Malwarebytes again found the same 4 threats. I again quarantined them, deleted them, and then re-scanned. The same threats popped right back up again. In the description, it says these 4 threats are coming from one file. The file was located here:

    C:\Users\PCUSERNAMEHERE\AppData\Local\Google\Chrome\User Data\Default\Web Data

    This file is apparently a basic Google Chrome file. I closed Chrome, went into the directory, and scanned the 'Web Data' file by itself in Malwarebytes. The 4 threats popped up. I then manually deleted the file, and re-scanned. The threats were gone. As soon as I opened Chrome, it re-generated the 'Web Data' file, as I figured it would, and I scanned that file again with Malwarebytes and the 4 PUP threats were back.

    I then reset Chrome so I was no longer syncing my Chrome browser with my Google account. I then closed Chrome, and deleted the 'Web Data' file. When I reopened Chrome, it made another 'Web Data' file. I then scanned my computer with Malwarebytes and no threats were found. I went a step further and scanned the Web Data file by itself, and no threats were found.

    I then went back into Chrome and re-signed in so my Chrome browser was in sync with my Google account, and the Malwarebytes scan told me the 4 threats were back. I then reset Chrome again, un-syncing it from my account, deleted the 'Web Data' file, re-opened Chrome so it re-created the Web Data file, and scanned again with Malwarebytes. No threats found.

    I repeated this process a couple of times and have come to the conclusion that my Google account is syncing this Sweetpacks ordeal to my computer in this 'Web Data' file. And I am not sure how or why this got started. I saw on another site's forums that someone else was having the same issue, except it wasn't Sweetpacks in the threat names, but something else. But the same exact issue. 4 threats that would keep popping up after Malwarebytes would quarantine them.

    As of right now, I have not synced my Chrome browser to my account, and Malwarebytes says there are no threats. But apparently these 'threats' are somewhere on my account, because they keep syncing any time I log into my account with Chrome and sync my settings. Now, I can go to google.com and sign in to my account without any issues. But I cannot tell my Chrome browser on my PC to log in and sync to my account because that's when these potential threats come back.

    Has anyone heard of this issue or know how to resolve it? I saw a few web searches that had similar issues, and the one person also stated the threats were gone until he syncs with his account. And that post was right on the Malwarebytes forums.

    Any feedback would be great. Thanks!
     
  2. Tony D

    Tony D Super-Moderator Super Moderators

    Joined:
    Sep 25, 2009
    Messages:
    2,335
    Location:
    SE Pennsylvania, USA
    Operating System:
    Windows XP Professional
    I'm reading where Starbuck replied to a similar thread where Chrome was re-creating the PUPs.

    He probably won't be responding until tomorrow due to time zone differences. In the meantime, here are two excerpts from one of his replies.

    Note: Where I inserted <Your User name> you would insert your user name.
     
    liberty610 and starbuck like this.
  3. liberty610

    liberty610 Registered Members

    Thanks for the reply, Tony.

    I figured the part about the user name. It's good to hear about it not being malicious, but being a tech hungry kinda fella, I'd like to learn more about it and why it's there. I haven't found too much about it, so that's why I was curious as to what it was.
     
  4. starbuck

    starbuck Administrator - Malware Removal Specialist Administrator

    Joined:
    Sep 26, 2009
    Messages:
    3,203
    Location:
    Midlands, UK
    Operating System:
    Windows 10
    CPU:
    AMD Athlon II x2 250 Processor 3.00GHz
    Memory:
    8gb DDR3
    Hard Drive:
    500gb SATA
    Graphics Card:
    ASUS GeForce GTX 960 2gb
    Power Supply:
    650w PowerCool X-Viper
    Hi liberty

    Search engines and plugins are stored in the file called "Web Data" ( C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Web Data )
    So you may well have removed 'Sweetpacks' at an earlier date, but Chrome will still have references stored in the 'Web Data' folder.
    But that's all they are.... references.
    That's why the items are not malicious.
    If you remove these entries with MalwareBytes, Google just re-creates the data files.
    This doesn't mean that 'Sweetpacks' is actually on your system.
    The newer version of MalwareBytes was meant to address this problem, but it seems that it may still be happening.
     
  5. Tony D

    Tony D Super-Moderator Super Moderators

    Could one simply delete the Web Data file? I assume Chrome would create a new one without the old references. My guess is that history, cookies, etc would also be lost.
     
  6. starbuck

    starbuck Administrator - Malware Removal Specialist Administrator

    Yes, of course... but you would need to reinstall some of your plugins to recreate the Web Data file (which is a SQLite file)
    Yep.
    Good question.
    I have Chrome on one of my systems, will give it a go and see what actually gets removed.
     
    liberty610 likes this.
  7. liberty610

    liberty610 Registered Members

    Thanks so much for the reply! I have not had Sweetpacks installed on my current build, however, it was installed in the past and I'm sure I was syncing my Chrome browser with my Google account at that time. Is it possible that's why these references are popping up? Because of the last time Sweetpacks was installed? That was such a long time ago, I'm pretty sure it was a couple of builds ago.

    As I stated in my original post, I did delete the Web Data file manually, and Google recreated it of course. The Sweetpacks reference didn't come back in the Web Data file until I re-logged in and Chrome synced with my Google account. That's where I was getting confused and thought maybe something on Google's end was compromised.
     
  8. starbuck

    starbuck Administrator - Malware Removal Specialist Administrator

    Sounds very possible.
    I only use Chrome as a testing browser, it's not something that I use regularly, so not that familiar with its settings/sync etc.

    For something to try..... I tried to read the Web Data file (which is a SQLite database file) on my system.
    It's not a user friendly database:
    Opening in notepad.....( gives nothing readable )

    e59e7a26c3e17d38958b203d8b846a1a.png

    So after installing a SQLite database browser.... then opening the file, we get:

    06639325c163e4810ef3c84a47d2dfc0.png

    Conclusion ....... you won't get any readable info from the file.
    Oh well, gave me something to do for awhile. :)
     
    liberty610 and Tony D like this.
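
Added example (not part of any post in this thread, and not Chrome's or Malwarebytes' own code): the search-engine references discussed above sit in a SQLite table inside Web Data, and this Python code lists them from a copy of the file and filters for a name such as "sweetpacks". It assumes a `keywords` table with `short_name`, `keyword` and `url` columns, which can differ between Chrome versions; the sample database and the `sweetpacks.example` domain are constructed for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

def build_sample_db(path):
    """Create a constructed stand-in for Chrome's Web Data (subset of columns)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, "
                "short_name TEXT, keyword TEXT, url TEXT)")
    con.executemany(
        "INSERT INTO keywords (short_name, keyword, url) VALUES (?, ?, ?)",
        [  # constructed sample rows, not taken from a real profile
            ("Google", "google.com", "https://www.google.com/search?q={searchTerms}"),
            ("SweetPacks", "sweetpacks.example",
             "http://search.sweetpacks.example/?q={searchTerms}"),
            ("Bing", "bing.com", "https://www.bing.com/search?q={searchTerms}"),
        ],
    )
    con.commit()
    con.close()

def list_search_engines(web_data_path):
    """Return (id, short_name, keyword, url) rows read from a copy of the file."""
    # Work on a copy: Chrome locks the live file, and the original stays untouched.
    tmp_dir = tempfile.mkdtemp()
    copy_path = os.path.join(tmp_dir, "WebData.copy")
    try:
        shutil.copy2(web_data_path, copy_path)
        con = sqlite3.connect(copy_path)
        try:
            # Assumed schema: the keywords table holds the search-engine entries.
            return con.execute(
                "SELECT id, short_name, keyword, url FROM keywords ORDER BY id"
            ).fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)

def find_references(web_data_path, needle):
    """Rows whose name, keyword or URL contains needle (case-insensitive)."""
    needle = needle.lower()
    return [row for row in list_search_engines(web_data_path)
            if any(needle in (field or "").lower() for field in row[1:])]

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "Web Data")
    build_sample_db(sample)
    for row in find_references(sample, "sweetpacks"):
        print(row)
```

To inspect a real profile, close Chrome first and pass the path of the profile's Web Data file to `find_references`.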
  9. liberty610

    liberty610 Registered Members

    Joined:
    Sep 20, 2010
    Messages:
    48
    Location:
    Pa - USA
    Operating System:
    Windows 10
    Computer Brand or Motherboard:
    Gigabyte GA-X99-Ultra Gaming
    CPU:
    Intel Core i7-6800K
    Memory:
    G.Skill Ripjaws 4 series 32GB (4 x 8GB)
    Hard Drive:
    Samsung 950 PRO 512GB M.2
    Graphics Card:
    MSI GTX 1080
    Power Supply:
    Corsair Professional 750W 80+ Gold Certified Semi-Modular ATX Power Supply
    Well thanks for the help and the investigating! I will re-sync my Chrome app and see if I can add those to the exception list. Thanks for taking the time to reply to me!
     
