
Malicious website outbound attack; persistent PUP.Optional.Spigot in Chrome



Looking for guidance on two potentially related problems:

1) Beginning around Nov. 8, Malwarebytes (Premium 3.3.1) has been identifying PUP.Optional.Spigot during its daily scan of our desktop. When I click "quarantine," Google Chrome abruptly shuts down. I restart Chrome, and then Malwarebytes finds Spigot again on its next scan. I did check my Google Chrome extensions, and nothing suspicious shows up there. I also went through the processes described in "Chrome Secure Preferences detection always comes back," and it did not solve the problem. PUP.Optional.Spigot repeatedly comes back (in C:\USERS\ANN OR LIZ\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [647], [454814],1.0.3329). I also scanned our laptop, which is connected via home wifi network, and on which we use the same Google & gmail accounts as the desktop. The laptop had not been scanned in a long time; Malwarebytes found 55 threats -- many of them PUP.Optional.Spigot, in numerous locations. The Malwarebytes quarantine got rid of 54 of the 55; as with the desktop, the only one I can't get rid of is the one connected to Chrome. I did not re-enable sync.

2) On Nov. 20, Malwarebytes repeatedly blocked a malicious website, outbound. All but one was from File: C:\Windows\System32\svchost.exe; the other, from File: C:\Windows\System32\spoolsv.exe. I've checked our DNS servers (router & local ones on both computers) and all seems to be fine.

On a possibly related note, a credit card number that had been stored in Chrome was stolen and a fraudulent charge attempted on Nov. 21.

Can someone offer guidance on how to permanently get rid of PUP.Optional.Spigot in Chrome? And is it plausible that PUP.Optional.Spigot was the cause of the malicious website outbound attack on Nov. 20? If not, what else should we be doing?

Logs created via FRST and MB-Check are attached.

Thanks in advance for any guidance/assistance!

 

mb-check-results.zip


  • Root Admin

Any one of the many could have caused it. Sync is often the culprit too as it brings it back after being cleaned.

Some additional reading if you like

The complexity of finding, preventing, and cleanup from malware

Let me know if you need anything else, otherwise I'll go ahead and close your topic as resolved.

Thanks and have a great upcoming Holiday Season

Ron

 

 


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.