Jump to content
Halford2wo

"PUP.Option.MindSpark" blocking and/or removal

Recommended Posts

In our organiztion we are continually experiencing hundreds/thousands of log entries for PUP.Option.MindSpark in various forms within Chrome. Wondering how best to either block these or if this is something we need to worry about? Below is a sample from a Management Console report. Please let me know if I should be looking in a different area.

Thank you

PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0 Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\config Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\icons Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\js Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\_locales Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\_locales\en Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\mallpejgeafdahhflmliiahjdpgbegpk\13.855.14.50873_0\_metadata Anti-Malware
PUP.Optional.MindSpark 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mallpejgeafdahhflmliiahjdpgbegpk Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\config Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0 Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\icons Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\js Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\_locales Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\_locales\en Anti-Malware
PUP.Optional.MindSpark.Generic 02/27/2019 14:13 Quarantined C:\Users\sagerval\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajldmnbefgjhdcpcgppaiimhbdfjoedp\13.855.14.53017_0\_metadata Anti-Malware

 

Share this post


Link to post
Share on other sites

Usually repeated detection, removal and detection again of an object is a sign of a rootkit infection, however the path here is for Google's browser, this is a Google profile sync issue.

Chrome has an autosync feature that automatically places browser extensions and settings from a users home machine(s) to whichever other machine(s) they use and are signed into with Chrome.

For a more complete removal you need to have the users sign out of Chrome and then rescan, and use ADWCleaner - https://www.malwarebytes.com/adwcleaner/ -  which is much more aggressive against browser objects. ADWCleaner's abilities are not built into your MBES product, you'll need to use the standalone tool.

To prevent this from coming back repeatedly, you'll need to make a decision; scan and clean up your user's home machine(s) in addition to their work machines - not very many admins are willing to do that (though now you can now at least see the true risk your users present to your environment on all fronts), so the next option is - disable this functionality entirely. Google support has an article on how to disable the autosync feature via Group Policy.

Edited by djacobson

Share this post


Link to post
Share on other sites

one more question....could the same be said for "PUP.Optional.Spigot.Generic" and "PUP.Optional.SearchEncrypt.Genereic"?

Thanks!

PUP.Optional.Spigot.Generic 02/27/2019 14:06 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfkojpkekaiblehdinjpmndobbfobhde\1.1_0 Anti-Malware
PUP.Optional.Spigot.Generic 02/27/2019 14:06 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfkojpkekaiblehdinjpmndobbfobhde\1.1_0\css Anti-Malware
PUP.Optional.Spigot.Generic 02/27/2019 14:06 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfkojpkekaiblehdinjpmndobbfobhde\1.1_0\html Anti-Malware
PUP.Optional.SearchEncrypt.Generic 02/20/2019 14:05 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\oodblefojaocanejnikhhjcglbaelpbp\3.2.6_0 Anti-Malware
PUP.Optional.SearchEncrypt.Generic 02/20/2019 14:05 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\oodblefojaocanejnikhhjcglbaelpbp\3.2.6_0\css Anti-Malware
PUP.Optional.SearchEncrypt.Generic 02/20/2019 14:05 Quarantined C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\oodblefojaocanejnikhhjcglbaelpbp\3.2.6_0\img Anti-Malware

 

Share this post


Link to post
Share on other sites

Yes, anything tied to that Google Chrome path can do this autosync thing, C:\Users\[USERNAME]\AppData\Local\Google\Chrome\.

Mindspark and that Spigot / Search Encrypt place extra ad links on search results, change the default search function, and can poison your users search results to land them on compromised pages. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.