Jump to content

JS/Mindspark.E

CMS

By CMS
in Malware Finding and Cleaning

 Share

Recommended Posts

CMS

CMS 8

Posted
Posted

Hi All,

Had many alerts from 4 clients (out of 500) this morning. Seems to be an unwanted application, rather than a virus, but I'm guessing something new in the definitions means it's finding it.

Spotted someone else who had this also https://www.bleepingcomputer.com/forums/t/656585/eset-on-all-clients-suddenly-finding-mindspark-today/

Just checking if anyone else has this, should we be concerned?

Thanks

Link to comment
Share on other sites
Myrns

Myrns 0

Posted
Posted (edited)

Having the same alert on at least one machine today...no idea what it is, cant find anything else on the net other than bleepingcomputer.com post 

Untitled.jpg.fd56388be508b7097359590be4b91e39.jpg

Edited by Myrns
added attachment image, corrected text
Link to comment
Share on other sites
CMS

CMS 8

Posted
  • Author
Posted

I spoke to ESET support, and they say it's either a new threat or a change in classification that's now flagging it up. Not a virus though, just an unwanted app.

Link to comment
Share on other sites
Tech-Werks

Tech-Werks 0

Posted
Posted (edited)

Wikipedia: Mindspark is an adaptive-learning program (ITS) built by Educational Initiatives (EI). It is a cloud-based application that can run on computers, tablets, mobile phones and allows users to connect to Mindspark servers via a web browser.

Looks to me like it's a java based program for students taking E-Learning courses. The only users w/ these alerts that I have seen - just so happen to be interns in school still.

https://mindspark.in/

Not to be confused with PUP.Optional.Mindspark - an annoying adware system.

Might want to check with the clients before you rip out the PUP.

Edited by Tech-Werks
Link to comment
Share on other sites
bungleweed

bungleweed 0

Posted
Posted

I received a prompt from Eset last night telling me there was a file that was a possible threat (JS/Mindspark.E) it gave the option to clean but each time I would select "Clean" the message would reappear.  After selecting clean several times it requested a reboot which I did but when my computer came back up the message would appear again and would not move from my screen until I got to the reboot message. I downloaded two files yesterday that I purchased from a photography company and presumed that whatever this is,  possibly come from there but now that so many people are receiving this prompt I presume those files are safe.  It does not appear that Eset is clearing the malware if that is what it is since I continue to get the prompt.  So what do we do now?

Link to comment
Share on other sites
ofer1954

ofer1954 0

Posted
Posted

I have also reported two computers today with JS / Mindspark.E
Although this is "only" an application and not a virus,  is there a danger and what is its level of it?

JS_Mindspark.E.jpg

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,842

Posted
  • Administrators
Posted

It's a potentially unwanted application. A detection for the first variant (JS/Mindspark.A) was added in 2015 so the last one seems to be more popular than the previous ones.

If there's a problem cleaning it even with strict cleaning set, provide me with ELC logs from the particular computer. You can also choose to keep the extension and not to detect this particular PUA anymore. This is possible either via the advanced options in the yellow alert window (Exclude from detection), or via an ERA policy (Exlusions).

Link to comment
Share on other sites
Phatmista

Phatmista 0

Posted
Posted

Thanks Marcos. I originally posted in Bleeping computers as well. Put a link to here.

I didn't think it was anything big, just surprised by how many calls within 20 minutes we got. Still running in-depth virus scans on each of those computers just in case!

Thanks!

Link to comment
Share on other sites
RedSparr0w

RedSparr0w 0

Posted
Posted (edited)

Getting the same.

Everytime i clean it, just pops back up in "%LocalAppData%\Temp\...\CRX_INSTALL\" folder for multiple users on a server.

Quote

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
2017-09-09 12:36:38 PM;Real-time file system protection;file;C:\Users\<user>\AppData\Local\Temp\149\scoped_dir30020_28323\CRX_INSTALL\js\scriptInjector.js;JS/Mindspark.E potentially unwanted application;cleaned by deleting;<user>;Event occurred during an attempt to access the file by the application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (7394E09C7018A4E09A85D41C7589B42E95B43C9B).;0E8609F3C660D184BA23ABADD6826C9035B1BB5F;2017-09-09 12:36:07 PM

Was originally found in an extension folder which relates to this extension on chrome 

Edited by RedSparr0w
add log
Link to comment
Share on other sites
jtown82

jtown82 1

Posted
Posted (edited)

We have been getting the same thing have around 600 machines currently about 5-6 have been spamming this.  I guess I am blind as I do not see anything in the alert section in regards to "advanced options to whitelist this or ignore it ect.  Sadly Eset has one of the worst GUIs in the history anything.

  • file:///C:/Users/Benjamin.Beegle/AppData/Local/Google/Chrome/User Data/Default/Extensions/lgfehfbnofiffladdncogfobimealokp/1.300.11.57732_0/components/api/background/widget-api-impl.js
     
     
  •  

 

 

  • THREAT NAME
    JS/Mindspark.E
     
     
  • THREAT TYPE
    potentially unwanted application
     
     
  • SEVERITY
    Critical
     
     
  • OCCURRED
    2017 Sep 10 16:13:39
     
     
  • THREAT HANDLED
    No
     
     
  • RESTART NEEDED
    No
     
     
  • ACTION TAKEN
     
     
     
  • ACTION ERROR
    unable to clean
     
     
  • OBJECT TYPE
    file
     
     
  • OBJECT URI
    file:///Startup
     
     
  • CIRCUMSTANCES
     
     
     
  • SCANNER
    Startup scanner
     
     
  • ENGINE VERSION
    16061 (20170910)
     
     
  •  
Edited by jtown82
Link to comment
Share on other sites
CMS

CMS 8

Posted
  • Author
Posted

I spoke to support again yesterday, and after a long time looking at a PC that was generating the errors it was said that Virusradar essentially showed it as being recorded as a false positive over the weekend, and this was corrected on Sunday. I don't see this item listed at all on Virusradar though, so not sure if ESET support get a more detailed version.

Link to comment
Share on other sites
CMS

CMS 8

Posted
  • Author
Posted

I spoke to support again yesterday, and after a long time looking at a PC that was generating the errors it was said that Virusradar essentially showed it as being recorded as a false positive over the weekend, and this was corrected on Sunday. I don't see this item listed at all on Virusradar though, so not sure if ESET support get a more detailed version.

I've not had any more virus alerts since yesterday.

Link to comment
Share on other sites
Cp3p0

Cp3p0 6

Posted
Posted

The solution I found for this exact message was to open Chrome prompting the JS/Mindspark message leaving it open
Then drag this to the corner of your screen out of sight,
 
Now....

1)Chrome>More Tools>Removing all extensions except for Google related ones.
2)Clear cookies & cache under advanced settings
3)Drag the prompt back on screen and select "Clean" for all prompts..

You'll then be notified to restart the computer, select yes..

When the computers back up and running open Chrome and these messages will be gone.

If you then choose to do so, you can re-add the extensions later. 

Link to comment
Share on other sites
jtown82

jtown82 1

Posted
Posted (edited)

Still getting alerts in our system for the exact same thing. typical that Eset would try and blame virus radar.  in the end its ESET vault.  They are the vendor and need to resolve it regardless of what other 3rd party vendors have a hand in it.  Sadly When you have 1300 machines the above method is not a solution. ESET will be losing a fairly large customer when our contract comes back around if this isn't resolved quickly. 

Edited by jtown82
Link to comment
Share on other sites
Cp3p0

Cp3p0 6

Posted
Posted
7 hours ago, Edmund129 said:

OK, so what is the Fix?

Hey Edmund129,

Follow my above steps clearly, it's guaranteed to work. So far I've resolved at least 20 computers with this issue. 

Link to comment
Share on other sites
79YJ

79YJ 0

Posted
Posted

I tried Cp3p0's fix yesterday and it worked.  This morning when I started up my system, it is back and fix does not work now.  Anyone have js/mindspark.e return after using Cp3p0's fix?

Link to comment
Share on other sites
jtown82

jtown82 1

Posted
Posted

i also have a user with a Chrome Apps launcher shortcut using this string.  ""C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --show-app-list"    and the second its clicked on ESET flags it but doesn't actually stop it from opening up chrome and such.  still wish ESET would actually push a REAL fix to this.

Link to comment
Share on other sites
Dave B

Dave B 0

Posted
Posted (edited)

Actually I spoke too soon. 24 hours later, the alerts have returned.

Full details;

JS/Mindspark.E

Event occurred during an attempt to access the file.

Threat Handled - No

Location - %username%AppData/Local/Temp/scoped_dir7224_24928/CRX_INSTALL/js/scriptInjector.js

I navigated to that path and cannot find the file in question.

ESET What do you advise?

Edited by Dave B
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...