
SPPD.SYS detected by Hitman Pro


9 replies to this topic

#1 splungee

Posted 15 April 2015 - 09:46 AM

I received a popup warning from Hitman Pro (DL'd here on Bleeping Computer) that I have SPPD.SYS installed and that it is a PUP. 

Elsewhere on the forums, someone else posted the same problem but did not post logs: http://www.bleepingcomputer.com/forums/t/571963/what-is-sppdsys-and-do-i-need-to-remove-it/

 

I recently installed PDF995, the sponsored version that posts ads, and Advanced System Care 8, that Avast thinks placed an unwanted toolbar (I think that was the warning).

 

I'm following the instructions offered to the poster of the above post and am reporting my logs here:

 

Adware Cleaner:


AdwCleaner[R0].txt - [5814 bytes] - [03/07/2014 21:05:09]
AdwCleaner[R1].txt - [1125 bytes] - [27/07/2014 13:55:51]
AdwCleaner[R2].txt - [1047 bytes] - [27/07/2014 14:02:46]
AdwCleaner[R3].txt - [4053 bytes] - [27/12/2014 21:07:28]
AdwCleaner[R4].txt - [2219 bytes] - [27/12/2014 21:37:08]
AdwCleaner[R5].txt - [1388 bytes] - [27/12/2014 22:50:02]
AdwCleaner[R6].txt - [1729 bytes] - [25/02/2015 22:42:03]
AdwCleaner[R7].txt - [12914 bytes] - [15/04/2015 08:18:07]
AdwCleaner[S0].txt - [5502 bytes] - [03/07/2014 21:32:02]
AdwCleaner[S1].txt - [1193 bytes] - [27/07/2014 13:56:44]
AdwCleaner[S2].txt - [1256 bytes] - [27/07/2014 14:03:50]
AdwCleaner[S3].txt - [4096 bytes] - [27/12/2014 21:09:19]
AdwCleaner[S4].txt - [2288 bytes] - [27/12/2014 21:46:06]
AdwCleaner[S5].txt - [1803 bytes] - [25/02/2015 22:45:37]

########## EOF - C:\AdwCleaner\AdwCleaner[R7].txt - [13328 bytes] ##########

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.5.4 (04.13.2015:1)
OS: Windows 7 Home Premium x64
Ran by Valued Customer on Wed 04/15/2015 at  8:22:00.16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] C:\Users\Valued Customer\appdata\local\stronghold_llc
Successfully deleted: [Folder] C:\Windows\syswow64\ai_recyclebin

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/15/2015 at  8:24:36.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

ESET:

 

C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application deleted - quarantined
C:\AdwCleaner\Quarantine\C\Windows\System32\sasnative64.exe.vir Win64/AdvancedSystemProtector.A potentially unwanted application deleted - quarantined
C:\Users\Valued Customer\Downloads\rcpsetup_marvip_a.exe Win32/Systweak.D potentially unwanted application deleted - quarantined
K:\downloads k\SoftwareUpdater.exe Win32/Packed.VMDetector.O potentially unwanted application deleted - quarantined
K:\Old PC\Program Files\Conduit\Community Alerts\Alert.dll Win32/Toolbar.Conduit.Y potentially unwanted application deleted - quarantined
K:\Old PC\Program Files\Games_Bar_1\tbGame.dll a variant of Win32/Toolbar.Conduit.B potentially unwanted application deleted - quarantined

 

Please let me know what you think, what my next steps are.
Thank you!

 




 


#2 quietman7 (Global Moderator)

Posted 16 April 2015 - 04:54 AM

VirusTotal Analysis of SPPD.SYS indicates it is related to Conduit/ClientConnect toolbar/extension distribution.

Please download RKill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log file will be created and saved to the root directory, C:\RKill.log
  • Copy and paste the contents of RKill.log in your next reply.
Important: Do not reboot your computer until you complete the next step.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file (mbam-setup.exe) to install, then follow these instructions for doing a THREAT SCAN in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • After the scan, make sure that everything is checked and then click the Remove Selected button to remove all the listed malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
-- Be sure to post the complete log to include the top portion which shows database version and your operating system. Refer to this topic for instructions on how to save/export a Scan log...How do I access and save logs from Malwarebytes Anti-Malware?.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 splungee (Topic Starter)

Posted 16 April 2015 - 07:40 PM

Thanks for the reply/advice!

 

RKill report:

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/16/2015 08:12:01 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 04/16/2015 08:12:15 PM
Execution time: 0 hours(s), 0 minute(s), and 14 seconds(s)

 

 

MBAM:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/16/2015
Scan Time: 8:15:07 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.04.16.06
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Valued Customer

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 357372
Time Elapsed: 5 min, 19 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)



#4 quietman7 (Global Moderator)

Posted 16 April 2015 - 07:47 PM


Perform a scan with Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click on EmsisoftEmergencyKit.exe to install and create a shortcut on the desktop.
  • Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\) as shown here.
  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner.
  • On the main screen click the Scan PC button.
  • Select Smart Scan, then click the Scan button.
  • When the scan is finished, click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Logs are named as follows: a2scan_Date-Time.txt (YYMODY) and saved to C:\EEK\bin\Reports\.
  • Alternatively you can click Export and save the log to your Desktop, then open by double-clicking on it.
  • Copy and paste the contents of that logfile in your next reply.


#5 splungee (Topic Starter)

Posted 17 April 2015 - 05:31 AM

Thanks again. 

Is it odd that every different scanner keeps finding stuff?

EEK found but could not remove SPPD, referring me to the experts on their site who would help me for free (I didn't copy the web site).

 

Here's the report:

Emsisoft Emergency Kit - Version 9.0
Last update: 4/17/2015 12:28:23 AM
User account: AVA-395819-1\Valued Customer

Scan settings:

Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\, C:\Program Files (x86)\

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 4/17/2015 12:28:50 AM
C:\Windows\System32\Drivers\SPPD.sys  detected: Application.SearchProtect.BI (B)
C:\Program Files (x86)\DriverUpdate  detected: Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate  detected: Application.InstallDrive (A)
C:\Users\Valued Customer\AppData\Local\SlimWare Utilities Inc\DriverUpdate  detected: Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP  detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-1215559615-4072840042-3781464165-1000\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE  detected: Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES INC\DRIVERUPDATE  detected: Application.InstallDrive (A)
C:\Windows\System32\drivers\SPPD.sys  detected: Application.SearchProtect.BI (B)

Scanned 218509
Found 8

Scan end: 4/17/2015 12:37:45 AM
Scan time: 0:08:55

C:\Windows\System32\drivers\SPPD.sys Quarantined Application.SearchProtect.BI (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES INC\DRIVERUPDATE Quarantined Application.InstallDrive (A)
Key: HKEY_USERS\S-1-5-21-1215559615-4072840042-3781464165-1000\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Quarantined Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP Quarantined Application.Win32.InstallAd (A)
C:\Users\Valued Customer\AppData\Local\SlimWare Utilities Inc\DriverUpdate Quarantined Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Quarantined Application.InstallDrive (A)
C:\Program Files (x86)\DriverUpdate Quarantined Application.InstallDrive (A)

Quarantined 7

 

What now?



#6 quietman7 (Global Moderator)

Posted 17 April 2015 - 05:40 AM

One characteristic of PUPs and other junkware is that they insert themselves (components) into various areas throughout a computer's operating system, including browsers, hidden folders and the Windows registry, making them more difficult to remove.

After a security vendor updates its product version or releases an update to definition databases, it is not uncommon for subsequent scans to detect files or traces of remnants and registry entries which had previously gone undetected (not reported) by prior scans. Remnants are typically harmless pieces of leftovers (registry keys, file fragments, folders) generally found after the primary program has been removed by a security scanner or uninstall of the parent software.

Just repeat your scans again in a few days and you should be ok.

#7 splungee (Topic Starter)

Posted 17 April 2015 - 09:37 PM

I appreciate the help, but I've still got SPPD, right? Do I navigate to EEK's site to get help there?

 

Addendum: I re-ran EEK and it didn't find SPPD (or anything else)! I guess it must have been a fragment, or else it was removed by the scan. Odd.



#8 quietman7 (Global Moderator)

Posted 18 April 2015 - 06:14 AM

There is no need to go to EEK's site to get help.

From your EEK log...

C:\Windows\System32\Drivers\SPPD.sys detected: Application.SearchProtect.B
C:\Windows\System32\drivers\SPPD.sys Quarantined Application.SearchProtect.BI


That indicates SPPD.sys was found and removed...moved into the quarantine folder. Are you saying it has returned or you are having further problems?
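As an added illustration, not part of the thread or of Emsisoft's own tooling: a small Python parser that pairs the "detected:" lines of an EEK log with its "Quarantined" lines after normalising path case. That is what explains the "Found 8 / Quarantined 7" count in the log above: SPPD.sys is listed twice, under Drivers\ and drivers\, and quarantined once, so nothing is left behind. The sample lines are copied from the posted log, abbreviated to four detections.

```python
import re

# Constructed sample: detection and quarantine lines copied from the Emsisoft
# Emergency Kit log posted in this thread, abbreviated to four detections.
# SPPD.sys is listed twice, once under "Drivers\" and once under "drivers\".
SAMPLE_EEK_LOG = r"""
Scan start: 4/17/2015 12:28:50 AM
C:\Windows\System32\Drivers\SPPD.sys  detected: Application.SearchProtect.BI (B)
C:\Program Files (x86)\DriverUpdate  detected: Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP  detected: Application.Win32.InstallAd (A)
C:\Windows\System32\drivers\SPPD.sys  detected: Application.SearchProtect.BI (B)

Scanned 218509
Found 4

C:\Windows\System32\drivers\SPPD.sys Quarantined Application.SearchProtect.BI (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\SDP Quarantined Application.Win32.InstallAd (A)
C:\Program Files (x86)\DriverUpdate Quarantined Application.InstallDrive (A)

Quarantined 3
"""

# One pattern per line type. The summary lines ("Found 4", "Quarantined 3")
# have nothing in front of the keyword, so they do not match.
DETECTED_RE = re.compile(r"^(?P<obj>.+?)\s+detected:\s+(?P<sig>.+)$")
QUARANTINED_RE = re.compile(r"^(?P<obj>.+?)\s+Quarantined\s+(?P<sig>.+)$")


def normalise(obj):
    """Windows paths and registry keys are case-insensitive: two log lines
    that differ only in case name the same object."""
    return obj.strip().lower()


def parse_eek_log(text):
    """Return (detection_lines, detected, quarantined): the raw count of
    'detected:' lines (EEK's Found figure) and two dicts keyed by the
    normalised object name, holding (name as logged, signature)."""
    detection_lines = 0
    detected, quarantined = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTED_RE.match(line)
        if m:
            detection_lines += 1
            detected.setdefault(normalise(m["obj"]), (m["obj"], m["sig"].strip()))
            continue
        m = QUARANTINED_RE.match(line)
        if m:
            quarantined[normalise(m["obj"])] = (m["obj"], m["sig"].strip())
    return detection_lines, detected, quarantined


def reconcile(text):
    """Summarise a scan: raw detections, unique objects, how many of those
    were quarantined, and which detections are still present afterwards."""
    detection_lines, detected, quarantined = parse_eek_log(text)
    remaining = sorted(name for key, (name, _sig) in detected.items()
                       if key not in quarantined)
    return {
        "found_lines": detection_lines,
        "unique_objects": len(detected),
        "quarantined": len(quarantined),
        "remaining": remaining,
    }
```

A non-empty "remaining" list is the case worth a follow-up scan; an empty one with found_lines greater than unique_objects is just the same object logged under two spellings.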

#9 splungee (Topic Starter)

Posted 20 April 2015 - 08:15 PM

No, I just got confused when it said I needed help to remove it, and then it wasn't detected. The system never ran badly and I'm not getting any more warnings. Thanks so much!



#10 quietman7 (Global Moderator)

Posted 20 April 2015 - 08:19 PM

You're welcome.