StevenRoy

SProtector.dll and why you shouldn't have it. [Sep. 28th, 2012|03:39 am]

Just typing this up for the benefit of others who have the same problem and have to resort to a Google search. (The next-best thing to knowing stuff!)

Here's the problem I encountered on a relative's computer:
  Several programs would not start at all, instead giving the typical "This program died" error message right off the bat. In most (but not all) cases, rundll32.exe will crash in ntdll.dll with exception code 0xC0000374 (This is the "STATUS_HEAP_CORRUPTION" error) yada-yada-yada...
Here's a partial list of the programs that were affected:
• Internet Explorer (and it probably would've affected Firefox and Chrome too if they had been installed)
• Security Center in Control Panel
• Windows Firewall in Control Panel
• Internet Settings in Control Panel
• Various other components...
Even GMER, the experts-only use-at-your-own-risk tool for digging out all evidence of rootkit-like virus activity, gets partway through the scan and then crashes. (UPDATE: Turns out that was an unrelated issue.)

This one had me stumped for a few days. (Plus the time it took to run the virus scans; several different programs, each taking a full day because it was a Windows Vista system. Damn, I hate Vista!)

The culprit turned out to be this file:
C:\Program Files\SProtector\SProtector.dll
AKA
C:\progra~1\sprote~1\Sprote~1.dll

Neither AVG, Microsoft Security "let's look like we're trying" Essentials, Windows Malicious Software Removal Tickler, Spybot S&D, nor Malwarebytes' Anti-Malware identify this file as dangerous. Even some determined Google searching yielded no useful clues as to what this file actually is, or what it does... aside from one report, just one, that it might, just might, be a trojan of some sort.

I didn't even suspect that file until I noticed some interesting things about it: The file loads automatically by using the "AppInit_DLLs" registry section (easy to notice because HijackThis scans there), it contains no version information, it has no other files aside from an "uninstall.exe" in its directory, and there's a "SProtector" section in the registry that contains some sort of encrypted data. Put together, these are enough warning signs to be called "warning signs". (UPDATE: Later investigation showed that the DLL file was compressed with UPX as well, just to make its contents slightly harder to examine!)

Deleting the file, and the reference to it in AppInit_DLLs, fixed the problem.

Now that all doubt's been removed, all that's missing is a way to report my findings to the makers of AVG, MBAM, Spybot S&D, Microsoft's MRT team, et cetera, et cetera, et cetera...
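
An added example, not part of the original post: a PowerShell check for the warning signs listed above (an AppInit_DLLs entry, no version information, a near-empty directory, UPX packing), plus the Authenticode signature status. It assumes Windows PowerShell 2.0 or later; `Test-UpxSections` is a hypothetical helper name.

```powershell
# Added example: triage every DLL registered under AppInit_DLLs.
# Both registry views are read: native, and 32-bit (Wow6432Node) on x64 Windows.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'

function Test-UpxSections {   # hypothetical helper name
    param([string]$Path)
    # UPX-packed PE files normally have sections named UPX0 and UPX1. The
    # section table follows the PE header, so the first 4 KB is enough.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] 4096
        $read = $stream.Read($buffer, 0, $buffer.Length)
    } finally {
        $stream.Dispose()
    }
    $head = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
    return ($head.Contains('UPX0') -and $head.Contains('UPX1'))
}

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.AppInit_DLLs) { continue }

    # One string holds the whole list, split on spaces or commas; that is why
    # a path with spaces shows up in 8.3 form (C:\progra~1\...).
    foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        $file = Get-Item -LiteralPath $entry -Force -ErrorAction SilentlyContinue
        if (-not $file) {
            Write-Warning "$key lists '$entry', which was not found as written"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        New-Object PSObject -Property @{
            Key         = $key
            Entry       = $entry
            LoadEnabled = $props.LoadAppInit_DLLs   # Vista and later: 1 = list is loaded
            Signature   = $sig.Status               # e.g. Valid, NotSigned
            HasVersion  = [bool]$file.VersionInfo.FileVersion
            Company     = $file.VersionInfo.CompanyName
            UpxSections = Test-UpxSections $file.FullName
            FilesInDir  = @(Get-ChildItem -LiteralPath $file.DirectoryName -Force).Count
        }
    }
}
```

Pipe the output to `Format-List` to read it. An entry that is unsigned, has no version information, shows UPX sections and sits in a directory with only one or two files matches the combination described in the post.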

Comments:
From: marmoe
2012-09-28 01:01 pm (UTC)

Interesting. Thanks.

Could it be that it is not actually malware, but simply part of software that is incompatible with Vista? See:

https://bugzilla.mozilla.org/show_bug.cgi?id=785940#c13
http://www.safend.com/65-en/Safend%20Protector.aspx

The software described would on the one hand hook into anything running on the PC and on the other hand be low-level enough to seriously depend on the version of the system (crappy installer that would allow such a thing to happen in the first place). Looks like a recipe for a disaster of the likes that happened in your case.

Edited at 2012-09-28 01:01 pm (UTC)
From: stevenroy
2012-09-28 11:35 pm (UTC)

That's not likely, considering that the name "Safend" doesn't appear anywhere in the DLL file, the uninstaller program, any file paths, the "Add/remove Programs" list (It's listed as "SProtector 1.62" and nothing else)... or anywhere else on the computer.

Also, that page you linked to says "Safend Protector is a component of the Safend Data Protection Suite". One DLL file and one "uninstaller.exe" file hardly constitutes a "suite"!
From: marmoe
2012-09-29 10:59 am (UTC)

Point taken. Good sleuthing in any case.
From: (Anonymous)
2013-01-22 03:04 pm (UTC)

Sprotector.dll

hey there ^^. I just ran a Norton power eraser and it showed that I have a sprotector.dll, though it doesn't have any info on what it is. Should I delete it or should I just ignore it? thanks ^^. Lately I've been having errors on some apps and after searching I found out that the .dll could be the prob
From: stevenroy
2013-01-23 08:29 am (UTC)

Re: Sprotector.dll

Yeah, if it's the same sprotector.dll that I'm talking about here (and it probably is), you should remove it.
From: (Anonymous)
2012-12-11 12:50 am (UTC)

I really got to hand it to you man,
I've had this problem for a few months now, where any of my installed browsers would start, you'd have to try a few (more like 10) times just to open 1 page..
and no one could help me solve it!!
was just gonna delete a program I recently installed (office) to see if MAYBE that would solve it, and I happened to stumble on this one program (sprotector 1.62) which had no other information on it other than its name.
googled it up, and found your post.
deleted all the related files like you suggested and now everything is back in order!

sorry for the long post, just wanted to thank you.

with regards, konkrash.
From: stevenroy
2012-12-11 07:22 am (UTC)

Hooray for Google, am I right? I'm glad I was able to help!
From: (Anonymous)
2012-12-26 06:50 pm (UTC)

sprotector.dll

Hi! Thank you for sharing that info.
I was unable to start iexplore.exe, firefox.exe and chrome.exe. The former two I was able to run after I renamed the files. I found a folder named Mocaflix in Program files, renamed that folder and after restart it's all ok. It's strange that I didn't find any references to sprotector.dll in registry but I found sprote~1.dll after searching for mocaflix
From: (Anonymous)
2013-01-21 03:45 am (UTC)

Sprotector 1.62

I really hope just removing it will fix some of my problems. I am nowhere near awesome at understanding things on the computer, like going into the registry, so if anyone would wanna help me by fixing my computer that would be great. Please mikki54740@yahoo.com I do not have the money to bring it in.
From: (Anonymous)
2013-02-06 03:30 pm (UTC)

Re: Sprotector 1.62

Well I have just run a copy of Avast Antivirus and it has detected it straight away. Of course I have deleted the file. It's amazing that all the other antivirus programmes that are supposed to be good fail. BTW my copy of Avast is the free version.
From: (Anonymous)
2013-03-23 08:21 pm (UTC)

Re: Sprotector 1.62

I was alerted to this by a trusty program called Winpatrol. I highly recommend the program as I have used it for a dozen years and always caught something before it was implemented. This looked funny so I did not allow it to run and as StevenRoy pointed out (and yes I googled, thus found your points) it is linked to fishy stuff on my hard drive. I found under Program files (86) the directory sprotector which I deleted, then in program apps I found the highly suspicious \Bruowse2saavee directory housing the file 514d52d4c3d62.dll which is linked to sprotector (as pointed out by Winpatrol)

Lastly I used Registry workshop to scan my registry or just regedit if you like looking for both dll's and deleted their instances. I did get a dire warning about clearing the sprotector.dll from my registry so did a reg backup, relocated the $%#$% file again in registry and went ahead and deleted it.

Hope this helps. P.S. I like registry workshop instead of regedit because it makes backup, search and restore so much easier.

P.S.S. I do not own stock in any program I mentioned, ha ha. I am an unbiased techie.
From: (Anonymous)
2013-05-02 02:00 am (UTC)

Thanks

Hi, I had the same trouble...

just one difference, the two files Sprotector.dll and uninstall.exe were in the folder C:\Program (x86)\SimpleSpeed.

So to remove, as you advised us:

1) search for the key AppInit_DLLs in the registry with the reference corresponding to the sprotector.dll file (you have to search for the next one until you find it)

2) To delete the two files in the SimpleSpeed folder, you have to change the security authorization (right click on the file, last line of the menu).

Thank you Steven for your advice about this malware.
From: iEliteTester
2013-12-09 07:28 pm (UTC)

I found I had this cause AVAST stopped it from doing something. When I searched on my programs list it was called Search Assistant WebSearch 1.74.
The AVAST "report" read:
Object: http://cybeitrapp.info/get
Infection: URL:Mal
Proccess: C\PROGRA-1\WEBSEA-1\SPROTE-1.DLL
I hope this helps somehow :)