SppExtComObj.Exe  

stevenson53 said:

Hi There,
My Malwarebytes (recently installed) has been blocking an outbound connection to a website 94.242.206.249 using the process SppExtComObj.Exe.
I have searched and it seems that this file is a valid process.
The file version is dated 30.10.15, 10.0.10586.10.
Is this something I should be worried about?
Thanks for any help
Paul

Hi Paul,
SppExtComObj.Exe is a KMS Connection Broker (Key Management Services by MS).

It's trying to connect to a non-MS server:

This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% Information related to '94.242.206.0 - 94.242.206.255'

% Abuse contact for '94.242.206.0 - 94.242.206.255' is 'abuse@as5577.net'

inetnum: 94.242.206.0 - 94.242.206.255
netname: IPSERVER
descr: IPSERVER WORLD LTD
country: LU
remarks: abuse-mailbox: abuse@ipserver.su
admin-c: ON929-RIPE
tech-c: ON929-RIPE
status: ASSIGNED PA
mnt-by: ROOT-MNT
created: 2015-05-28T11:12:52Z
last-modified: 2015-05-28T11:12:52Z
source: RIPE

person: Oleg Nikol'skiy
address: British Virgin Islands, Road Town, Tortola, Drake Chambers
phone: +18552100465
nic-hdl: ON929-RIPE
mnt-by: IPSERVER-MNT
created: 2015-05-28T11:11:09Z
last-modified: 2015-05-28T11:11:09Z
source: RIPE # Filtered

% Information related to '94.242.192.0/18AS5577'

route: 94.242.192.0/18
descr: root SA (Hosting, Dedicated Servers and Domain Names | root S.A.)
origin: AS5577
mnt-by: ROOT-MNT
created: 2009-10-19T07:44:58Z
last-modified: 2016-07-05T12:21:50Z
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.4 (DB-1)

MBAM is correct to block this. If you are using illegal software, I suggest you remove it, then run a custom full scan with MBAM.

stevenson53 said:

Thank you for your quick response and I hope nothing is illegal on my machine! I will do a full check with MBAM to make sure all is well and will permanently block this site.
Thanks!

Sounds good. Let us know if it finds anything. :)

stevenson53 said:

I'm a bit paranoid due to getting a Crypto locker a few months back (I clicked on a bad email drrr and the backup was connected double drrr and it cost me plenty to get the files back that I lost), so ran the following:
- MBAM
- Spybot
- Sophus
- ESET
- SFC /scannow
- Panda
- CCleaner

Ok some things were found but all seemed to be low risk stuff, missing links, cookies etc but, the website block now doesn't come up so maybe I got it.

I have a feeling that I really should rebuild this computer from scratch, painful as that will be.

Paul

Oh dear - I am sorry to hear that. Those are all good programs to run (although I would use SuperAntiSpyware Free over Spybot). I assume now you have only ONE active anti-virus running on the machine?

You might want to add these:
RKILL

TDSSKiller (Kaspersky-onetime run for rootkits)
Make sure to tick all the boxes and let the computer reboot so it can run the scan fully.

RKILL (again) Because everything RKILL does is undone by a reboot.

ADWCleaner (will reboot to clean)
Feel free to post the log after you run it and I'll have a looksee for what's leftover. Usually these crypto malware are easy to clean or even remove themselves after they've delivered their payload.

RKILL again

JRT

Note: RKILL will put a log on your desktop called rkill.txt, and will overwrite it each time you run the scan, so if you want to keep them, rename them rkill01.txt, rkill02.txt, etc.

For future protection against these encryption nasties (and a lot of others), I would make the following recommendations:

One good active anti-virus (ESET is excellent, if you can afford it - usually on sale at Newegg on a regular basis)
MBAM (free or pro)
MBAE (free)
CryptoPrevent Free
SuperAntiSpyware Free

A file backup system which uses "versioning".
Alternating backups: 2 drives, one disconnected at all times, and rotate them on a regular basis.

Note: MBAM have an anti-encryption BETA right now, which will eventually be rolled into their paid version of MBAM Pro.

Of course, nothing beats common sense. But, if you were using, say, gmail, and collecting your emails online using your browser (and not an email client), a lot of this stuff would never even reach your inbox, and if it did, it would likely be flagged. (Not to plug gmail, but they have pretty aggressive email scanning, and ferret out quite a bit, and warn you with other stuff.)

Depending on the infection you had (if you know the name, or can provide all scan logs), I could research it to see if it warrants a clean install.

stevenson53 said:

Thanks again and you are being a big help. The cryptolocker cost me US$1200 in ransom and computer expert help and a full week of down time. I didn't know anything about Bitcoin, I do now!

Ouch! You're lucky you got your files back - some of these creeps take the money and run.

stevenson53 said:

I have paid for ESET and also run MBAM free and their BETA anti encryption program.

Great. When they roll that into their paid version, it may be worth looking at a subscription.

stevenson53 said:

i will give the other suggested programs a go too although it might take a few days to do it all.

No problem. Actually, they all run pretty quickly. But, no rush.

stevenson53 said:

i have been using Second Copy 8 for backup. I like it because it's simple and saves the files in their normal format so that I can get at them easily. Since the cyptolocker, I have 3 backups, 2 daily that I rotate and a master weekend one which backups both my data disk and an OS image. I work from home BTW.

That sounds like a good setup. :)

stevenson53 said:

I have been having problems with this program recently as well as other weird things. Do you know another good easy to use backup software which saves files as they are. I have a lot of very big Outlook files and even if I don't open them, they get backed up anyway because outlook loads them and this is seen as a changed file by SC8.
My current thought is to uninstall SC8 and some other troublesome programs, then do a Windows 10 repai install, run all the scans, then reload the problem programs. I expect that it hasn't helped messing with the registry lol.
Your thoughts please?
thanks again!

Hmmm... I am not familiar with Second Copy 8 - have never used it. I do know that Macrium Reflect Free allows you to mount the images and even extract specific files from the images (just did this on a system I was working on that wouldn't boot). I personally have 2 backup schemes in addition to my Operating System backup, (for which I use Macrium): CrashPlan and Robocopy. CrashPlan compresses and provides versioning, while Robocopy is basically a copy function (so data is in original state). But, you really could do everything with Macrium, and backups would be smaller since they're compressed, and can be verified as they're made. Really, since you can extract files from the images, it makes things quite nice. You can also set it up for incremental and differential images, although I don't do that - I always make full images (makes life easier if I have to restore).

Here's some info on it:
Solved Tell your backup software, win Macrium Reflect Home license! - Windows 10 Forums

To get started with system imaging, see these tutorials:

• System Image - Create in Windows 10 - Windows 10 Forums
• Macrium Reflect - Backup Restore - Windows 10 Forums

Was it really Cryptolocker that you had? or Torrentlocker? or something else? Because Cryptolocker was taken down, and a possible decryption scheme was released (for free). Torrentlocker made copies of your data, encrypted it, and then deleted the original, so many people got their data back by using recovery software or ShadowExplorer. Just curious - not that it makes any difference now...