• How to stop Snapdo ‘cold calling’


    #496104

    Why do I continually get a potentially unwanted program – PUP.Optional.Snapdo.A? It ends up in my AppData\Local\Google\Chrome\User\Default\Preferences.

    Malwarebytes finds this on average two or three times a day and alerts me to quarantine it, which I do.

    I see that SnapDo is a malicious browser hijacker, which is bundled by free downloads, and once installed it will add the SnapDo Toolbar to my browser.

    Google lists tools to remove Snapdo, but so far – thanks to Malwarebytes – it has not (I think) installed.

    But does anyone know how to stop Snapdo invading my PC in the first place? How come it knows I am a target? (It’s like trying to block ‘cold callers’ on my phone). I want to end the unnecessary ‘quarantine’ exercise three times a day. Can Malwarebytes just do it without asking my permission?

    • #1464970

      Have you run a scan with Malwarebytes? If not, do so and report back with the results. This thread may help http://malwaretips.com/blogs/snap-do-toolbar-removal/. Check Control Panel–>Programs and Features and uninstall Snap.do if found.

      • #1464979

        Have you run a scan with Malware bytes?

        Yes. Just done it again now, with yet again the same result, given in detail below. As I said, I do not believe Snapdo has been installed – it is not listed in the uninstall programs list and has not affected my browsers in any way. It’s just the annoyance of the file being detected by Malwarebytes all the time and having to be quarantined.

        The scan log:

        Malwarebytes Anti-Malware
        http://www.malwarebytes.org

        Scan Date: 24/08/2014
        Scan Time: 16:26:46
        Logfile: mwbytes log.txt
        Administrator: Yes

        Version: 2.00.2.1012
        Malware Database: v2014.08.24.03
        Rootkit Database: v2014.08.21.01
        License: Premium
        Malware Protection: Enabled
        Malicious Website Protection: Enabled
        Self-protection: Disabled

        OS: Windows 8.1
        CPU: x64
        File System: NTFS
        User: Tim

        Scan Type: Threat Scan
        Result: Completed
        Objects Scanned: 336642
        Time Elapsed: 5 min, 53 sec

        Memory: Enabled
        Startup: Enabled
        Filesystem: Enabled
        Archives: Enabled
        Rootkits: Disabled
        Heuristics: Enabled
        PUP: Enabled
        PUM: Enabled

        Processes: 0
        (No malicious items detected)

        Modules: 0
        (No malicious items detected)

        Registry Keys: 0
        (No malicious items detected)

        Registry Values: 0
        (No malicious items detected)

        Registry Data: 0
        (No malicious items detected)

        Folders: 0
        (No malicious items detected)

        Files: 1
        PUP.Optional.Snapdo.A, C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "startup_urls": [ "http://www.google.co.uk/", "http://www.metoffice.gov.uk/", "https://news.google.co.uk/nwshp?hl=en&tab=mn", "http://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uy24NiqVvkKen0VXX6DgNu1tCKM3e3YNAySM9HCx9FN8FLH1_-hT06F2dWTkoF1-bVug8pzrot9qALDc4Go9hKswqni_PQFBB0tVh9hRtGMGh7nZQKWnA94EmeFS4R7r2oU3jwWkWZiW0JA3Olg,,", "about:newtab?source=home" ],), ,[86dd17b387f485b1a236ff1119ece31d]

        Physical Sectors: 0
        (No malicious items detected)

        (end)
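
        The Malwarebytes hit above is not a program at all but one entry inside Chrome's `Preferences` file: the `startup_urls` list under `session`, which is what Chrome opens on start. The following script is an added example, not from this thread and not part of Malwarebytes, AdwCleaner or HitmanPro; it parses a Preferences file (Chrome stores it as plain JSON) and lists every startup URL or homepage whose host is not on an allow-list the profile owner maintains. The sample Preferences dictionary and the allow-list are constructed here to mirror the log above (the snapdo query token is replaced by a placeholder), and checking `homepage` as well as `startup_urls` goes slightly beyond what the log shows.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the relevant part of a Chrome "Preferences" file,
# modelled on the startup_urls list quoted in the Malwarebytes log above.
# The snapdo query token is a placeholder, not a real value.
SAMPLE_PREFERENCES = {
    "homepage": "http://www.google.co.uk/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": [
            "http://www.google.co.uk/",
            "http://www.metoffice.gov.uk/",
            "https://news.google.co.uk/nwshp?hl=en&tab=mn",
            "http://feed.snapdo.com/?p=PLACEHOLDER_TOKEN",
            "about:newtab?source=home",
        ],
    },
}

# Hosts the profile owner actually chose (assumed; edit for your own profile).
ALLOWED_HOSTS = {"www.google.co.uk", "news.google.co.uk", "www.metoffice.gov.uk"}


def load_preferences(path):
    """Read a Chrome Preferences file; it is plain UTF-8 JSON."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def startup_entries(prefs):
    """Yield (setting, url) pairs from the settings Chrome consults at startup."""
    for url in prefs.get("session", {}).get("startup_urls", []):
        yield ("session.startup_urls", url)
    homepage = prefs.get("homepage")
    if homepage:
        yield ("homepage", homepage)


def is_suspicious(url, allowed_hosts):
    """True when the URL points at a web host outside the allow-list.

    Internal pages (about:, chrome://) carry no scheme we care about and are
    left alone; only http(s) hosts are compared against the allow-list.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return parsed.hostname not in allowed_hosts


def find_suspicious_startup_urls(prefs, allowed_hosts=ALLOWED_HOSTS):
    """Return the (setting, url) pairs that need a human's attention."""
    return [
        (setting, url)
        for setting, url in startup_entries(prefs)
        if is_suspicious(url, allowed_hosts)
    ]


if __name__ == "__main__":
    import sys

    # With a path argument, inspect a real file; otherwise use the sample.
    prefs = load_preferences(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    for setting, url in find_suspicious_startup_urls(prefs):
        print(f"{setting}: {url}")
```

        On Windows the file in question is `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences`. Run the script with Chrome fully closed: Chrome rewrites Preferences on exit, and it keeps integrity hashes for settings such as `startup_urls`, so an entry removed by a tool while the browser is still running can simply come back, which is the pattern Bruce and satrow suspect later in this thread.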

    • #1464983

      Instead of quarantining it, why not just delete it?

    • #1464985

      I suggest you start with step 3 and run Adwcleaner in the link I posted and work your way through the remaining steps.

    • #1465004

      Thank you thomasjk. Wow, hope all works ok after AdwCleaner and Hitman deletes! Their logs:

      # AdwCleaner v3.308 – Report created 24/08/2014 at 17:11:41
      # Updated 20/08/2014 by Xplode
      # Operating System : Windows 8.1 (64 bits)
      # Username : Tim – ASUSPC
      # Running from : C:\Users\Tim\Downloads\adwcleaner_3.308.exe
      # Option : Clean

      ***** [ Services ] *****

      ***** [ Files / Folders ] *****

      Folder Deleted : C:\ProgramData\DriverCure
      Folder Deleted : C:\ProgramData\NCH Software
      Folder Deleted : C:\ProgramData\ParetoLogic
      Folder Deleted : C:\ProgramData\Partner
      Folder Deleted : C:\ProgramData\Uniblue
      Folder Deleted : C:\Program Files (x86)\Nosibay
      Folder Deleted : C:\Program Files (x86)\SearchPredict
      Folder Deleted : C:\Program Files (x86)\Common Files\ParetoLogic
      Folder Deleted : C:\Users\Tim\AppData\LocalLow\SimplyTech
      Folder Deleted : C:\Users\Tim\AppData\Roaming\SimplyTech
      File Deleted : C:\END

      ***** [ Scheduled Tasks ] *****

      Task Deleted : SomotoUpdateCheckerAutoStart

      ***** [ Shortcuts ] *****

      ***** [ Registry ] *****

      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.bandobjectattribute
      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.dockingpanel
      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.iesmartbar
      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.iesmartbarbandobject
      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.smartbardisplaystate
      Key Deleted : HKLM\SOFTWARE\Classes\iesmartbar.smartbarmenuform
      Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
      Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASAPI32
      Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SnapDo_RASMANCS
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
      Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
      Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
      Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
      Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
      Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
      Key Deleted : HKCU\Software\OCS
      Key Deleted : HKCU\Software\SmartBar
      Key Deleted : HKCU\Software\Somoto
      Key Deleted : [x64] HKLM\SOFTWARE\InstalledThirdPartyPrograms
      Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8121C32A9C319F4CB0C11FF059552A4
      Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
      Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4

      ***** [ Browsers ] *****

      -\ Internet Explorer v11.0.9600.17239

      -\ Mozilla Firefox v31.0 (x86 en-GB)

      [ File : C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\r4akaqjd.default\prefs.js ]

      -\ Google Chrome v36.0.1985.143

      [ File : C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

      Deleted [Startup_urls] : hxxp://feed.snapdo.com/?p=mKO_AwFzXIpYRbPBDDI6Pk-fpITtt_7-dx2uy24NiqVvkKen0VXX6DgNu1tCKM3e3YNAySM9HCx9FN8FLH1_-hT06F2dWTkoF1-bVug8pzrot9qALDc4Go9hKswqni_PQFBB0tVh9hRtGMGh7nZQKWnA94EmeFS4R7r2oU3jwWkWZiW0JA3Olg,,

      *************************

      AdwCleaner[R0].txt – [4369 octets] – [24/08/2014 17:08:48]
      AdwCleaner[S0].txt – [4162 octets] – [24/08/2014 17:11:41]

      ########## EOF – C:\AdwCleaner\AdwCleaner[S0].txt – [4222 octets] ##########

      —–

      Code:
      HitmanPro 3.7.9.221
      www.hitmanpro.com
      
         Computer name . . . . : ASUSPC
         Windows . . . . . . . : 6.3.0.9600.X64/8
         User name . . . . . . : asuspc\Tim
         UAC . . . . . . . . . : Enabled
         License . . . . . . . : Trial (30 days left)
      
         Scan date . . . . . . : 2014-08-24 17:21:03
         Scan mode . . . . . . : Normal
         Scan duration . . . . : 3m 32s
         Disk access mode  . . : Direct disk access (SRB)
         Cloud . . . . . . . . : Internet
         Reboot  . . . . . . . : No
      
         Threats . . . . . . . : 0
         Traces  . . . . . . . : 15
      
         Objects scanned . . . : 2,410,598
         Files scanned . . . . : 69,936
         Remnants scanned  . . : 946,985 files / 1,393,677 keys
      
      Potential Unwanted Programs _________________________________________________
      
         session/startup_urls[3]
         C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Preferences
      
         HKLM\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6} (FLV Player) -> Deleted
         HKLM\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E} (FLV Player) -> Deleted
         HKLM\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24} (FLV Player) -> Deleted
         HKLM\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9} (FLV Player) -> Deleted
         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467 (FLV Player) -> Deleted
         HKU\S-1-5-21-4029867339-3856966008-3241174293-1001\Software\Microsoft\Installer\UpgradeCodes\5E8031606EB60A64C882918F8FF38DD4 (FLV Player) -> Deleted
         HKU\S-1-5-21-4029867339-3856966008-3241174293-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} (FLV Player) -> Deleted
      
      Cookies _____________________________________________________________________
      
         C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
         C:\Users\Tim\AppData\Local\Google\Chrome\User Data\Default\Cookies:stats.paypal.com
         C:\Users\Tim\AppData\Local\Microsoft\Windows\INetCookies\3LTQ8LNX.txt
         C:\Users\Tim\AppData\Local\Microsoft\Windows\INetCookies\IGTHEJOX.txt
         C:\Users\Tim\AppData\Local\Microsoft\Windows\INetCookies\NEQAP7QP.txt
         C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\r4akaqjd.default\cookies.sqlite:doubleclick.net
         C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\r4akaqjd.default\cookies.sqlite:in.getclicky.com
      
      
      
    • #1465096

      Oh dear! After all that dramatic cleaning by AdwCleaner and HitmanPro yesterday, today Malwarebytes pops up after a few hours to warn me yet again that the Snapdo file has again wormed itself into the usual location and needs quarantining.

      Baffling.

    • #1465100

      Have you removed the software that Snapdo came with?

      cheers, Paul

      • #1465109

        Have you removed the software that Snapdo came with?

        cheers, Paul

        I haven’t the first idea what software that might be. Except for those security programs suggested above, I have not installed anything in the last week or so, when this first started happening. There have been updates – Java, Adobe and of course Windows-related ones.

    • #1465113

      Fire the computer up with nothing running and see if MBAM pops up the warning. If so, list the running programs from MBAM here and we can suggest.

      cheers, Paul

      • #1465134

        Fire the computer up with nothing running and see if MBAM pops up the warning. If so, list the running programs from MBAM here and we can suggest.

        MBAM?

        I restarted. Nothing popped up but a Malwarebytes scan immediately found the offending file.

        In Windows task manager, Malwarebytes is the only app running, but there is a long list of background processes, including Google Chrome.

        Also checked out the Wikihow link, but all its instructions did not apply as Snapdo is not in my Chrome extensions and is not listed among the search engines.

        As I have repeatedly said, Snapdo has not installed itself on my PC. It is just the continual appearance of THAT file which needs quarantining that bugs me.

    • #1465120

      Here is another webpage that may help sort this out http://www.wikihow.com/Get-Rid-of-Snap-Do.

    • #1465206

      Malwarebytes Anti-Malware.

      Something is putting the file on your PC and you need to stop programs one at a time until you find the offending program.

      cheers, Paul

    • #1465235

      You can do what Paul T suggests by performing a clean boot http://support.microsoft.com/kb/929135 and then run AdwCleaner and Hitman again.

    • #1465274

      Thanks for the tips. Will try those (when I get time!) One thing that’s interesting: Add/Remove Programs doesn’t see it, Revo Uninstaller doesn’t list it, but CCleaner does see it (under Tools > Uninstall).

      When CCleaner tries to uninstall I get the message:
      The feature you are trying to use is on a network resource that is unavailable.

      Means nothing to me, but a clue?

      • #1465287

        The free version of Revo only picks up 32 bit programs which is why it probably doesn’t see it – but not sure why it isn’t listed in Programs and Features unless it’s a Toolbar that would reside in the browser add-ons.

        I rate IOBit Uninstaller better than Revo because of its ease of use and that has a deep clean and file shred function http://www.iobit.com/advanceduninstaller.html

        Keep an eye out for anything else it would like you to download with it if you want to try it, as it would like to palm Advanced System Care onto you.

    • #1465297

      I have the paid-for RevoPro version. Anyway, it seems to be a file, not a program, that likes to keep on inserting itself. Guess that’s why CC sees it and not the other uninstallers.

    • #1465336

      The file is created by a program. Finding the recalcitrant program is your goal.

      cheers, Paul

    • #1466185

      I have uninstalled Malwarebytes, as I’d paid and they changed to an annual subscription, so bye-bye. I have replaced it with the free version of Spybot, the same old and trusted program of yesteryear. Download the free version here:
      http://www.safer-networking.org/mirrors16/
      The Snap.do toolbar had been installed in Firefox and Chrome by a downloaded program.

    • #1466187

      If it’s running then you’ll probably be able to find it with Process Explorer and may be able to kill it in there http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

      Click on Options and ensure that Verify Image Signatures is checked then hover over VirusTotal.com and ensure that Check VirusTotal.com is also checked.

      If any of the processes that are running have a high value over ~50 in red, then that process is suspect and if you don’t recognize it, Google it and then kill it if undesirable or dangerous.

    • #1466213

      Judging by #12, it’s being reinstalled by Chrome after each boot.

      Print out these instructions, or save them in a Notepad file on your Desktop to refer to, or open it on a different computer; you don’t want a browser open, as it could be reinfecting you as you work during the latter stages.

      Download Autoruns: http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx and Process Explorer (suggested in #20). Save/copy them both to your Desktop.

      Follow this routine: http://malwaretips.com/blogs/snap-do-toolbar-removal/ (it includes resetting the 3 main browsers).

      Once done, reboot and start up Process Explorer, if Chrome is already running, right-click each Chrome process in turn in Process Explorer and select Suspend process. If any other browser is running, Suspend their processes as well.

      Right-click Autoruns and select Run as Administrator, agree to the terms and as soon as it starts, click Esc. Go to Options > Filter options > check the boxes for both Verify code signatures and Hide Windows entries and then click Rescan.

      Work through the resulting lists and uncheck anything by Snap.Do or from ReSoft Ltd.

      When done, close Autoruns, kill the previously Suspended browser processes in Process Explorer.

      Reboot.

      • #1466493

        Judging by #12, it’s being reinstalled by Chrome after each boot.

        Print out these instructions……………
        Follow this routine: ………..

        OK, back in front of PC. Did your routine and sadly found no mention of Snap.do or Resoft Ltd in Autoruns. Checked through long list three times!

        • #1466502

          You worked through the http://malwaretips.com/blogs/snap-do-toolbar-removal/ routine first?

          Are you still having problems? The above routine should have cleaned it, Autoruns, etc. was for a check for any leftovers.

          • #1466543

            You worked through the http://malwaretips.com/blogs/snap-do-toolbar-removal/ routine first?

            I’ve done that very M-Bytes routine quite a few times already.

            And yes, M-Bytes still finds the file (and file only) – PUP.Optional.Snapdo.A – in my AppData\Local\Google\Chrome\User\Default\Preferences.

            1 – Neither Windows nor RevoUninstaller Pro finds any Snapdo programs.
            2 – I have reset Chrome’s settings.
            3 – AdwCleaner finds plenty of Adobe files to ‘repair’, but not a single Snapdo.
            4 – HitmanPro also only found a few tracking cookies.
            5 – And as I said above, no sign of Snapdo or Resoft Ltd in Autoruns.

            • #1466566

              And yes, M-Bytes still finds the file (and file only) – PUP.Optional.Snapdo.A – in my AppData\Local\Google\Chrome\User\Default\Preferences.

              After you have chosen to quarantine it?

              Bruce

            • #1466585

              After you have chosen to quarantine it?

              Bruce

              It reappears at next boot.

            • #1466607

              It reappears at next boot.

              Maybe indicative of a Chrome process running while MBAM is removing the SnapDo reference?

              Use Process Explorer to check for any running Chrome processes, if there are any, Suspend them all and then Kill them, run MBAM again and quarantine anything found, reboot, check.

    • #1466251

      Thank you satrow for your analysis and detailed instructions – greatly appreciated. I am away from home and my PC for a while, but once back will follow the routine and post back result.

      I’m using Chrome on my tablet at the moment and I do not see the postings’ numbers – maybe will on PC. But I can always count through them to see which ones you refer to. Thanks again. (As an aside, I also notice on tablet no option to add signature).

    • #1466638

      I closed Chrome before running Process Explorer, which then did not show any Chrome processes. Ran M-bytes, and quarantined the Snap.do file. Rebooted and, yes, there it was again – before opening Chrome at all.

      Satrow, thank you so much for your perseverance with my problem. I’m going to be away from home and PC for the next two weeks so will be unable to run any more tests until my return. Thanks again.

    • #1466649

      Some malware hides itself fairly well. Please post a screenshot of your Autoruns output for the Logon tab.

      Joe

      --Joe

    • #1466656

      Hi Joe. Will post screenshot in about two weeks time when I return home. Mind you, not sure how to attach pix to messages here, except by a link.

    • #1466658

      --Joe

    • #1466675

      We’ll need much more than just the output from the Autoruns Logon tab to give us a fighting chance: filter Autoruns to hide Windows files and to Verify, then Save as the default Autoruns.arn, zip it (right-click > Send to > Compressed folder) and attach the zip.

      Also give the current location of Snapdo from MBAM.

      Enjoy your break, Tim 😉

      • #1468317

        We’ll need much more than just the output from the Autoruns Logon tab to give us a fighting chance: filter Autoruns to hide Windows files and to Verify, then Save as the default Autoruns.arn, zip it (right-click > Send to > Compressed folder) and attach the zip.

        Also give the current location of Snapdo from MBAM.

        Enjoy your break, Tim 😉

        Had a great time!

        Hope I’ve done it right – attached (I think) is the file.

        37948-Tim-AutoRuns

        • #1468548

          When I open that arn file (some 3MB) with Autoruns (on XP) I can find no evidence of ‘snapdo’ (Autoruns has a text search capability), nor ‘snap.do’ nor ‘resoft’ (the masterminds behind it, apparently). Others more acquainted than I with Windows 8 may be able to shed some light. However, your first post seemed to show that snapdo was loading into Chrome, so I would suggest examining all extensions if you haven’t done so already – the link provided by thomasjk covers removing snap.do from Chrome. Good luck!

    • #1466746

      Enjoy your break, Tim 😉

      Thank you! I’m campervanning up the UK to Scotland (where I have family) and have with me my tablet, on which I’m writing this. Useful – when I have a signal – not likely on Skye, where there’s a lovely beach campsite.

      The MBAM location of that file PUPOptional.Snapdo.A is where I’ve previously posted:
      Tim\AppData\Local\Google\Chrome\User\Default\Preferences

      Will follow your instructions on my return.

      Tim

    • #1466774

      Interesting time to be doing the trip.

      Never mind the signal, Tim, remember the water, especially when you get to sample the old cask strength versions 🙂
