
Orbiter, ORBTR, SPPD.sys and SearchProtect by ClientConnect LTD.

I was playing around with a download this morning to see if it bundled some software. When running the installer, “Search Protect by Conduit” was offered. The installer also displayed a few links – as shown in the screenshot below – to learn more about the SearchProtect software and to read the EULA and the privacy policy, but for some unknown reason, no browser popped up when clicking the links.

Conduit Search Protect

Search Protect is designed to change search settings in Firefox, Chrome and Internet Explorer to trovi.com and pop up a notification window when these settings are changed.

Since I look at what’s being bundled with various downloads more or less daily, I’m used to seeing Search Protect, but this was a new variant that I had not seen before. It also installed something called Orbiter in “c:\Program Files (x86)\ORBTR” or “c:\Program Files\ORBTR”. The files were named Orbiter.dll and Orbt.ext. A new driver named SPPD.sys also appeared on the hard drive, located in “c:\Windows\System32\drivers“. All these files were digitally signed by ClientConnect LTD.

I was curious to see if the anti-virus programs over at VirusTotal detected the orbiter.dll file, and some of them did. As shown in the screenshot, 10 of the 55 anti-virus scanners detected the orbiter.dll file, under various detection names, such as PUP.Optional.Conduit.A and Adware.Orbiter.

orbiter.dll virustotal report

If you’d like to remove SearchProtect and Orbiter, you can do so from the Add/Remove programs dialog, by right-clicking on the Search Protect icon and selecting Uninstall. This also uninstalled the Orbiter software.

orbiter and search protect uninstall
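To check whether the files named in this post are present, for example after running the uninstaller, a short PowerShell check like the following can be used. This is an added example, not part of the original post or the vendor's software; the paths and signer name come from the post, and the driver lookup assumes SPPD.sys is registered as a system driver.

```powershell
# Added example: look for the Orbiter / SPPD.sys files described in the post
# and report who signed them. Run from a 64-bit PowerShell prompt so that
# System32 is not redirected to SysWOW64.
$signerName = 'ClientConnect LTD'          # signer named in the post

# "Program Files (x86)" does not exist on 32-bit Windows, so drop empty values.
$roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) |
    Where-Object { $_ } | Select-Object -Unique

$paths = @()
foreach ($root in $roots) {
    $dir = Join-Path $root 'ORBTR'
    if (Test-Path -LiteralPath $dir) {
        $paths += Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
    }
}

$driver = Join-Path $env:windir 'System32\drivers\SPPD.sys'
if (Test-Path -LiteralPath $driver) { $paths += $driver }

# Report the Authenticode status and signer subject for every file found.
$results = foreach ($p in $paths) {
    $sig     = Get-AuthenticodeSignature -FilePath $p
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path            = $p
        SignatureStatus = $sig.Status
        Signer          = $subject
        SignerMatches   = ($subject -like "*$signerName*")
    }
}

if ($results) {
    $results | Format-List
} else {
    'No ORBTR files or SPPD.sys found.'
}

# Assumption: if the driver is still registered, it shows up as a system driver.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "PathName LIKE '%SPPD.sys'" |
    Select-Object Name, State, StartMode, PathName
```

An empty result from both parts means neither the files nor a registered SPPD.sys driver remain on the machine.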

Did you also get SearchProtect and Orbiter on your machine? Any idea how it was installed? Did the uninstaller work successfully?