home

ppsvc.exe

PP Client Service

Phrase Professor

The application ppsvc.exe by Phrase Professor has been detected as a potentially unwanted program by 11 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “PP 1.10.0.22 Client Service”. It uses the Solimba download manager to push adware offers during the download and setup process. Bundled adware includes search and shopping web browser toolbars.
Publisher:
PhraseProfessor  (signed by Phrase Professor)

Product:
PP Client Service

Version:
1.10.0.22

MD5:
596500f9fefbff1cc0fa9d2bfff2524f

SHA-1:
095b6348c4f0dd45b89da3c997d2e1ec1a59e442

SHA-256:
2e3b833380f88aaff6f433c334badc8682f7da4ee9d4f30e0ad6b684357eaf4b

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Uses the Solimba installer to bundle adware offers.

Analysis date:
12/26/2024 12:09:24 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Vitruvian-B [PUP]
2014.9-150818

AVG
Generic
2016.0.3014

Baidu Antivirus
Adware.Win32.Solimba
4.0.3.15818

Dr.Web
Adware.Plugin.1136
9.0.1.0230

ESET NOD32
Win32/Adware.Vitruvian (variant)
9.12109

Kaspersky
not-a-virus:AdWare.Win32.Vitruvian
14.0.0.1565

Malwarebytes
PUP.Optional.PhraseProfessor.A
v2015.08.18.02

Panda Antivirus
Generic Suspicious
15.08.18.02

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.8.18.2

VIPRE Antivirus
InfoAtoms
42978

File size:
293.1 KB (300,128 bytes)

Product version:
1.10.0.22

Copyright:
Copyright (C) 2015

Original file name:
ppsvc.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\phraseprofessor_1.10.0.22\service\ppsvc.exe

Digital Signature
Signed by:
Phrase Professor

Authority:
GlobalSign nv-sa

Valid from:
6/23/2015 12:12:16 AM

Valid to:
6/23/2017 12:12:16 AM

Subject:
E=support@phraseprofessor.com, CN=Phrase Professor, O=Phrase Professor, L=San Diego, S=California, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11212ECCBE8A08CD220DFDB8DF22D0081744

File PE Metadata
Compilation timestamp:
8/14/2015 8:51:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
6144:TagcVKY018YuEkulXmC5AczTBaCIX/sNn:TagcVKB17kulXmTczTaX/y

Entry address:
0x253E5

Entry point:
E8, 28, 65, 00, 00, E9, 7B, FE, FF, FF, 55, 8B, EC, 53, 8B, 5D, 10, 57, 33, FF, 85, DB, 75, 14, E8, 1C, 1F, 00, 00, C7, 00, 16, 00, 00, 00, E8, 6A, 39, 00, 00, 33, C0, EB, 73, 56, 68, BC, 03, 00, 00, 6A, 01, E8, 44, 3B, 00, 00, 8B, F0, 59, 59, 85, F6, 74, 49, E8, C8, 30, 00, 00, FF, 70, 6C, 56, E8, 46, 31, 00, 00, 8B, 45, 14, 83, 4E, 04, FF, 89, 46, 58, 8B, 45, 1C, 59, 59, 89, 5E, 54, 85, C0, 75, 03, 8D, 45, 10, 50, FF, 75, 18, 56, 68, 4F, 55, 42, 00, FF, 75, 0C, FF, 75, 08, FF, 15, 48, 31, 43, 00, 85, C0...
 
[+]

Code size:
198.5 KB (203,264 bytes)

Service
Display name:
PP 1.10.0.22 Client Service

Service name:
ppsvc_1.10.0.22

Description:
This service enables PP 1.10.0.22 on HTTP websites

Type:
Win32OwnProcess


Remove ppsvc.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.