protectservice.exe

XTab

Thinknice Co., Limited

The application protectservice.exe by Thinknice Co., Limited has been detected as adware by 10 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “IHProtect Service”. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modifying the browser's search and home pages.
Publisher:
XTab system  (signed by Thinknice Co., Limited)

Product:
XTab

Description:
ProtectSvc.exe

Version:
4.0.1.1685

MD5:
93faf870f13c310cd8fe3b58979ee8d5

SHA-1:
79430c8f9b5c429f4c845e381ed5ba15e35ea958

SHA-256:
1e46e609c9b3027c2cabc0f4348d3bb0214852bb15c1c3416b2bad0006bf1d49

Scanner detections:
10 / 68

Status:
Adware

Analysis date:
12/25/2024 7:32:36 AM UTC

Scan engine | Detection | Engine version
AhnLab V3 Security | PUP/Win32.SearchProtect | 2015.01.09
Avira AntiVirus | PUA/SearchProtect.Gen | 8.3.2.2
Emsisoft Anti-Malware | Adware.SearchProtect.W | 8.15.10.28.05
ESET NOD32 | Win32/ELEX.BM potentially unwanted | 9.12361
F-Secure | Adware.SearchProtect.W | 11.2015-28-10_4
Malwarebytes | PUP.Optional.XTab.A | v2015.01.10.07
Microsoft Security Essentials | BrowserModifier:Win32/SupTab | 1.1.12101.0
Reason Heuristics | PUP.Service.Thinknice | 15.3.11.17
Sophos | Generic PUA KD (PUA) | 4.98
VIPRE Antivirus | Adware.SearchProtect | 44320

File size:
155.1 KB (158,864 bytes)

Product version:
4.0.1.1685

Copyright:
Copyright (C) 2014

Original file name:
ProtectSvc.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\Program Files\xtab\protectservice.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
10/20/2014 10:26:52 AM

Valid to:
10/21/2015 10:26:52 AM

Subject:
CN="Thinknice Co., Limited", O="Thinknice Co., Limited", L=香港, S=香港, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11217B1525408E122E96F2FC3CB018A64466

File PE Metadata
Compilation timestamp:
1/6/2015 7:04:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:3UBSk9KzH+b1qXoa9tAy+B9KCGWm0GxIr1NCD4xexsD:3UBSjXoa7+BACGW5GxA7CDxmD

Entry address:
0x18D5A

Entry point:
E8, C2, 03, 00, 00, E9, 4C, FE, FF, FF, FF, 25, 44, B3, 41, 00, 6A, 0C, 68, 00, D3, 41, 00, E8, 5A, 01, 00, 00, 83, 65, E4, 00, 8B, 5D, 0C, 8B, C3, 8B, 7D, 10, 0F, AF, C7, 8B, 75, 08, 03, F0, 89, 75, 08, 83, 65, FC, 00, 4F, 89, 7D, 10, 78, 0C, 2B, F3, 89, 75, 08, 8B, CE, FF, 55, 14, EB, EE, 33, C0, 40, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 14, 00, 00, 00, E8, 5B, 01, 00, 00, C2, 10, 00, 8B, 7D, 10, 8B, 5D, 0C, 8B, 75, 08, 8B, 45, E4, 85, C0, 75, 0B, FF, 75, 14, 57, 53, 56, E8, 01, 00, 00, 00, C3, 6A...
 

Code size:
103.5 KB (105,984 bytes)

Service
Display name:
IHProtect Service

Type:
Win32OwnProcess

