protectservice.exe

XTab

Minidigital Technology Co., Limited

The application protectservice.exe by Minidigital Technology Co., Limited has been detected as adware by 9 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “IHProtect Service”. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modifying the browser's search and home pages.

Publisher:
XTab system  (signed by Minidigital Technology Co., Limited)

Product:
XTab

Description:
ProtectSvc.exe

Version:
4.0.1.2611

MD5:
6b556d3d4392a2a3762da41f3968bac0

SHA-1:
8a84725e8a71dae63aa70b6ab666bbecfa2fd818

SHA-256:
c23a7880a6d154f657fe0bef7c406bf4df70e1b67ce92bf83634e755854f0295

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
12/25/2024 8:00:32 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| AhnLab V3 Security | PUP/Win32.SearchProtect | 2015.06.18 |
| Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.15618 |
| ESET NOD32 | Win32/ELEX.EE potentially unwanted (variant) | 9.11801 |
| G Data | Win32.Application.SearchProtect.AA@gen | 15.6.25 |
| K7 AntiVirus | Riskware | 13.205.16276 |
| Malwarebytes | PUP.Optional.XTab.A | v2015.06.18.02 |
| Panda Antivirus | Trj/Genetic.gen | 15.06.18.02 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.6.18.14 |
| Zillya! Antivirus | Adware.SubTab.Win32.8 | 2.0.0.2231 |

File size:
122.2 KB (125,112 bytes)

Product version:
4.0.1.2611

Copyright:
Copyright (C) 2014

Original file name:
ProtectSvc.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\Program Files\miuitab\protectservice.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
5/15/2015 12:08:22 PM

Valid to:
6/21/2016 4:55:40 PM

Subject:
CN="Minidigital Technology Co., Limited", O="Minidigital Technology Co., Limited", L=Hong Kong, S=Hong Kong, C=HK

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11210712821AC785E8F9E8B1563A07DCC38A

File PE Metadata
Compilation timestamp:
6/16/2015 4:31:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
1536:R+3UUwNrWgqrD3bZkplN/5XeC0B0CpIhBfxHzhGRyuu:R60NWgcONxXn0B06IhBfxHtGRyR

Entry address:
0x11620

Entry point:
E8, 8C, 03, 00, 00, E9, 4C, FE, FF, FF, FF, 25, 3C, 43, 41, 00, 6A, 0C, 68, E8, 61, 41, 00, E8, 54, 01, 00, 00, 83, 65, E4, 00, 8B, 5D, 0C, 8B, C3, 8B, 7D, 10, 0F, AF, C7, 8B, 75, 08, 03, F0, 89, 75, 08, 83, 65, FC, 00, 4F, 89, 7D, 10, 78, 0C, 2B, F3, 89, 75, 08, 8B, CE, FF, 55, 14, EB, EE, 33, C0, 40, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 14, 00, 00, 00, E8, 55, 01, 00, 00, C2, 10, 00, 8B, 7D, 10, 8B, 5D, 0C, 8B, 75, 08, 8B, 45, E4, 85, C0, 75, 0B, FF, 75, 14, 57, 53, 56, E8, 01, 00, 00, 00, C3, 6A...
 

Entropy:
6.2250

Code size:
73 KB (74,752 bytes)

Service
Display name:
IHProtect Service

Type:
Win32OwnProcess

