protectservice.exe

XTab

Giner Tech Inc

The application protectservice.exe by Giner Tech Inc has been detected as adware by 18 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “IHProtect Service”. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modify the browser's search and home pages.
Publisher:
XTab system  (signed by Giner Tech Inc)

Product:
XTab

Description:
ProtectSvc.exe

Version:
4.0.1.2072

MD5:
6bf369670e9b005424540cb1fae67241

SHA-1:
f547e0982ec4d39d0cc2eabdc587ee12edfafd0a

SHA-256:
5519daa42d7fb373c374b07aa476dabaf2e86c97a947aa1601050506f2a39e10

Scanner detections:
18 / 68

Status:
Adware

Analysis date:
12/29/2024 12:04:01 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.SearchProtect.W
5675400

AhnLab V3 Security
PUP/Win32.SearchProtect
2015.04.13

Avira AntiVirus
PUA/SearchProtect.Gen
3.6.1.96

Baidu Antivirus
Adware.Win32.ELEX
4.0.3.15413

Bitdefender
Adware.SearchProtect.W
1.0.20.515

Dr.Web
Adware.Mutabaha.266
9.0.1.0103

Emsisoft Anti-Malware
Adware.SearchProtect.W
9.0.0.4799

ESET NOD32
Win32/ELEX.BM potentially unwanted application
7.0.302.0

F-Prot
W32/SearchProtect.C.gen
v6.4.7.1.166

F-Secure
Adware.SearchProtect.W
5.13.68

G Data
Adware.SearchProtect
15.4.25

K7 AntiVirus
Trojan
13.202.15572

Malwarebytes
PUP.Optional.XTab.A
v2015.04.13.11

MicroWorld eScan
Adware.SearchProtect.W
16.0.0.309

NANO AntiVirus
Riskware.Win32.SearchProtect.dpvtwk
0.30.10.952

nProtect
Adware.SearchProtect.W
15.04.10.01

Reason Heuristics
Threat.Thinknice.GinerTech
15.4.13.11

Vba32 AntiVirus
AdWare.SearchProtect
3.12.26.3

File size:
155.1 KB (158,816 bytes)

Product version:
4.0.1.2072

Copyright:
Copyright (C) 2014

Original file name:
ProtectSvc.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, PRC)

Common path:
C:\Program Files\xtab\protectservice.exe

Digital Signature
Signed by:

Authority:
GlobalSign nv-sa

Valid from:
3/24/2015 9:40:38 AM

Valid to:
12/2/2015 5:23:38 AM

Subject:
CN=Giner Tech Inc, O=Giner Tech Inc, L=Wilmington, S=Delaware, C=US

Issuer:
CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE

Serial number:
112167537F02B71858D5AA3FC5D6CBB4265C

File PE Metadata
Compilation timestamp:
4/9/2015 4:47:22 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:HUBSk9KzH+b1qXoa9tAy+B9KCGWm0GxIr1iCD4xeyLY:HUBSjXoa7+BACGW5GxQMCDxWY

Entry address:
0x18D5A

Entry point:
E8, C2, 03, 00, 00, E9, 4C, FE, FF, FF, FF, 25, 44, B3, 41, 00, 6A, 0C, 68, 00, D3, 41, 00, E8, 5A, 01, 00, 00, 83, 65, E4, 00, 8B, 5D, 0C, 8B, C3, 8B, 7D, 10, 0F, AF, C7, 8B, 75, 08, 03, F0, 89, 75, 08, 83, 65, FC, 00, 4F, 89, 7D, 10, 78, 0C, 2B, F3, 89, 75, 08, 8B, CE, FF, 55, 14, EB, EE, 33, C0, 40, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 14, 00, 00, 00, E8, 5B, 01, 00, 00, C2, 10, 00, 8B, 7D, 10, 8B, 5D, 0C, 8B, 75, 08, 8B, 45, E4, 85, C0, 75, 0B, FF, 75, 14, 57, 53, 56, E8, 01, 00, 00, 00, C3, 6A...
 
[+]

Entropy:
6.2503

Code size:
103.5 KB (105,984 bytes)

Service
Display name:
IHProtect Service

Type:
Win32OwnProcess


Remove protectservice.exe - Powered by Reason Core Security