searchprotect64.dll

2.0.1.613

Zhang Ling

The module searchprotect64.dll by Zhang Ling has been detected as adware by 7 anti-malware scanners. Additionally, the file is typically installed by a number of programs including SupTab by Thinknice Co. Limited and Linkey by Aztec Media Inc., both potentially unwanted software. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modifying the browser's search and home pages.
Publisher:
Skytech Co., Ltd.  (signed by Zhang Ling)

Product:
2.0.1.613

Description:
Skytech

Version:
2.0.1.613

MD5:
5dea5285dfa62e67fe128acae5cfef63

SHA-1:
3773d2a2ec251b978531c81a0f617195a769cb1a

SHA-256:
a10818171904c8970a7dd10bcdd9fc8492f72b1ec7104bda62834a0ae011bc56

Scanner detections:
7 / 68

Status:
Adware

Analysis date:
12/25/2024 12:02:04 AM UTC  (today)

| Scan engine | Detection | Engine version |
|---|---|---|
| AVG | Zhangling | 2015.0.3404 |
| Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.141223 |
| ESET NOD32 | Win64/Thinknice.F potentially unwanted application | 8.7.0.302.0 |
| G Data | Win64.Application.SearchProtect.AF | 14.12.24 |
| Malwarebytes | PUP.Optional.Skytech.A | v2014.07.24.08 |
| Reason Heuristics | PUP.ZhangLing.P | 14.7.31.23 |
| VIPRE Antivirus | Threat.4788726 | 33706 |

File size:
108.9 KB (111,496 bytes)

Product version:
2.0.1.613

Copyright:
Copyright (C) 2014

Original file name:
SearchProtect.dll

File type:
Dynamic link library (Win64 DLL)

Language:
Chinese (Simplified, China)

Common path:
C:\Program Files\suptab\searchprotect64.dll

Digital Signature
Signed by:

Authority:
WoSign CA Limited

Valid from:
6/6/2014 4:29:18 AM

Valid to:
6/6/2015 4:29:18 AM

Subject:
CN=Zhang Ling, E=chloezhangling@gmail.com, L=北京市, S=北京市, C=CN

Issuer:
CN=WoSign Class 2 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
07DAC38DB37E09DF8C8634065592DFE3

File PE Metadata
Compilation timestamp:
7/16/2014 9:02:22 AM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:M2zBTJ3q3D7z40tVf0+8WBWM3HrPQJXGg5uRpu7LMw4Dds7PK+kEJS/QGjE5SYv8:M2tThckGt0j/SCc

Entry address:
0x3EE8

Entry point:
48, 89, 5C, 24, 08, 48, 89, 74, 24, 10, 57, 48, 83, EC, 20, 49, 8B, F8, 8B, DA, 48, 8B, F1, 83, FA, 01, 75, 05, E8, AB, 30, 00, 00, 4C, 8B, C7, 8B, D3, 48, 8B, CE, 48, 8B, 5C, 24, 30, 48, 8B, 74, 24, 38, 48, 83, C4, 20, 5F, E9, 03, 00, 00, 00, CC, CC, CC, 48, 8B, C4, 48, 89, 58, 20, 4C, 89, 40, 18, 89, 50, 10, 48, 89, 48, 08, 56, 57, 41, 56, 48, 83, EC, 50, 49, 8B, F0, 8B, DA, 4C, 8B, F1, BA, 01, 00, 00, 00, 89, 50, B8, 85, DB, 75, 0F, 39, 1D, 34, 46, 01, 00, 75, 07, 33, C0, E9, D2, 00, 00, 00, 8D, 43, FF...
 

Entropy:
5.6873

Code size:
47.5 KB (48,640 bytes)

The file searchprotect64.dll has been discovered within the following programs.

Linkey  by Aztec Media Inc.
Linkey is a potentially unwanted web browser search extension for the top browsers, designed to modify the user's search and home pages (www.default-search.com or www.linkeyproject.com/app/) in order to direct advertising via the linkeyproject.com portal.
linkeyproject.com
81% remove it
SupTab  by Thinknice Co. Limited
SupTab is a web browser advertisement injection extension that is designed with the core purpose of delivering ads to the user's web browser. Ads are in the form of banners (both static and video) as well as contextual hyperlinks.
80% remove it
 