ntsvc.exe

Navigation

Navigation network co.,limited

The application ntsvc.exe, “Net Service Event Handler” by Navigation network co.,limited, has been detected as adware by 9 anti-malware scanners. This is a setup program used to install the application. It runs as a Windows service named “Net Service Event Handler” in its own process. The file is typically installed with the program searchult by Navigation. It has been seen being downloaded from dp8uklaiq5180.cloudfront.net and multiple other hosts.
Publisher:
Navigation Co., Ltd.  (signed by Navigation network co.,limited)

Product:
Navigation

Description:
Net Service Event Handler

Version:
2.0.1.12189

MD5:
ad0ac4db71079d8ee386f13ffa09a38d

SHA-1:
05872da53510a2bb8916ad9d93618371da6209c7

SHA-256:
f4a72a07cc0999ae7619de5f6f10b107c972fd4eafce133dcf51053d8fb88e57

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
5/4/2024 8:13:50 AM UTC

Scan engine | Detection | Engine version
Baidu Antivirus | Adware.Win32.Navegaki | 4.0.3.151012
Bkav FE | W32.HfsAdware | 1.3.0.7237
ESET NOD32 | Win32/Adware.Navegaki (variant) | 9.11030
IKARUS anti.virus | PUA.Navegaki | t3scan.1.6.1.0
Panda Antivirus | PUP/Navegaki | 15.10.12.09
Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015
Reason Heuristics | PUP.Navigationnetworkcolimited (M) | 15.10.12.21
Rising Antivirus | PE:Worm.Rebhip!1.64F0 | 23.00.65.151010
Trend Micro House Call | Cryp_Xin1 | 7.2.285

File size:
259.9 KB (266,104 bytes)

Product version:
2.0.1.12189

Copyright:
Navigation Copyright (C) 2013

Original file name:
ntsvc.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, China)

Common path:
C:\users\{user}\appdata\roaming\ntsvc\ntsvc.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/19/2014 2:00:00 AM

Valid to:
2/20/2016 1:59:59 AM

Subject:
CN="Navigation network co.,limited", OU=Software Department, OU=Digital ID Class 3 - Microsoft Software Validation v2, O="Navigation network co.,limited", L=Hongkong, S=Hongkong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2617E71F3DD61639E291AD2D048E1D8A

File PE Metadata
Compilation timestamp:
10/11/2015 10:41:16 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
3072:khEt1VFCiGPSAnKWtne4Mj9/Dq+MkY2mR0kQB25SGnf+/bs2WMwU6UM/0SWprwU9:kitj4iGxP/0k5SGfzPW+qdqmsqktUz

Entry address:
0x19D33

Entry point:
E8, 67, 9F, 00, 00, E9, 7F, FE, FF, FF, FF, 25, 58, F2, 42, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 44, 24, 0C, 53, 85, C0, 74, 52, 8B, 54, 24, 08, 33, DB, 8A, 5C, 24, 0C, F7, C2, 03, 00, 00, 00, 74, 16, 8A, 0A, 83, C2, 01, 32, CB, 74, 72, 83, E8, 01, 74, 32, F7, C2, 03, 00, 00, 00, 75, EA, 83, E8, 04, 72, 12, 57, 8B, FB, C1, E3, 08, 03, DF, 8B, FB, C1, E3, 10, 03, DF, EB, 1B, 5F, 83, C0, 04, 74, 0E, 8A, 0A, 83, C2, 01, 32, CB, 74, 40, 83, E8, 01, 75, F2, 5B, C3, 83, E8, 04, 72, E5, 8B...
 

Code size:
180.5 KB (184,832 bytes)

Service
Display name:
Net Service Event Handler

Service name:
Sed

Description:
Network service event handler for system.

Type:
Win32OwnProcess

Group:
Event log


The file ntsvc.exe has been discovered within the following program.

searchult  by Navigation
About 9% of users remove it
 

The file ntsvc.exe has been seen being distributed by the following 6 URLs.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-91-52-229.compute-1.amazonaws.com  (52.91.52.229:80)

TCP (HTTP):
Connects to ec2-52-201-213-112.compute-1.amazonaws.com  (52.201.213.112:80)

TCP (HTTP):

TCP (HTTP):

TCP (HTTP):
Connects to anubisnetworks.com  (195.22.26.248:80)
