search_protect.exe

StartNow Search Update

Zugo Ltd

The application search_protect.exe by Zugo has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘StartNow Search Protect’. This file is typically installed with the program StartNow Toolbar by StartNow.com, which is a potentially unwanted software program. While running, it connects to the Internet address utrack1.zugo.com on port 80 using the HTTP protocol.
Publisher:
Zugo Ltd  (signed and verified)

Product:
StartNow Search Update

Version:
1.0

MD5:
9fc90fe4883297aed915ce0c411b4156

SHA-1:
1c2c11aa7819c7545dce5496556e40f5ae45fc7f

SHA-256:
0e4d05d56cc5e14f13b5b0d5273ed204bee1ca0dbf395dffc6f13edde4d2a744

Scanner detections:
4 / 68

Status:
Adware

Analysis date:
4/25/2024 6:52:49 AM UTC

Scan engine          Detection                               Engine version
Dr.Web               Adware.Zugo.71                          9.0.1.0109
Reason Heuristics    PUP.Startup.Zugo.O                      14.8.7.17
Vba32 AntiVirus      suspected of Trojan.Downloader.gen.h    3.12.24.3
VIPRE Antivirus      Zugo Ltd                                26742

File size:
727.9 KB (745,368 bytes)

Product version:
1.0

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\Program Files\startnow toolbar\search_protect.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
1/30/2013 7:00:00 PM

Valid to:
1/31/2016 6:59:59 PM

Subject:
CN=Zugo Ltd, O=Zugo Ltd, STREET=PO Box 36, STREET=1st Floor, STREET=37 Broad St., L=St Helier, S=Jersey, PostalCode=JE4 9NU, C=JE

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FA860DF2AC924FC31176C787706F3824

File PE Metadata
Compilation timestamp:
12/7/2011 9:34:40 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.56

CTPH (ssdeep):
12288:Wur6DZL19RaVpqUdHO6zFVxwAabiBVCVGkZMmOo82krkxI1mPP9Ts:W1ZRYfJZzbUmO55Od2VHHls

Entry address:
0x4040

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, E8, B3, 52, 00, 00, C7, 04, 24, 01, 80, 00, 00, E8, 5F, 4F, 00, 00, 56, C7, 04, 24, 00, 00, 00, 00, E8, C2, 52, 00, 00, 53, A3, 50, 5B, 42, 00, C7, 04, 24, 08, 00, 00, 00, E8, 3E, 32, 00, 00, A3, 00, 5C, 42, 00, 8D, 85, 84, FE, FF, FF, 51, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A4, B2, 40, 00, E8, EC, 51, 00, 00, 83, EC, 14, C7, 44, 24, 04, A5, B2, 40, 00, C7, 04, 24, 30, 5C...

Entropy:
7.9112  (probably packed)

Code size:
33 KB (33,792 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
StartNow Search Protect

Command:
"C:\Program Files\startnow toolbar\search_protect.exe" \report \protect \relay


The file search_protect.exe has been discovered within the following programs.

StartNow Toolbar  by StartNow.com
StartNow is a web browser toolbar that changes your homepage and redirects valid searches.
about.startnow.com
79% remove it

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to utrack1.zugo.com  (66.45.230.62:80)
