SearchProtection.exe

Search Protection

Lavasoft Limited

The application SearchProtection.exe by Lavasoft Limited has been detected as a potentially unwanted program by 3 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘Search Protection’. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modifying the browser's search and home pages.
Publisher:
Lavasoft  (signed by Lavasoft Limited)

Product:
Search Protection

Version:
2,0,5,00

MD5:
807eeedc836be4f94725d4813a04a09e

SHA-1:
f9a0559d876e51ed4e58c73650cdcc635120ccfd

SHA-256:
d9cef4dbcdf9636f0a3a51aba6c150d728da7f786765e44657884f4c004b05a1

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
4/18/2024 8:47:53 AM UTC  (today)

Scan engine        Detection             Engine version
avast!             Win32:Evo-gen [Susp]  160118-1
Dr.Web             Adware.BGuard.52      9.0.1.05190
Reason Heuristics  PUP.SearchProtect     16.2.28.13

File size:
927.3 KB (949,512 bytes)

Product version:
2,0,5,00

Copyright:
(c) 2013 Visicom Media Inc. All rights reserved.

Original file name:
SearchProtection.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\ProgramData\search protection\searchprotection.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/8/2013 7:00:00 AM

Valid to:
7/25/2015 6:59:59 AM

Subject:
CN=Lavasoft Limited, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Lavasoft Limited, L=sliema, S=Malta, C=MT

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0E13B3A79AA60B7EA934163F5237606B

File PE Metadata
Compilation timestamp:
6/5/2013 1:16:09 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:sEnRN28OVh8p5+/gjZupEYYZrrWAPEfl9zbwVyt/C7/Zt/lot9r9RZZMuq5LRM:sE728SSp5+/lArjSnjF9RUuq5

Entry address:
0x837CD

Entry point:
E8, E0, 06, 01, 00, E9, 79, FE, FF, FF, CC, 68, 90, 03, 48, 00, 64, FF, 35, 00, 00, 00, 00, 8B, 44, 24, 10, 89, 6C, 24, 10, 8D, 6C, 24, 10, 2B, E0, 53, 56, 57, A1, 70, D5, 4B, 00, 31, 45, FC, 33, C5, 50, 89, 65, E8, FF, 75, F8, 8B, 45, FC, C7, 45, FC, FE, FF, FF, FF, 89, 45, F8, 8D, 45, F0, 64, A3, 00, 00, 00, 00, C3, 8B, 4D, F0, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, C3, CC, CC, CC, 68, 90, 03, 48, 00, 64, FF, 35, 00, 00, 00, 00, 8B, 44, 24, 10, 89, 6C, 24, 10, 8D, 6C, 24, 10, 2B...
 

Entropy:
6.0537

Code size:
641.5 KB (656,896 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Search Protection

Command:
C:\ProgramData\search protection\searchprotection.exe

