SearchProtect

Search Protect (Adware.MacOS.SearchProtect) is a potentially unwanted program (PUP) that installs automatically and without the user's consent. At the same time, it drops a bundle of other similar applications, and anti-malware programs detect it as Adware.MacOS.SearchProtect. Since the entire bundle that comes with this PUP contains many different tools that affect various parts of the infected machine, manual removal becomes very complicated for inexperienced users.

Search Protect has been flagged as a PUP because it has exhibited browser hijacker functionalities. Additionally, it has been developed by a questionable company that is held responsible for other browser hijackers, like Conduit, Trovi, and Search.conduit.com. All these programs have been observed to change browser settings, deliver intrusive ads, cause redirects to suspicious websites and fake search engines, etc. Search Protect affects all popular browsers, and apart from hijacking your browser, it can also track your browsing history, record your searches, and collect sensitive personal information. These features represent a serious threat to your online security.

To remove Search Protect from your MacOS computer entirely, it is advisable to use an automated tool to identify and fix all issues caused by this PUP, like disabled programs, altered registry entries, installed browser extensions, and modified browser settings, and so on.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Search Protect
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: c8977c7700601fcf3980fbd78c7ff1e9 SHA1: b27a52385211645234cb5ff24b9b3eb102c4e823 File Size: 198.41 KB, 198405 bytes

MD5: 3b83bf2fe3752186ef9b9cbf6d181a05 SHA1: b40df683a6398d80aca08aa246d1b19d81db42b2 SHA256: 8E3C8086E861FF34B6D54D28CCAF5FA9B2C8736788BC241077CF551B02F8AD67 File Size: 1.82 MB, 1824480 bytes

MD5: e7e0fc2fa970eaf007d495e66c752e8d SHA1: 295a79a8e1430e29e2c327d9a202b2c523288fd6 SHA256: 7C447059371CA35895489EFC406AA51585406545DBA92FA36CDDEE5EF68AEA3B File Size: 156.86 KB, 156864 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed

Show More

• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	Ad-Aware Security Add-on MyStart Toolbar
Company Name	Lavasoft Visicom Media Inc. Yahoo! Inc.
File Description	Ad-Aware Security Add-on Uninstaller MyStart Toolbar Installer Yahoo! Toolbar Setup
File Version	2007.11.07.01 5.5 3.5
Legal Copyright	Copyright (c) 2007 Yahoo! Inc. © Lavasoft © Visicom Media Inc.
Legal Trademarks	Lavasoft, All Rights Reserved Visicom Media Inc., All Rights Reserved
Product Name	Ad-Aware Security Add-on MyStart Toolbar
Product Version	5.5.0.2 3.5.0.3

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
Yahoo! Inc.	VeriSign Class 3 Code Signing 2004 CA	Root Not Trusted
Lavasoft Limited	VeriSign Class 3 Code Signing 2010 CA	Self Signed

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\temp\adaware-manifest.xml	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\adaware-toolbar.xml	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\adawaretb_uninstall_log.txt	Read Attributes,Synchronize,Append data
c:\users\user\appdata\local\temp\adawaretb_uninstall_log.txt	Read Attributes,Synchronize,Write Data
c:\users\user\appdata\local\temp\nshcff8.tmp\langdll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshcff8.tmp\logex.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshcff8.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshcff8.tmp\uac.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshcff8.tmp\xml.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\finish.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\nsk49b8.tmp\finish.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\installoptions.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\privacy.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsk49b8.tmp\privacy.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\toolbar.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk49b8.tmp\welcome.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsk49b8.tmp\welcome.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsqcc8c.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsqcd76.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsrcfe7.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsvcd96.tmp\ad-aware security add-on uninstall.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\nsvcd96.tmp\logex.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsvcd96.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsvcd96.tmp\uac.dat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\uncmdline.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\uncmdline.txt	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKLM\software\wow6432node\yahoo::ntatest	1	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\software\wow6432node\adawaretb::campaignidie	I	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Keyboard Access	GetKeyState
Process Shell Execute	CreateProcess

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

"C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\

"C:\Users\Tamxoess\AppData\Local\Temp\nsvCD96.tmp\Ad-Aware Security Add-on uninstall.exe" /NCRC _?=c:\users\user\downloads