[SearchService.exe 30/68 on VirusTotal.com, virus?]

3 minutes ago, itman said:

Per the Hybrid-Analysis, this isn't necessary:

 

Okay, thank you.

[SearchService.exe 30/68 on VirusTotal.com, virus?]

15 minutes ago, itman said:

In all likehoodly, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level.

Tip - if you run as a limited admin and don't have UAC set to maximum level, you need to do so. Most of these bypasses can be detected when UAC set to max.. Yes, you will receive additional UAC alerts but the increased security factor is worth the minor annoyance.

i have 1 more question: so if i use Wireshark, and put the filter as "dns" would i be able to get the persons IP and block it in the firewall?
also, i will set UAC to max.

[SearchService.exe 30/68 on VirusTotal.com, virus?]

Just now, itman said:

One other thing.

Malware should not be able to write to the C:\Windows directory w/o full admin privileges as shown in the below screen shot; at least for Win 10. So that is something you should check out.

 

Okay, so when i downloaded the RAT, the person disabled my "Administrator Permissions" I'm not really sure how, but i have it enabled now though.
He also kept opening up CMD and folders, so i kept pressing Alt + F4 so he could do anything,i believe he tried deleting ESET, thank god you can't delete it so easily, after that i restarted my computer, and it had an update, I'm not sure if the update was caused by the RAT or just a legit update. (it was a pretty small update)

[SearchService.exe 30/68 on VirusTotal.com, virus?]

1 minute ago, itman said:

Yes.

But I would zip it up in a folder in your download directory, etc. in the very remote chance its removal borks something in the near future. After a while with no issue related to its removal surfacing, you can then delete the folder.

Okay, thank you very much, and thanks for the very fast replies!

[SearchService.exe 30/68 on VirusTotal.com, virus?]

Just now, itman said:

With a behavior analysis score of 89/100 which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted.

Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

no, all it did was get rid of the startup.
so I'm guessing It's okay to delete?

[SearchService.exe 30/68 on VirusTotal.com, virus?]

5 hours ago, itman said:

What I do know is this.

Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc..

Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot on getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ .

What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware of, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.  

So i ran the adwcleaner and Searchservice no longer opens on start up like before.
and here is the link for the analysis: https://www.hybrid-analysis.com/sample/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/5be9cbea7ca3e132553fd388

[SearchService.exe 30/68 on VirusTotal.com, virus?]

11 hours ago, itman said:

I am not so sure that the search service.exe is a benign process. Here is a write up on the legit version: https://www.file.net/process/searchservice.exe.html .

The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.

Do you know if its supposed to open on startup?
edit: i just checked and my version of of searchservice.exe has a space..

[SearchService.exe 30/68 on VirusTotal.com, virus?]

11 minutes ago, Marcos said:

The file 490ff13c6e237ad51382426f9ef48ac44e2df540 is not malware. We won't add detection.

Ok, Thank you.

[SearchService.exe 30/68 on VirusTotal.com, virus?]

Recently I downloaded a RAT and the person started deleting things and downloading stuff, not too sure why but the person started to install AVAST Security on my PC? (maybe to override ESET so the RAT wouldn't get detected?) I think i did a pretty good job getting rid of the RAT? but, you can never be too sure so I installed Process Explore (alternative Task Manager) and then I checked everything with Virustotal.com, about 6 of the programs have like 1-3/60 detected, but SearchService.exe has 30/68, (i have never seen SearchService.exe before, until recently)
It's located in "C:\Windows" and is 198KB in size.
There isn't much info on it and I'm not quite sure what to do.
Here is the Virustotal link: https://www.virustotal.com/#/file/c1ac18c9c98e3fffc50553950c154601032048b4e007ef502bc9362f1acec90f/detection
It's also not verified by Microsoft.

[HIPS Is Not Functional]

thanks everyone, but it fixed itself? i have't done anything or updated anything and its working now?

[HIPS Is Not Functional]

So im on insiders build 17741.rs5_release.180814-1430 and eset updated today (1 hour ago from when i made this post) and the HIPS is not working? iv'e had this happen before but it was on windows part, not on esets part.