Adware-Bprotect

This page shows details and results of our analysis of the malware Adware-Bprotect.

Overview

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Aliases –

Fortinet    -    Adware/Bprotect
Symantec    -    Adware.GoonSquad


Minimum Engine

5600.1067

File Length

Varies

Description Added

2013-06-25

Description Modified

2013-07-01

Malware Proliferation

Characteristics

AdWare-Bprotect is a fake performersoft installer. It drops a DLL named "Browserprotect.dll" that runs as a Browser Helper Object (BHO).

Browserprotect.dll is a BHO extension installed into Google Chrome, Firefox or Internet Explorer. The application claims to secure your browser and protect it from harm and damage, but in reality Browserprotect.dll is a fake and corrupt program. Websites are automatically opened on the computer at frequent intervals.

AdWare-Bprotect also disables the following:
  • Folder options
  • Task manager
  • Registry editing tools
  • Active Desktop
  • SaveZoneInformation.
The following are the registry key values added to the system:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1
The "DisableTaskMgr" values above confirm that the application disables the Task Manager.

  • [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs" = [path]\browse~1.dll [path]\browserprotect.dll
The above registry key value confirms that the application loads upon every system boot.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = 0
The above registry key value confirms that the application hides itself from the user by disabling the "ShowSuperHidden" option.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = 1
The above registry key value confirms that the application turns off the "Active Desktop".
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
The above registry key value confirms that the adware enables "SaveZoneInformation". With this policy setting enabled, Windows does not mark file attachments with their zone information.
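As an added example (not part of the original description), the following Python script parses a .reg export (for instance one produced with `reg export`) and reports the registry values listed above whenever they hold the data described. The embedded sample export is constructed, and the install paths in it are placeholders.

```python
import re

# Indicators from the description above: (key, value name) -> flagged data; AppInit_DLLs is matched on substring.
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
INDICATORS = {
    (HKCU + r"\Policies\System", "DisableTaskMgr"): 1,
    (HKLM + r"\Policies\System", "DisableTaskMgr"): 1,
    (HKCU + r"\Internet Settings", "CertificateRevocation"): 0,
    (HKCU + r"\Explorer\Advanced", "ShowSuperHidden"): 0,
    (HKCU + r"\Policies\ActiveDesktop", "NoChangingWallPaper"): 1,
    (HKCU + r"\Policies\Attachments", "SaveZoneInformation"): 1,
}
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

def parse_reg(text):
    """Parse a .reg export into {(key, name): data} with keys/names lowercased, dword -> int."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, s = m.groups()
                entries[(key, name.lower())] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return entries

def find_bprotect_indicators(text):
    """Return sorted findings for every indicator present with the flagged data."""
    entries = parse_reg(text)
    findings = []
    for (key, name), bad in INDICATORS.items():
        if entries.get((key.lower(), name.lower())) == bad:
            findings.append(f"{name} = {bad} under {key}")
    appinit = entries.get((APPINIT_KEY.lower(), "appinit_dlls"))
    if isinstance(appinit, str) and "browserprotect.dll" in appinit.lower():
        findings.append(f"AppInit_DLLs references browserprotect.dll: {appinit}")
    return sorted(findings)

# Constructed sample export: DisableTaskMgr and AppInit_DLLs match; ShowSuperHidden = 1 is not flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PLACEHOLDER\\browse~1.dll C:\\PLACEHOLDER\\browserprotect.dll"
"""
```

Calling `find_bprotect_indicators(SAMPLE_REG)` returns two findings for the sample; a clean export with the same keys at their default values returns an empty list.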

It copies its own file to the following locations:

  • %Profile%\Local Settings\Temp\
  • %ProgramFiles%\
  • %UserProfile%\

Symptoms

Presence of the above-mentioned activities.

Method of Infection

This is not a virus or Trojan. PUPs do not "infect" systems. They may be installed by a user individually or possibly as a part of a software package (in a bundle, for example).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants