This page shows details and results of our analysis of the malware Adware-Bprotect.

Threat Detail

  • Malware Type: PUP
  • Malware Sub-type: Adware
  • Protection Added: 2013-06-25

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Aliases –

Fortinet    -    Adware/Bprotect
Symantec    -    Adware.GoonSquad

Malware Proliferation

AdWare-Bprotect is a fake performersoft installer. It drops a DLL named "Browserprotect.dll" that works as a BHO (Browser Helper Object).

Browserprotect.dll is a BHO extension installed on Google Chrome, Firefox or Internet Explorer. The application claims to provide security and to protect the browser from harm and damage, but in reality Browserprotect.dll is a fake and corrupt program. Websites are automatically opened on the computer at frequent intervals.

AdWare-Bprotect also disables the following:
  • Folder options
  • Task manager
  • Registry editing tools
  • Active Desktop
  • SaveZoneInformation.

The following are the registry key values added to the system:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "CertificateRevocation" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "DisableTaskMgr" = 1
The "DisableTaskMgr" values above confirm that the application disables the Task Manager.

  • [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows] "AppInit_DLLs" = [path]\browse~1.dll [path]\browserprotect.dll
The above registry key value confirms that the application loads upon every system boot.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = 0
The above registry key value confirms that the application hides itself from the user by disabling the "ShowSuperHidden" option.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop "NoChangingWallPaper" = 1
The above registry key value confirms that the application turns off the "Active Desktop".

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = 1
The above registry key value confirms that the adware enables "SaveZoneInformation". With this policy setting enabled, Windows does not mark file attachments with their zone information.
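
For triage, the registry values listed above can be checked offline against a `reg export` dump. The following is an added example, not part of the original write-up or any vendor tooling; it assumes the export has already been decoded to text, and the sample export and the `C:\PROGRA~1\Example` path are constructed.

```python
import re

# Indicators copied from the registry list above: (key, value name, dword data).
CV = r"\Software\Microsoft\Windows\CurrentVersion"
HKCU, HKLM = "HKEY_CURRENT_USER" + CV, "HKEY_LOCAL_MACHINE" + CV
INDICATORS = [
    (HKCU + r"\Internet Settings", "CertificateRevocation", 0),
    (HKCU + r"\Policies\System", "DisableTaskMgr", 1),
    (HKLM + r"\Policies\System", "DisableTaskMgr", 1),
    # 0 is also the Windows default here, so treat a hit as supporting evidence only.
    (HKCU + r"\Explorer\Advanced", "ShowSuperHidden", 0),
    (HKCU + r"\Policies\ActiveDesktop", "NoChangingWallPaper", 1),
    (HKCU + r"\Policies\Attachments", "SaveZoneInformation", 1),
]
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg(text):
    """Parse decoded `reg export` text into {(key, name): data}, lower-casing key and name."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1).lower()
        elif (m := VALUE.match(line)) and key:
            raw = m.group(2)
            data = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"').replace("\\\\", "\\")
            values[(key, m.group(1).lower())] = data
    return values

def find_indicators(text):
    """Return one description per indicator from the write-up found in the export."""
    values = parse_reg(text)
    hits = [f"{k}\\{n} = {d}" for k, n, d in INDICATORS if values.get((k.lower(), n.lower())) == d]
    appinit = values.get((APPINIT_KEY.lower(), "appinit_dlls"), "")
    if isinstance(appinit, str) and "browserprotect.dll" in appinit.lower():
        hits.append(APPINIT_KEY + "\\AppInit_DLLs references browserprotect.dll")
    return hits

# Constructed sample export (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Example\\browserprotect.dll"
'''
```

Calling `find_indicators(SAMPLE)` reports the Task Manager policy and the AppInit_DLLs entry; the sample's "ShowSuperHidden" value of 1 does not match the listed value of 0 and is not reported.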

It copies its own file to the following locations:

  • %Profile%\Local Settings\Temp\
  • %ProgramFiles%\
  • %UserProfile%\

Presence of the above-mentioned activities.

This is not a virus or Trojan. PUPs do not "infect" systems. They may be installed by a user individually or possibly as a part of a software package (in a bundle, for example).

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).