
BProtector for Windows: A Case of Digitally Signed Malware

Recently, I was fixing an infected computer and discovered a very intrusive browser hijacker that tried to mimic a legitimate program on many levels.  The program is called "Bprotector for Windows", short for "Browser Protector for Windows", and as is often the case with rogue programs, it did just the opposite of what its name implies.  And yet, so complete is this ruse that none of the security programs I tested recognized the program's EXE or accompanying DLL file as malware.  In fact, the detection rate at VirusTotal was a disappointing 0/42 for both of the infection's primary executable files, bProtect.exe and protector.DLL:

VirusTotal scan result for bProtect.EXE = 0/42

VirusTotal scan result for protector.DLL = 0/42

This was the case despite the fact that this malware completely took over Firefox and Internet Explorer and left Google Chrome completely non-operational.  It accomplished this in part by installing a "Babylon Plug-in for IE" and a Firefox Babylon Search add-on, which left both browsers beset with pop-ups and incapable of conducting any normal searches.

Hence, I was forced to use a clean computer to download analysis and removal tools (Process Explorer and Autoruns) to a USB flash drive to combat this infection.  And, since its detection rate was negligible, I knew I was unable to rely on any conventional scanners to rid the PC of this beast.  No, it would be manual removal all the way, based on the nearly fail-safe premise that most manual and automatic methods follow:

Locate & disable the infected startups (executable load points) and then remove the executable files they reference. 

SYSTEM CHANGES

Relevant File System Changes

Folder:

C:\ProgramData\bProtectorForWindows\2.2.453.59

Executable Files:

C:\ProgramData\bProtectorForWindows\2.2.453.59\bProtect.exe  1,677,856 bytes

C:\ProgramData\bProtectorForWindows\2.2.453.59\protector.dll  2,008,096 bytes

The most visible signs of this infection, from an analysis perspective, are the process bprotect.exe that is viewable in Task Manager, and the library file protector.dll that is loaded through the AppInit_DLLs registry value located under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


The location of the BProtector Program folder was a dead giveaway that something was amiss, because no legitimate programs install themselves into a nested location within the ProgramData folder.  This is simply a hideaway location, selected to avoid detection.

Bprotect.exe loads as a Windows service with a display name of bProtector and a description of "Your browser protector service".  The service is set to start automatically at system startup.

This is an export of the bprotector service registry key:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bProtector]
"Type"=dword:00000020
"Start"=dword:00000002   
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,62,00,50,00,72,00,6f,00,74,00,65,00,63,00,74,\
  00,6f,00,72,00,46,00,6f,00,72,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,32,00,2e,00,32,00,2e,00,34,00,35,00,33,00,2e,00,35,00,39,00,5c,00,62,\
  00,50,00,72,00,6f,00,74,00,65,00,63,00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="bProtector"
"ObjectName"="LocalSystem"
"Description"="Your browser protector service"
"FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,14,00,00,\
  00,01,00,00,00,30,75,00,00
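An export like the one above can be triaged offline, for example from a hive copied off the disk. The following Python is added here and is not part of the original article: it parses that .reg text, decodes the hex(2) ImagePath from its UTF-16LE bytes, and flags the automatic start and the ProgramData location; REG_EXPORT is the export shown above, and set_start_disabled produces the Start=4 edit that disables the service.

```python
import re
# Registry export of the bProtector service key, copied from this article and used here
# as sample input. The hex(2) blob is the REG_EXPAND_SZ ImagePath as UTF-16LE bytes.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bProtector]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,62,00,50,00,72,00,6f,00,74,00,65,00,63,00,74,\
  00,6f,00,72,00,46,00,6f,00,72,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
  5c,00,32,00,2e,00,32,00,2e,00,34,00,35,00,33,00,2e,00,35,00,39,00,5c,00,62,\
  00,50,00,72,00,6f,00,74,00,65,00,63,00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="bProtector"
"ObjectName"="LocalSystem"
"Description"="Your browser protector service"
'''
START_TYPES = {0: 'boot', 1: 'system', 2: 'auto', 3: 'manual', 4: 'disabled'}

def parse_reg_values(text):
    """Return {name: raw_value}; hex blobs that end in ',\\' continue on the next line."""
    joined = re.sub(r',\\\r?\n[ \t]*', ',', text)
    values = {}
    for line in joined.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def decode_value(raw):
    """Decode dword:, hex(2): (REG_EXPAND_SZ, UTF-16LE, NUL-terminated) and "string" values."""
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw.strip('"')

def triage_service(text):
    """Decode the service's start type and binary path and flag the traits the article describes."""
    v = {name: decode_value(raw) for name, raw in parse_reg_values(text).items()}
    image = v.get('ImagePath', '')
    findings = []
    if v.get('Start') == 2:
        findings.append('starts automatically at boot')
    if '\\programdata\\' in image.lower():
        findings.append('binary lives under ProgramData, where legitimate services do not install')
    return {'display_name': v.get('DisplayName'), 'image_path': image,
            'start': START_TYPES.get(v.get('Start'), v.get('Start')), 'findings': findings}

def set_start_disabled(text):
    """Rewrite the export so re-importing it sets Start=4 (Disabled), as the article does by hand."""
    return re.sub(r'"Start"=dword:[0-9a-fA-F]{8}', '"Start"=dword:00000004', text)
```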

The infection inserts a scheduled task called 'BProtector' into the Windows Task Scheduler to ensure that the bProtector service runs continuously and restarts if it is stopped.  This BProtector task triggers the Service Control Manager (sc.exe) to start the BProtector service by running it once every minute, indefinitely. This task must be deleted using Task Scheduler's 'Action' menu as part of the infection clean-up:


If you try to terminate the process bprotect.exe, it will immediately respawn by using a child process to accomplish this (I witnessed this happening by viewing bProtect.exe's child process in Process Explorer's Process Tree).  Upon viewing this perpetual respawning, I immediately decided the best course of action was to set the bProtector service Startup Type to “Disabled” by setting its Start value to 4. This prevents the service from restarting after a system reboot.

This can also be accomplished by directly editing this bProtector Service key in the Registry (refer to the export of this key above):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bProtector

Just change the Start value from "Start"=dword:00000002 to "Start"=dword:00000004.  It can also be done by issuing the appropriate "SC" command from the command prompt (elevated in Windows 7, 8 & Vista) as follows:

sc config bProtector start= disabled

As mentioned above, in all versions of Windows released after XP that incorporate UAC (User Account Control), the command prompt must be "Run as Administrator" by selecting that option from the context menu of cmd.exe. 

Service Console showing disabled bProtector Service:


Before rebooting, it was also necessary to disable the Protector.dll startup loaded through AppInit_DLLs. I did this by removing Protector.dll from the value data of the AppInit_DLLs value under the Windows key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


There can be legitimate DLLs loaded under AppInit_DLLs, separated by commas or spaces, so it is necessary to leave intact those that are determined to originate from legitimate programs, by doing a little investigatory research beforehand.


Moral of the story - do NOT just delete the entire AppInit_DLLs data value if more than one DLL is listed there.   Target only those DLLs that are illegitimate for removal and leave the rest.   Above all, do NOT delete the entire "Windows" registry key, and back up your registry before attempting any edits!
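As an added illustration of editing that value surgically (this is not code from the original post), the Python below splits an AppInit_DLLs string on the comma and space delimiters the article mentions, flags entries loaded from ProgramData, and removes only the named DLL while keeping the others in order; the sample value and the name example_legit.dll are constructed for the example.

```python
import re

# Constructed sample of an AppInit_DLLs value: one legitimate-looking entry plus the
# bProtector library, using both separators Windows accepts (comma and space).
# example_legit.dll is a placeholder name, not a real file.
SAMPLE_APPINIT = (r'C:\Windows\System32\example_legit.dll, '
                  r'C:\ProgramData\bProtectorForWindows\2.2.453.59\protector.dll')

def split_appinit(value):
    """AppInit_DLLs entries are delimited by commas and/or spaces."""
    return [p for p in re.split(r'[,\s]+', value.strip()) if p]

def suspicious_entries(value):
    """Flag entries loaded from ProgramData, the hideaway location the article describes."""
    return [p for p in split_appinit(value) if '\\programdata\\' in p.lower()]

def remove_dlls(value, unwanted):
    """Drop only the named DLLs (case-insensitive match on file name or full path) and keep
    the rest in order. Returns the string to put back in the value data; an empty result
    means the whole value data can be cleared because nothing legitimate was listed."""
    targets = {u.lower() for u in unwanted}
    kept = [p for p in split_appinit(value)
            if p.lower() not in targets and p.lower().rsplit('\\', 1)[-1] not in targets]
    return ','.join(kept)
```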


With the infected start-ups set to disabled, it was time to restart the computer so the infection would no longer be running. After rebooting, the infection was effectively rendered inactive, and what remained was cleaning up the 'fallout'.  The fallout consisted of restoring all browsers to their pre-infection state by removing the Babylon Toolbar for IE and the Babylon Firefox search add-on. I also had to uninstall and reinstall the Google Chrome browser, as it had become nonfunctional.

Before I deleted the bProtector folder, I did some research into the origin of this hijacker.

The following is an image of the Properties of bprotect.exe.  Observe the entry under the "Language" field: "Ukrainian" - if you know anything about cybercrime and its sources (Ukraine is the epicenter of the Zeus botnet) - well, enough said!

I also used Microsoft's digital signature verification program, "Sigcheck", to determine whether the infected executable files were signed.  I had a hunch that this might be the reason why bProtect.exe and Protector.dll were not targeted by any anti-malware programs, resulting in a completely clean VirusTotal scan result.

The following is the Sigcheck output for bProtect.exe (protector.dll has a similar result):

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>sigcheck F:\TOOLS\bProtectorForWindows\2.2.453.59\bprotect.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

f:\tools\bprotectorforwindows\2.2.453.59\bProtect.exe:
        Verified:       Signed
        Signing date:   9:48 AM 6/10/2012
        Publisher:      bProtector
        Description:    bProtector Engine
        Product:        bProtector Engine
        Version:        2,2,453,59
        File version:   2,2,453,59

Sure enough, this was a case of "digitally signed" malware (Protector.dll was also digitally signed), which is highly unusual, as only a very small proportion of malware files are digitally signed. However, the growing use of stolen and rogue (counterfeit) digital certificates by malware has caused this number to rise recently. The reasoning behind this strategy is twofold: it enables malware to bypass the driver signing requirements of 64-bit Windows, allowing it to gain entry onto a system, and it also prevents it from being flagged as malware by most anti-malware programs, since the assumption may be that a digitally signed file must be legitimate.

The bProtect.exe Digital Signature Details dialog revealed an expired certificate that lists 'Go Daddy Secure Certification Authority' as the issuer and PerformerSoft LLC as the subject.


An inspection of the software sold on the PerformerSoft website gives no indication that they create or distribute anything called "BProtector for Windows", and their "Contact us" page shows they have an Oregon (not a Ukrainian) address... so, not surprisingly, something is very fishy here.

All of the findings irrefutably point to this BProtector imposter being a case of digitally signed malware!  It is true that there are a multitude of rogue security programs that masquerade as something beneficial to your computer. However, it is quite rare, though not impossible, to find a digitally signed rogue program (the fake System Restore program being the only one I know of), and that is what makes BProtector for Windows so unique.

BProtector Removal Instructions

Since my explanation of how to remove BProtector was interwoven with a description of its "modus operandi", I will now briefly summarize the BProtector removal instructions.

Note: Please remember to back up your registry before attempting any registry edits. A good program to use is ERUNT.  You can download it and read usage directions in this ERUNT tutorial at Geekstogo.com.


1. Set the bProtector service to disabled using Regedit, or invoke the relevant sc command from an elevated command prompt (click Start, type cmd into the Search box, right-click cmd.exe and select 'Run as Administrator'); next, type or copy/paste the following command into the command prompt window, and hit Enter:

sc config bProtector start= disabled


2. Delete the Protector.dll entry from the AppInit_DLLs registry value's data while preserving any legitimate DLLs.

  • Open the Windows Registry Editor, Regedit.exe, by clicking Start, typing regedit into the search box, and clicking regedit.exe in the search results. Then navigate to the following registry key by clicking the + or > symbol next to each registry key to expand it:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

  • Double-click the AppInit_DLLs value in the right pane, delete Protector.dll from the Value data field, click OK, and then close Regedit.


3. Reboot the computer to disable the infected startups.


4. Open Task Manager (Ctrl + Shift + Esc), select the 'Processes' tab, and confirm that bprotect.exe is no longer running in Task Manager's list of active processes.


5. Open Task Scheduler (Start -> Administrative Tools -> Task Scheduler).

  • On the menu, click 'View' -> 'Show Hidden Tasks' and ensure that it is checked

  • In the Task Status window, use the pull-down list to set the task time period to 30 days. The lower pane will refresh to show all active tasks run during the last 30 days

  • In the Active Tasks window, double-click the bProtector task, and select 'Delete' from the Action menu


6. Delete the following bProtector folder and all subfolders that appear within it:

C:\ProgramData\bProtectorForWindows\

Run this command from an elevated command prompt ('Run as Administrator') to do that:

rmdir /s C:\ProgramData\bProtectorForWindows\

7. Open Control Panel -> 'Programs and Features' and uninstall "Babylon Plug-in for IE"

8. If you use the Firefox browser, you will need to remove the Firefox Babylon Search Add-on under the list of Firefox Add-ons

9. If you use the Google Chrome browser, you will probably need to uninstall and reinstall it

10. Delete the bProtector service by launching an elevated command prompt (type cmd into the Start Search box, right-click cmd.exe and select 'Run as Administrator').  Then type the following sc command:

sc delete bprotector

Next, as a double-check, open the Services console (Start -> Administrative Tools -> Services) and verify that bProtector does NOT appear in the alphabetical list of services.


Comments

So... how do I remove this nasty guy from my PC?

I tried deleting all folders and files but wasn't allowed to do so.

I tried using
sc stop "bProtector" in the Command Prompt, but couldn't find it

I deleted some keys in the registry, but I'm not sure I really got rid of it.

And as you mentioned, my anti-virus simply cannot see bProtector as being a bad guy.

Suggestions?
Thanks!

OMG - THIS WORKED !!!!!
There were a couple of steps that I didn't need to do. In Task Scheduler I could find bProtector in my Local list but not in the Library, so the delete button didn't come up in the Action list, so I had to skip this step. Also I couldn't find any Babylon Plug-ins so I had to skip that step too. Also I totally uninstalled Firefox cos I am sure that is when my problem started with Findamo - not going to install it again. I will watch out for Babylon Plugins from now on and I have printed out your instructions just in case I need to go again. I have one question. Has my security and privacy been compromised by people in the Ukraine now because bProtector has been on my computer for months?

Thank you more than you know for your assistance :)

Thank you very much. Your work is the only one I found on the Internet that really works.

Hi,

I am a support representative with PerformerSoft LLC.

I wanted to reach-out and address your concerns.

bProtector is a third party technology we experimented with a few months ago. It sounds like you used that old version. We are no longer using this technology in our products.

If you'd like to remove the bProtector, you can easily do this from the Control Panel - Add/Remove Programs. It's a single click uninstall that completely removes bProtector from your machine.

After reading your detailed analysis, it sounds like you didn't try this simple approach? It's very easy to uninstall bProtector.

We have a page on our website that clearly explains how to uninstall our products: http://www.performersoft.com/contact-us.php?action=q8

Should you have any additional questions about PerformerSoft or our products, please feel free to contact us at support@performersoft.com

We are always here to help!

Sincerely,
PerformerSoft Support
http://www.performersoft.com

Blog Owner's Response:

The version of Bprotector for Windows I analyzed was NOT installed with the user's consent and it was also NOT removable through the Control Panel. The only program which did show up in the Control Panel was Babylon search for IE (also foistware).

Furthermore, BProtector did everything it could to resist removal. Its process was not killable and it perpetually relaunched itself by creating a scheduled task to run once every minute, indefinitely. If you Google bprotect.exe or BProtector for Windows, you'll find a multitude of well-warranted complaints about this program from users who do not know how it got on their computers. They only know one thing - they want it off! The program makes it impossible to use the internet because it cripples the browsing experience.

The only good thing I can say is that you are wise to have abandoned bundling such an undesirable rogue product with your products. However, the system that I personally disinfected did not have any of your advertised programs installed, so it must originate from other sources as well.

Thanks for this post. It made me realise that I had downloaded malware onto my computer. I have tried to follow your instructions. I uninstalled bprotector from my computer and stopped it in the task manager. Since I took these actions, I have not seen any file bearing 'bprotector' or 'protector'. Yet it was still operating in my Firefox browser. I uninstalled Firefox and re-installed it and this Babylon browser is still there. It is also still operating in Internet Explorer. Though my Google Chrome is working. I have searched all the areas of the computer mentioned in your post but there is no 'bprotector' or 'protector' in all the places I checked. Please, what else can I do to get rid of this malware from Firefox and Internet Explorer? Does it mean I still have it on my computer? Thanks.

Hi negster22,

thank you very much for the very instructive outline to get rid of bprotectorforwindows. I followed your instruction and was able to delete this bad guy from my PC. Excellent help!!! Many thanks again!

ruediger

Same thing here: No uninstall, eventually used a linux boot CD to delete protector.dll before cleaning up.

Thanks for posting this, you saved me a lot of time finding out where to remove some weird reference.

Thank you so much! I've been searching for a solution for weeks now, nothing worked, even a call to my local tech support!

Hi.
Interesting story. I have been trying to recall when and where I got "protector". I am 99% sure I got it when downloading and installing the CAD software Designworks Lite 4 from a site called designworks-lite.en.softonic.com. Flagfox indicated a Spanish server. Designworks Lite 4 originated from capilano.com in Canada but is discontinued. I will now try to remove "bprotector". Thank you.
Sincerely yours.

Otto Nielsen

Do you know if this bprotector software is related to Findamo Manager? I mean, in my RegEdit I found a bProtector folder and it calls some Findamo Manager DLL.

Also, is this the cause of the searchplugin folder every time I open an Office file?
