What the hell is bProtector Engine?

Discussion in 'Security and Viruses' started by jurx, Mar 17, 2012.

  1. jurx
    Hi!

    Yesterday I had a look over the process list in Task Manager, and what I saw there was a process called "bProtect.exe" (bProtector Engine). There is one System process and one user process listed; the file location is C:\ProgramData\bProtector. There are 2 files inside that folder, namely "bProtect.exe" and "bProtect.settings". I did a full scan with Malwarebytes, no viruses/adware found. Uploaded to VirusTotal, no virus found, but I don't think I have ever seen a process like this, that's why I'm asking. A day ago I got some trojan-clickers and it seems the files in that folder were created the same day. Is it safe to remove it?

    Any help would be appreciated
  3. leofelix
    Hello
    If you have Warcraft III installed, do not worry, as bProtector.exe is part of that game.
    If you do not have Warcraft III installed, have a look here

    http://www.threatexpert.com/files/bprotect.exe.html

    Moreover: MalwareBytes' Antimalware isn't an antivirus.

    Please download HitManPro, double click it and run a scan.
    Activate HitManPro only if malware has been found
    Last edited: Mar 17, 2012
  4. sujay
    Hi! Can you upload those two files to VirusTotal?
    https://www.virustotal.com/
    Tell us the scan results with link.
  5. leofelix
    ehr

    ; )
  6. sujay
    Oops, sorry.. :p
    But can you please give us the link to VirusTotal?
    I need to know the MD5 hash..!!
    If you know where/how to find the MD5 or SHA-1 hash, can you please search for it here?
    http://www.isthisfilesafe.com/

    It could be one of the following
    http://www.isthisfilesafe.com/company/bProtector_details.aspx
    http://www.isthisfilesafe.com/product/bProtector%20Engine_details.aspx
  7. jurx
    https://www.virustotal.com/file/f56...76b0b4bf539c38a7cba4146f291e179dcd0/analysis/
    https://www.virustotal.com/file/3d7...a97442ab666f30faa40973da/analysis/1332012786/

    MD5 hash: 86825c57cfd7babc8ab861aa0cff5212
    SHA256: f5607cbed88bc66d8b56cdcef09a276b0b4bf539c38a7cba4146f291e179dcd0

    ---------- Post added at 03:39 AM ---------- Previous post was at 03:39 AM ----------

    Version is 1.0.0.1

    ---------- Post added at 03:41 AM ---------- Previous post was at 03:39 AM ----------

    And under digital signatures, there is Performersoft LLC, hmm...

    ---------- Post added at 03:49 AM ---------- Previous post was at 03:41 AM ----------

    Interesting.


    isthisfilesafe.com
    ......................................
    bprotect.exe Details: Trusted
    • First seen: February 9, 2012
    • Last seen: March 17, 2012
    Properties
    • Company: bProtector
    • Product: bProtector Engine
    • Version: 1
    • Description: bProtector Engine
    • Copyright: Copyright (C) 2011
    Size
    • File Size: 773624 bytes (755.49 KB)
    Hashes
    • MD5: 86825C57CFD7BABC8AB861AA0CFF5212
    • SHA-1: EAEE211319514BBDB7216EA0D42C3AB4E2D3D496
    Certificate
    • Status: VALID
    • Company: Performersoft LLC
    • Start: July 13, 2011
    • End: June 25, 2012
    • Serial: 277B96F94D20C1
    • Authority: Go Daddy Secure Certification Authority
    Reported Behavior
    • Action: Inject code to other applications - 1 x
    • Action: Spyware like activity - 1 x
    -------------------------------------------------------------------
  8. sujay
    Last edited: Mar 17, 2012
  9. jurx
    There is also a bProtector service under the service manager. I'll try to remove it manually, as Malwarebytes, Kaspersky and PC Tools Anti Malware could not do it.

    ---------- Post added at 03:54 AM ---------- Previous post was at 03:53 AM ----------

    Oops, didn't see the last post.

    ---------- Post added at 03:55 AM ---------- Previous post was at 03:54 AM ----------

    But still, what if I would like to remove it? May I do it?

    ---------- Post added at 03:57 AM ---------- Previous post was at 03:55 AM ----------

    The problem is, I don't have Warcraft installed. Huh.
  10. sujay
    I would prefer that you not remove it. It may cause problems with other software that depends on it.

    And the behavior is of course not suspicious :lol: Try searching for Firefox and see how many suspicious activities it has. Actually those activities were derived from Emsisoft Mamutu Behavioral detection.
  11. jurx
    What did I just see... Under service description it says "your browser protector service", really, really strange. I'll try "hitman".

    ---------- Post added at 04:16 AM ---------- Previous post was at 03:59 AM ----------

    Thank you all!!
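
The checks the thread walks through by hand (file hashes, the digital signature, the bProtector service and its description), collected into one read-only script. This is an added example, not part of the original posts; it assumes PowerShell 4.0 or later and uses the path and hash values jurx posted.

```powershell
# Added example: read-only triage of the executable discussed in the thread.
# Path and hashes are the values jurx posted; the script changes nothing on disk.
# Assumes PowerShell 4.0+; run elevated so SYSTEM-owned items are visible.
$path           = 'C:\ProgramData\bProtector\bProtect.exe'
$expectedMd5    = '86825c57cfd7babc8ab861aa0cff5212'
$expectedSha256 = 'f5607cbed88bc66d8b56cdcef09a276b0b4bf539c38a7cba4146f291e179dcd0'

if (-not (Test-Path -LiteralPath $path)) {
    Write-Warning "File not found: $path"
    return
}

# 1. Hash the local file and compare with the values from the thread, so the
#    online lookup results are known to describe this exact binary.
#    (-eq on strings is case-insensitive, so hex case does not matter.)
$md5    = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
$sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

# 2. Authenticode signature: who signed it and whether the signature verifies.
$sig  = Get-AuthenticodeSignature -FilePath $path
$cert = $sig.SignerCertificate   # $null when the file is unsigned

[pscustomobject]@{
    MD5             = $md5
    MD5Matches      = ($md5 -eq $expectedMd5)
    SHA256          = $sha256
    SHA256Matches   = ($sha256 -eq $expectedSha256)
    SignatureStatus = $sig.Status
    Signer          = if ($cert) { $cert.Subject } else { '(unsigned)' }
    Issuer          = if ($cert) { $cert.Issuer } else { $null }
    Serial          = if ($cert) { $cert.SerialNumber } else { $null }
    ValidUntil      = if ($cert) { $cert.NotAfter } else { $null }
} | Format-List

# 3. Services whose image path points into the same folder, with the account
#    they run as and the description text shown in the service manager.
$dir = Split-Path -Parent $path
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$dir*" } |
    Format-List Name, DisplayName, Description, State, StartMode, StartName, PathName

# 4. Running processes started from that folder, with their owning session.
Get-Process |
    Where-Object { $_.Path -like "$dir\*" } |
    Format-List Id, ProcessName, SessionId, Path
```

A valid signature and a matching hash identify the publisher and the exact build; they do not say whether the software is wanted on the machine, so the service description and the file creation date still matter.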