Is bprotect.exe a virus/malware or trojan?

I was out of town for the weekend and I came home to see that bprotect.exe was running as a process. I looked around on the web but couldn’t determine for sure 1. How it got there (but I have a family) 2. Is it a threat?

I found where the program is located but could not remove it in normal mode. If you terminate the process, it immediately restarts.

Any advice would be appreciated.

Darrell

bprotect.exe
2. Is it a threat?
Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners. When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/

Well, here is what they said:

SHA256: f5607cbed88bc66d8b56cdcef09a276b0b4bf539c38a7cba4146f291e179dcd0
SHA1: eaee211319514bbdb7216ea0d42c3ab4e2d3d496
MD5: 86825c57cfd7babc8ab861aa0cff5212
File size: 755.5 KB ( 773624 bytes )
File name: bProtect.exe
File type: Win32 EXE
Detection ratio: 0 / 42
Analysis date: 2012-03-05 19:20:03 UTC ( 2 minutes ago )

So I guess it isn’t a virus. However, I see no way to remove this file and see nothing that it does.

Darrell

What we do is post the scan link, like this :wink:

https://www.virustotal.com/file/f5607cbed88bc66d8b56cdcef09a276b0b4bf539c38a7cba4146f291e179dcd0/analysis/

First seen by VirusTotal 2012-02-07 06:59:28 UTC ( 3 uker, 6 dager ago )

Sigcheck

publisher…: bProtector
product…: bProtector Engine
internal name…: bProtector
copyright…: Copyright (C) 2011
original name…: bProtector
signing date…: 6:47 PM 2/2/2012
signers…: Performersoft LLC
Go Daddy Secure Certification Authority
Go Daddy Class 2 Certification Authority
file version…: 1, 0, 0, 1
description…: bProtector Engine

So this Go Daddy… is that anything you know?

Just see what we can find in the realm of file info.

Also consider this info: http://www.threatexpert.com/files/bprotect.exe.html
and http://systemexplorer.net/db/bprotect.exe.html
and this contradicting that: http://www.freefixer.com/library/file/74747/
Also check against this: http://www.backgroundtask.eu/Systeemtaken/taakinfo/100195/bProtect.exe/

polonus

bprotect.exe obviously isn’t a malicious file… it is a part of a file in Warcraft III

bProtector is DEFINITELY a virus. It is cleverly ‘signed’ (fraudulently) with a GoDaddy certificate and makes you think that it is a legitimate file by sitting hidden away in nested files. If you delete it, it replicates itself within seconds. If you plug in a USB memory stick or other offboard device, it replicates itself there also. It is associated with the Babylon plugin.
Most virus software and malware checkers do NOT catch it due to its clever setup. I have gotten rid of it manually several times, but it seems to find its way back somehow. Still working on how to prevent it from reappearing. What would make that simple is if the virus and malware programs would add it to their list and prevent it from getting access.
The person who posted that it ‘obviously’ was not a virus because it was on World of Warcraft most likely has a pirate copy of WoW as this worm travels freely within the pirated files domain…so beware!!

Can you send the file to virus@avast.com for analysis so avast can protect you and detect it?

So… any resolution to this? I’ve got a machine that has this… is there a removal tool somewhere?

Thanks

According to Threat Expert this has always been malicious: http://www.threatexpert.com/files/bprotect.exe.html
For removal instructions, a qualified removal expert has been notified.

polonus

If you are infected, start your own topic and see the “Logs to assist in cleaning malware” guide at the top of this forum section.
Attach logs in your new topic and help will arrive.