Virus: Adware/GoonSquad.A
Date discovered: 17/09/2012
Type: Adware/Spyware
In the wild: No
Reported Infections: Medium
Distribution Potential: Low
Damage Potential: Low
VDF version: 7.11.43.68 - Monday, September 17, 2012
IVDF version: 7.11.43.68 - Monday, September 17, 2012

General Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification

Files
The following files are created:

– Non malicious files:
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\00
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\01
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\10
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\11
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\20
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\traking_settings\21
   • %ALLUSERSPROFILE%\bProtectorForWindows\2.1.419.7\bProtect.settings
   • %ALLUSERSPROFILE%\bProtectorForWindows\2.1.419.7\protector.dll
   • %ALLUSERSPROFILE%\bProtectorForWindows\2.1.419.7\FirefoxExtension\chrome.manifest
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-10.0.2.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-11.0.dll
   • %ALLUSERSPROFILE%\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-3.6.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-3.6.xpt
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-5.0.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-6.0.2.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-7.0.1.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-8.0.1.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\components\bprotector-9.0.1.dll
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\content\bprotector.js
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\content\overlay.xul
   • %ALLUSERSPROFILE%\Application Data\bProtectorForWindows\2.1.419.7\FirefoxExtension\install.rdf

– Temporary files that might be deleted afterwards:
   • %temp%\protector.dll
   • %temp%\bProtect.exe

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent]
   • @=dword:00000009



The following registry keys are added:

– [HKCU\Software\bProtector]
   • "version"="2.1.419.7"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings\{754FF233-5D4E-11D2-875B-00A0C93C09B3}]
   • "Flags"=dword:00000001
   • "Version"="*"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings\{B1549E58-3894-11D2-BB7F-00A0C999C4C1}]
   • "Flags"=dword:00000001
   • "Version"="*"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings\{BDD307C3-7BC0-4542-9F8F-A9611FE6C1BF}]
   • "Flags"=dword:00000001
   • "Version"="*"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings\{C533ADF1-0C80-11D1-8C54-00A02468F316}]
   • "Flags"=dword:00000001
   • "Version"="*"

– [HKCU\Software\bProtector\2.1.419.7]
   • "cmpid"=""
   • "subid"=""
   • "iexplore homepages"="about:blank;"
   • "instance"="f90d803d7bb246b8a890d6d8b6800dd5"

– [HKCU\Software\DataMngr\List\Item1]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\List\Item2]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\List\Item3]
   • "Flag"=dword:00000000

– [HKLM\SOFTWARE\DataMngr\List\Item1]
   • "Flag"=dword:00000000

– [HKLM\SOFTWARE\DataMngr\List\Item2]
   • "Flag"=dword:00000000

– [HKLM\SOFTWARE\DataMngr\List\Item3]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\Toolbar]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\Files\ChromeHomepage]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\Files\Homepage]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\Files\SelectedSearch]
   • "Flag"=dword:00000000

– [HKCU\Software\DataMngr\Files\UrlbarSearch]
   • "Flag"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings\{98889811-442D-49dd-99D7-DC866BE87DBC}]
   • "Flags"=dword:00000000
   • "Version"="*"

– [HKCU\Software\mozilla\Firefox\Extensions]
   • "{b64982b1-d112-42b5-b1e4-d3867c4533f8}"="C:\Documents and Settings\\All Users\\Application Data\\bProtectorForWindows\\2.1.419.7\\FirefoxExtension"

– [HKLM\SYSTEM\ControlSet001\Services\bProtector]
   • "Type"=dword:00000020
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"="C:\Documents and Settings\\All Users\\Application Data\\bProtectorForWindows\\2.1.419.7\\bProtect.exe"
   • "DisplayName"="bProtector"
   • "ObjectName"="LocalSystem"
   • "Description"="Your browser protector service"
   • "FailureActions"=hex:ff,ff,ff,ff,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\00,01,00,00,00,30,75,00,00

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_BPROTECTOR]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_BPROTECTOR\0000]
   • "Service"="bProtector"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="bProtector"

– [HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_BPROTECTOR\0000\Control]
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="bProtector"

– [HKLM\SYSTEM\ControlSet001\Services\bProtector\Enum]
   • "0"="Root\\LEGACY_BPROTECTOR\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • "AppInit_DLLs"=""
   New value:
   • "AppInit_DLLs"="C:\docume~1\\alluse~1\\applic~1\\bprote~1\\21419~1.7\\protec~1.dll "
   • "LoadAppInit_DLLs"=dword:00000001
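
As an added defender-side example (not part of Avira's description), the following Python parses a .reg-style export and flags the two persistence artefacts described above: the AppInit_DLLs change and the auto-start bProtector service. The sample export is constructed here from values listed on this page; the key names, thresholds and the "binary under profile data" heuristic are assumptions of this example.

```python
import re
# Constructed .reg-style sample built from values listed in the description (not a real capture).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\docume~1\\alluse~1\\applic~1\\bprote~1\\21419~1.7\\protec~1.dll "
"LoadAppInit_DLLs"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bProtector]
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"="C:\\Documents and Settings\\All Users\\Application Data\\bProtectorForWindows\\2.1.419.7\\bProtect.exe"
"ObjectName"="LocalSystem"
"""
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services"

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dwords become int, strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, raw = match.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_persistence(keys):
    """Flag AppInit_DLLs injection and auto-start LocalSystem services run from profile data."""
    findings = []
    win = keys.get(WINDOWS_KEY, {})
    dlls = win.get("AppInit_DLLs", "").strip()
    if dlls and win.get("LoadAppInit_DLLs") == 1:  # DLLs load only when the switch is 1
        findings.append(("appinit_dll", dlls))
    for path, values in keys.items():
        parent, _, name = path.rpartition("\\")
        if parent != SERVICES_KEY:
            continue  # skips sub-keys such as ...\Services\bProtector\Enum
        # Start=2 is SERVICE_AUTO_START; a LocalSystem binary under the all-users profile data dir is suspect.
        if (values.get("Start") == 2 and values.get("ObjectName") == "LocalSystem"
                and "application data" in values.get("ImagePath", "").lower()):
            findings.append(("autostart_service", name))
    return findings
```

Feeding a real `reg export` of the two hives into `parse_reg` gives the same findings structure; the AppInit check only fires when `LoadAppInit_DLLs` is 1, which is what makes the description's changed key an active persistence mechanism rather than a leftover value.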

Miscellaneous
In order to check for its internet connection, the following DNS server is contacted:
   • guardstats.**********engine.com

Description inserted by Wensin Lee on Wednesday, September 19, 2012
Description updated by Wensin Lee on Wednesday, September 19, 2012
