Alert level: Severe
Detected with Windows Defender Antivirus
Also detected as: No associated aliases
Windows Defender detects and removes this threat.
This family of trojans installs browser add-ons that claim to protect you from other add-ons. These add-ons can change your home page and can also install Win32/Sefnit.
These trojans are commonly installed by Win32/Brantall.
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
- Microsoft Windows Malicious Software Removal Tool
You should also run a full scan. A full scan might find other, hidden malware.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.
Win32/Rotbrow might be installed on your PC by other software. For example, we have seen Rotbrow installed alongside the clean program Babylon Toolbar by a variant of Win32/Brantall.
Win32/Rotbrow installs itself in a folder under <commonappdata> (typically C:\ProgramData on Windows Vista and later), for example:
- <commonappdata>\BitGuard\<version number>
- <commonappdata>\BrowserDefender\<version number>
- <commonappdata>\browserprotect\<version number>
- <commonappdata>\bprotectorforwindows\<version number>
- <commonappdata>\browser manager\<version number>
- <commonappdata>\~browser manager\<version number>
- <commonappdata>\video doer manager\<version number>
- <commonappdata>\codecs pack manager\<version number>
- <commonappdata>\pc doer manager\<version number>
The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names for the main component:
It might install itself as a Firefox extension with one of the following names:
- "bProtector", bprotector.xpi
- "Browser Manager", Babylonmngr.xpi
In Chrome, it might use these names:
- "BrowserProtect", BrowserProtect.crx
- "BrowserProtect", mngr.crx
- "Settings Protector", browsemngr.crx
- "Settings Protector", spext.crx
In Internet Explorer, it might use this name:
- "ProtectorBHO Class", kerberos_bho.dll
You might see it listed in the Manage Add-ons window in Internet Explorer.
It installs itself as a service so that it runs each time you start your PC.
It might use the service name bProtector with the description "Your browser protector service".
It might also create a scheduled task that runs once every minute to start this service if it has stopped.
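The install folders, service and scheduled task above are the indicators a responder would check first. The following PowerShell triage script is an added example written for this page, not Microsoft's tooling. It assumes an elevated session on Windows 8 / Server 2012 or later (Get-ScheduledTask needs the ScheduledTasks module), that <commonappdata> resolves to $env:ProgramData, and that the scheduled task's command line mentions one of the names given on this page (the exact command is not documented here, so other tasks must be reviewed by hand):

```powershell
# Added triage script for the Win32/Rotbrow indicators listed on this page.
# Not Microsoft's code. Assumes Windows 8+/Server 2012+, an elevated session,
# and <commonappdata> = $env:ProgramData.

$rotbrowDirNames = @(
    'BitGuard', 'BrowserDefender', 'browserprotect', 'bprotectorforwindows',
    'browser manager', '~browser manager', 'video doer manager',
    'codecs pack manager', 'pc doer manager'
)

# Install folders: <commonappdata>\<name>\<version number>
function Get-RotbrowDirectoryHits {
    param([string]$CommonAppData = $env:ProgramData)
    foreach ($name in $rotbrowDirNames) {
        $dir = Join-Path $CommonAppData $name
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $versions = @(Get-ChildItem -LiteralPath $dir -Directory -ErrorAction SilentlyContinue)
        if ($versions.Count -eq 0) {
            [pscustomobject]@{ Indicator = 'Directory'; Detail = $dir }
        }
        foreach ($v in $versions) {
            [pscustomobject]@{ Indicator = 'Directory'; Detail = $v.FullName }
        }
    }
}

# Persistence: service named bProtector, description "Your browser protector service"
function Get-RotbrowServiceHits {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -eq 'bProtector' -or $_.Description -like '*browser protector service*' } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Service'; Detail = "$($_.Name) ($($_.State)): $($_.PathName)" }
        }
}

# Persistence: a task repeating every minute (ISO 8601 'PT1M') that restarts the
# service. The command line is not on the page (assumption: it names one of the
# page's components), so only tasks matching those names are reported.
function Get-RotbrowTaskHits {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $everyMinute = @($task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT1M' }).Count -gt 0
        $cmdLines = @($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        $named = @($cmdLines -match 'bProtector|BrowserProtect|browsemngr|Babylonmngr').Count -gt 0
        if ($everyMinute -and $named) {
            [pscustomobject]@{ Indicator = 'ScheduledTask'; Detail = "$($task.TaskPath)$($task.TaskName): $($cmdLines -join '; ')" }
        }
    }
}

# IE persistence: Browser Helper Objects are registered by CLSID. Resolve each
# CLSID to its InprocServer32 DLL and look for kerberos_bho.dll ("ProtectorBHO Class").
function Get-RotbrowBhoHits {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            foreach ($root in $clsidRoots) {
                $server = Join-Path $root "$($entry.PSChildName)\InprocServer32"
                if (-not (Test-Path -LiteralPath $server)) { continue }
                $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
                if ($dll -match 'kerberos_bho\.dll') {
                    [pscustomobject]@{ Indicator = 'IE BHO'; Detail = "$($entry.PSChildName) -> $dll" }
                }
            }
        }
    }
}

$hits = @(Get-RotbrowDirectoryHits) + @(Get-RotbrowServiceHits) + @(Get-RotbrowTaskHits) + @(Get-RotbrowBhoHits)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No Win32/Rotbrow indicators found.' }
```

Because the component file names vary between versions, an empty result from this script does not clear a machine; it only covers the names on this page. Run a full antivirus scan as described above regardless.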
Installs other files, including malware
The trojan then runs setup_fsu_cid.exe, which is an installer for a program called FileScout.
In many cases, this installer also contains Win32/Sefnit, which it installs silently alongside FileScout.
Win32/Rotbrow hooks a number of APIs to:
- Prevent itself from being stopped or removed
- Prevent the "MindSpark Toolbar Platform IE Search Box Protector" from hooking functions in the current process
- Prevent OLE objects matching a product named "SweetPacks" from being loaded
- Monitor registry and file system changes to prevent certain registry keys and files from being modified
- AVG Safeguard Toolbar
In Firefox, the trojan redirects your startup home page to a different preference: browser.startup.homepage is replaced with browser.startup.homepage.CT.
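The renamed preference is visible in the profile's prefs.js (or user.js), which stores one `user_pref("name", value);` call per line. The following PowerShell check is an added example, not part of the original page or Microsoft's tooling; it assumes the standard Firefox profile location under %APPDATA%\Mozilla\Firefox\Profiles and uses a constructed sample file, not one captured from a real infection:

```powershell
# Added example: find the browser.startup.homepage -> browser.startup.homepage.CT
# rename in Firefox preference files. Not Microsoft's code; written for this page.

# Parse one prefs.js/user.js and report both homepage preference names.
function Get-FirefoxHomepagePrefs {
    param([Parameter(Mandatory)][string]$PrefsFile)
    # user_pref("browser.startup.homepage", "http://...");  -- string values only
    $pattern = '^\s*user_pref\("(?<name>browser\.startup\.homepage(?:\.CT)?)",\s*"(?<value>(?:[^"\\]|\\.)*)"\);'
    $found = @{}
    foreach ($line in Get-Content -LiteralPath $PrefsFile) {
        if ($line -match $pattern) { $found[$Matches.name] = $Matches.value }
    }
    [pscustomobject]@{
        File       = $PrefsFile
        Homepage   = $found['browser.startup.homepage']
        HomepageCT = $found['browser.startup.homepage.CT']
        # Presence of the .CT variant is the indicator described on this page
        Suspicious = $found.ContainsKey('browser.startup.homepage.CT')
    }
}

# Walk every Firefox profile for the current user (assumed default location).
function Find-ShadowedHomepagePrefs {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path -LiteralPath $profiles)) { return }
    Get-ChildItem -LiteralPath $profiles -Directory | ForEach-Object {
        foreach ($f in 'prefs.js', 'user.js') {
            $p = Join-Path $_.FullName $f
            if (Test-Path -LiteralPath $p) { Get-FirefoxHomepagePrefs -PrefsFile $p }
        }
    } | Where-Object Suspicious
}

# Constructed sample (not a real capture) showing the renamed preference.
$sample = Join-Path $env:TEMP 'rotbrow-sample-prefs.js'
@'
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage.CT", "http://www.example.com/");
'@ | Set-Content -LiteralPath $sample
Get-FirefoxHomepagePrefs -PrefsFile $sample   # Suspicious = True
Remove-Item -LiteralPath $sample

# Real profiles on this machine:
Find-ShadowedHomepagePrefs
```

Firefox rewrites prefs.js on exit, so run this with the browser closed, and treat a hit as a reason to check the extension names listed earlier on this page rather than as proof on its own.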
The trojan also supports the blacklisting and whitelisting of URLs and domains based on a remote configuration.
Analysis by Hamish O'Dea
Alerts from your security software may be the only symptom.