New Adware_CriminalFinancial_SProtector Thread

Inactive
By Philemon
Jun 18, 2013
  1. To anyone else out there Googling around, trying to figure this Adware_CriminalFinancial_SProtector junk out...

    I have been following the conversation with Broni and bo_reddude because I've gotten the same notification from Comcast. I've done everything on my computer that Broni told him to do - and I'd go to the amibotted site and see the bot was still there. I started downloading other popular antimalware software and kept trying. I noticed on the amibotted site that there is a button that says "Export Data" - so I clicked on that and it downloaded an Excel file. When I looked at that, it told me that Adware_CriminalFinancial_SProtector is a "FakeSecSen" type of malware. I googled "FakeSecSen" and discovered that it is a family of viruses that is based on a fake antivirus plot - basically it makes popups appear on your computer telling you that you need to purchase some fake antivirus software. I don't remember this ever happening on my machine, but whatever. One antimalware program that promoted itself as being good at getting rid of FakeSecSens was IObit Security 360. So, I tried that. LO AND BEHOLD! - it found a FakeSecSen type of file on my computer - here's the logfile:

    IObit Security 360

    OS:Windows 7
    Version:1.6.1.2
    Define Version:2501
    Time Elapsed:00:04:18
    Objects Scanned:49999
    Threats Found:1

    |Name|Type|Description|ID|
    Misleading.WindowPolicePro, File, C:\windows\system32\Macromed\Flash\mms.cfg, 4-10186

    Anyway, I figured I'd share this triumph with everyone and recommend trying the same software. Hopefully it will work out for you too. I'm sure tons of other people are also trying to figure this out and are lurking around the TechSpot Forums since Googling this bot name basically only brings up this forum in the results. Hopefully this solves the situation and is the end of it!

    Take care,
    P
  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Thanks for sharing :)

    If you still have this file: C:\windows\system32\Macromed\Flash\mms.cfg could you upload it here: https://www.virustotal.com/en/ for security check?
  3. Philemon

    Philemon Newcomer, in training Topic Starter

    Hi Broni,

    Unfortunately I won't have access to my computer until I return home this evening - I will check to see if the mms.cfg file might be in some quarantine somewhere and I will upload it to the site you suggested to check it out if it hasn't been deleted.

    I've done some further snooping around the internet and found this forum where WindowPolicePro and the mms.cfg file are discussed: http://forums.iobit.com/showthread.php?t=12130

    In this forum, an apparent representative of IObit states that the C:\windows\system32\Macromed\Flash\mms.cfg file is a false positive - here's the direct link to that comment: http://forums.iobit.com/showpost.php?p=71920&postcount=26

    Notice the conversation took place a year and a half ago. I suppose IObit may have forgotten to correct the false positive - or perhaps they decided against it intentionally. If you check out the Wikipedia article on Windows Police Pro (I know, not necessarily authoritative) it lists the mms.cfg file as being a portion of the infection: http://en.wikipedia.org/wiki/Windows_Police_Pro

    I'm thinking if IObit thinks mms.cfg is Windows Police Pro, then perhaps Comcast does as well? - Or maybe it really IS some left over portion of the infection.

    OR... perhaps we're dealing with some infection that is so rare or new no one knows about it yet...

    OR... Comcast is full of ish and doesn't know what they're talking about.

    I will keep you updated as to whether or not Comcast alerts me to any further bot activity on my computer. When I checked it this morning, the last activity was previous to running IObit Security 360.

    Interestingly, the first reference I can find to Adware_CriminalFinancial_SProtector is from April 4, 2013. It can be found here: http://ibot.rikers.org/#utah/20130404.html.gz

    We're about 3 months out from that point now and unless mms.cfg turns out to be the culprit (false positive or not) it looks like we haven't learned anything further. I'll be in touch.

    Take care,
    P
  4. Philemon

    Philemon Newcomer, in training Topic Starter

    Alright, I ran the file on virustotal.com. They say it's benign :(

    I'm not sure what to think now. Sorry for the premature enthusiasm.

    -P
  5. Philemon

    Philemon Newcomer, in training Topic Starter

    Oh, I should add that I checked amibotted.comcast.net and received this:

    Though, I should add, this has been happening - one day I'm clear and another day I'm not. I don't get it :( .

    -P
  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    They're *****s...lol

    Thank you for all your work here :)

    I have to tell you that bot warning from Comcast happened even to me.
    It's like telling a sniper he has no clue how to shoot....hehehe.
    I was really upset when I called them with my complaint.
  7. Philemon

    Philemon Newcomer, in training Topic Starter

    Yeah, I think they might be playing fast and loose with what they define as a bot in this case in order to trump up some business - but maybe not.

    Apparently the IObit Security 360 was some way out of date version of IObit Malware Fighter 2.0. I thought I had updated it to the max last night before running it but apparently not - I had even downloaded it directly from their website, so I don't know how I managed to install old software.

    In any case, after running that this evening, I got these results:

    We'll see what happens now.

    -P
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Again, get those files to VirusTotal to see.
    Just by a look at them I suspect more false positives.

    On a side note, I'm not a big fan of IObit.
  9. Philemon

    Philemon Newcomer, in training Topic Starter

    Yeah, I'm thinking you might be right - here's what I've got for dxCtrls.dll from VirusTotal - TrendMicro is the only one picking it up:
    Here's a link to the analysis: https://www.virustotal.com/en/file/...1698f3df3e7ec81/analysis/1371692640/#analysis
  10. Broni

    Broni Malware Annihilator Posts: 46,132   +251

  11. Philemon

    Philemon Newcomer, in training Topic Starter

    And here's the results for the filemerger.exe:
    So that's clean too... here's the link: https://www.virustotal.com/en/file/...d99d89bbd4d3a33/analysis/1371692931/#analysis

    Man, I'm stumped.
     
  12. Philemon

    Philemon Newcomer, in training Topic Starter

    Well, you see, that's the thing - I'm running Malwarebytes Anti-Malware Pro, full-time. I've got Norton Security Suite through Comcast and I have them set to run without conflicting with one another. I ran all the stuff you told bo_reddude to run, plus I ran numerous other programs - like Spybot Search & Destroy, various Microsoft utilities... you name it. In any case, MB never gave me false positives - apparently all these IObit results are false positives... they need to do some serious retooling.
  13. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    No question about it.
    At some point they may whack some important system file.

