New Adware_CriminalFinancial_SProtector Thread

Philemon

To anyone else out there Googling around, trying to figure this Adware_CriminalFinancial_SProtector junk out...

I have been following the conversation with Broni and bo_reddude because I've gotten the same notification from Comcast. I've done everything on my computer that Broni told him to do - and I'd go to the amibotted site and see the bot was still there. I started downloading other popular antimalware software and kept trying. I noticed on the amibotted site that there is a button that says "Export Data" - so I clicked on that and it downloaded an Excel file. When I looked at that, it told me that Adware_CriminalFinancial_SProtector is a "FakeSecSen" type of malware. I googled "FakeSecSen" and discovered that it is a family of viruses that is based on a fake antivirus plot - basically it makes popups appear on your computer telling you that you need to purchase some fake antivirus software. I don't remember this ever happening on my machine, but whatever. One antimalware program that promoted itself as being good at getting rid of FakeSecSens was IObit Security 360. So, I tried that. LO AND BEHOLD! - it found a FakeSecSen type of file on my computer - here's the logfile:

IObit Security 360

OS:Windows 7
Version:1.6.1.2
Define Version:2501
Time Elapsed:00:04:18
Objects Scanned:49999
Threats Found:1

|Name|Type|Description|ID|
|Misleading.WindowPolicePro|File|C:\windows\system32\Macromed\Flash\mms.cfg|4-10186|

Anyway, I figured I'd share this triumph with everyone and recommend trying the same software. Hopefully it will work out for you too. I'm sure tons of other people are also trying to figure this out and are lurking around the TechSpot Forums since Googling this bot name basically only brings up this forum in the results. Hopefully this solves the situation and is the end of it!

Take care,
P
 
Hi Broni,

Unfortunately I won't have access to my computer until I return home this evening - I will check to see if the mms.cfg file might be in some quarantine somewhere and I will upload it to the site you suggested to check it out if it hasn't been deleted.

I've done some further snooping around the internet and found this forum where WindowPolicePro and the mms.cfg file are discussed: http://forums.iobit.com/showthread.php?t=12130

In this forum, an apparent representative of IObit states that the C:\windows\system32\Macromed\Flash\mms.cfg file is a false positive - here's the direct link to that comment: http://forums.iobit.com/showpost.php?p=71920&postcount=26:

#25 - Dec. 29th, 2011, 03:28
enoskype (Mediator; joined 27 Oct 2006, 9,289 posts)

@edat362007,
When found by IMF, you can put mms.cfg into the Ignore List by right-clicking on it until IObit corrects its false positive status. When done, you can delete it from the Ignore List.

MEL,
I think we should let Superdave decide what to do with the C:\sh4ldr folder/file.

Cheers.
__________________
氣 enoskype

- Beauty lies in the eye of the beholder and belongs to the man who can appreciate it. -

#26 - Dec. 29th, 2011, 09:04
Cicely (IObit Support; joined 27 Jul 2009, 1,828 posts)

Hi edat362007,

Sorry for the inconvenience, it's a false positive, we will fix it in the next update.

__________________
IObit Support Team--

If you're happy with our products, please tell your friends, families and colleagues about IObit and IObit products! We'd be very grateful!

Notice the conversation took place a year and a half ago. I suppose IObit may have forgotten to correct the false positive - or perhaps they decided against it intentionally. If you check out the Wikipedia article on Windows Police Pro (I know, not necessarily authoritative) it lists the mms.cfg file as being a portion of the infection: http://en.wikipedia.org/wiki/Windows_Police_Pro:

Windows Police Pro files

  • c:\Program Files\Windows Police Pro\
  • C:\Windows\svchast.exe
  • C:\Windows\svchasts.exe
  • C:\Windows\svohost.exe
  • c:\WINDOWS\wf3.dat
  • c:\WINDOWS\wf4.dat
  • c:\WINDOWS\system32\minix32.exe
  • C:\WINDOWS\system32\dddesot.dll
  • c:\WINDOWS\system32\nuar.old
  • c:\WINDOWS\system32\plugie.dll
  • c:\WINDOWS\system32\pump.exe
  • c:\WINDOWS\system32\skynet.dat
  • c:\WINDOWS\system32\Macromed\Flash\mms.cfg

I'm thinking if IObit thinks mms.cfg is Windows Police Pro, then perhaps Comcast does as well? - Or maybe it really IS some left over portion of the infection.

OR... perhaps we're dealing with some infection that is so rare or new no one knows about it yet...

OR... Comcast is full of ish and doesn't know what they're talking about.

I will keep you updated as to whether or not Comcast alerts me to any further bot activity on my computer. When I checked it this morning, the last activity was previous to running IObit Security 360.

Interestingly, the first reference I can find to Adware_CriminalFinancial_SProtector is from April 4, 2013. It can be found here: http://ibot.rikers.org/#utah/20130404.html.gz

23:44.52 mheath Has anyone else had problems with Comcast/XFinity's new 'security/bot monitoring' thing?
23:45.36 fadein mheath: I had it tell me that I had a malware a week or so ago
23:46.03 mheath My dad has xfinity, and keeps getting this. Initially it was a "we suggest you take action now" warning he could close
23:46.15 fadein https://amibotted.comcast.net/
23:46.19 mheath Now it's a "Fix this now!" thing you can't get rid of
23:46.41 mheath fadein: wow, thank you
23:46.44 mheath Exactly what I needed
23:46.55 fadein I think they just want you to sign up for McAfee or Norton or whatever they're pushing this quarter
23:47.05 mheath My dad (though he's not super technical) spent like 3 hours on the phone with Comcast, and was never given that
23:47.08 mheath Yeah
23:47.34 mheath That was what they kept telling him. He would tell them he had run a thorough virus scan, with a competent virus scan program from a major company..
23:47.51 mheath They would respond and tell him that must just mean that program sucks
23:48.02 mheath and the only support they can provide is to charge him for their program, if he wants his internet connection back
23:48.15 fadein wait, what?
23:48.24 fadein they disconnected him?
23:48.30 mheath Kind of.
23:48.45 mheath It hijacks non-secure HTTP connections, and covers up the webpage with a message from Comcast.
23:48.54 mheath Initially it had an "X" you could click on to close it
23:49.23 mheath Now, it basically says that since he hasn't fixed the problem after previous warnings, he can't close it until the problem is resolved
23:49.48 mheath He's not 'disconnected'....It doesn't affect HTTPS, obviously, and there's other ways around it. It even seems to show up and affect different computers/OSs/Operating Systems differently
23:51.03 fadein that would be a solution to botnets ... if it was more helpful in assisting you to fix the problem
23:51.19 mheath Yeah, no kidding
23:51.41 mheath That website isn't much more helpful, either. It gives a name of the 'bot'...
23:51.48 mheath But it's a name that has 0 results on a google search
23:51.57 fadein that's what I got
23:52.02 mheath And it has no other details
23:52.02 fadein which one was it...
23:52.20 mheath "Adware_CriminalFinancial_SProtector"
23:52.21 fadein umbraloader_generic
23:52.50 mheath I would have thought if this was a legitimate, accepted security threat, someone on the entire internet other than Comcast would know about it.
23:53.15 fadein I was hoping for a malware encyclopedia - I remember a virus scanner from the 90's that had a description for each virus it recognized
23:53.28 fadein maybe that's too much work for people to keep up with
23:53.34 mheath There's entire sites that are dedicated to that now
23:53.43 fadein but I wanted to know what sorts of things I could do to look for it other than "install a virus scanner"
23:53.59 mheath Several of the big Virus scanner and Virus-interested companies dedicate huge resources to publishing thorough details about all the known threats in the wild
23:54.01 fadein there may be entire sites, but none that I could find that could tell me much about what umbraloader does
23:54.23 fadein from what I gathered, it is some scriptkiddie tool that you use to build a malware package
23:54.35 mheath Well, that's my point. If the name Comcast gives literally doesn't show up ANYWHERE on the internet....
23:55.02 mheath Chances are it's either a wrong/made up/etc name, or its status as a 'virus' is not accepted by the entire industry

We're about 3 months out from that point now and unless mms.cfg turns out to be the culprit (false positive or not) it looks like we haven't learned anything further. I'll be in touch.

Take care,
P
 
Alright, I ran the file on virustotal.com. They say it's benign :(



SHA256: e6e24f01c6c96a8cbcba9cf85859ed85ec1bccb522443e6aeff7d5f92b9d86b7
SHA1: d67e52dc1359b29bb231ea1dc3ea15898618ac20
MD5: d2a14dbed0856bd4e370152947f906c4
File size: 47 bytes ( 47 bytes )
File name: mms.cfg
File type: Text
Detection ratio: 0 / 45
Analysis date: 2013-06-19 21:54:51 UTC ( 0 minutes ago )
Antivirus | Result | Update (the Result column is empty for every engine below, i.e. nothing detected)
Agnitum 20130619
AhnLab-V3 20130619
AntiVir 20130619
Antiy-AVL 20130619
Avast 20130619
AVG 20130619
BitDefender 20130619
ByteHero 20130613
CAT-QuickHeal 20130619
ClamAV 20130619
Commtouch 20130619
Comodo 20130619
DrWeb 20130619
Emsisoft 20130619
eSafe 20130616
ESET-NOD32 20130619
F-Prot 20130619
Fortinet 20130619
GData 20130619
Ikarus 20130619
Jiangmin 20130619
K7AntiVirus 20130619
K7GW 20130619
Kaspersky 20130619
Kingsoft 20130506
Malwarebytes 20130619
McAfee 20130619
McAfee-GW-Edition 20130619
Microsoft 20130619
MicroWorld-eScan 20130619
NANO-Antivirus 20130619
Norman 20130619
nProtect 20130619
Panda 20130619
PCTools 20130521
Rising 20130619
Sophos 20130619
SUPERAntiSpyware 20130619
Symantec 20130619
TheHacker 20130619
TotalDefense 20130619
TrendMicro 20130619
TrendMicro-HouseCall 20130619
VBA32 20130619
VIPRE 20130619
ViRobot 20130619
I'm not sure what to think now. Sorry for the premature enthusiasm.

-P
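The step taken in this post (hashing the suspect file locally, comparing against the digests VirusTotal shows, and looking at what the 47-byte text file actually is) can be scripted so it is repeatable for the next flagged file. The helper below is an added example, not code from anyone in this thread. It computes SHA256/SHA1/MD5 over a file, checks them against whatever digests a scanner page reported, and, because mms.cfg is Adobe Flash Player's plain Key=Value settings file, tries to parse the file in that format so a reviewer can see the settings instead of guessing from a detection name. The sample mms.cfg content is constructed for the demo and is not the file from this thread, so its hashes will not match the ones posted above.

```python
"""Local triage of a file flagged by an AV product (added example)."""
import hashlib
import os
import tempfile

DIGEST_NAMES = ("sha256", "sha1", "md5")


def digests_of_bytes(data):
    """Return {name: hexdigest} for the three digests VirusTotal shows."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGEST_NAMES}


def file_digests(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in DIGEST_NAMES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_reported(digests, reported):
    """Compare the digests a scanner page reported with the ones computed locally.

    Returns (all_match, mismatches) where mismatches maps digest name to
    (reported, computed). A mismatch means the scanner looked at a different
    file than the one on disk (or the file changed since), so its verdict
    does not apply to what is actually installed.
    """
    mismatches = {}
    for name, value in reported.items():
        if value.lower() != digests[name]:
            mismatches[name] = (value.lower(), digests[name])
    return (not mismatches, mismatches)


def looks_like_text(data):
    """Cheap check: no NUL bytes and decodes as UTF-8. PE files fail this."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def parse_flash_mms_cfg(data):
    """Parse Flash Player's mms.cfg: one Key=Value per line, '#' comments."""
    settings = {}
    for raw in data.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("not a Key=Value line: %r" % raw)
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def triage(path, reported=None):
    """Gather everything a reviewer wants before deciding 'false positive or not'."""
    with open(path, "rb") as f:
        data = f.read()
    result = {
        "size": len(data),
        "digests": file_digests(path),
        "is_text": looks_like_text(data),
        "settings": None,
        "hash_match": None,
        "mismatches": {},
    }
    if result["is_text"]:
        try:
            result["settings"] = parse_flash_mms_cfg(data)
        except ValueError:
            pass  # text, but not in mms.cfg format
    if reported:
        result["hash_match"], result["mismatches"] = matches_reported(
            result["digests"], reported)
    return result


# Constructed sample content in mms.cfg format; NOT the file from the thread.
SAMPLE_MMS_CFG = b"AutoUpdateDisable=0\r\nSilentAutoUpdateEnable=1\r\n"


def demo():
    """Write the constructed sample to a temp dir and triage it end to end."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mms.cfg")
        with open(path, "wb") as f:
            f.write(SAMPLE_MMS_CFG)
        # Pretend the scanner page reported this SHA256 (hypothetical input).
        reported = {"sha256": hashlib.sha256(SAMPLE_MMS_CFG).hexdigest()}
        return triage(path, reported)


if __name__ == "__main__":
    print(demo())
```

Run `triage("C:\\Windows\\System32\\Macromed\\Flash\\mms.cfg", {"sha256": "<value from the scanner page>"})` against the real file; a `hash_match` of False means the verdict on the page is about some other file, and a parsed `settings` dict with nothing but Flash update/privacy keys is what a benign mms.cfg looks like.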
 
Oh, I should add that I checked amibotted.comcast.net and received this:

Constant Guard Reports

No Bots Detected ✓

Good news! Constant Guard™ has not detected any bots, or reports of bots from your IP address.

Though, I should add, this has been happening - one day I'm clear and another day I'm not. I don't get it :( .

-P
 
They're *****s...lol

Thank you for all your work here :)

I have to tell you that bot warning from Comcast happened even to me.
It's like telling a sniper he has no clue how to shoot....hehehe.
I was really upset when I called them with my complaint.
 
Yeah, I think they might be playing fast and loose with what they define as a bot in this case in order to trump up some business - but maybe not.

Apparently the IObit Security 360 was some way out of date version of IObit Malware Fighter 2.0. I thought I had updated it to the max last night before running it but apparently not - I had even downloaded it directly from their website, so I don't know how I managed to install old software.

In any case, after running that this evening, I got these results:

IObit Malware Fighter

OS: Windows 7
Version: 2.0.1.8
Define Version: 1244
Time Elapsed: 00:54:16
Objects Scanned: 87983
Threats Found: 3
Save Time: 6/19/2013 7:02:34 PM

|Name|Type|Description|ID|
|Trojan.Generic|FILE|C:\Windows\SysWOW64\dXCtrls.dll|4072549|
|Trojan.Generic|FILE|C:\Windows\System32\dXCtrls.dll|4072549|
|Trojan.Agent|FILE|C:\Program Files\Audio Recorder for Free\filemerger.exe|4058286|

We'll see what happens now.

-P
 
Again, get those files to VirusTotal to see.
Just by looking at them I suspect more false positives.

On a side note I'm not a big fan of iObit.
 
Yeah, I'm thinking you might be right - here's what I've got for dxCtrls.dll from VirusTotal - TrendMicro is the only one picking it up:

SHA256: 71c65315f99271930086802d8589117e7595c1a9d6ac450b51698f3df3e7ec81
SHA1: 70ccd57cc1bf9c5c4fef43d19a173398a7f12704
MD5: 742f07a053b3886b62fdf7fc570b1f5a
File size: 121.5 KB ( 124416 bytes )
File name: dXCtrls.dll
File type: Win32 DLL
Detection ratio: 2 / 47
Analysis date: 2013-06-20 01:44:00 UTC ( 0 minutes ago )

Here's a link to the analysis: https://www.virustotal.com/en/file/...1698f3df3e7ec81/analysis/1371692640/#analysis
 
And here's the results for the filemerger.exe:
SHA256: 6fdf112eafde1ad2c625d4c64933514b4fc1bd79cf28dd858d99d89bbd4d3a33
SHA1: ef0ef12a4a30f8a3ddcf445717aba7c22ebf9d0e
MD5: b82e01b7a95429e337c92b7c4d04b901
File size: 658.5 KB ( 674304 bytes )
File name: filemerger.exe
File type: Win32 EXE
Detection ratio: 0 / 46
Analysis date: 2013-06-20 01:48:51 UTC ( 1 minute ago )

So that's clean too... here's the link: https://www.virustotal.com/en/file/...d99d89bbd4d3a33/analysis/1371692931/#analysis

Man, I'm stumped.
 
iObit as a company should be ignored by all computer users due to them stealing a database from Malwarebytes: http://forums.malwarebytes.org/index.php?showtopic=33217

Well, you see, that's the thing - I'm running Malwarebytes' Anti-Malware Pro, full-time. I've got Norton Security Suite through Comcast and I have them set to run without conflicting with one another. I ran all the stuff you told bo_reddude to run, plus I ran numerous other programs - like Spybot Search & Destroy, various Microsoft utilities... you name it. In any case, MB never gave me false positives - apparently all these IObit results are false positives... they need to do some serious retooling.
 