Two Possible F/P's, **Need some help finding out.**


HH89

I play online poker quite frequently as a hobby. There were two sites that I was going to sign up to play at, but MBAM is flagging their software as being malware.

One site is 888poker the other is William Hill Poker. Both are legit poker sites that have been in the industry for years. The parent company of William Hill Poker is "William Hill" which is also one of the UK's largest bookmakers and is listed on the London Stock Exchange (more information here http://en.wikipedia.org/wiki/William_Hill_(bookmaker)). 888poker is owned by "888 Holdings PLC" which also owns and operates one of the biggest online casinos as well as several other gambling websites and is also traded on the London Stock Exchange (more information here http://en.wikipedia.org/wiki/888_Holdings). So I believe they are most likely F/Ps, but wanted to verify with you guys.

MBAM seems to be flagging their software as Application.Casino and Adware.Casino as shown below in the log:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 5358

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

12/19/2010 8:56:32 PM

dlog_fullscan_Dec19_mbam-log-2010-12-19 (20-56-11).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)

Objects scanned: 439586

Time elapsed: 47 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Carl\AppData\Local\Mozilla\Firefox\Profiles\2t7fsgke.default\Cache\3d60f963d01 (Adware.Casino) -> No action taken. [05e9c64e03fd1ae6a06b32f81fe607f9]

c:\Users\Carl\AppData\Local\Mozilla\Firefox\Profiles\2t7fsgke.default\Cache\4645d17bd01 (Application.Casino) -> No action taken. [be301afae818ac54bc4ebee4a163da26]

c:\Users\Carl\AppData\Local\Temp\ep4+fvk1.exe.part (Application.Casino) -> No action taken. [16d8130146ba9b65ea201a88867eac54]

c:\Users\Carl\Desktop\new poker sites\888poker.exe (Application.Casino) -> No action taken. [25c943d1d32d926e50ba59499f650af6]

c:\Users\Carl\Desktop\new poker sites\setuppoker_51a6b9_en.exe (Adware.Casino) -> No action taken. [c9251400d12ffc04a16a200afd080af6]

"888poker.exe" is the install file for 888poker.com's online poker client software.

"Setuppoker_51a6b9_en.exe" is the install file for William Hill's online poker client software. FWIW, the name of the install file for William Hill Poker changes every time you reload their website.

The two files in question can be downloaded from the following websites: www.888poker.com and poker.williamhill.com

The two infected files located in the Mozilla Firefox are what I believe to be the cached versions of those two install files (that got saved in the Mozilla Firefox cache when I downloaded them). As when I clear Firefox's browsing history and cache, MBAM no longer picks up anything malicious in the Firefox cache folder.

The other file located in my Temp folder called "ep4+fvk1.exe.part" that shows the infection (Application.Casino) is a file that gets generated and placed into my Temp folder every time I initiate the download of the 888poker.exe software from the 888poker site, but then cancel it. What I mean by that is if I click the download link for the 888poker software, then click "save file" and then when Mozilla Firefox asks me where I want to save the file I click "cancel" instead of save. If I do that, then a ".exe.part" file with a random name will get generated in my Temp folder; which in this case it was called "ep4+fvk1.exe.part". A new file with a different name will appear each time I do that (initiate the download, then click cancel when Firefox asks me where to save the file). And MBAM also flags each one of those files as being malicious with the same infection as "888poker.exe" (Application.Casino). Those temp files are also digitally signed by "888 Holdings PLC". Also, if I just download the install file (and not cancel it when Firefox asks me where I want to save it) then those files won't get generated in the Temp folder.

Anyways, I just had two questions:

1. Are these two infections F/Ps?

2. If they aren't F/Ps, what exactly is "Application.Casino" and "Adware.Casino" and what do they do?

For what it's worth, I have like 12 different poker sites installed on this computer and MBAM never finds anything malicious with them or their installation files. 3 of those even run on the same network as William Hill Poker (which is the iPoker network) and use the same software platform.

I was really looking forward to playing poker on those two sites but would rather not if their install files are infected with malware that could harm me or my computer in any way. Avast Anti-virus doesn't seem to pick up anything wrong with these install files, but upon uploading them to VirusTotal, there are several different other programs that do. But since they are from legitimate companies, I'm not really sure what to think.

I will await your reply.

Kind regards,

- Carl


  • Staff

Adware. or Application. are not trojans. These are potentially unwanted programs (PUP). They can be safely added to your ignore list.

These Prefixes are correct.

Adware (meaning it's just adware... popups etc.)

Application (it's just an application that most users may not want on the computer)

We are going to change the classification to PUP. on these detections.

PUP.Adware.Casino

PUP.Application.Casino

Thanks for pointing them out.


> Adware. or Application. are not trojans. These are potentially unwanted programs (PUP). They can be safely added to your ignore list.
>
> These Prefixes are correct.
>
> Adware (meaning it's just adware... popups etc.)
>
> Application (it's just an application that most users may not want on the computer)
>
> We are going to change the classification to PUP. on these detections.
>
> PUP.Adware.Casino
>
> PUP.Application.Casino
>
> Thanks for pointing them out.

Hey Shadow,

So these two programs are safe then? I won't have to worry about any Registry/Memory getting infected if I install these applications?

And does Adware mean it just gives popups while the poker software application is open? Or random popups if I just have my internet browser open, with the poker software closed?

Thanks for the help and Happy Holidays!

Kind regards,

- Carl


  • Staff

That's what it means. We are slowly converting the old def names over to PUP to make this easier to understand. Anytime you normally see adware or application, it is not malicious but something you may or may not want on the computer. If you want it, you can add it to the ignore list safely.

Think along the lines of a business and it detects a poker app... you playing poker at work.
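
The prefix rule from the staff replies, applied to detection lines in the log format quoted in the first post. This is an added example, not Malwarebytes code and not part of the thread; the sample lines, the `Trojan.Example` name and the "review" bucket for any other prefix are constructed assumptions.

```python
import re

# Prefixes the staff replies describe as potentially unwanted programs,
# including the planned "PUP." rename. Sending every other prefix to
# "review" is an assumption of this example.
PUP_PREFIXES = ("PUP.", "Adware.", "Application.")

# One detection line in the log format quoted in the first post:
#   <path> (<Detection.Name>) -> <action>. [<32 hex digits>]
LINE_RE = re.compile(
    r"^(?P<path>.+?) \((?P<name>[A-Za-z]+(?:\.[A-Za-z0-9]+)+)\)"
    r" -> (?P<action>.+?)\. \[(?P<digest>[0-9a-f]{32})\]$"
)

def parse_detections(log_text):
    """Return one dict per detection line; headers and counters are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def triage(hits):
    """Split detections into 'pup' (ignore-list candidates) and 'review'."""
    buckets = {"pup": [], "review": []}
    for hit in hits:
        kind = "pup" if hit["name"].startswith(PUP_PREFIXES) else "review"
        buckets[kind].append(hit)
    return buckets

# Constructed sample input: placeholder paths and hashes, not lines from the thread.
SAMPLE_LOG = r"""
Files Infected: 3
Registry Keys Infected:
(No malicious items detected)
Files Infected:
c:\Users\user\Desktop\poker_setup.exe (Application.Casino) -> No action taken. [00000000000000000000000000000001]
c:\Users\user\AppData\Local\Temp\abc123.exe.part (PUP.Adware.Casino) -> No action taken. [00000000000000000000000000000002]
c:\Users\user\Downloads\tool.exe (Trojan.Example) -> No action taken. [00000000000000000000000000000003]
"""

if __name__ == "__main__":
    for kind, hits in triage(parse_detections(SAMPLE_LOG)).items():
        for hit in hits:
            print(f"{kind:6} {hit['name']:20} {hit['path']}")
```
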
