33BO11OF00, posted October 16, 2009

I don't know if this is the right place to announce this: for FDFMOD.EXE, the Ad-Aware spyware removal program says that the exe file contains the WIN32.Adware.CasinoClient program. Is this a real or a wrong alert? What do you say about this alert?

Another question: My PC is a bit jammed. Where can I ask for help to solve this problem?

Virus makers and adware writers should be hanged, shot or skinned alive! That's what I say.

stgn, posted October 16, 2009

Mine (AVIRA) has said it too, don't know if it's a fluke?

STGN

33BO11OF00, posted October 16, 2009

I have also found a tracking cookie with the same WIN32.Adware.CasinoClient name.

EVERYBODY! READ MY OTHER QUESTION ALSO: Where can I find help for my jammed PC? Net is working. It's the file manager (Explorer.exe) which is jammed.

(Edited October 16, 2009 by 33BO11OF00: info)

W0lle, posted October 16, 2009

False positive I guess, Kaspersky says it's clean. At virustotal only 6 of 41 scanners say it contains adware:

http://www.virustotal.com/en/analisis/dc02106497fdee5edc3ed7cce1850e9f0098d67d0ddfeb83747d8099e81348c1-1255732612

I highly doubt that FDF Mod is spreading adware. Besides that, the .exe is from around 2003 - that's 6 years.

However you don't need the .exe at all, you can also start the mod by adding -mod=finmod to your OFP shortcut.

JdB, posted October 16, 2009

This is completely due to all anti-virus/anti-spyware developers using different methods and standards to track what they consider malicious code, sometimes marking stuff incorrectly. As W0lle pointed out, only a few recognize FDFMOD.exe as spyware. My McAfee AV (with Anti-Spyware module), and previously Panda AV and Norton AV that I used over the years, have never given me that message when running any version of the FDF mod.

If the executable is triggering your AV/anti-spyware software, it's probably because the program that the FDF mod used to create the executable added some code that is also found in some forms of spyware.

Edit: nice feature, that anti-double posting feature in the forum software. Accidentally hit the post button twice and nothing to see here, move along :D

33BO11OF00, posted October 16, 2009

:) :) How about my other question? Read Post #3 about my jammed PC.

You can also send files to analysis labs so these false alerts can be removed. AD-Aware has that Threat Work Alliance file sender/analyzer. Almost every virus scanner has that "send a suspicious file" button.

(Edited October 16, 2009 by 33BO11OF00: info)

rellikki, posted October 16, 2009

> :) :) How about my other question? Read the Post #3 about my jammed PC.

We have a PC discussion thread in the off-topic section. This isn't the place for asking about general technical problems.

sanctuary, posted October 16, 2009

> False positive I guess, Kaspersky says its clean. At virustotal only 6 of 41 scanners say it contains adware:

No, it is not a false positive, it is the antivirus recognizing that there is a part of the FDFmod.exe code that is "calling home". A behaviour spyware has, so it is natural most scanners report something is wrong in this executable.

Years ago some people asked why the FDF mod was "calling home"; the FDF team replied that it was to collect statistics on how much people were playing their mod, and according to them the "spy" was doing nothing else.

But as I see no reason to trust a spy in an executable, an easy workaround to play the FDF mod is to delete the FDFmod.exe and use a regular OFP shortcut with

-nomap -nosplash -mod=finmod

And no more spyware.

If you don't trust the FDF_installer.exe either, you can in fact just use 7zip or Winrar or anything like this to extract the content of this installer without having to launch it, and manually place the finmod folder and the mission in their correct location.

33BO11OF00, posted October 16, 2009

Thanks for all the info. I needed that. YEAH.

What is that "calling home" term in spyware? Tell me this. Please.

(Edited October 16, 2009 by 33BO11OF00: question added)

JdB, posted October 16, 2009

> Another question: My PC is bit jammed. Where can I ask help to solve this problem?

Depends. If you're sure it's actually due to a (collection of) virus/adware and spyware, you should unhook the drive and put it into another PC as a secondary drive (the jumper on the drive of the PC you're putting it into should be set to Master (it most likely already is), and the infected drive should temporarily be switched to Slave, so the OS with the scanners you want to run is on a clean drive. Remember to put the jumpers back into the original state after you're done!). Have Adaware and a virus scanner scan the entire drive from the infected PC. After it has finished running (either it handles infected files automatically, or comes up with a dialog after scanning has finished to ask you what to do), you can put the drive back into the original PC.

The problem might also be due to too many (small) files being on the disc like pictures, not formatting regularly etc. Hard discs getting slower over time are not necessarily caused by malicious software, bad maintenance is another big factor.

sanctuary, posted October 16, 2009

For a security cleanup, you can refer to this specialised and trustworthy forum: http://www.broadbandreports.com/forum/cleanup

But before posting there about your problems, be sure to carefully read their very important FAQs "Mandatory Steps Before Requesting Assistance", "What is SCU?" and "How To Post". If you really want some help you will need to follow those instructions entirely.

W0lle, posted October 16, 2009

> Years ago some people have asked why the FDF mod was "calling home", the FDF team replied that it was to collect statistics on how much people were playing their mod, according to them the "spy" was doing nothing else.

Interesting, either I missed or forgot about that. Thanks for pointing that out and good to know. Tells me to stay away from any FDF Mod executables from now on.

sanctuary, posted October 17, 2009

Important note about the "FDFmod.exe calling home": to be more complete I wanted to link to the discussion I was referring to, but after browsing the whole FDF 1.2 and 1.3 release thread, I have not been able to find it. Only the mention of the FDF installer calling the FDF home once when installing "to check for updates", but no mention of the FDFmod.exe doing the same.

> I've installed from the installer.exe file twice. Each time, at the very end of the install, there was a crash and a Win XP error report window, stating an exception error occurred. However, everything appears to be fully installed and working. I ran an MD5 checksum against the file and it matches the checksum posted at the start of this thread.
>
> edit: for the record, when ZoneAlarm prompted me to authorize the program's net access, I responded N

> Hmm hmm. Our installer is just ordinary RAR self-extracting archive and should work fine with Windows XP. But with lovely Windows I guess everything is possible
>
> Denying net access should not matter, it just tries to load "latest information about FDFMOD 1.3" page from our home site. Like right now it should (krhm, lazy me) probably point to instructions how to fix Uzi bug.
>
> Also, in severe problems with installer, you can extract it with Winrar. Just right click at installer file and select "Extract to...". Same goes for non-Windows dedicated server installations, use Rar software to extract the files.
>
> Edit: Why don't I ever learn: Always doublecheck for spelling mistakes.

While I am sure to have read it, and that is why I ceased to use the FDFmod.exe and use a regular OFP shortcut with the mod= instead, I can't find the reference. So don't take my word, there is the possibility (though I am sure to have read it) that it is my old memory playing with me.

(Edited October 17, 2009 by Sanctuary)

kegetys, posted October 17, 2009

> No it is not a false positive, it is the antivirus recognizing that there is a part of the FDFmod.exe code that is "calling home". A behaviour spywares have, so it is natural most scanners report something is wrong in this executable.

There is nothing like that in the exe, the FDFmod.exe's only purpose is to "intelligently" select whether it will launch flashpointresistance.exe or the beta patch exe with the appropriate mod parameters. A long time ago I posted the source of the exe somewhere on the fdfmod forums when someone else wanted to do the same thing, but I'm not 100% sure if it is there anymore.

The RAR SFX installer, being based on HTML "pages", has an iframe that grabs the latest news from the fdfmod website, the purpose being that if you're installing an old version it can tell you that there is an update available etc.

edit: Here's the source of the exe:

```cpp
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <windows.h>

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    struct stat stat_p;
    bool needbeta;
    char wii[1024];
    char exe[1024];
    needbeta = false;

    // Mod parameters first, then whatever was passed on the command line.
    // Bounded formatting: lpCmdLine can be longer than wii.
    snprintf(wii, sizeof(wii), "-nomap -mod=finmod %s", lpCmdLine);

    if(-1 == stat("FLASHPOINTRESISTANCE.EXE", &stat_p)) { // No exe
        MessageBox(NULL,"FlashpointResistance.exe not found","FDFmod",MB_ICONWARNING );
        return 1;
    }

    if(stat_p.st_size == 4418476 || stat_p.st_size == 3678208) { // Resistance 1.91 exe
        strcpy(exe,"flashpointBeta.exe");
        needbeta = true;
    } else {
        strcpy(exe,"flashpointResistance.exe");
        needbeta = false;
    }

    if(-1 == stat("FLASHPOINTBETA.EXE", &stat_p) && needbeta) { // No beta
        MessageBox(NULL,"You seem to be using OFP version 1.91, installing\nthe latest version is highly recommended for FDFmod.","FDFmod",MB_ICONWARNING );
        strcpy(exe,"flashpointResistance.exe"); // run this one after all
    }

    ShellExecute(NULL, "open", exe, wii, ".", 1); // 1 = SW_SHOWNORMAL
    return 0;
}
```

(Edited October 17, 2009 by Kegetys)

sanctuary, posted October 17, 2009

Thanks for confirming that my memory is not what it used to be, I was so sure it was both executables, not only the installer.