
Thread: Re: Superantispyware - false positives?

  1. #1
    Ron Lopshire Guest

    Re: Superantispyware - false positives?

    lessmalwareiscool@nohotmail.org wrote:

    > A recent scan found (and REMOVED!) these items:
    >
    > Trojan.Media-Codec
    > E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    > E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    > \UNINSTALL.LNK
    >
    > Adware.Spyware Labs
    > E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >
    > AVICODEC is a highly recommended program on many sites for AV enthusiasts,
    > and Proxyway is a legit anonymous proxy program. Both are freeware.


    What makes you think that these are FPs? And recommended by whom? Free
    CODECs are the Number One in the current list of malware vectors. And
    you do have the option of having your scanners not automatically
    delete suspected riskware.

    > Looks like I'll have to reinstall them now.


    You do that. I'll pass. Free CODECs give me the willies. [g]

    BTW, unless you are affiliated with Eyad Hiyari and live in Dubai,
    you are doing them a disservice by using their domain name on Usenet.
    See Kevin's page for info on how to mung your email address for
    newsgroups.

    (http://www.2kevin.net/munging.html)

    Ron

  2. #2
    lessmalwareiscool@knowhotmail.org Guest

    Re: Superantispyware - false positives?

    Ron Lopshire <notron@ovbl.org> wrote in
    news:UBp%g.12259$Lv3.8275@newsread1.news.pas.earthlink.net:

    >> A recent scan found (and REMOVED!) these items:
    >>
    >> Trojan.Media-Codec
    >> E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    >> E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    >> \UNINSTALL.LNK
    >>
    >> Adware.Spyware Labs
    >> E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >>
    >> AVICODEC is a highly recommended program on many sites for AV
    >> enthusiasts, and Proxyway is a legit anonymous proxy program. Both
    >> are freeware.

    >
    > What makes you think that these are FPs? And recommended by whom? Free
    > CODECs are the Number One in the current list of malware vectors. And
    > you do have the option of having your scanners not automatically
    > delete suspected riskware.



    So you're saying that CCCP, and the K-lite packs over at Free-codecs.com
    are dangerous? AVICODEC is not a codec but a program that scans multimedia
    files to see what codecs are in them. It's similar to G-spot.

    Siteadvisor gives them clean ratings (I think). They're highly recommended
    over at Videohelp.com and on most AV enthusiast forums.


    Anyone else here have opinions?


  3. #3
    Ron Lopshire Guest

    Re: Superantispyware - false positives?

    lessmalwareiscool@knowhotmail.org wrote:

    > Ron Lopshire <notron@ovbl.org> wrote in
    > news:UBp%g.12259$Lv3.8275@newsread1.news.pas.earthlink.net:
    >
    >>>A recent scan found (and REMOVED!) these items:
    >>>
    >>>Trojan.Media-Codec
    >>> E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    >>> E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    >>>\UNINSTALL.LNK
    >>>
    >>>Adware.Spyware Labs
    >>> E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >>>
    >>>AVICODEC is a highly recommended program on many sites for AV
    >>>enthusiasts, and Proxyway is a legit anonymous proxy program. Both
    >>>are freeware.

    >>
    >>What makes you think that these are FPs? And recommended by whom? Free
    >>CODECs are the Number One in the current list of malware vectors. And
    >>you do have the option of having your scanners not automatically
    >>delete suspected riskware.

    >
    > So you're saying that CCCP, and the K-lite packs over at Free-codecs.com
    > are dangerous? AVICODEC is not a codec but a program that scans multimedia
    > files to see what codecs are in them. It's similar to G-spot.
    >
    > Siteadvisor gives them clean ratings (I think). They're highly recommended
    > over at Videohelp.com and on most AV enthusiast forums.


    Not in and of themselves. What I was trying to say is that those who
    routinely download and play with free CODECs put themselves at risk
    for malware infestation. The apps that you are using may be fine, it
    is the downloads and (some of) the creeps who make them available that
    are risky. As I said, free CODECs -> Number 1 malware vector. IIRC,
    pr0n-surfing is now about Number 5 and dropping.*

    And so, the fact that SAS flagged some of the executable files of
    genuine applications, doesn't mean that the apps themselves are
    suspect. The files themselves may or may not be legitimate. This is a
    common MO for these creeps --- replacing legitimate executables with
    their own, ideally transparently to the user. Google for svchost.exe.
    What you mean it's malware? MS says I need it. Same idea.

    I have yet to see an SAS FP on my WinXP box, but I know that they
    occur from time to time. This happens with any AS/AV app. From the SAS
    scanning controls, look at the quarantine. (I don't have any.) You
    should be able to restore any quarantined files if you really think
    that they are FPs. As Nick pointed out, start by submitting the file
    to SAS for analysis. If you still aren't sure, re-install the app, and
    rescan it.

    BTW, if my OP appeared condescending, I apologize. Not my intent. I
    have a tendency to be a little terse when I am pissed off at my wife.
    [g] And when you said "AV enthusiasts"? That has a different meaning
    around here. LOL.

    I was, however, serious about your email address. Even though you
    changed it, you didn't munge it. Please read Kevin's thoughts on the
    subject.

    Ron

    *Email phishing, spoofing, and other social-engineering scams are a
    different list. I am talking about the downloads themselves.
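
The svchost.exe point in the post above (a familiar file name says nothing about whether the file is the genuine one), shown as a name-versus-location check. This is an added example, not part of the original thread; the allow-list, the edit-distance threshold and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: a tiny allow-list mapping system image names to the folders
# (relative to the Windows directory) they are expected to run from.
EXPECTED_DIRS = {
    "svchost.exe": {"system32", "syswow64"},
    "lsass.exe": {"system32"},
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path, windir=r"C:\WINDOWS"):
    """Return 'ok', 'wrong-location', 'look-alike' or 'unlisted'."""
    folder, name = ntpath.split(ntpath.normpath(image_path).lower())
    root = ntpath.normpath(windir).lower()
    if name in EXPECTED_DIRS:
        allowed = {ntpath.join(root, d) for d in EXPECTED_DIRS[name]}
        return "ok" if folder in allowed else "wrong-location"
    # Heuristic threshold (assumption): 1-2 edits from a protected name.
    if any(edit_distance(name, known) <= 2 for known in EXPECTED_DIRS):
        return "look-alike"
    return "unlisted"

def triage(paths):
    """Keep only the entries that deserve a closer look."""
    verdicts = {p: classify(p) for p in paths}
    return {p: v for p, v in verdicts.items() if v in ("wrong-location", "look-alike")}

# Constructed sample paths, not taken from any real system.
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\SVCHOST.EXE",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"E:\Program Files\AV\Tools\AVICODEC\uninst.exe",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {path}")
```

A flagged path is a reason to submit the file for analysis, as the post suggests, not proof of infection; an "ok" location likewise does not prove the file is genuine.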

  4. #4
    Ron Lopshire Guest

    Beware of CODECs - part deux

    Ron Lopshire wrote:

    > lessmalwareiscool@knowhotmail.org wrote:
    >
    >> Ron Lopshire <notron@ovbl.org> wrote in
    >> news:UBp%g.12259$Lv3.8275@newsread1.news.pas.earthlink.net:
    >>
    >>>> A recent scan found (and REMOVED!) these items:
    >>>>
    >>>> Trojan.Media-Codec
    >>>> E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    >>>> E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    >>>> \UNINSTALL.LNK
    >>>>
    >>>> Adware.Spyware Labs
    >>>> E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >>>>
    >>>> AVICODEC is a highly recommended program on many sites for AV
    >>>> enthusiasts, and Proxyway is a legit anonymous proxy program. Both
    >>>> are freeware.
    >>>
    >>> What makes you think that these are FPs? And recommended by whom? Free
    >>> CODECs are the Number One in the current list of malware vectors. And
    >>> you do have the option of having your scanners not automatically
    >>> delete suspected riskware.

    >>
    >> So you're saying that CCCP, and the K-lite packs over at
    >> Free-codecs.com are dangerous? AVICODEC is not a codec but a program
    >> that scans multimedia files to see what codecs are in them. It's
    >> similar to G-spot.
    >>
    >> Siteadvisor gives them clean ratings (I think). They're highly
    >> recommended over at Videohelp.com and on most AV enthusiast forums.

    >
    > Not in and of themselves. What I was trying to say is that those who
    > routinely download and play with free CODECs put themselves at risk for
    > malware infestation. The apps that you are using may be fine, it is the
    > downloads and (some of) the creeps who make them available that are
    > risky. As I said, free CODECs -> Number 1 malware vector. IIRC,
    > pr0n-surfing is now about Number 5 and dropping.*
    >
    > And so, the fact that SAS flagged some of the executable files of
    > genuine applications, doesn't mean that the apps themselves are suspect.
    > The files themselves may or may not be legitimate. This is a common MO
    > for these creeps --- replacing legitimate executables with their own,
    > ideally transparently to the user. Google for svchost.exe. What you mean
    > it's malware? MS says I need it. Same idea.
    >
    > I have yet to see an SAS FP on my WinXP box, but I know that they occur
    > from time to time. This happens with any AS/AV app. From the SAS
    > scanning controls, look at the quarantine. (I don't have any.) You
    > should be able to restore any quarantined files if you really think that
    > they are FPs. As Nick pointed out, start by submitting the file to SAS
    > for analysis. If you still aren't sure, re-install the app, and rescan it.
    >
    > BTW, if my OP appeared condescending, I apologize. Not my intent. I have
    > a tendency to be a little terse when I am pissed off at my wife. [g] And
    > when you said "AV enthusiasts"? That has a different meaning around
    > here. LOL.
    >
    > I was, however, serious about your email address. Even though you
    > changed it, you didn't munge it. Please read Kevin's thoughts on the
    > subject.
    >
    > *Email phishing, spoofing, and other social-engineering scams are a
    > different list. I am talking about the downloads themselves.


    I will start a new thread for this since it has nothing to do with the
    OP's use of SAS, but I will quote the original thread since it is
    germane to my discussion with the OP. From Alex's blog,

    A note on fake codecs
    http://sunbeltblog.blogspot.com/2006...ke-codecs.html

    Ron

  5. #5
    Ron Lopshire Guest

    Beware of CODECs

    Ron Lopshire wrote:

    > lessmalwareiscool@knowhotmail.org wrote:
    >
    >> Ron Lopshire <notron@ovbl.org> wrote in
    >> news:UBp%g.12259$Lv3.8275@newsread1.news.pas.earthlink.net:
    >>
    >>>> A recent scan found (and REMOVED!) these items:
    >>>>
    >>>> Trojan.Media-Codec
    >>>> E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    >>>> E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    >>>> \UNINSTALL.LNK
    >>>>
    >>>> Adware.Spyware Labs
    >>>> E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >>>>
    >>>> AVICODEC is a highly recommended program on many sites for AV
    >>>> enthusiasts, and Proxyway is a legit anonymous proxy program. Both
    >>>> are freeware.
    >>>
    >>> What makes you think that these are FPs? And recommended by whom? Free
    >>> CODECs are the Number One in the current list of malware vectors. And
    >>> you do have the option of having your scanners not automatically
    >>> delete suspected riskware.

    >>
    >> So you're saying that CCCP, and the K-lite packs over at
    >> Free-codecs.com are dangerous? AVICODEC is not a codec but a program
    >> that scans multimedia files to see what codecs are in them. It's
    >> similar to G-spot.
    >>
    >> Siteadvisor gives them clean ratings (I think). They're highly
    >> recommended over at Videohelp.com and on most AV enthusiast forums.

    >
    > Not in and of themselves. What I was trying to say is that those who
    > routinely download and play with free CODECs put themselves at risk for
    > malware infestation. The apps that you are using may be fine, it is the
    > downloads and (some of) the creeps who make them available that are
    > risky. As I said, free CODECs -> Number 1 malware vector. IIRC,
    > pr0n-surfing is now about Number 5 and dropping.
    >
    > And so, the fact that SAS flagged some of the executable files of
    > genuine applications, doesn't mean that the apps themselves are suspect.
    > The files themselves may or may not be legitimate. This is a common MO
    > for these creeps --- replacing legitimate executables with their own,
    > ideally transparently to the user. Google for svchost.exe. What you mean
    > it's malware? MS says I need it. Same idea.


    I have renamed this topic since it has nothing to do with the OP's use
    of SAS, but I will quote the original thread since it is germane to my
    discussion with the OP. From Alex's blog,

    A note on fake codecs
    http://sunbeltblog.blogspot.com/2006...ke-codecs.html

    Ron

  6. #6
    Ron Lopshire Guest

    Re: Beware of CODECs

    Ron Lopshire wrote:

    > Ron Lopshire wrote:
    >
    > I have renamed this topic since it has nothing to do with the OP's use
    > of SAS, but ... discussion with the OP. From Alex's blog,
    >
    > A note on fake codecs
    > http://sunbeltblog.blogspot.com/2006...ke-codecs.html


    More info on the idiots peddling this crap.

    http://sunbeltblog.blogspot.com/2006...ew-codecs.html

    Ron

  7. #7
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "Ron Lopshire" <notron@ovbl.org>

    | Ron Lopshire wrote:
    |
    >> Ron Lopshire wrote:
    >>
    >> I have renamed this topic since it has nothing to do with the OP's use
    >> of SAS, but ... discussion with the OP. From Alex's blog,
    >>
    >> A note on fake codecs
    >> http://sunbeltblog.blogspot.com/2006...ke-codecs.html

    |
    | More info on the idiots peddling this crap.
    |
    | http://sunbeltblog.blogspot.com/2006...ew-codecs.html
    |
    | Ron

    And add...

    Super Codec
    and
    Perfect Codec


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  8. #8
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>


    |
    | And add...
    |
    | Super Codec
    | and
    | Perfect Codec
    |

    Now add Silver Codec and Gold Codec.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  9. #9
    Dustin Cook Guest

    Re: Beware of CODECs

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in news:wol9h.3407
    $JQ.456@trnddc06:

    > From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
    >
    >
    >|
    >| And add...
    >|
    >| Super Codec
    >| and
    >| Perfect Codec
    >|
    >
    > Now add Silver Codec and Gold Codec.
    >


    Very wild here it would seem. I've seen many systems in the past couple
    of days which are... ehh, infected by them.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool -V1.9.4
    web: http://bughunter.it-mate.co.uk
    email: bughunter.dustin@gmail.com.removethis
    Last updated: November 22nd, 2006


  10. #10
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com>


    | Very wild here it would seem. I've seen many systems in the past couple
    | of days which are... ehh, infected by them.
    |

    Silver and Gold are already down!

    Now it has been replaced by Brain Codec and VAX - Video Active X

    Also replaced by; mediaobjectsource.com and amediasoftware.com

    Also I am seeing CrackZ sites renaming the BrainCodec EXE files as RUN.EXE either as a
    direct download or included in pseudo Cracking packages in ZIP files.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm


