Thread: Re: Superantispyware - false positives?

  1. #1
    Ron Lopshire Guest

    Beware of CODECs

    Ron Lopshire wrote:

    > lessmalwareiscool@knowhotmail.org wrote:
    >
    >> Ron Lopshire <notron@ovbl.org> wrote in
    >> news:UBp%g.12259$Lv3.8275@newsread1.news.pas.earthlink.net:
    >>
    >>>> A recent scan found (and REMOVED!) these items:
    >>>>
    >>>> Trojan.Media-Codec
    >>>> E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE
    >>>> E:\DOCUMENTS AND SETTINGS\GIZENTA1\START MENU\PROGRAMS\AVICODEC
    >>>> \UNINSTALL.LNK
    >>>>
    >>>> Adware.Spyware Labs
    >>>> E:\PROGRAM FILES\UTILITIES\INTERNET\PROXYWAY\PROXYWAY.EXE
    >>>>
    >>>> AVICODEC is a highly recommended program on many sites for AV
    >>>> enthusiasts, and Proxyway is a legit anonymous proxy program. Both
    >>>> are freeware.
    >>>
    >>> What makes you think that these are FPs? And recommended by whom? Free
    >>> CODECs are the Number One in the current list of malware vectors. And
    >>> you do have the option of having your scanners not automatically
    >>> delete suspected riskware.

    >>
    >> So you're saying that CCCP, and the K-lite packs over at
    >> Free-codecs.com are dangerous? AVICODEC is not a codec but a program
    >> that scans multimedia files to see what codecs are in them. It's
    >> similar to G-spot.
    >>
    >> Siteadvisor gives them clean ratings (I think). They're highly
    >> recommended over at Videohelp.com and on most AV enthusiast forums.

    >
    > Not in and of themselves. What I was trying to say is that those who
    > routinely download and play with free CODECs put themselves at risk for
    > malware infestation. The apps that you are using may be fine, it is the
    > downloads and (some of) the creeps who make them available that are
    > risky. As I said, free CODECs -> Number 1 malware vector. IIRC,
    > pr0n-surfing is now about Number 5 and dropping.
    >
    > And so, the fact that SAS flagged some of the executable files of
    > genuine applications, doesn't mean that the apps themselves are suspect.
    > The files themselves may or may not be legitimate. This is a common MO
    > for these creeps --- replacing legitimate executables with their own,
    > ideally transparently to the user. Google for svchost.exe. What you mean
    > it's malware? MS says I need it. Same idea.


    I have renamed this topic since it has nothing to do with the OP's use
    of SAS, but I will quote the original thread since it is germane to my
    discussion with the OP. From Alex's blog,

    A note on fake codecs
    http://sunbeltblog.blogspot.com/2006...ke-codecs.html

    Ron

  2. #2
    Ron Lopshire Guest

    Re: Beware of CODECs

    Ron Lopshire wrote:

    > Ron Lopshire wrote:
    >
    > I have renamed this topic since it has nothing to do with the OP's use
    > of SAS, but ... discussion with the OP. From Alex's blog,
    >
    > A note on fake codecs
    > http://sunbeltblog.blogspot.com/2006...ke-codecs.html


    More info on the idiots peddling this crap.

    http://sunbeltblog.blogspot.com/2006...ew-codecs.html

    Ron

  3. #3
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "Ron Lopshire" <notron@ovbl.org>

    | Ron Lopshire wrote:
    |
    >> Ron Lopshire wrote:
    >>
    >> I have renamed this topic since it has nothing to do with the OP's use
    >> of SAS, but ... discussion with the OP. From Alex's blog,
    >>
    >> A note on fake codecs
    >> http://sunbeltblog.blogspot.com/2006...ke-codecs.html

    |
    | More info on the idiots peddling this crap.
    |
    | http://sunbeltblog.blogspot.com/2006...ew-codecs.html
    |
    | Ron

    And add...

    Super Codec
    and
    Perfect Codec


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  4. #4
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>


    |
    | And add...
    |
    | Super Codec
    | and
    | Perfect Codec
    |

    Now add Silver Codec and Gold Codec.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  5. #5
    Dustin Cook Guest

    Re: Beware of CODECs

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:wol9h.3407$JQ.456@trnddc06:

    > From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
    >
    >
    >|
    >| And add...
    >|
    >| Super Codec
    >| and
    >| Perfect Codec
    >|
    >
    > Now add Silver Codec and Gold Codec.
    >


    Very wild here it would seem. I've seen many systems in the past couple
    of days which are... ehh, infected by them.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool -V1.9.4
    web: http://bughunter.it-mate.co.uk
    email: bughunter.dustin@gmail.com.removethis
    Last updated: November 22nd, 2006


  6. #6
    David H. Lipman Guest

    Re: Beware of CODECs

    From: "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com>


    | Very wild here it would seem. I've seen many systems in the past couple
    | of days which are... ehh, infected by them.
    |

    Silver and Gold are already down !

    Now it has been replaced by Brain Codec and VAX - Video Active X

    Also replaced by; mediaobjectsource.com and amediasoftware.com

    Also I am seeing CrackZ sites renaming the BrainCodec EXE files as RUN.EXE either as a
    direct download or included in pseudo Cracking packages in ZIP files.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
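
Added example, not part of any post in this thread and not code from SAS or BugHunter: a triage sketch for the two situations described above, a flagged file that shares its name with a legitimate program (post #1) and a known installer renamed to RUN.EXE (post #6). The hash sets, the svchost.exe directory rule, the sample bytes and every path except the AVICODEC one are constructed assumptions.

```python
import hashlib
import ntpath  # Windows path rules on any OS, so the sample runs offline anywhere

# All values below are constructed for illustration; none come from the thread.
SYSTEM_DIRS = {"svchost.exe": r"c:\windows\system32"}  # image name -> expected folder
VENDOR_BUILD = b"constructed stand-in for the vendor's uninst.exe"
DROPPER = b"constructed stand-in for a fake-codec installer"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

KNOWN_GOOD = {"uninst.exe": {sha256_hex(VENDOR_BUILD)}}  # per-name vendor hashes
KNOWN_BAD = {sha256_hex(DROPPER)}                        # name-independent

def triage(path: str, content: bytes) -> str:
    """Classify one scanner hit from its path and bytes."""
    name = ntpath.basename(path).lower()
    folder = ntpath.normpath(ntpath.dirname(path)).lower()
    digest = sha256_hex(content)
    # 1. Content match wins over any file name, so a rename changes nothing.
    if digest in KNOWN_BAD:
        return "known-bad"
    # 2. A system image name loaded from the wrong folder is a masquerade.
    expected = SYSTEM_DIRS.get(name)
    if expected is not None and folder != expected:
        return "masquerade"
    # 3. Same name as a legitimate file: only a hash match clears it.
    good = KNOWN_GOOD.get(name)
    if good is None:
        return "unknown"
    return "matches-vendor" if digest in good else "replaced"

def demo() -> dict:
    hits = {
        r"E:\PROGRAM FILES\AV\TOOLS\AVICODEC\UNINST.EXE": VENDOR_BUILD,
        r"E:\Program Files\Other\uninst.exe": b"constructed tampered build",
        r"C:\Temp\RUN.EXE": DROPPER,
        r"C:\Users\Public\svchost.exe": b"constructed impostor",
        r"C:\Windows\System32\svchost.exe": b"constructed system file",
    }
    return {p: triage(p, data) for p, data in hits.items()}

if __name__ == "__main__":
    for p, verdict in demo().items():
        print(f"{verdict:15} {p}")
```

A "matches-vendor" verdict supports a false positive only as far as the reference hashes themselves were obtained from the vendor over a trusted channel.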



  7. #7
    Dustin Cook Guest

    Re: Beware of CODECs

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:kcIbh.22570$w37.21540@trnddc08:

    > From: "Dustin Cook" <spamfilterineffect.see.sig@nowhere.com>
    >
    >
    >| Very wild here it would seem. I've seen many systems in the past
    >| couple of days which are... ehh, infected by them.
    >|
    >
    > Silver and Gold are already down !


    Ugh.. Madness!

    > Now it has been replaced by Brain Codec and VAX - Video Active X
    >
    > Also replaced by; mediaobjectsource.com and amediasoftware.com


    I've been seeing this at work too.

    I'm working on the next revision to the BugHunter program; After all this
    time, it will identify the files by popular name instead of just Full
    Match.. It'll be a bit before v1.9.5 is released tho.

    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool -V1.9.4
    web: http://bughunter.it-mate.co.uk
    email: bughunter.dustin@gmail.com.removethis
    Last updated: November 30th, 2006

