parkd1

Codec Packs

I have installed different Codec Packs that are out there and Ad-Aware stops them from installing. Can you check to see if this is a false positive?

Hello Black Ghost

Thank you for reporting this. For us to be able to investigate this any further we will need you to submit some more information. Could you start by submitting a log file from where the file(s) are being detected.
[url="http://www.lavasoftsupport.com/index.php?showtopic=18033"]http://www.lavasoftsupport.com/index.php?showtopic=18033[/url]

It would also be very helpful if you could zip (use password: infected) and upload the detected files here in this thread. This is so that we can have a closer look at them.


Regards
LS Anders

[quote name='LS Anders' post='125201' date='Feb 28 2011, 04:42 PM']Hello Black Ghost

Thank you for reporting this. For us to be able to investigate this any further we will need you to submit some more information. Could you start by submitting a log file from where the file(s) are being detected.
[url="http://www.lavasoftsupport.com/index.php?showtopic=18033"]http://www.lavasoftsupport.com/index.php?showtopic=18033[/url]

It would also be very helpful if you could zip (use password: infected) and upload the detected files here in this thread. This is so that we can have a closer look at them.
Regards
LS Anders[/quote]

This is what I get when I install the codec packs: "Ad-Watch Live! has blocked the process. wecpsetup32.exe(6580) from starting on your system. The process has been identified as Zugo (fs)." This is the install program that will download the setup file that it installs. For me it downloads the 32 bit version. Not sure if it does it to the 64 bit version too.

Hi Black Ghost,

This isn't a false positive - the WECPSetup32.exe file is detected because Ad-Aware sees that it's a "packed" file and scans the contents. If something is detected within the packed file Ad-Aware will flag it, which is what happened here. In this case, there is a Zugo toolbar installer within WECPSetup32.exe.

You can see the Zugo elements (and a ton of other stuff you might not have realised was going to be installed!) by following along:

[b]Decompress Installer[/b][list]
[*]Install 7-zip from [url="http://www.7-zip.org/"]http://www.7-zip.org/[/url]
[*]Download the flagged file: hxxp://d2gj8fksp6kw8j.cloudfront.net/WECPSetup32.exe
[*]Right click on WECPSetup32.exe -> 7-zip -> Extract to WECPSetup32.. This will create a WECPSetup32 folder
[/list]
[b]Check What Else Is Included In The Installer[/b][list]
[*]Go into the [i]WECPSetup32[/i] folder
[*]Go into the [i]$PLUGINSDIR[/i] folder
[*]Right click ori-mediacodec-us-silent.exe -> Properties -> Digital Signatures: You'll see it's signed by Zugo
[*]Right click ori-mediacodec-us-silent.exe -> 7-zip -> Extract to ori-mediacodec-us-silent ..
[*]Go into the newly created [i]ori-mediacodec-us-silent[/i] folder and have a look around. You'll find Zugo toolbar installers, Ask.com stuff..
[/list]
If you still want to install the software bundle, temporarily disable Processes and Files in the Ad-Watch section and install. Run a scan with Ad-Aware and when it detects the various bits of Zugo, add them to your allowed list. Turn Ad-Watch back on when you're done.

Hope this helps.

Regards,

Andy
Lavasoft Malware Labs
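
The manual steps in the post above (extract with 7-Zip, open the nested installer, check Digital Signatures) can be scripted. This is an added example, not part of the original post and not Lavasoft's code; it assumes 7-Zip is installed at its default path and that the script is saved under a hypothetical name such as Get-BundleSigners.ps1. It only unpacks files and reads their signatures, and never runs the installer.

```powershell
# Added example: unpack an installer with 7-Zip and list who signed each
# executable inside it, descending into nested installers.
param(
    [Parameter(Mandatory)] [string] $Installer,              # e.g. .\WECPSetup32.exe
    [string] $SevenZip = "$env:ProgramFiles\7-Zip\7z.exe",   # assumed default install path
    [int]    $MaxDepth = 3                                    # limit on nested unpacking
)

function Expand-Bundle {
    param([string] $Path, [int] $Depth)

    $file   = Get-Item -LiteralPath $Path
    # Same layout as the manual steps: a folder named after the file, beside it
    $outDir = Join-Path $file.DirectoryName $file.BaseName
    & $SevenZip x $file.FullName "-o$outDir" -y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $outDir)) {
        return   # 7-Zip could not open this file as an archive
    }

    # Snapshot the file list first, so folders created by nested extraction
    # are reported only by the recursive call and not listed twice.
    $found = @(Get-ChildItem -LiteralPath $outDir -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.msi' })

    foreach ($item in $found) {
        $sig = Get-AuthenticodeSignature -LiteralPath $item.FullName
        [pscustomobject]@{
            Depth  = $Depth
            File   = $item.FullName
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
        # A nested .exe may itself be an installer; unpack it too, as in the
        # second half of the manual steps.
        if ($item.Extension -eq '.exe' -and $Depth -lt $MaxDepth) {
            Expand-Bundle -Path $item.FullName -Depth ($Depth + 1)
        }
    }
}

Expand-Bundle -Path $Installer -Depth 1 | Format-Table -AutoSize -Wrap
```

A Signer column naming a publisher other than the one you expected, as with the Zugo-signed file in $PLUGINSDIR here, is the sign that third-party components are bundled.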

Black Ghost, you might want to try K-Lite Mega Codec Pack. I installed it a few years back and have never had any problems with malware or anti-virus scanners.
