Virus in usr/lib/codecs/

Postby JOHHANSEN on Mon Jul 30, 2012 7:07 am

I have scanned my computer today with clamtk and found 16 trades.
The linux mint 13 Maya Xfce is a new installation from scratch. (0)
Can it be true and please help :)

Re: Virus in usr/lib/codecs/

Postby marsh20 on Mon Jul 30, 2012 8:23 am

Sorry, can't answer your question, but what are "trades"?

Re: Virus in usr/lib/codecs/

Postby viking777 on Mon Jul 30, 2012 8:40 am

I have moved this to Xfce section as these are the people that should know about it, but fwiw my Main Edition Maya doesn't even have a file/folder called /usr/lib/codecs but that may be something to do with the no codec version, not sure (neither does it have any viruses - I just did a full scan).

I suggest in the meantime you copy the name of one of these supposed viruses and google it along with the word clamav. It is probably a false positive, but that is the only way to find out.

Re: Virus in usr/lib/codecs/

Postby GeneC on Mon Jul 30, 2012 9:46 am

Running XFCE, but LMDE tracking SID.

I do have a /usr/lib/codecs

But, scan with Clam yields

Code:
ClamTk, v4.41
Mon Jul 30 09:42:02 2012
ClamAV Signatures: 1284076
Directories Scanned:
/usr/lib/codecs

Found 0 possible threats (3 files scanned).

No threats found.
---------------------------------------------


Perhaps you could post your results?
Viking is most likely correct 'false positive'.

Re: Virus in usr/lib/codecs/

Postby JOHHANSEN on Mon Jul 30, 2012 5:30 pm

Try to set all 5 parameters (X) in preference in clamtk and make a new scan then see the results (Found trades).
Trades are infected files.
See my attachment picture

Re: Virus in usr/lib/codecs/

Postby GeneC on Mon Jul 30, 2012 5:40 pm

JOHHANSEN wrote: Try to set all 5 parameters (X) in preference in clamtk and make a new scan then see the results (Found trades).
Trades are infected files.
See my attachment picture

Same result.. (both regular and recursive scans) and no infected files.

Can you post your 'history' here?

I would do as Viking suggested and 'google' clamtk+,<infected file>

Attached picture?? :wink:

=============

Can find no info on "trades" :?:
https://www.google.com/search?sugexp=ch ... mtk+trades

Re: Virus in usr/lib/codecs/

Postby JOHHANSEN on Mon Jul 30, 2012 5:59 pm

I use clamTK 4.41 GUI version
All preference set in scan option and here are the results.
(Sorry "trades" i mean threats found 16)

Here are my scanning results !

/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/psiv.dll PUA.Win32.Packer.Starforce-1
/usr/lib/codecs/atrac3.acm PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/codecs/m3jpegdec.ax PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/tssoft32.acm PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/mcdvd_32.dll PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys PUA.Win32.Packer.NspackDotnetNor-1
/home/john/.mozilla/firefox/mwad0hks.default/Cache/F/CC/0A32Cd01 PUA.Script.Packed-1
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/usr/lib/codecs/wms10dmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/VFCodec.dll PUA.Win32.Packer.BorlandDelphi-13
/usr/lib/codecs/ctadp32.acm PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/wmvadvd.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/QuickTimeEssentials.qtx PUA.Win32.Packer.InstallerVise
/usr/lib/codecs/cinevfw.dll PUA.Win32.Packer.Armadillo-42
/usr/lib/codecs/WCMV.dll PUA.Win32.Packer.SetupExeSection

Re: Virus in usr/lib/codecs/

Postby JOHHANSEN on Mon Jul 30, 2012 7:14 pm

I just installed Linux Mint MAYA 13 Mate 32 bits.
That is a new installation from scratch again.
Scanned with the same preference in clamTk.
And I almost get the same scan results: 15 threats.

My question
Is the fault in clamTK or are there viruses in the distro file (.iso)?
Is there anyone who can help me.

Tomorrow I try Ubuntu 12.04

Here are my scan results

/usr/lib/codecs/tssoft32.acm PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/atrac3.acm PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/codecs/WCMV.dll PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/QuickTimeEssentials.qtx PUA.Win32.Packer.InstallerVise
/usr/lib/codecs/mcdvd_32.dll PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/wms10dmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/wmvadvd.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/VFCodec.dll PUA.Win32.Packer.BorlandDelphi-13
/usr/lib/codecs/ctadp32.acm PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/usr/lib/codecs/m3jpegdec.ax PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/cinevfw.dll PUA.Win32.Packer.Armadillo-42
/usr/lib/codecs/psiv.dll PUA.Win32.Packer.Starforce-1

Re: Virus in usr/lib/codecs/

Postby GeneC on Mon Jul 30, 2012 7:23 pm

That is very odd.
Those appear to be Windows related? (Win32).
Why would they be in a 'virgin' install???
I am not running Mint 13 XFCE, I am running LMDE XFCE.

Perhaps someone with Mint 13 XFCE could run a ClamAV, and see if they have similar results.
I have been running LMDE/XFCE for almost two years and never have seen this. Also almost two years on this forum daily and to the best of my feeble old memory have never seen a real virus reported in Mint.

I fear I can be of no help.. :( Perhaps someone else will chime in.

Best wishes.

Re: Virus in usr/lib/codecs/

Postby pqwoerituytrueiwoq on Tue Jul 31, 2012 5:07 am

my guess is it is a false positive from having to use windows wifi drivers (unless you downloaded infected driver(s) cause the site's windows server got hacked)
Code:
ls  /usr/lib/codecs
cook.so  drvc.so  sipr.so

my install is from the release candidate not the final release

Re: Virus in usr/lib/codecs/

Postby viking777 on Tue Jul 31, 2012 5:43 am

Why don't you run one or two of those files through an online virus scanner?

This one is pretty good, it submits individual files to 20 different virus scanning engines at once (and it uses Linux :D )

http://virusscan.jotti.org/en

It can be a bit slow if it is busy though, but worth the wait if you are concerned about it.

Re: Virus in usr/lib/codecs/

Postby mercier on Tue Jul 31, 2012 6:59 am

well, i saw this topic and thought maybe i could scan my Maya x64 MATE.

installed clamtk and scanned home folder - result: 51 threats found.

did not like it to say the least, so i quarantined all the threats. nevertheless, i also did what viking777 suggested, and for the few files i checked online i got this:

[Image]

[Image]

:?

case closed, me thinks. but, what IS a good solution for linux virusscan, if clamav does this? :roll:

Re: Virus in usr/lib/codecs/

Postby viking777 on Tue Jul 31, 2012 9:01 am

Well that raises a couple of points I think, the first is that there are many other antivirus solutions for Linux that you are free to use if you think one is better - just google 'antivirus + linux', and the second is that your Linux box doesn't have any viruses - that is because there aren't any, so really unless you are using windows drivers or tools like the OP (who could have a virus in those files, though I doubt it) then all antivirus solutions are a waste of resources - For Now. So why not have the one that uses the least resources - and I am pretty sure that is clamav (because it doesn't do 'real time' scanning like some).

The only reason I have antivirus installed is that I use online banking and some (many perhaps??) banks have a clause written in the small print of their t+c's that says that if you don't have an antivirus product on your computer and you lose money through their online services, they won't compensate you.

Edit. Some more information. If you look at this page:

http://www.clamav.net/lang/en/sendvirus/submit-fp/

You will see that although it is perfectly possible to submit 'false positive' files to clamav for inspection, they will automatically reject anything with the term 'PUA' in its title as this is not a virus but a 'Potentially Unwanted Application' - they don't go into details on that term though. All the files mentioned in this thread so far are PUAs not viruses.

Edit 2. Correction to the above - here are the details of PUAs:

http://www.clamav.net/lang/en/faq/pua/

I believe most of the files mentioned here are 'runtime packers' (except for mercier's which is an embedded javascript script) and I guess that other antivirus solutions are not set up to detect these as they don't consider them malicious. So perhaps clam is doing a more thorough job than some others as it is covering more types of threat than plain viruses. The downside to this is more warnings.

Re: Virus in usr/lib/codecs/

Postby eanfrid on Tue Jul 31, 2012 10:53 am

@mercier: you scanned your home folder... Your home folder belongs to you, not to your distrib.

Scanning PUA is for paranoids as it always gathers false positives: these software/scripts behave like a virus but are seldom true viruses :) IMHO detection of "broken executables" (--detect-broken=yes) is more accurate.

Edit: Detection of Possibly Unwanted Applications is off by default in clamav.

Edit2: clamav is not a realtime analyzer - unless you use it in combination with your mail server before message delivery. So apart from that, it will never protect you from any incoming virus or "threat".

Edit3: "man clamscan" will show you an ocean of command-line options and what are their defaults. If you use non default switches, then you should expect more false positives and know what to do if it occurs, like scanning with another antivirus in order to confirm or reject.
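An added example, not part of any post in this thread: a small shell filter that triages scan results like the ones posted above, counting PUA.* detections by family and listing anything that is not a PUA signature for a second opinion. The first three sample lines are copied from the thread; the fourth path and its signature name are constructed, and the function names `sample_results` and `triage` are hypothetical.

```shell
#!/bin/sh
# Sample scan results. The first three lines are copied from the thread
# (ClamTk "path signature" layout); the last is constructed, in clamscan's
# "path: Signature FOUND" layout, with a made-up non-PUA signature name.
sample_results() {
cat <<'EOF'
/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/home/john/.mozilla/firefox/mwad0hks.default/Cache/F/CC/0A32Cd01 PUA.Script.Packed-1
/tmp/constructed dir/sample.exe: Constructed.NonPUA.Example-1 FOUND
EOF
}

# triage: read scan results on stdin and print, tab-separated:
#   PUA <count> <family>       PUA.* hits grouped by their first three name parts
#   REVIEW <path> <signature>  anything that is not a PUA signature
triage() {
    awk '
    {
        found = ($NF == "FOUND")
        if (found) sub(/[ \t]+FOUND[ \t]*$/, "")      # clamscan suffix
        if (NF < 2) next
        sig = $NF
        path = $0
        sub(/[ \t]+[^ \t]+[ \t]*$/, "", path)         # drop signature field
        if (found) sub(/:$/, "", path)                # clamscan "path:"
        if (sig ~ /^PUA\./) {
            n = split(sig, part, ".")
            fam = part[1]
            for (i = 2; i <= n && i <= 3; i++) fam = fam "." part[i]
            sub(/-[0-9]+$/, "", fam)                  # "Packed-1" -> "Packed"
            pua[fam]++
        } else {
            printf "REVIEW\t%s\t%s\n", path, sig
        }
    }
    END { for (f in pua) printf "PUA\t%d\t%s\n", pua[f], f }
    ' | LC_ALL=C sort
}

sample_results | triage
```

Only the REVIEW lines call for the follow-up suggested in the thread, such as checking the file with another scanner.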

Re: Virus in usr/lib/codecs/

Postby windtalker on Tue Jul 31, 2012 7:17 pm

Not trying to sound condescending, but an antivirus in Linux imho is like wearing a belt and suspenders.
I've run 'nix for about 15 years now with zero AV and have suffered no problems virus-wise. If I didn't install it myself from a trusted source, it isn't going to get in.

As for the questionable files found, they're safe. If you remove them you won't be able to watch many videos.

I did a google -"what is PUA.Win32.Packer" and found this:

"PUA detection (Potentially Unwanted Applications) is for detecting files that are packed with packers used by malware or tools that could be used by malware (such as keyloggers, remote admin tools, some scripts, etc.). The problem is that both malware and "good" programs can use the same packers. Many "good" websites also use java scripts and other scripts that are put in your temporary internet folder that will be detected as PUA files. Many businesses use remote administration tools as well.

Since PUA detection is optionally selected by the user, Clam AV (Clam AV furnishes its scan engine and virus signatures to ClamWin) does not make any adjustment to its PUA signatures. The PUA.Win32.Packer detections will detect many, many, many, many, many, many, good programs. If you use PUA detection with quarantine, it will quarantine important files in error, and you will not be able to restore them--because it will also quarantine the ClamWin quarantine restore program!

Use ClamWin to detect real viruses--not PUA. One last time... Do not use PUA detection. It is broken!"

Re: Virus in usr/lib/codecs/

Postby JOHHANSEN on Wed Aug 01, 2012 1:45 am

Firstly thanks for all replies to this topic.

Today I have installed Kubuntu to see if I get the same threats in another distro.
It is again a virgin installation and during the scan I had no threats in clamTK, same preference etc.
I scanned the whole file system again.

I have also tried removing the checkmark in clamTK "enable extra scan settings" on my LinuxMint and received no threats during scanning this time. (I scanned the whole file system)

Conclusion
So enabling extra scan settings in the clamTK GUI = PUA threats, and as I understand from the forum here, PUA is not a threat you have to worry about in Linuxmint.

THANKS