Virus in usr/lib/codecs/

JOHHANSEN

Virus in usr/lib/codecs/

Post by JOHHANSEN »

I have scanned my computer today with clamtk and found 16 trades.
The Linux Mint 13 Maya Xfce is a new installation from scratch. (0)
Can it be true and please help :)
marsh20

Re: Virus in usr/lib/codecs/

Post by marsh20 »

Sorry, can't answer your question, but what are "trades"?
Think about the "undo" before you "do".
viking777

Re: Virus in usr/lib/codecs/

Post by viking777 »

I have moved this to Xfce section as these are the people that should know about it, but fwiw my Main Edition Maya doesn't even have a file/folder called /usr/lib/codecs but that may be something to do with the no codec version, not sure (neither does it have any viruses - I just did a full scan).

I suggest in the meantime you copy the name of one of these supposed viruses and google it along with the word clamav. It is probably a false positive, but that is the only way to find out.
GeneC

Re: Virus in usr/lib/codecs/

Post by GeneC »

Running XFCE, but LMDE tracking SID.

I do have a /usr/lib/codecs

But, scan with Clam yields

Code:

ClamTk, v4.41
Mon Jul 30 09:42:02 2012
ClamAV Signatures: 1284076
Directories Scanned:
/usr/lib/codecs

Found 0 possible threats (3 files scanned).

No threats found.
---------------------------------------------
Perhaps you could post your results?
Viking is most likely correct 'false positive'.
JOHHANSEN

Re: Virus in usr/lib/codecs/

Post by JOHHANSEN »

Try to set all 5 parameters (X) in preferences in clamtk and make a new scan, then see the result (Found trades).
Trades are infected files.
See my attachment picture
GeneC

Re: Virus in usr/lib/codecs/

Post by GeneC »

JOHHANSEN wrote:Try to set all 5 parameters (X) in preference in clamtk and make a new scan then see the results (Found trades).
Trades are infected files.
See my attachment picture

Same result.. (both regular and recursive scans) and no infected files.

Can you post your 'history' here?

I would do as Viking suggested and 'google' clamtk+,<infected file>

Attached picture?? :wink:

=============

Can find no info on "trades" :?:
https://www.google.com/search?sugexp=ch ... mtk+trades
JOHHANSEN

Re: Virus in usr/lib/codecs/

Post by JOHHANSEN »

I use clamTK 4.41 GUI version
All preferences set in scan options and here are the results.
(Sorry, by "trades" I mean threats, found 16)

Here are my scanning results !

/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/psiv.dll PUA.Win32.Packer.Starforce-1
/usr/lib/codecs/atrac3.acm PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/codecs/m3jpegdec.ax PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/tssoft32.acm PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/mcdvd_32.dll PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys PUA.Win32.Packer.NspackDotnetNor-1
/home/john/.mozilla/firefox/mwad0hks.default/Cache/F/CC/0A32Cd01 PUA.Script.Packed-1
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/usr/lib/codecs/wms10dmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/VFCodec.dll PUA.Win32.Packer.BorlandDelphi-13
/usr/lib/codecs/ctadp32.acm PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/wmvadvd.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/QuickTimeEssentials.qtx PUA.Win32.Packer.InstallerVise
/usr/lib/codecs/cinevfw.dll PUA.Win32.Packer.Armadillo-42
/usr/lib/codecs/WCMV.dll PUA.Win32.Packer.SetupExeSection
JOHHANSEN

Re: Virus in usr/lib/codecs/

Post by JOHHANSEN »

I just installed Linux Mint MAYA 13 Mate 32 bits.
It is a new installation from scratch again.
Scanned with the same preferences in clamTk.
And I almost get the same scan results, 15 threats.

My question
Is the fault in clamTK or are there viruses in the distro file (.iso)?
Is there anyone who can help me.

Tomorrow I try Ubuntu 12.04

Here are my scan results

/usr/lib/codecs/tssoft32.acm PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/atrac3.acm PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/codecs/WCMV.dll PUA.Win32.Packer.SetupExeSection
/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/QuickTimeEssentials.qtx PUA.Win32.Packer.InstallerVise
/usr/lib/codecs/mcdvd_32.dll PUA.Win32.Packer.BorlandDelphi-18
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/wms10dmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/wmvadvd.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/VFCodec.dll PUA.Win32.Packer.BorlandDelphi-13
/usr/lib/codecs/ctadp32.acm PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/usr/lib/codecs/m3jpegdec.ax PUA.Win32.Packer.NspackDotnetNor-1
/usr/lib/codecs/cinevfw.dll PUA.Win32.Packer.Armadillo-42
/usr/lib/codecs/psiv.dll PUA.Win32.Packer.Starforce-1
GeneC

Re: Virus in usr/lib/codecs/

Post by GeneC »

That is very odd.
Those appear to be Windows related? (Win32).
Why would they be in a 'virgin' install???
I am not running Mint 13 XFCE, I am running LMDE XFCE.

Perhaps someone with Mint 13 XFCE could run a ClamAV, and see if they have similar results.
I have been running LMDE/XFCE for almost two years and never have seen this. Also almost two years on this forum daily and to the best of my feeble old memory have never seen a real virus reported in Mint.

I fear I can be of no help.. :( Perhaps someone else will chime in.

Best wishes.
pqwoerituytrueiwoq

Re: Virus in usr/lib/codecs/

Post by pqwoerituytrueiwoq »

my guess is it is a false positive from having to use windows wifi drivers (unless you downloaded infected driver(s) cause the site's windows server got hacked)

Code:

ls  /usr/lib/codecs
cook.so  drvc.so  sipr.so
my install is from the release candidate not the final release
viking777

Re: Virus in usr/lib/codecs/

Post by viking777 »

Why don't you run one or two of those files through an online virus scanner?

This one is pretty good, it submits individual files to 20 different virus scanning engines at once (and it uses Linux :D )

http://virusscan.jotti.org/en

It can be a bit slow if it is busy though, but worth the wait if you are concerned about it.
mercier

Re: Virus in usr/lib/codecs/

Post by mercier »

well, i saw this topic and thought maybe i could scan my Maya x64 MATE.

installed clamtk and scanned home folder - result: 51 threats found.

did not like it to say the least, so i quarantined all the threats. nevertheless, i also did what viking777 suggested, and for the few files i checked online i got this:

Image

Image

:?

case closed, me thinks. but, what IS a good solution for linux virusscan, if clamav does this? :roll:
viking777

Re: Virus in usr/lib/codecs/

Post by viking777 »

Well that raises a couple of points I think, the first is that there are many other antivirus solutions for Linux that you are free to use if you think one is better - just google 'antivirus + linux', and the second is that your Linux box doesn't have any viruses - that is because there aren't any, so really unless you are using windows drivers or tools like the OP (who could have a virus in those files, though I doubt it) then all antivirus solutions are a waste of resources - For Now. So why not have the one that uses the least resources - and I am pretty sure that is clamav (because it doesn't do 'real time' scanning like some).

The only reason I have antivirus installed is that I use online banking and some (many perhaps??) banks have a clause written in the small print of their t+c's that says that if you don't have an antivirus product on your computer and you lose money through their online services, they won't compensate you.

Edit. Some more information. If you look at this page:

http://www.clamav.net/lang/en/sendvirus/submit-fp/

You will see that although it is perfectly possible to submit 'false positive' files to clamav for inspection, they will automatically reject anything with the term 'PUA' in its title as this is not a virus but a 'Potentially Unwanted Application' - they don't go into details on that term though. All the files mentioned in this thread so far are PUAs not viruses.

Edit 2. Correction to the above - here are the details of PUAs:

http://www.clamav.net/lang/en/faq/pua/

I believe most of the files mentioned here are 'runtime packers' (except for mercier's which is an embedded javascript script) and I guess that other antivirus solutions are not set up to detect these as they don't consider them malicious. So perhaps clam is doing a more thorough job than some others as it is covering more types of threat than plain viruses. The downside to this is more warnings.
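A way to check that observation against a whole scan report, as an added example that is not part of the original thread: it splits detections into PUA heuristics and everything else, so only the non-PUA hits need a second opinion. The function names are hypothetical, and the last sample line and its signature name are constructed.

```python
import os
import re
from collections import Counter

# Lines 1-4 are copied from the scan results posted in this thread. Line 5
# is constructed: clamscan's own "path: Signature FOUND" layout with a
# made-up, non-PUA signature name, to exercise the other branch.
SAMPLE = """\
/usr/lib/codecs/wmsdmod.dll PUA.Win32.Packer.Msvcpp
/usr/lib/codecs/ViVD2.dll PUA.Win32.Packer.Upx-57
/usr/lib/linuxmint/mintWifi/drivers/i386/WUSB54Gv4/rt2500usb.sys PUA.Win32.Packer.NspackDotnetNor-1
/home/john/.mozilla/firefox/mwad0hks.default/Cache/F/CC/0A32Cd01 PUA.Script.Packed-1
/tmp/constructed sample.bin: Example.Constructed.Signature-1 FOUND
"""

def parse_line(line):
    """Return (path, signature), or None for lines that are not detections."""
    line = line.strip()
    if ": " in line:
        # clamscan layout: only "... FOUND" lines are detections ("OK" is not)
        if not line.endswith(" FOUND"):
            return None
        parts = line[: -len(" FOUND")].rsplit(": ", 1)
    else:
        # ClamTk history layout as posted in the thread: "path signature"
        parts = line.rsplit(None, 1)
    if len(parts) != 2 or not parts[0].startswith("/"):
        return None
    return parts[0], parts[1]

def triage(report):
    """Count PUA detections by kind and directory; list all other hits."""
    result = {"pua_kinds": Counter(), "pua_dirs": Counter(), "non_pua": []}
    for raw in report.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        path, sig = parsed
        fields = sig.split(".")
        if fields[0] == "PUA":
            # Group e.g. PUA.Win32.Packer.Upx-57 under PUA.Win32.Packer
            kind = re.sub(r"-\d+$", "", ".".join(fields[:3]))
            result["pua_kinds"][kind] += 1
            result["pua_dirs"][os.path.dirname(path)] += 1
        else:
            result["non_pua"].append((path, sig))
    return result

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("PUA by kind:", dict(r["pua_kinds"]))
    print("PUA by directory:", dict(r["pua_dirs"]))
    print("Not PUA, check these first:", r["non_pua"])
```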
eanfrid

Re: Virus in usr/lib/codecs/

Post by eanfrid »

@mercier: you scanned your home folder... Your home folder belongs to you, not to your distrib.

Scanning PUA is for paranoids as it always gathers false positives: this software/these scripts behave like a virus but are seldom true viruses :) IMHO detection of "broken executables" (--detect-broken=yes) is more accurate.

Edit: Detection of Possibly Unwanted Applications is off by default in clamav.

Edit2: clamav is not a realtime analyzer - unless you use it in combination with your mail server before message delivery. So apart from that, it will never protect you from any incoming virus or "threat".

Edit3: "man clamscan" will show you an ocean of command-line options and what are their defaults. If you use non default switches, then you should expect more false positives and know what to do if it occurs, like scanning with another antivirus in order to confirm or reject.
windtalker

Re: Virus in usr/lib/codecs/

Post by windtalker »

Not trying to sound condescending, but an antivirus in Linux imho is like wearing a belt and suspenders.
I've run 'nix for about 15 years now with zero AV and have suffered no problems virus-wise. If I didn't install it myself from a trusted source, it isn't going to get in.

As for the questionable files found, they're safe. If you remove them you won't be able to watch many videos.

I did a google -"what is PUA.Win32.Packer" and found this:

"PUA detection (Potentially Unwanted Applications) is for detecting files that are packed with packers used by malware or tools that could be used by malware (such as keyloggers, remote admin tools, some scripts, etc.). The problem is that both malware and "good" programs can use the same packers. Many "good" websites also use java scripts and other scripts that are put in your temporary internet folder that will be detected as PUA files. Many businesses use remote administration tools as well.

Since PUA detection is optionally selected by the user, Clam AV (Clam AV furnishes its scan engine and virus signatures to ClamWin) does not make any adjustment to its PUA signatures. The PUA.Win32.Packer detections will detect many, many, many, many, many, many, good programs. If you use PUA detection with quarantine, it will quarantine important files in error, and you will not be able to restore them--because it will also quarantine the ClamWin quarantine restore program!

Use ClamWin to detect real viruses--not PUA. One last time... Do not use PUA detection. It is broken! "
JOHHANSEN

Re: Virus in usr/lib/codecs/

Post by JOHHANSEN »

Firstly thanks for all replies to this topic.

Today I have installed Kubuntu to see if I get the same threats in another distro.
It is again a virgin installation and during the scan, I had no threats in clamTK. Same preferences etc.
I scanned the whole file system again.

I have also tried removing the checkmark in clamTK "enable extra scan settings" on my Linux Mint and received no threats during scanning this time. (I scanned the whole file system)

Conclusion
That is to say, enabling extra scan settings in the clamTK GUI = PUA threats, and as I understand from the forum here, PUA is not a threat you have to worry about in Linux Mint.

THANKS