WARNING - Video evidence of malware installed by Shark007s Codec pack

Discussion in 'Software' started by icekool, Sep 12, 2010.

Thread Status:
Not open for further replies.
  1. icekool

    icekool Private E-2

    Hi all,

    I have wanted to post a message to warn people about malware being spread by Shark007's Codec pack for a while but have been off of the web for a bit. I believe that this codec pack was, and maybe still is getting recommended by this excellent site.

    I had some problems a while back with this particular codec pack and decided not to bother with extra codecs for Windows again, so just installed VLC with its own internal codecs.

    Anyway, I am not alone in this and recently found a video posted on YouTube of someone's desktop finding serious malware from this codec pack, downloaded directly from Shark007's own website, NOT some 3rd party site.

    Here is the short 40 second video clip, the comments on that page also reveal extra info about this.

    http://www.youtube.com/watch?v=uHyXTihNRbk

    To finalise here, I myself posted on Shark007's website forum some time ago and didn't like the way he suggested for me to download his "own special version, with security enhancements" of Media Player Classic. I also didn't like the way Shark007 referred to the K-Lite Codec Pack as the 'K-Crap Pack'; this displayed a lack of professionalism & integrity, not to mention immaturity, imho.

    So, basically, please take my warning about this if you are ever looking for extra codecs for Windows.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those scan results seen in the YT Vid were from 2009, and the files it highlighted could have been false positives because they were legit files not rootkits.

    I have just installed the software myself (from Majorgeeks.com as is linked to on the shark007.net) and although it installed a toolbar (Bing Bar MSN) and the fact that my home page was changed, (not to anything dodgy) there was no other oddness occurring. I can tell you that there is never any malware in any of the downloads hosted at Majorgeeks because they are all thoroughly tested ;)
     
  3. evilfantasy

    evilfantasy Malware Fighter

    They have known about this false positive issue for some time now and while I have not seen them address TrendMicro, other antivirus have flagged their software also. False Positive Fixes

    Some software is considered intrusive by antivirus/antimalware, even ones hosted at MajorGeeks, and will set off an antivirus just for the simple fact of what it does to the computer. Security software does not know the difference in 'good' and 'bad' processes. All it knows is something is happening that it does not like so it alerts the user. It's just doing its job. It's up to the user to determine if it is real or a false positive. The person who made that video obviously didn't care to find out the truth and just ran with a false positive.

    I'm pretty sure that you can install the codecs now with no issues from most antivirus as they have included the Shark007 Codecs to their whitelists.
     
  4. icekool

    icekool Private E-2

    Well that's good to know, I hope anyone that installed these codecs only got false positives and not malware.
     
  5. evilfantasy

    evilfantasy Malware Fighter

    As long as the download comes from a clean download site they shouldn't have a problem.

    Be aware though that codecs are a big way of distributing malware on websites. If you are ever on a website that prompts you to install a codec so you can view content on the site.... be very, very cautious! The codecs included in the Shark007 pack should allow you to view anything.
     
  6. icekool

    icekool Private E-2

    I am fully aware of that, the video I linked to above is not made by me. Anyone trying to install a codec in the way you are talking about would not be very bright would they?

    Actually seeing as you feel the need to state that the shark007 pack should allow you to view anything, wrong, in many cases this particular pack actually breaks pre-existing system codecs, it did so on my previous Vista system some time ago and there are many users on the shark007 forums complaining about the same. In my particular case I was able to view the previously unviewable formats such as avi, mkv etc. but could no longer view any .wmv for example, problem solved by uninstalling the pack and installing VLC instead.
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Thanks for the info.
     
  8. Spartan

    Spartan Private First Class

    they are not false positives, last month, I thought of installing the SharkHacker007 Codec Pack instead of manually installing ffdshow, LAV, and madVR

    I had no antivirus but this was a clean Windows 8.1 installation I haven't even browsed the web or used my computer (other than visit MG of course)

    I installed the codec pack, opted out of installing his hacking/virus toolbars that he wants the whole world to forcefully install to make money out of people...

    1st gripe, I had to make a ton of option changes to make LAV the default codec used for everything and every format, it's not one click, you have to specify "use LAV" for every format.

    no big deal, just didn't like that

    all seemed well

    next, I install my trusty NOD32 which has 0 false positives in the 9 years I've been using it since v2 (and to prove, check out its false positive score here >>> http://chart.av-comparatives.org/chart1.php )

    As soon as I installed NOD32 and updated it, it informed me about a virus that is running on startup, I removed it and rebooted, then I try to play a video, then I got another warning that madVR is infected with some virus. False positive? I think not

    I uninstalled everything by that crapware then reinstalled madVR manually ( http://www.free-codecs.com/download/madVR.htm ) along with ffDshow and LAV, then everything was ok.

    From then on, I swore never to touch that pile of crap codec package

    and hey, Shark says K-Crap, at least they don't infect people's computers or have toolbars and viruses embedded in their installer.

    In the past, when I asked a question about LAV vs. DXVA on his forums, he told me "I am not here to educate you, these forums are only to support my codecs" he's very rude and I really hope that Major Geeks would stop hosting his codecs
     
  9. Spartan

    Spartan Private First Class

    on a side note, VLC is NOT a codec package it's a video player that does not need any external codecs installed to play videos. While it does work out of the box, its quality sucks and is inferior to having MPC-BE + madVR + LAV installed, the quality on those blow VLC out of the water.

    Want more? try to enable its hardware acceleration and notice how when you move the seekbar to skip to a diff. portion of the movie, sometimes the screen would become all fuzzy/green for a split second. not to mention that it doesn't really use your hardware properly like LAV does
     
  10. Adrynalyne

    Adrynalyne Guest

    if you opt out of the pup software, you will not get anything extra out of the install.
     
  11. Spartan

    Spartan Private First Class

    I did man, I always do for any software I install, I am not one of those people who blindly click next, next next, till the install is finished. that's what surprised me

    it never happened in the past, only in the latest update

    seems like he has been working hard to infect people's PCs

    I suggest anyone who has his codecs installed to scan his computer with his current AV and a standalone 2nd opinion scanner such as MBAM
     
  12. Adrynalyne

    Adrynalyne Guest

  13. Spartan

    Spartan Private First Class

    but as a test, please disable your antivirus first! then after installation, reboot

    then tell me after you do a complete scan with your AV and MBAM

    thanks
     
  14. Adrynalyne

    Adrynalyne Guest

    Will do.
     
  15. Adrynalyne

    Adrynalyne Guest

    Just an update:

    I'm making sure my VM is clean before I test it.
     
  16. Adrynalyne

    Adrynalyne Guest

    Is this what you saw?

    https://www.dropbox.com/s/sr7dbg1mrrgaiir/Screenshot 2014-04-07 20.18.26.png


    If so, note the location. It is a remnant of the pup installers that were extracted during the install. That said, I have no active or actual infections.

    Steps taken:

    MBAM before to make sure I was clean.
    MSE before installation to make sure I was clean.
    Disabled MSE.
    Installed codecs, skipping PUPs.
    Rebooted and scanned with both.
     
  17. Spartan

    Spartan Private First Class

    I really cannot recall bro, but there was a trojan/virus starting on boot up which NOD32 removed.

    I am not going to risk with such crapware anymore sorry, better install the codecs myself than trying to play an evade game.

    I'm sure those codecs may work for others. But for me, I'll never touch anything made by Shark007
     
  18. matambanadzo

    matambanadzo Private E-2

    2 years later..... Internet calls within the software are still there as of writing this post:

    Trend Micro logs

    20160411
    http : / / d27foqb3kkzkt9.cloudfront.net/sdk/binsis/2.3a/ BiTool.dll
    Adware

    20160411
    http : / / sub.spirlymo.com/installers/bi_downloader/1460333038965/ setup.exe
    Disease Vector

    The Shark007 guy says to turn off Internet connection - install - then turn it back on.
    This, I find is an unacceptable response for including malware/freeware calls to download crappy software from the net.

    So dodgy! I think I'll stick with K-lite or CCCP.
    And MajorGeeks should stop hosting his codecs.... even if they've been thoroughly scanned etc. This is evidence his software is being nasty.
     
  19. MaxTurner

    MaxTurner Banned

    Firstly, I've been using those codecs for years and as long as a user unchecks the offered additional software options, it installs nothing else. I use Comodo Internet Security Premium which has one of the highest rated Firewalls on the market and I'm confident it would alert me to any connections other than the software itself. Neither does CIS AV, HiPs or Viruscope give any warnings.
    Secondly, even scanning those two addresses you give on VirusTotal gives only 6 out of 66 security sites scanning it show any concern.
    Thirdly, if the developer suggests you install the codecs without an internet connection, then either follow it or simply don't use the software.
    Lastly, if you have any genuine concern about your system - and be aware no one here knows the state of your system generally or the nature of your internet behaviour - then just head off to the Malware Forum here (or elsewhere) and complete the required scans and supply the required logs and a Malware Expert will give you a judgement on your system and any advice you need.
    As for your final comment, MGs only hosts software that has been thoroughly tested for safety first.
    But if you don't agree, then don't use that software and don't choose MGs to get any programs.
     
    LauraR and Kestrel13! like this.
  20. LauraR

    LauraR MajorGeeks Super-Duper Administrator Staff Member

    Nicely stated.

    @matambanadzo ...as you mentioned, this thread is 2 years old so I'm going to close it. If you are having issues and feel like your machine has been compromised, please follow these instructions and post your logs in a new thread in the Malware Forum:
    READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker)
     
    Kestrel13! likes this.