Solved

divx install flagged as malware

  • 11 September 2015
  • 19 replies
  • 1529 views

The last two times Divx has tried to update Webroot has flagged a file in the install as malware. Divx says there is no malware in their software and anti-virus companies need to update their files. The install gets aborted of course. Anyone else have this problem?
icon

Best answer by RetiredTripleHelix 15 September 2015, 23:19

View original

19 replies

Userlevel 7
Hello MartMan, welcome to the Community!
 
I have not seen any posts recently regarding Divx installers have a problem, but it can happen here and there.  It sounds like you have already done this, but I am going to mention it just to make sure:
 
  • Make sure you are downloading ONLY from the software maker/vendor.  Do not use a 3rd party download site.
  • When installing, look very closely at every single detail.  Often, download installers will have optional 3rd party software attached to them as "trial" or "extra value", etc etc.  Often it is not the intended installer that is the problem, it is the 3rd party add-ons that are the problem.  Uncheck anything that is trying to piggyback in with the Divx software.
 
If none of this is of help, submit a Trouble Ticket so that Webroot Support can take a look and 'whitelist' any files that are being marked as bad.
 
I hope this helps, 
Userlevel 7
Badge +62
Hello ?
 
Welcome to the Community,
 
Yes I use this Divx with my Mac/Yosemite. When I try to upgrade it shows this ..
 


 


 


 


 


 
So I haven't called upon support to check this out yet because I also can't upgrade or use this player either.
 
I'd advise you to submit a Support Ticket like ?has mentioned. I will do the same to try to get this sorted.
 
Kind Regards,
Userlevel 7
Thank you ?!   🙂
Userlevel 7
Badge +62
You are quite welcome ?,
 
This player has been doing this on my computer for awhile now and I've just kept putting off contacting support. Now I will of course.:@
 
Anyways it's Teamwork!:D
Userlevel 7
Badge +62
?, I have submitted my Support Ticket and have provided them this link to this thread as well!
 
Support is usually pretty quick so let me know as I will you what they determine if this is a False Positive!
 
EDIT: I will ping ? to look at this PUA. He is our Mac Threat Researcher who will know!
 
 
Best Regards,
 
 
 
Userlevel 7
Hello MartMan47,
Sorry for just now replying, I have been out of town for the past few days on a hunting trip.  I looked into the DivxInstaller to see why we are flagging it as malware.  It seems that there is a bunch of code in their software that is downloading Adware information from Ironcore.  Ironcore is associated with causing ADware to pop up on programs.  I have attached a screenshot of what the program is doing, on the left side is the Hex reading which is what the computer sees, on the right is the actual text layout.  In the text you can see that it is contacting the ironcore server and downloading an encrypted file.  This is why we are detecting it, Also probably why Divx hasnt contacted us about it.  Normally if we are detecting something that we shouldnt be then the company will contact us directly so that I can fix it, Divx may know that they are running adware and that is why they havent contacted me about this.  I hope this answered your questions, please feel free to reach out to me about any mac related issues in the future. 

Userlevel 7
Badge +62
Aewsome information about this divx. I did get an answer from support and they told me that the answer to my question is in the Community Forum now. LOLs
 
 
Thanks so much ?  😃
Userlevel 7
Badge +56
I have Divx and Webroot always removes the PUA info and continues to install without the PUA on PC's.
 
Daniel
Userlevel 7
Badge +62
Hmmm really? On the Mac Webroot won't let it update. I tried around 5 times thinking this might be a false positive until the OP posted his issue...
Userlevel 7
Badge +56
OpenCandy and Divx works fine after install with the PUA files removed.
 
Daniel ;)
 
Tue 2015-09-15 17:15:38.0135 Infection detected: c:usersdanielappdatalocalmicrosoftwindowsinetcacheie7yk703wvocsetuphlp[1].dll [MD5: 5B7D751BD2BD34A188F62A0A9270E225] [3/00081000] [Pua.Opencandy]
Tue 2015-09-15 17:15:38.0137 Infection detected: c:usersdanielappdatalocal empocp2b32.tmpocp2b33.tmp [MD5: 5B7D751BD2BD34A188F62A0A9270E225] [3/00081000] [Pua.Opencandy]
Tue 2015-09-15 17:15:38.0374 Scan Results: Files Scanned: 17278, Duration: 34s, Malicious Files: 2
Tue 2015-09-15 17:15:38.0402 Scan Finished: [ID: 22 - Seq: 2147000000]
Tue 2015-09-15 17:15:56.0028 Determination flags modified: c:usersdanielappdatalocalmicrosoftwindowsinetcacheie7yk703wvocsetuphlp[1].dll - MD5: 5B7D751BD2BD34A188F62A0A9270E225, Size: 854512 bytes, Flags: 00000020
Tue 2015-09-15 17:15:56.0028 Determination flags modified: c:usersdanielappdatalocalmicrosoftwindowsinetcacheie7yk703wvocsetuphlp[1].dll - MD5: 5B7D751BD2BD34A188F62A0A9270E225, Size: 854512 bytes, Flags: 00000020
Tue 2015-09-15 17:15:57.0838 Performing cleanup entry: 4
Tue 2015-09-15 17:15:57.0838 Performing cleanup entry: 5
Tue 2015-09-15 17:15:58.0341 Scan Started: [ID: 23 - Flags: 551/144]
Tue 2015-09-15 17:16:12.0034 Begin passive write scan (1 file(s))
Tue 2015-09-15 17:16:12.0262 End passive write scan (1 file(s))
Tue 2015-09-15 17:16:26.0407 Scan Results: Files Scanned: 17061, Duration: 28s, Malicious Files: 0
 


 


 


 
 
Userlevel 7
On macs the coding is different, the code to download the PUA is in the main binary of the program so we detect it all as the PUA.
Userlevel 7
Badge +56
Kwel! :D
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
@ wrote:
On macs the coding is different, the code to download the PUA is in the main binary of the program so we detect it all as the PUA.
That explains things a lot more clearer...Thanks!
Thanks for the information. Divx wanted to update again tonight and Webroot again flagged what is identified as Pua.opencandy in a file ocp6f13.tmp. This time I went to the folder and of course the file was removed by Webroot I guess but the install then proceeded normally and finished without complaint. By your explanation that file was not really needed so thats why the actual install worked. Pretty bogus of DivX but thanks to you all for zapping that file!!
 
Userlevel 7
Badge +62
Hi ?,
 
Thanks for getting back to us.
 
You must be running a PC Windows and not a Mac? That's great that this is now working for you. Yes it is pretty bad that Divx has done this to their program.
 
 
Have a great day!
 
 
Regards,
Userlevel 7
Badge +62
@ wrote:
Kwel! :D
 
Thanks,
 
Daniel ;)
Hi @,
 
Thank you for jumping in on this one...Divx! We all learned alot didn't we? Cool;)
 
 
Cheers!
Userlevel 5
Badge +19
Just had this happen today. I was going to post a warning about this, but I see there is already a post.
 
I got Divx apparently when I installed the purchased version of Cyberlink Media Suite. During the install, it quarantined an installer for Divx. It hasn't seemed to hurt how Cyberlink functions, or maybe I just haven't used the right app yet. I was concerned at the time but then I noticed that it was a pup, so I relaxed a little.
 
Since then I have continued to get notices that there was an update for Divx. I went ahead today and said install it. Immediately Webroot put up a threat alert and the installer? I guess said shortly thereafter that it was blocked. And after that webroot was green again.
 
In the past, when there was a threat detected, Webroot would have me confirm removal and then it would start a scan. But this time the scan didn't start. (Are thing different now in how Webroot works?) When the scan didn't start, I tried to start one manually. I opened webroot, clicked on scan my computer. The panel closed and I saw the little popup with all the shields active. But no scan appeared to be running...(maybe Webroot was already scanning in the background?). I tried it again. Same result. So I finally said to restart. That took a while. There was just a black screen with that spinning circle cursor for a while. When I was finally back in, I clicked to Scan my computer and the scan ran just like regular. No threats detected.As I recall, the same thing occurred when Webroot found the pup in the Cyberlink install. So is this normal behavior for a threat detection.
 
I have run several scans since then and Webroot hasn't found any issues.
 
Just to clarify...Webroot did not find any issues with Cyberlink itself...just the Divx installer that was apparently included.
 
Before I came here, I also searched the internet for a virus included with the Divx installer and I found a whole threat where people were listing MANY anti-virus programs blocking the installer. There were also some replies where someone from Divx say that OpenCandy was one of there partners and not a virus.
 
Just wanted to add that I'm not sure if Divx maybe actually installed without the malware. I see to remember that screen that Daniel shows where it was successful. But I also remember seeing a screen where it said something was blocked.
 
 
Userlevel 5
Badge +19
If you install Cyberlink Media Expresso or any Suite that includes Media Expresso, Webroot will throw up an alert that a threat has been detected and it will quarantine a file called installer.
 
When I installed the Media Suite, I got this threat alert. I didn't know which application in the Media Suite caused this or if it was the Suite in general. I also thought it was probably a false positive. A few days later there was an update for Media Expresso and when I installed the update, I got the same threat alert. Shortly after that, I noticed that I was getting an update alert that there was DivX update. I was surprised because I didn't realize that I had Divx. I went ahead and said to update and Webroot put up an alert and quarantined two files and another message popped up saying that the install? was blocked. Not sure who put up that message. Was it Webroot? The Installer? Windows? Doesn't really matter. But I was freaked. And that lead me to searching the web and finding this thread.
 
I noticed that the file that was quarantined during the Media Expresso install had Divx in the path. That's how I figured out that Cyberlink was installing Divx as part of their install. It appears that the Cyberlink install (including Divx) was successful inspite of the file that was quarantined and there was no infection. As I already stated, the Divx update was blocked. I have since disabled the Divx update alert. Not taking any chances.
 
In any case, I contacted Cyberlink to advise them that their installer was causing Webroot to throw up a threat alert and the culprit was Divx. I sent a screen shot of the quarantined files. I included a link to this threat, where a Moderator said the files were being properly flagged and it was not a false positive. I even included a link to a thread on Divx's own website where people were complaining that they were getting malware when installing Divx. And Divx was saying that it was not malware, but a feature. That you could opt out of any extra software that was piggybacking along. But people were complaining that they watched carefully and were never given the chance to opt out and unwanted programs got installed.
 
I did hear back from tech support and they said that I could uninstall Divx if I wanted to but I might lose some functionality in Media Expresso. They said that they would notify Dixv that their installer was throwing up false positives.
 
So just be advised....if you install Media Expresso you will get a threat alert. I think Cyberlink is fine. It's just that they use Dixv as a support file.
 
 
Userlevel 7
Badge +56
I have the Pro paid version of Divx and it doesn't come with any PUA's! https://community.webroot.com/t5/Techie-KB/How-to-Remove-Potentially-Unwanted-Applications/ta-p/40744 but as we can see the free version does.
 
Daniel 😉

Reply