Georg

Trace.Registry.DivoCodec!A2 Problem sending the Objects


Hi,

already asked this in the German Forums, but got no responses.

A Quickscan gives me this result:

-

Emsisoft Anti-Malware - Version 5.1

Letztes Update: 17.04.2011 20:55:57

Scan Einstellungen:

Scan Methode: Schnelltest

Objekte: Speicher, Traces, Cookies

Archiv Scan: Aus

Heuristik: Aus

ADS Scan: An

Scan Beginn: 17.04.2011 20:59:48

Value: HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter gefunden: Trace.Registry.DivoCodec!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter gefunden: Trace.Registry.DivoCodec!A2

Gescannt

Dateien: 163

Traces: 587294

Cookies: 2822

Prozesse: 46

Gefunden

Dateien: 0

Traces: 2

Cookies: 0

Prozesse: 0

Registry Keys: 0

Scan Ende: 17.04.2011 21:01:09

Scan Zeit: 0:01:21

Value: HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter Quarantäne Trace.Registry.DivoCodec!A2

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter Quarantäne Trace.Registry.DivoCodec!A2

Quarantäne

Dateien: 0

Traces: 2

Cookies: 0

-

Detail-Scan won't find more.

I tried multiple times to send the objects to Emsisoft, but always got this:

-

Sende Datein zum Anti-Malware Network...

Uploade Datei...

HKEY_CLASSES_ROOT\Media Type\Extensions\.avi --> Source Filter...Serverfehler

Uploade Datei...

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi --> Source Filter...Serverfehler

Not all files were submitted sucessfully

-

"Serverfehler" = "Server Failure"

After these failed attempts a new Scan will find the same objects again.

After deleting the objects and restarting my Notebook, a new scan will find the objects again.

I can't manually find the objects, so I'm not able to send them in a different way.

I'm totally confused and helpless... So please tell me what is going on, and what I can do.

Thanks in advance

Yours sincerely

Georg


Hi Georg, welcome to the forum

1st, Traces are not necessarily dangerous

Then, they indeed can reappear as soon as you use the Software that is placing the entries into the registry. So, it doesn't matter (at the moment when the security is flagging them) whether you would quarantine/delete them

It is important to know the associated Software that creates the Traces

If the security is not flagging the Software itself and/or you trust the Software - you can just safely White-List the flagged entries

As a pure guess at this point - you are probably using Interactive Video On-line like DIVO, therefore those "divo" parts of the detection names

In addition please read Spyware Traces in Detail article as part of Emsisoft Knowledge Base

and search this and old forum for "Traces" and alike - you will find a lot of information

I do not remember any "serious" threats where just "Traces" were reported in many requests

But again, in order to find associated Software you probably need to perform Deep Scan and find whether some Software is flagged

Say, if you read the existing adaware/malware List you will find Adware.Win32.DivoCodec

Have you ever installed something like that?

Sure, I hope that the developers will reply

My regards


Hi,

first thank you for your fast response, the links and your help.

I have DivX Player and DivX Web Player installed and on the last Update it installed some Codecs, so I guess it could come from this software. But how do I find out if that is really the case?

I already performed a Detail Scan, and also one in Safety Mode. Both found the same as the Quick Scan.

Do you have any idea why I can't send the objects to Emsisoft?

I'm really worried about all this stuff. And even if it looks like there isn't a "serious" problem (or one at all), how can I make sure that there is really no "real" problem?

Yours sincerely

Georg


Thanks for the reply, Georg

Well, if you did perform the Deep Scan

and

you have only those Traces Stated

and

you are using legit DivX Player

and

the Codecs belong to that particular player

- you are safe

a side note: Sure, you know that you should not install any Codecs offered by some weird unknown Software.

But in this case you can relax as far as I understand

One of the cases where the detections of the Traces can be fired is When & IF the Software creates Registry Entries in some particular places known to be used by mal/spy-ware in the past. Sometimes that can be revised by the developers, sometimes it will stay "as is"

As for the inability to send Traces in case you are doing that using "Right-click" & "Submit as false Alert"

I have to try reproducing the similar here ... not with DivX player, since I don't need it and can watch any content possible

I have many Traces White-Listed, so I will remove those from the list and will submit

The thing is that I have to update EEK. That will take some time (not updated for a week - therefore I will receive ~ 90MB of data)

will report back

Meanwhile,

1) you can save the report and send that to the developers by e-mail referring to this thread

Keep in mind if only Traces were flagged - you don't need to perform Deep Scan again - just run the Quick one (as in your initial post) - all Traces will be analyzed ;

2) please clarify - the report you posted is showing EAM ("Emsisoft Anti-Malware - Version 5.1"), but the request is in EEK section

So the same inability of submitting was noticed with EEK as well? (the latter should show "Emsisoft Emergency Kit - Version 1.0")

3) since you were using quarantine for the said entries, did submitting from Quarantine produce the same Message?

Cheers!


Hi,

again thank you for your help.

I used EAM. Don't have EEK. Sorry for posting in the wrong section and the confusion caused by that.

So far I only tried submitting from Quarantine, and that gave that Message. Now I tried "Right-click" & "Submit as false Alert" and got no such Message, but I'm not sure if it worked (I don't think it did because everything went lightning fast and I got no confirmation in any form).

I sent the following mail to [email protected]:

-

Hi,

already started a Thread in the support Forum http://support.emsisoft.com/topic/4201-traceregistrydivocodeca2-problem-sending-the-objects/ and was told there to send you a mail, as "Lynx" from the Forum thinks it is False Alert.

I posted my problem in the wrong section by accident, so don't be confused. I didn't use EEK, but Emsisoft Anti-Malware - Version 5.1. as the scan report shows.

I attached a new scan Report.

As stated in the Forum I'm not able to send the Traces from Quarantine to you. It keeps telling me something about a "server failure". After trying to submit the objects, a new scan will find the Traces again. After deleting the objects and restarting my Notebook, a new scan will find the objects again.

For a little more detailed explanation of what is wrong, please read the Forum Thread.

Thank you in advance

Yours sincerely

Georg

-

Yours sincerely

Georg


Thanks for the reply & some clarifications posted by you - you saved me some time :)

I was preparing the case scenario with EEK. Since you posted I moved to EAM

So, indeed submitting such items using "Right-click" from the detection window works perfectly

[Screenshot: traces removed from White-List & detected]

[Screenshot: submitted successfully from the detection List]

=======

As for the submission from the Quarantine ... hhhmmmm... that raises the very old question that was asked really loooong time ago and was basically forgotten since nobody reported such incident since

I have the links to similar requests in the past e.g. this one

I looked into my Data Base and chats with the developers

The answer at that time in the past was

... the failure of the Internet connection...

Well, I do not have any failure of Internet connection currently for sure ... but ...

The items were temporarily Quarantined & the submission from there produces the very same message, which doubtfully can be true

[Screenshot: EAM Quarantine, submitting Trace.Registry]

[Screenshot: "Not all files" message]

Anyway re: your request - I'm 99.(999)% sure you should not worry

If the matter is not fixed for a long time whether that was submission from the detection list or from the quarantine after multiple Re-scanning quarantine items after the updates - just White-List

Since you've sent an e-mail - you will most likely receive a feedback

Basically all described here

Let's just wait for the reply from developers

Cheers!


Hi,

again thank you so much for your help and all the time you put into this.

Sorry for not replying for so long, but I had to go to work.

I tried the "Right-click" & "Submit as false Alert" a few more times, but it just goes so fast that I'm not able to tell if it worked or not.

The Pics you posted for submitting from Quarantine are exactly what I get (just in German).

I will report back as soon as I got a reply from the developers.

Yours sincerely

Georg


Hi,

in the German Forums "Christian Peters", an Emsisoft employee, just asked if I could find the entries with regedit.exe

I told him I couldn't find them. And that I restored them from Quarantine, and still couldn't find them.

In the meantime I found out that a few .avi clips don't have sound anymore. Neither with Windows Media Player nor with DivX Plus Player (which tells me that a codec is missing).

Yours sincerely

Georg


Good morning Georg,

That is good that you got a response from Emsisoft Support - that was expected as much

That's a bit strange though that some media playback became broken. It could be due to your attempts of removing quarantining entries, despite restoring of all entries from quarantine after my experiments above went fine

As for searching in the Registry I would suggest using the following Tool since MS Regedit's Search is very annoying , time-consuming, etc. and many stuff can be just mistakenly missed (real PITA :))

Download RegScanner by NirSoft

You can use different search strings and filters... and the Search will be done properly and extremely fast. Here is one of the examples (using search-string from what you reported):

[Screenshot: searching the Registry]

Sure you can add ".avi" to the Search and /or lighten the criteria by highlighting only HKEY_CLASSES_ROOT & HKEY_LOCAL_MACHINE as base keys (at the right)

I hope that may give you needed result

My regards
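An added example, not part of the original post and not Emsisoft's or NirSoft's tooling: it reads the `Source Filter` value from the two keys named in the scan report, follows it to the DLL that registered it, and shows that DLL's vendor and Authenticode signature, which answers the question of which software owns the flagged entries. It assumes the value holds the CLSID of a DirectShow filter; the variable names are illustrative.

```powershell
# Added example (not from the thread): map the flagged "Source Filter" value to its DLL.
$extKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Media Type\Extensions\.avi',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Media Type\Extensions\.avi'
)

foreach ($key in $extKeys) {
    $entry = Get-ItemProperty -LiteralPath $key -Name 'Source Filter' -ErrorAction SilentlyContinue
    if (-not $entry) {
        Write-Output "No 'Source Filter' value under $key"
        continue
    }
    $clsid = $entry.'Source Filter'

    # Assumption: the value is the CLSID of a DirectShow filter. Look at the native COM
    # registration and at the 32-bit view used by 32-bit players on 64-bit Windows.
    $dll = $null
    foreach ($root in 'CLSID', 'Wow6432Node\CLSID') {
        $regPath = "Registry::HKEY_CLASSES_ROOT\$root\$clsid\InprocServer32"
        $server = Get-Item -LiteralPath $regPath -ErrorAction SilentlyContinue
        if ($server -and $server.GetValue('')) {
            # The default value of InprocServer32 is the path of the implementing DLL.
            $dll = ([string]$server.GetValue('')).Trim('"')
            break
        }
    }
    if (-not $dll) {
        Write-Output "$clsid has no InprocServer32 registration (orphaned value)"
        continue
    }

    # A bare file name (no directory) is reported as-is; only full paths are inspected.
    $file = Get-Item -LiteralPath $dll -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -LiteralPath $file.FullName }

    [pscustomobject]@{
        Key             = $key
        Clsid           = $clsid
        Dll             = $dll
        FileExists      = [bool]$file
        Company         = $file.VersionInfo.CompanyName
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}
```

A DLL that sits in the player's install directory and carries a valid signature from the player's vendor supports white-listing the trace; a missing file or an unexpected location or signer is the case worth reporting to the vendor.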


Hi,

you are really putting so much time and work into this. Thank you so much!

I haven't tried RegScanner so far. As I wanted to try something else first:

I uninstalled DivX Player -> A Quick Scan still found the Traces after restoring them -> installed and updated DivX Player again (also took the opportunity to install and run Norton Quick Scan with it, which was a mistake, because it was mostly advertising. At least that shouldn't have caused more problems?) -> uninstalled DivX Player -> Quick Scan didn't find the Traces (only Cookies) -> Detail Scan didn't find the Traces -> Restarted my Notebook -> Quick Scan didn't find the Traces -> installed and updated DivX Player again -> Quick Scan found the Traces again -> uninstalled DivX Player -> Quick Scan didn't find the Traces.

It seems that it's really only a Codec from DivX Player. (Which is what you already suspected).

Also with Windows Media Player I get sound again for the .avi clips.

In the meantime I got an answer from Emsisoft. I was asked to send a HiJackThis log. I sent a HiJackFree log as I think there should be no difference. But that was only a few minutes ago, so no answer so far. *Update: Got an answer - They removed the 2 Traces from their database*

I attached the log here, too.

Yours sincerely

Georg


Hi Georg, sorry for the delayed response

1st I'm very glad that the matter was sorted out

> ...In the meantime I got an answer from Emsisoft... *Update: Got an answer - They removed the 2 Traces from their database*

As posted above

> ...One of the cases where the detections of the Traces can be fired is When & IF the Software creates Registry Entries in some particular places known to be used by mal/spy-ware in the past. Sometimes that can be revised by the developers, sometimes it will stay "as is"

The "highlighted happened" this time ;)

> you are really putting so much time and work into this. Thank you so much!

You are welcome

You were persistent in order to find the truth and you've got the result. That's laudable.

Any help from volunteers would be practically impossible without user's right attitude, which eventually helps other users and the Software itself

Cheers!
