Old 15th July 2010, 04:31   #1
mridion
Junior Member
 
Join Date: Jul 2010
Posts: 2
FYI: winamp5581 install appears to try to modify McAfee Antivirus settings...

I just downloaded winamp5581_full_emusic-7plus_en-us.exe from www.winamp.com and when I installed it McAfee Access protection log displayed the following entries:


Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write

Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write

Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write

Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write


Has anyone else noticed something similar?

Thanks
Stephen
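The four Access Protection entries in the first post, parsed field by field so that the blocked process, target key, rule and action can be compared across entries. This is an added example, not part of the original post or of McAfee's tooling; the regular expression assumes the flattened, whitespace-separated layout shown on this page and the single rule category that appears there, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The four entries quoted in post #1, copied as they appear on this page.
SAMPLE_LOG = r"""
Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
Blocked by Access Protection rule D:\media\winamp5581_full_emusic-7plus_en-us.exe \REGISTRY\MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
"""

# Assumption: fields are whitespace-separated as flattened on the page, and
# the rule category is the only one seen there.
ENTRY_RE = re.compile(
    r"^Blocked by Access Protection rule\s+"
    r"(?P<process>.+?\.exe)\s+"
    r"(?P<target>\\REGISTRY\\.+?)\s+"
    r"(?P<category>Common Standard Protection):(?P<rule>.+?)\s+"
    r"Action blocked\s*:\s*(?P<action>\w+)\s*$"
)
NT_HKLM = "\\REGISTRY\\MACHINE\\"  # kernel-style name for HKEY_LOCAL_MACHINE


def parse_entries(text):
    """Return (entries, rejects); rejects are non-blank lines that did not parse."""
    entries, rejects = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            rejects.append(line)
    return entries, rejects


def to_win32_path(target):
    """Map the kernel-style path to the HKLM form that regedit shows."""
    if target.upper().startswith(NT_HKLM):
        return "HKLM\\" + target[len(NT_HKLM):]
    return target


def vendor_of(target):
    """First key under HKLM\\SOFTWARE, or None if the target is elsewhere."""
    parts = to_win32_path(target).split("\\")
    if len(parts) > 2 and parts[0] == "HKLM" and parts[1].upper() == "SOFTWARE":
        return parts[2]
    return None


def summarize(entries):
    """Group blocked operations by the process that attempted them."""
    acc = defaultdict(lambda: defaultdict(set))
    for e in entries:
        s = acc[e["process"]]
        s["targets"].add(to_win32_path(e["target"]))
        s["rules"].add(e["rule"])
        s["actions"].add(e["action"])
        if vendor_of(e["target"]):
            s["vendors"].add(vendor_of(e["target"]))
    return {p: {k: sorted(v) for k, v in s.items()} for p, s in acc.items()}


if __name__ == "__main__":
    parsed, bad = parse_entries(SAMPLE_LOG)
    for proc, s in summarize(parsed).items():
        print(proc, "->", s["actions"], "blocked on:")
        for t in s["targets"]:
            print("   ", t)
        for r in s["rules"]:
            print("    rule:", r)
    print("unparsed lines:", len(bad))
```

On these four entries the summary shows one process, one action (Write), and four target keys, all under HKLM\SOFTWARE\McAfee or HKLM\SOFTWARE\Network Associates.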
Old 15th July 2010, 08:05   #2
thehealer
Junior Member
 
Join Date: Jul 2010
Posts: 7
I just got a Zonealarm quarantine warning with winamp agent:

Worm.Win32.Qvod.anx was found in C:\Program Files\Winamp\winampa.exe on 15/07/2010 08:49:32
Old 15th July 2010, 08:48   #3
ahigson
Junior Member
 
Join Date: Jul 2010
Location: Manchester, U.K.
Posts: 1
I'm getting a similar warning from Kaspersky too. This has only started happening today and I too installed the latest winamp. Kaspersky says:

"Winamp is trying to get access to malicious software. A special disinfection procedure is required which demands a system reboot. You are advised to close all other applications. Perform disinfection?"

Object:
c:\program files\winamp\winampa.exe

Virus:
Worm.Win32.Qvod.anx
Old 15th July 2010, 09:27   #4
bloodredchaos
Junior Member
 
Join Date: Jul 2010
Posts: 4
Yes. I had the same thing happen to me as well. Just detected it five minutes ago.
Old 15th July 2010, 10:55   #5
TromboneFreakus
Junior Member
 
Join Date: Oct 2001
Posts: 3
Same here, Kaspersky just removed the virus "Worm.Win32.Qvod.anx" from winampa.exe

What's happening?
Old 15th July 2010, 11:04   #6
boingboinb
Junior Member
 
Join Date: Jul 2010
Posts: 2
Add another user to the list of detecting worm.win32.qvod.anx as coming from winampa.exe

This disappoints me.
Old 15th July 2010, 11:40   #7
jochens.knochen
Junior Member
 
Join Date: Jul 2010
Posts: 5
I also experienced the exact same problem, I have Kaspersky Internet Security 2010 installed.

C:\Program Files (x86)\Winamp\winampa.exe
Virus Worm.Win32.Qvod.anx


It is interesting that various virus scanners suddenly agree on Winamp Agent being evil. What is going on here?

Last edited by jochens.knochen; 15th July 2010 at 13:29. Reason: highlighting
Old 15th July 2010, 11:52   #8
boingboinb
Junior Member
 
Join Date: Jul 2010
Posts: 2
Considering there seems to be nothing else than this thread when googling...it is a bit suspect.

I also wonder what's up with this.
Old 15th July 2010, 12:26   #9
franpa
Member
 
Join Date: Feb 2007
Location: australia, brisbane
Posts: 56
Sounds most likely like a false positive. Send a message to Kaspersky telling them about it so they can get a fix out a.s.a.p.
Old 15th July 2010, 13:05   #10
Fatbat
Junior Member
 
Join Date: Sep 2006
Posts: 1
I just had the exact same thing happen with Kaspersky detecting...

Worm.Win32.Qvod.anx in c:\program files\winamp\winampa.exe and Kaspersky scrubbed the .exe from my machine.

May very well be a false positive but quite frankly I'm not taking any chances until I have official word that there's not a problem with it especially considering we have 3 different AV apps reporting similar findings.
Old 15th July 2010, 13:32   #11
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
I've also got Kaspersky IS 2010 with the latest database from today.

No threats detected.

There's no virus/trojan/worm in the default Winamp distribution.

It's either a false positive (most likely) or the malware was already on your system via other means and the Winamp Agent (winampa.exe) has since been infected as a result.

http://virusscan.jotti.org/en-gb/sca...d0b930b39bb201

Attached thumbnail: winampa_clean.png
Old 15th July 2010, 13:47   #12
jochens.knochen
Junior Member
 
Join Date: Jul 2010
Posts: 5
Quote:
Originally Posted by DJ Egg
I've also got Kaspersky IS 2010 with the latest database from today.

No threats detected.

There's no virus/trojan/worm in the default Winamp distribution.

It's either a false positive (most likely) or the malware was already on your system via other means and the Winamp Agent (winampa.exe) has been infected as a result.

http://virusscan.jotti.org/en-gb/sca...d0b930b39bb201

~~~~~~~~~~~~~~~~~~~~~~~~~~~
That is of course possible, but consider 2 things:

*) I just reinstalled my whole system a few days ago, Kaspersky 2010 was pretty much the first thing I installed and there have not been any warnings, alarms etc. so far.
*) It would be a big coincidence that suddenly several users experience this problem at the same time, with different virus scanners!!

Sadly, of course, we don't have this winampa.exe anymore, so it's hard to tell. But, could you upload just this file winampa.exe, that you just scanned? I wonder what happens if we copy it to the program folder again (in case this exe is the same on all systems?)

Thanks in advance!
Old 15th July 2010, 16:01   #13
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Virus-free "Winamp Agent" (winampa.exe) from 5.581 attached, as requested.

Attached file: winampa.exe (73.0 KB)
Old 15th July 2010, 18:50   #14
NFFFFF
Junior Member
 
Join Date: Jul 2010
Posts: 1
Heya folks. Yep, I had some of the same circumstances... I had gotten Winamp's last update, Zonealarm found the same virus in the same place, and I found my way here through Google.

I'm not entirely sure what the situation is with it being detected, but it hadn't been found as it was being installed with the update, but was definitely found later. I'm not sure if "it's not being found" via scans of the file directly, but it definitely slipped by my antivirus/etc when it was scanned as "safe". I'm not sure if the "safe" file (Edit, in this thread) is the same as we must've downloaded a day or two ago, it could've been swapped out with a fresh/clean one to save face for the program.

I'm not sure what the virus was meant to DO yet, though I was seeing more slowdowns/freezes/crashes/etc as I tried to do stuff, unaware of the virus.

More than anything, I'm a bit let down. Winamp was (dunno if it still is) my favorite music/media player. I kept thinking to myself "Winamp is the one thing I've seen from AOL that isn't [garbage], aside from the frisbees (Trial CDs) they sent in the mail". If these trends serve to be accurate that there WERE viruses inside their own update functions... I'm not sure I can say that anymore. It might just be the frisbees now.
Old 15th July 2010, 19:31   #15
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
The winampa.exe attached in my post above is EXACTLY the same one from the 5.581 distribution (with build number 5.5.8.2985, timestamp 12th July).
It has not been modified or rebuilt, and it contains no viruses.
Old 15th July 2010, 19:50   #16
JonnyMac
Moderator
 
Join Date: Dec 2000
Posts: 14,384
To add to the talk here.

My Trend Micro AntiVirus completed a scheduled full system scan today. No virus threats or targets were found. Just to be sure, an individual scan of the Winamp directory found no threats.

Winamp downloaded from the Winamp site is virus/malware free.

Sometimes a virus signature can very closely match legitimate software, resulting in false positives. Have you tried sending the file in question to your AV software company for testing/evaluation?

Please do not PM me for tech support. Any request for tech support through PM will be ignored.
Read the Stickies
Knowledge is power
Old 15th July 2010, 20:34   #17
jochens.knochen
Junior Member
 
Join Date: Jul 2010
Posts: 5
After KIS 2010 deleted my winampa.exe, I downloaded DJ Egg's attachment and put it back into the programs folder.

What I can say so far: It seems to work! Thank you!!

Still, I wonder what caused this whole problem? And especially, why does it affect some users and some not?
Old 15th July 2010, 20:56   #18
aashmir
Junior Member
 
Join Date: Jul 2010
Posts: 2
The company I work for uses Landesk Antivirus and it detected the virus from a system restore file in Windows XP on my machine.

Google brought me to this forum today because I usually research any virus notifications I get on my machine.

So is it starting to look like a false positive?

I attached a screenshot of my antivirus quarantine.
Attached thumbnail: Winampa.exe_virus.jpg
Old 15th July 2010, 21:08   #19
vhortex
Junior Member
 
Join Date: Jul 2010
Posts: 2
I also have the viral alert using KIS 2010. The scan just started 1 hour ago and I have installed winamp pro last 3 days. I scanned winamp directory and it was clean on kaspersky standard until winamp agent opened up.

The installer came from the winamp server itself and was not altered in any way. Each time winamp agent is running (winampa.exe), my system slows down as if it was trying to do some nasty stuff. I am hitting 90-100% cpu process when the agent was running.

I am on windows 7 and my computer was double protected with malware bytes and kaspersky 2010. The trigger was caused when winampa.exe was trying to create rootkit access on windows and trying to modify/unload kaspersky files in the memory.

I can no longer post the screen but I can post what kaspersky have done with the file. It was a forced removal. winampa.exe refused to be unloaded via kaspersky unload procedure. Pretty strange for a software.
Old 15th July 2010, 21:13   #20
vhortex
Junior Member
 
Join Date: Jul 2010
Posts: 2
winampa.exe was the only file that was forced to be removed this whole year. There must be an infected version since I too downloaded the file a few days ago, same with the other people that have problems with it.

Winamp downloaded last December was clean with or without winampa.exe.
Old 15th July 2010, 21:57   #21
jochens.knochen
Junior Member
 
Join Date: Jul 2010
Posts: 5
Update to my post above:

I now used the same installer as a few days ago to install winamp on a virtual machine, and had a look on the winampa.exe.

It is NOT the same as DJ Egg posted above, as far as I can tell it's a different file version (5.5.8.2975 here, DJ Egg posted 5.5.8.2985).

Seems to me that this file was updated sometime within the last days, and winampa.exe is fine again!

Considering this updated winampa.exe, is it possible that the official file WAS actually infected??
Old 15th July 2010, 22:41   #22
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Quote:
Originally Posted by jochens.knochen
Update to my post above:

I now used the same installer as a few days ago to install winamp on a virtual machine, and had a look on the winampa.exe.

It is NOT the same as DJ Egg posted above, as far as I can tell it's a different file version (5.5.8.2975 here, DJ Egg posted 5.5.8.2985).

Seems to me that this file was updated sometime within the last days, and winampa.exe is fine again!

Considering this updated winampa.exe, is it possible that the official file WAS actually infected??
5.5.8.2975 = Winamp 5.58 (29 June 2010)
5.5.8.2985 = Winamp 5.581 (12 July 2010)

The latest version is 5.581
and that is what the virus-free Winamp Agent (winampa.exe) that I attached above is from.

However, there was no virus in the older 5.58 version either.

If it's not just a false-positive (which I still suspect), then wherever said virus came from, it wasn't from us.
Old 16th July 2010, 00:25   #23
mridion
Junior Member
 
Join Date: Jul 2010
Posts: 2
To moderator: False positive != attempted virus scanner registry entry changes

Yes it is possible that a virus scanner database might produce false positives. But the first post I made shows clearly that there is a lot more to this.

An attempt to modify registry entries of your virus scanner has little to do with false positives.

I think you need a much better explanation than "just another false positive".
Old 16th July 2010, 01:10   #24
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
@mridion

That's just McAfee preventing the Winamp installer from adding Winamp shortcut icons on the desktop & in the start menu,
and from adding Winamp Agent to the Run registry key (programs which load at Windows startup).

Basically, McAfee is just doing whatever its high security settings are telling it to do.
It's got nothing to do with the Winamp installer.
You'd need to change McAfee's security settings to allow the Winamp installer to do those (harmless) things.
Old 16th July 2010, 10:18   #25
DevonPete
Junior Member
 
Join Date: Jul 2010
Posts: 3
I've just had this problem too!

Hello everyone.

I've just joined this forum to chip in here as I've just had this problem. Running W7 64 bit and Kaspersky 2011. Definitely something quite worrying going on, I would not consider this issue lightly.

Kaspersky couldn't "clean" or remove the "infected" file despite rebooting several times it still remained and Kaspersky maintained its warning. Things like this cause me huge concern (If you've ever had a virus infection you'll understand why) and anxiety.

I looked up the virus threat at the Kaspersky site to realise it had only been reported/discovered the evening before (15-07-2010 at 22 something hours). With NO treatment available!

Fortunately the warning message was early enough so that I DID NOT run/open Winamp. After disconnecting from my network, internet, and unmounting my external hard discs I uninstalled Winamp. However the virus messages still continued thereafter until I deleted the warning in Kaspersky and rebooted. Of course I have run several complete scans since and I now consider my machine free of any infection. (I hope).

This is a serious issue here, and not one to be dismissed in any casual manner.

Since experiencing this I will not reinstall Winamp at all and have gone back to using Windows media player. At least that way I know I'm not compromising my computer, and consequently my identity and personal details, or worse.

However I still remain concerned enough to join this forum and post this thread. I suggest that until some satisfactory conclusion/explanation is reached, that people remain vigilant and extremely concerned. This is an extremely serious matter and should be treated as such.
Old 16th July 2010, 13:03   #26
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
Please read the above posts.

If it's not a false-positive, then the virus did NOT come from us.
Old 16th July 2010, 16:32   #27
DevonPete
Junior Member
 
Join Date: Jul 2010
Posts: 3
Whether this is a false positive, or a virus or whatever... the complacent, "It's not our fault" attitude I find of more concern to me now than the issue in question.

I would have expected the company to issue some notification along the lines of... "It has been brought to our attention that there could be an issue regarding our software (details here) and that we are taking this matter very seriously and will continue to post updates indicating progress towards a satisfactory conclusion.... we value our customers and their safety... etc"

Personally I do not want software on my computer that presents me with any issues like this, and further a company that continues to treat it in such a dismissive, defensive manner.

I would have considered a more pro-active response far more appropriate in these circumstances. It is not my intention to be contentious, or create any issues. I have already wasted over half a day of my time on this so far and do not intend to waste any more.

I sincerely hope this turns out to be nothing of any consequence.
Old 16th July 2010, 17:24   #28
DJ Egg
Techorator
Winamp & SHOUTcast Team
 
Join Date: Jun 2000
Posts: 35,821
It's been brought to our attention via this thread and we did take the matter very seriously.

We have come to the conclusion that there is no issue regarding our software and that, if it is a false-positive, you should take up the matter with your anti-virus vendor, or if it's a virus that was already on your system which is infecting other software, then you should run a full anti-virus scan with the latest definitions, and then reinstall Winamp again after your system has been cleaned.

I can guarantee that the Winamp installer provided on this site is 100% virus free.

Of course we value our customers and their safety.
I'm really not sure what else/more we can do, to be honest.
Old 16th July 2010, 17:31   #29
jochens.knochen
Junior Member
 
Join Date: Jul 2010
Posts: 5
Quote:
Originally Posted by DevonPete
I would have expected the company to issue some notification along the lines of... "It has been brought to our attention that there could be an issue regarding our software (details here) and that we are taking this matter very seriously and will continue to post updates indicating progress towards a satisfactory conclusion.... we value our customers and their safety... etc"

[...]

I have already wasted over half a day of my time on this so far and do not intend to waste any more.
lulz

Don't get me wrong, I was also a bit worried when I had this virus alert, but no need for high blood pressure

Remember, Winamp is freeware, so you can guess that many people have "wasted" a lot more time on this software than you. And, software is never perfect, neither Winamp nor Kaspersky/McA.

As far as I see it, there could as well have been a problem with the current virus definitions (various software firms work together), that has been updated soon after, which is why some have not even received a message (maybe their AV update was only after the second virus definitions), and I also have no problem since.

Cheers,
strange.opi
Old 16th July 2010, 17:59   #30
DevonPete
Junior Member
 
Join Date: Jul 2010
Posts: 3
Quote:
Originally Posted by DJ Egg
It's been brought to our attention via this thread and we did take the matter very seriously...

I can guarantee that the Winamp installer provided on this site is 100% virus free.

Of course we value our customers and their safety.
I'm really not sure what else/more we can do, to be honest.
Thanks for your reassurances. I welcome these comments, and your honesty, warmly. Thank you. It's appreciated.
Old 18th July 2010, 12:49   #31
Batter Pudding
Major Dude
 
Join Date: Jun 2008
Posts: 1,665
False positives will often happen with Virus scanners. The classic ones are when they suddenly decide a vital system file is a virus and remove it.

What is often the case is the Virus Scanner recognises the way the executable has been compressed and decides it is the same technique used to compress a certain virus. And then it makes that bad decision.

The best way to handle this is to contact the support department of your Anti-Virus product and send them a copy of the file. They will then be able to confirm that there is no infection in the file and then update their definitions to reflect that.
Old 18th July 2010, 15:43   #32
buhlig
Junior Member
 
Join Date: Oct 2001
Posts: 3
Sunbelt Vipre AV - False Positive?

I downloaded the new winamp5581_pro_en-us and upon scanning it detects Trojan-Downloader.Win32.Small, any other AV apps seeing this? Just wanted to check before I send it out to Sunbelt/GFI.

TIA
Attached thumbnail: vipre.png
Old 18th July 2010, 17:07   #33
Koopa
16-Bit Moderator
 
Join Date: Apr 2004
Posts: 4,341
buhlig: I've merged your thread with this one. The current thread is only a few days old, has the same contents and is active, so no need for a new thread.
Old 18th July 2010, 17:12   #34
aashmir
Junior Member
 
Join Date: Jul 2010
Posts: 2
Quote:
Originally Posted by aashmir
The company I work for uses Landesk Antivirus and it detected the virus from a system restore file in Windows XP on my machine.

Google brought me to this forum today because I usually research any virus notifications I get on my machine.

So is it starting to look like a false positive?

I attached a screenshot of my antivirus quarantine.
+I logged in today and my IT staff have restored the file that was reported as having the virus. Once a file goes in quarantine, they check them for accuracy and put them back if they are OK. In this case, that is what they did. I'll update this thread again if anything else shows up, but for now, I think we are in the clear.

Best of Luck!
Old 18th July 2010, 22:13   #35
buhlig
Junior Member
 
Join Date: Oct 2001
Posts: 3
Thanks for dropping me in here; on my initial search I didn't see this thread... I already contacted my vendor and am waiting on a reply.
Old 31st August 2010, 08:45   #36
Depeche242
Junior Member
 
Join Date: Feb 2006
Posts: 5
Well I run Kaspersky AV 7, fully updated and it shows detected: virus Worm.Win32.Qvod.anx Running module: winampa.exe\winampa.exe

I only installed winamp last Friday, however no trace of this virus on Kaspersky virus check website: http://www.securelist.com/en/descrip...Win32.Qvod.anx

What's happening? I've read the above posts, the last one being dated July 18th, and this thread appears to have gone cold. Have I missed something?
Regards

Depeche242
Old 3rd September 2010, 07:58   #37
Depeche242
Junior Member
 
Join Date: Feb 2006
Posts: 5
Well Kaspersky haven't got back to me, I'm surprised DJ EGG hasn't either.