Take care when downloading VLC

[hazelnut]

A lot of us use VLC as a media player for playing films etc.

 

Have a read here and make sure you download from the official site

 

http://www.geek.com/articles/news/vlc-media-player-suffering-in-face-of-crapware-and-uncaring-google-2011077/

[Andavari]

Funny you mention this because just the other day I looked at screenshots of a media player on a download site. I could tell they went all out to make the main GUI their own (or really just a skin for VLC), but one screenshot in particular made it very clear it was really a clone of VLC wearing new clothes with some adware piggybacking.

 

Edit:

With Google I just did a search for VLC, and the whole first page only had legit sites for the download, and even WOT gave them a clean bill of health. On Bing I'm not sure about one link, but at least like Google the official download site is the top-most listed link.

[Alan_B]

GOOGLE IS NOT THE ONLY DANGER

 

I wanted the support forum for a totally different product, so I used Google.

The Google link took me to scamware that burst into life "scanning" me and showing me half a dozen trojans.

No mouse clicks, just the keyboard Ctrl Alt Del to force a shutdown.

 

I immediately emailed their webmaster who soon got it under control and thanked me for the notification

 

10 days later it happened again and again it was brought under control, and he also explained :-

 

Thank you very much for report this problem.

 

I have checked the web source code again, and found the php code have been hacked again.

 

I have decoded the hacked code, and found that the redirection to the hack site only happens if the user clicks the forum link from Google, bing, yahoo, twitter, ask.com, msn, live, facebook. So please do not click the forum link from those page directly.

 

The hack site is [ringostart.osa.pl], [finditnow.osa.pl] may be the customer of the hack site.

 

I have cleared the hacked code, but because we are using an open source forum, We can not defend the hacker completely, may be there are some back doors to the hacker. We'll consider to use a paid forum in future.

 

That was 3 months ago. I have seen no problems since.

I believe they now have frequent automatic validation of the code in use with master copies,

and can urgently correct any hacked code.

Edited July 10, 2011 by Andavari
Removed clickable malware site links to protect forum members.

[Super Fast]

I use KM Player to play videos.

 

KM Player has a few skins you can use, including some that I like that make it look like WMP11 for XP.

That is nice, because you can use it in Windows 7 & make it appear to be XP!

 

Also tried playing some .RM vid in it, which initially failed, but after downloading the correct .dll file that was "missing", I dumped it into the KM Player folder & it started playing .RM files!

 

KM Player also has a very nice video looper where you can select the start (f5 key on the keyboard) & the end (f6 key), which will cause it to automatically loop a certain part of a video. This is great when you need to analyze something.

 

Additionally, one of the KM WMP11 skins has this awesome 1 click button to take pics from a video, or to extract only the part of a video you select! (Re-encode to AVI I suspect).

 

KLM player is alright. I like the volume doubler on it, but KM Player is the one I find I can use the most.

[login123]

...

I immediately emailed their webmaster who soon got it under control and thanked me for the notification

...

 

Would it be a good idea to remove those links from the quote box? They sent me straight to the hack site. Just a thought.

 

edit: And now, a few minutes later, they don't.

[Andavari]

The Google link took me to scamware that burst into life "scanning" me and showing me half a dozen trojans.

If you used Web Of Trust ("WOT") it would've blocked the page automatically for you, I don't know however if it would block any scripts etc., as I dare not visit those sites.

See the WOT website ratings for "ringostart.osa.pl" and "finditnow.osa.pl"

 

I've also removed those active links from your post so perhaps someone doesn't accidentally click them and get a bad surprise.

 

I use KM Player to play videos.

Unfortunately this topic isn't about your long description of KM Player.

[Corona]

Poor Ringo. Always the brunt of malware...I mean nose jokes.

[Guest]

Not sure why people would download from sites other than the official one or reputable mirrors. Anyway, in regards to the article I just went to google.fr and the first result for "vlc" wasn't the official page but going to other European versions returned the official site first. Maybe French people just despise English that much.

[Alan_B]

I am very sorry for those links - I never realised they were active.

 

I simply copied the relevant bit of text from the email and applied red highlight to the fact that some malware attacks visitors that come from non-Google links as well.

 

Life was so much safer when there was no mouse to click,

nothing but a Command Line Interface to obey my every command ! ! !

[login123]

I am very sorry for those links - I never realised they were active.

 

I simply copied the relevant bit of text from the email and applied red highlight to the fact that some malware attacks visitors that come from non-Google links as well.

 

Life was so much safer when there was no mouse to click,

nothing but a Command Line Interface to obey my every command ! ! !

 

Not a problem for me, Alan. But on topic, why did those links go to the actual malaware site the first time and not the second??? I clicked on'em only a few minutes apart and that's what happened. I even disconnected, deleted the sandbox, and tried it again, still nogo, the first one went to some sort of search and the second would not connect. Using ie8. Theres a lot I don't know about this stuff.

[Alan_B]

Not a problem for me, Alan. But on topic, why did those links go to the actual malaware site the first time and not the second??? I clicked on'em only a few minutes apart and that's what happened. I even disconnected, deleted the sandbox, and tried it again, still nogo, the first one went to some sort of search and the second would not connect. Using ie8. Theres a lot I don't know about this stuff.

When I first warned the webmaster I thought he might have the contacts with Google to correct a poisoned link.

 

From his replies I understand that Google linked me to his forum correctly and the hijack was totally outside of Google's control.

He explained that his php code (dont ask me, I dont know) had been hacked in a special way.

I was already aware of referrer links which show who receives commission for a visit and guess this is how the code performed selective trigger.

 

In this case it selected a malware hijack because I did not arrive from a bookmark but from one of certain sites such as Google of Facebook.

(I do not think of Facebook as a search engine but I believe every facebook devotee has a wall on which malware links can be posted)

 

I was previously aware of (but never experienced) a malware hijack that selected what to use for attack depending upon whether it was a Windows or Mac machine.

 

I guess any frequent forum user would recognise the appearance of scamware on his favourite forum and warn the webmaster,

but frequent forum users and webmasters use bookmarks, they do not Google etc to find their way home.

I view this as a cunning ploy that the frequent users who would instantly smell foul play would instead have a normal experience,

and only strangers would be attracted to the possibility that this nice site has my best interests at heart and I must accept advice.

 

The first time this happened I shut down and rebooted without cleaning and launched Firefox and Restored previous session.

Tabs got launched and I was being scanned again.

Crash, Reboot, and Restore once and possibly repeat (bad memory) and the forum appeared without any hijack.

My interpretation was, and remains, that the code noticed my I.P. address and after another one or two connections from the same I.P. it decided :-

1. He is not taking the bait;

2. I am wasting my time on him;

3. He could be investigating me and tracking me down so I will keep clear of his I.P.

 

10 days later when it started all over I again shut down,

and then rebooted and launched Firefox but did not restore previous.

I chose History and selected "show all history" and then Right Click and Copy gave me all the URLs I had been put though,

and this I copied to the Webmaster with my warning on that occasion.

 

I think your experience could be affected by :-

The operating system and the browser in use, and the consequent exploits available and possibly whether a sandbox is in use.

If you use a sandbox you obviously cannot be harmed or even fooled into paying for removal.

 

I hate what is done my malware creators, but have to respect creative deviousness.

 

I am fully with you, there is a lot I don't know about this stuff.

This is why each evening before cleaning my teeth for bed I launch an Incremental Macrium backup of every changed sector on my Primary HDD,

and Macrium always finishes first (it takes just under 2 minutes).

 

So far I have never needed the backup for recovering from malware,

but twice since February it has rescued me from a "Fatal Embrace" by a M.S. Security Patch.

[Andavari]

He explained that his php code (dont ask me, I dont know) had been hacked in a special way.

That can happen if they're behind on keeping things like forum software up-to-date, they can get hacked or whatever.

 

Those links would've been made active because just copying and pasting them the forum software will automatically make them working clickable URL's. Actually just typing something in without selecting the feature of creating a URL will do the same.