
A new virus which Symantec is unable to detect.

Created: 27 May 2009 • Updated: 21 May 2010 | 14 comments


Whenever I open my C:\ drive, a process starts with the name ffdshow.exe and it leads to an Explorer crash. I am unable to find the file on the C:\ drive, but when I googled about the ffdshow virus, lots of results came out, which confirmed to me that it is a virus.

Now I am unable to submit the file, as I am unable to find which file is actually causing the problem. Autorun.inf is also not present there. I used Process Explorer, but that also didn't find the location of the file.

NOW WHAT TO DO?


14 Comments

shaun_b

Don't assume that it's a virus just by the Google results. I would contact Symantec Response to determine if this is actually a threat.

Bijay.Swain

Hi Cycletech

Now what do I have to do? Do I have to update Windows? It has Windows XP SP1.

jrudbecka

Or try uploading the file to virustotal.com

Then you can see if any of the other vendors detect anything.

Thomas K

You should really be on the latest XP service pack.
What version of ffdshow are you using? I found this site with all the builds listed, the latest rev is 2968.

http://www.afterdawn.com/software/video_software/c...

Symantec states:

"This issue affects versions prior to ffdshow rev2347_20081123. Additional applications that use this codec may also be vulnerable."

AngelD

If you can't find the location of the file, then fire off Process Monitor or Process Explorer from SysInternals (now Microsoft) before going to the C drive. Either of the tools will give you details of the file; one piece of that information is the location.

Ted G.

As far as I know, ffdshow.exe is part of a K-Lite codec pack for decoding video and playing it with Media Player. But I'd still submit the file to be sure it's not a fake version.

Bijay.Swain

You are right, Ted.
The user has installed the K-Lite codec pack on his system, so will removing that solve the problem?

Ted G.

Yes, I would think that uninstalling the codec pack would resolve the issue.

mon_raralio

ffdshow.exe is really a codec pack for MPEG-4...

Here's a short description:
FFDShow 2009-05-15 (rev. 2946) was compiled by drevil_xxl using GCC 4.1.1 (libavcodec.dll & libmplayer.dll), FFDShow 2009-05-25 (rev. 2968) MMX* was compiled by clsid using ICL9 while FFDShow 2009-05-15 (rev. 2946) SSE** was also compiled by clsid using ICL9.
* Only for CPUs with support for MMX (MultiMedia eXperience) instructions.
** Only for CPUs with support for SSE (Streaming SIMD Extensions) instructions. Check if your CPU has support for SSE or SSE2 instructions using Cpu-Z, a small tool which shows information about the CPU.

Regarding the file ffdshow.exe: it could be an installer, so it shouldn't be a problem unless you clicked on it.

Does it show up in the registry?
What is your default view of explorer? Is it in thumbnails?

“Your most unhappy customers are your greatest source of learning.”

Vikram Kumar-SAV to SEP

Since this file is causing problems, you can first try uninstalling the K-Lite codec pack. If you still see that the issue exists, run IceSword or RootkitRevealer to see if it has hidden itself in kernel mode.
You can open a case with Symantec and have them analyse the Loadpoint Logs.

Vikram Kumar

Symantec Consultant

The most helpful part of the entire Symantec Connect is the Search button... do use it.

Ajit Jha

Submit that file to the Symantec Security Response team and let them analyze it.

Sometimes Symantec may not detect some files as a virus whereas other AV does. So let them analyze.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

kajal

Try to update the operating system as well as the antivirus at the same time.

Ajju

Go to Start --> Run --> msconfig

This will display the System Configuration Utility tool. Select Startup and look for a suspicious file and its location, and submit the sample to Security Response.