Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: DraKuL on April 07, 2011, 05:53:05 PM

Title: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 07, 2011, 05:53:05 PM
Last month I clicked a video on Facebook, and it was unable to play. A download window popped up and I downloaded MediaPluginSetup from Game Play Labs. I installed this add-on and the video played fine. Today my computer's RAM usage was quite high although I didn't have any programs running, also the CPU fan was going nuts!! Also I got several network threat alerts from Avast! I had MBAM PRO running in real time + AIS 6, none of them detected this till today. I just wanted to check what was wrong so ran a quick scan and it detected this as spyware..

I wanted to submit it to the Avast virus lab but after I restored it from MBAM quarantine it shows the file as safe! Still I uploaded it to Avast labs, hope they add it, but just in case can one of you guys inform an Admin about this? It's MediaPluginSetup from Game Play Labs.

Another issue - Does anyone know how to remove the "twitter" logo from Avast! notifications? I mainly get it when there are threat alerts, the little "T" logo - I find this VERY annoying and out of place.. I don't know why they have put it there in the first place since it's very inappropriate.. Please let me know if anyone knows how to remove it :)

Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 06:01:33 PM
Upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners.
When you have the result, copy the URL in the address bar and post it here so we can see.

alternatives
VirSCAN  http://virscan.org/
Jotti    http://virusscan.jotti.org/en
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 07, 2011, 06:05:57 PM
Like I said, after restoring it from MBAM quarantine it doesn't detect that as a threat anymore.. But I'm pretty sure that it is a threat because MBAM detected it along with several other registry keys..
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 06:09:58 PM
Like I said... test suspicious file(s) at VirusTotal.
The more scanners that detect it, the bigger the chance of a real detection.
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 07, 2011, 06:16:16 PM
Ok I will try but what I meant was, what if MBAM "cleaned" or "disinfected" the file? Also my Avast GUI became a bit messed up just now, don't know if it has anything to do with the infection, I'm running a scan on SAS as well, will restart the PC and see if it will be back to normal.. but at the moment it's like this -
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 06:17:29 PM
MBAM does not clean file(s); it moves infected files to quarantine.

The malware MBAM looks for is not cleanable.

Quote
On the other hand, antivirus software can't 'clean' a worm or a trojan, because there is nothing to clean - the entire file IS the worm or trojan.
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 07, 2011, 06:35:54 PM
Oh ok. Thanks for the info! :)  Anyway I don't know why MBAM doesn't detect the file as a virus once I restore it  :-\ guess I'll have to ask their admins about it..

Anyway I scanned it on VirusTotal - there was another potential malware that Avast! didnt detect so I scanned that as well.. So the 2 links for the files are

http://www.virustotal.com/file-scan/report.html?id=4dd6ec9895a6a5a362e0835b258440c86cb1103da7d424826565b14e266c53c3-1302193615

http://www.virustotal.com/file-scan/report.html?id=277b179862655d592587ad3597c1c5ebf8f99a76247a5b8561aec45d8e8edc33-1302193556
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 06:40:32 PM
My guess is False Positives

File  -   ibelicomeposu.dll

sigcheck:
publisher....: Realtek Semiconductor Corp.
copyright....: Copyright (c) 2004 Realtek Semiconductor Corp.
product......: Realtek AC97 Audio - Event Monitor
description..: Realtek Azalia Audio - Event Monitor
original name: Alcxmntr.exe
internal name: Alcxmntr
file version.: 1, 6, 0, 4
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned


File - BHO.dll

sigcheck:
publisher....: GamePlayLabs
copyright....: Copyright 2010. All rights reserved.
product......: GamePlayLabs Browser Helper Object
description..: GamePlayLabs Browser Helper Object
original name: BHO.dll
internal name: BHO.dll
file version.: 1.0.0.1
comments.....: GamePlayLabs Browser Helper Object
signers......: -
signing date.: -
verified.....: Unsigned
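
Added example (editor's code, not from any poster in this thread and not VirusTotal's): the "sigcheck" block above is VirusTotal's rendering of the file's own version-info resource, which whoever builds a binary can fill with any text; only the `verified` line comes from an actual Authenticode check. The script parses that text format and flags the inconsistencies a triager looks for: a claimed well-known publisher with no signature, an original name that does not match the name on disk (here an .exe name inside a .dll), and a filename that looks machine-generated. The vendor list and the randomness heuristic are assumptions; the two sample blocks are the ones quoted in this post.

```python
"""Triage of the sigcheck-style version-info text VirusTotal shows under
"Additional information". Everything except 'verified' is self-declared."""

import re

# Constructed samples: the two blocks quoted in this thread, copied into
# strings so the code runs offline.
SIGCHECK_IBELICOMEPOSU = """\
publisher....: Realtek Semiconductor Corp.
copyright....: Copyright (c) 2004 Realtek Semiconductor Corp.
product......: Realtek AC97 Audio - Event Monitor
description..: Realtek Azalia Audio - Event Monitor
original name: Alcxmntr.exe
internal name: Alcxmntr
file version.: 1, 6, 0, 4
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned
"""

SIGCHECK_BHO = """\
publisher....: GamePlayLabs
copyright....: Copyright 2010. All rights reserved.
product......: GamePlayLabs Browser Helper Object
description..: GamePlayLabs Browser Helper Object
original name: BHO.dll
internal name: BHO.dll
file version.: 1.0.0.1
comments.....: GamePlayLabs Browser Helper Object
signers......: -
signing date.: -
verified.....: Unsigned
"""

# Vendors whose names droppers commonly borrow (assumed, not exhaustive).
WELL_KNOWN_VENDORS = ("realtek", "microsoft", "adobe", "intel", "nvidia", "google")

# 'name....: value' with a dotted or undotted field name; the value may be empty.
_FIELD = re.compile(r"^([a-z][a-z ]*?)\.*:\s*(.*)$")
_VOWELS = set("aeiou")


def parse_sigcheck(text):
    """Parse the block into a dict; VirusTotal prints '-' for empty fields."""
    info = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        value = m.group(2).strip()
        info[m.group(1).strip()] = "" if value == "-" else value
    return info


def looks_machine_generated(stem):
    """Heuristic (assumption): long all-letter names that alternate
    consonant/vowel almost perfectly ('ibelicomeposu') are typical of
    randomly generated, pronounceable dropper names."""
    s = stem.lower()
    if len(s) < 10 or not s.isalpha():
        return False
    flips = sum((s[i] in _VOWELS) != (s[i - 1] in _VOWELS) for i in range(1, len(s)))
    return flips / (len(s) - 1) >= 0.9


def triage(filename, info):
    """Return (code, explanation) findings for one file's version info."""
    findings = []
    signed = info.get("verified", "").lower() == "signed"
    publisher = info.get("publisher", "")
    original = info.get("original name", "")
    if not signed:
        findings.append(("unsigned", "no valid Authenticode signature; version strings are unverified text"))
    if publisher and not signed and any(v in publisher.lower() for v in WELL_KNOWN_VENDORS):
        findings.append(("spoofed-vendor", f"claims publisher {publisher!r} but is unsigned"))
    if original and original.lower() != filename.lower():
        findings.append(("name-mismatch", f"original name {original!r} != on-disk name {filename!r}"))
        if original.lower().endswith(".exe") and filename.lower().endswith(".dll"):
            findings.append(("type-mismatch", "version info describes an .exe but the sample is a .dll"))
    if looks_machine_generated(filename.rsplit(".", 1)[0]):
        findings.append(("random-name", f"on-disk name {filename!r} looks machine-generated"))
    return findings


if __name__ == "__main__":
    for name, block in (("ibelicomeposu.dll", SIGCHECK_IBELICOMEPOSU), ("BHO.dll", SIGCHECK_BHO)):
        print(name)
        for code, why in triage(name, parse_sigcheck(block)):
            print(f"  [{code}] {why}")
```

Run against the two blocks, BHO.dll only earns "unsigned" (its strings are at least consistent with the file), while ibelicomeposu.dll trips every rule: the Realtek strings and the Alcxmntr.exe original name are borrowed from a real driver component, which is what the later "Sigcheck in VirusTotal is faked" remark refers to.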


Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 07, 2011, 06:49:45 PM
ibelicomeposu.dll was detected as malware by quite a few different scanners..
(10/41)

Also, may I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..

About the BHO - as I explained in the first post, I was forced to install it (couldn't play videos online without this plugin), but now after it has been removed the videos are playing fine, I find that a little bit suspicious..

Thanks for taking your time to help me out :)
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Zyndstoff (aka Steven Gail) on April 07, 2011, 06:52:44 PM
Quote
Also, may I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..


On virustotal.com, result-page (your link), click button "additional info -> show all"  ;D
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 06:54:36 PM
Quote
Also May I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..
Scroll down the VirusTotal scan, and you will see a button on the right side > Additional information "SHOW ALL"


See your message box... top right "MY MESSAGES"
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 07, 2011, 06:57:21 PM
lol cant believe I didnt see that! Thanks guys! :)

@pondus - I replied to the msg.
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 07:29:12 PM
Quote
Oh ok. Thanks for the info!   Anyway I dont know why MBAM doesnt detect the file as a virus once I restore it   guess I ll have to ask their admins about it..
Have you updated Malwarebytes since it was first detected?
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 07, 2011, 09:44:12 PM
OK first reply received.... seems the Sigcheck in VirusTotal is faked

SOPHOS
Quote
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

BHO.dll -- non-malicious
ibelicomeposu.dll -- identity created/updated (New detection Troj/Agent-RBQ)
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 12:05:56 AM
Malwarebytes
Quote
ibelicomeposu.dll  (Trojan.Agent)
BHO.dll  (Spyware.GamePlayLabs)
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 04:04:13 AM

Quote
Have you updated Malwarebytes since it was first detected?

Yes MBAM was updated - I always update MBAM before running a scan, however yesterday BHO was detected and after I restored it, it said the file is safe - I did not update it in between this incident - had the same definitions..
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 04:05:59 AM
Quote
OK first reply received.... seems the Sigcheck in VirusTotal is faked

SOPHOS
Quote
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

BHO.dll -- non-malicious
ibelicomeposu.dll -- identity created/updated (New detection Troj/Agent-RBQ)

The info about BHO seems to be correct - the signatures I mean.. It was designed by game play labs.
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 04:07:52 AM
Quote
Malwarebytes
Quote
ibelicomeposu.dll  (Trojan.Agent)
BHO.dll  (Spyware.GamePlayLabs)

This is exactly what I got from MBAM - this is what it detected the 2 files as. Did you run a scan on MBAM or? So anyway do you think these are actual viruses? If so please send it to Avast labs.

Cheers! :)
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 08:59:25 AM
Norman
Quote
Both are malware files, added detection.

BHO.dll : Processed - BHO.AAQE
ibelicomeposu.dll : Already detected as Suspicious_Gen2.KSJAM
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 09:14:48 AM
Avira
Quote
The file 'BHO.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The file 'ibelicomeposu.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.



ehrmmmm......okay    ???
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Zyndstoff (aka Steven Gail) on April 08, 2011, 09:43:53 AM
Avira
Quote
The file 'BHO.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The file 'ibelicomeposu.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.



ehrmmmm......okay    ???

Funny, strange... but I tend to trust the Avira findings much more.
After all, Avira has great detection, so their lab must be good...
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 09:55:41 AM
I suspect they use some auto-analysis... however Avira detected this in the first place so I sent it to them as a possible False Positive case
and that should mean they did a manual analysis?...... people also make mistakes..
anyway samples are sent to avast so now we have to see what they say....
I will see if I can get some extra info from Norman and Malwarebytes
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 10:02:42 AM
I contacted Malwarebyte's and they said its malicious.. Hope Avast! adds it to their definitions :)
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 03:12:00 PM
Quote
I suspect they use some auto-analysis... however Avira detected this in the first place so I sent it to them as a possible False Positive case
and that should mean they did a manual analysis?...... people also make mistakes..
anyway samples are sent to avast so now we have to see what they say....
I will see if I can get some extra info from Norman and Malwarebytes

Avast detects ibelicomeposu.dll as Win32:Malware-gen now :D they have added it. Still waiting on BHO though.. MBAM admins confirmed that it's spyware too..

BHO.dll (Spyware.GamePlayLabs) this is how it detects it.

Let me know if you get a reply from Avast!
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 03:40:07 PM
Info from Malwarebytes


Quote
Hi Pondus,

Different vendors have different ways of assessing files.

For example "GamePlayLabs": you just need to read their current EULA to see what they have declared they are harvesting (data) from you once installed = enough for us to classify them as Spyware

Just looking at the file briefly will not tell you this information but more indepth research will

Hope that helps

Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 04:06:23 PM
The way it forced me to install was very suspicious.. I actually thought that it was needed to play online videos which is why I installed it. Hope you forward the email to Avast! and see their response.. Please inform me about what Avast says.
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: Pondus on April 08, 2011, 04:13:11 PM
Quote
Hope you forward the email to Avast! and see their response.. Please inform me about what Avast says.
avast! never responds..... from all the samples I have uploaded I think I have received one "Thanks for samples"   ::)

anyway you can be sure that they have seen this thread..... so maybe someone from avast! will reply here?
Title: Re: MediaPluginInstall from game play labs is a virus!!!
Post by: DraKuL on April 08, 2011, 04:36:09 PM

Quote
avast! never responds..... from all the samples I have uploaded I think I have received one "Thanks for samples"   ::)

lol maybe they should work a bit on that :) Other sites reply thanking us for the samples and they also give a feedback about them, whether they are malicious or not.. Avast! gets so many samples from its users and they should do this for the users in my opinion :)  The users want to know whether its a virus or not and the reasoning.. Sophos is doing a great job at that, even malwarebytes' gave a nice feedback right? :)


Quote
anyway you can be sure that they have seen this thread..... so maybe someone from avast! will reply here?

Lets hope so  ;D

PS - I changed the name of the topic, hope it will attract attention  ;D
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: BTCentral on April 08, 2011, 05:07:26 PM
In my experience around 99% of sites asking you to install "codecs", "browser extensions" or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine "you need to update" message, then I would be extremely wary of it.

A good example of a "safe" site might be Youtube telling you that your flash player is out of date and that you need to upgrade. At which point you would be pointed to the Adobe site to download the latest version.

However for a malicious site telling you that your codecs are out of date and need to be updated to display a video you will generally find:

1) You are not alerted to this until you click to play the video, at which point you will be presented with a message in the browser that you need to download and install codec "x".
2) When you click the link to download codec "x" the codec will either be hosted on the same domain e.g. http://reallycoolvideosite.com/codecupdate.13483.exe or another odd looking domain e.g. http://abxxs1.downloadsvr211.co.cc/codecsetup.1321.exe
3) The download will be started automatically when you click the "you need to update" message.
4) If you click cancel a javascript prompt will be shown multiple times until you click the "OK" to download the malicious software.

When it comes to browser extensions and codecs the best advice I can give is do not do it unless you are 100% sure it is absolutely safe.

Most importantly, only ever download the latest versions of codecs (or similar) from the developers website - if they are asking you to download the latest flash player, go to the Adobe website. If they want you to update Windows Media Player, go to the Microsoft Website. Real Player? Go to the RealNetworks, Inc website - you get the idea I am sure.

Fake codec/browser extensions are a fairly big issue as even now many people are still unaware of the threat.

Some final advice: Be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a "video" on facebook you may find that it takes you to a site that looks like Youtube, or a youtube video for example but in fact is not.
If it is a youtube video, you can generally find this out by right clicking - as the flash player options will be shown. If it's a fake video, often you will see either the standard browser right click menu (e.g. view source etc.) or view image.

If you do not know what likejacking is, be sure to read up on that here (http://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/) too.

Likejacking can be reasonably harmless as the majority of the time it is a survey scam (e.g. fill in this survey to prove you are a human and view the video!) however it can also be used to spread malicious software (and in this case it sounds like the latter happened).
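
Added example, not part of BTCentral's post: a small classifier for the download-URL pattern in points 2 and 3 above. It treats a download as expected only when it is served from the vendor's own registered domain, and otherwise flags executables with codec/plugin lure names that come from the video site itself or from a throwaway host. The vendor list, the free-hosting suffixes beyond co.cc, and the fourth sample URL are assumptions made for the example; the first two URLs are the ones given in the post.

```python
"""Classify 'you need codec X' download links by where they are served from
and what the filename promises."""

import re
from urllib.parse import urlparse

# Vendors whose player updates are legitimate only when fetched from the
# vendor itself (assumed, partial list; Adobe/Microsoft/Real are named above).
VENDOR_DOMAINS = {"adobe.com", "microsoft.com", "real.com"}
# Free subdomain registries abused for drive-by hosting (co.cc is the page's
# own example; the others are assumed).
FREE_HOST_SUFFIXES = (".co.cc", ".cz.cc", ".uni.cc")
# Filenames that promise a codec/plugin/player, optionally salted with digits.
LURE_NAME = re.compile(r"(codec|plugin|player|flash|media)\w*(\.\d+)?\.(exe|scr|msi)$", re.I)


def registered_domain(host):
    """Crude eTLD+1: last two labels, or three under a free-hosting suffix, so
    'adobe.com.evil.co.cc' resolves to 'evil.co.cc', not 'adobe.com'."""
    labels = host.lower().split(".")
    if host.lower().endswith(FREE_HOST_SUFFIXES):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_download(url, page_host):
    """Reasons a download link looks like a fake-codec lure (empty = nothing
    suspicious). page_host is the host of the page that showed the prompt."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    if registered_domain(host) in VENDOR_DOMAINS:
        return []  # served by the vendor: what a genuine update prompt points at
    reasons = []
    if re.search(r"\.(exe|scr|msi)$", filename, re.I):
        reasons.append("executable")
    if LURE_NAME.search(filename):
        reasons.append("lure-name")
    if host and registered_domain(host) == registered_domain(page_host):
        reasons.append("same-host-as-page")   # point 2: codec hosted by the video site
    if host.endswith(FREE_HOST_SUFFIXES):
        reasons.append("free-hosting")        # point 2: odd-looking throwaway domain
    if any(re.search(r"[a-z]\d+$", label) for label in host.split(".")):
        reasons.append("salted-hostname")     # abxxs1 / downloadsvr211 style labels
    return reasons


if __name__ == "__main__":
    # The two URLs from the post, a vendor URL, and a constructed look-alike.
    samples = [
        ("http://reallycoolvideosite.com/codecupdate.13483.exe", "reallycoolvideosite.com"),
        ("http://abxxs1.downloadsvr211.co.cc/codecsetup.1321.exe", "reallycoolvideosite.com"),
        ("https://get.adobe.com/flashplayer/", "youtube.com"),
        ("http://adobe.com.update-check.co.cc/flashplayer_setup.5521.exe", "youtube.com"),
    ]
    for url, page in samples:
        print(f"{url}\n    {', '.join(classify_download(url, page)) or 'looks like a vendor download'}")
```

The vendor check runs on the registered domain rather than on the raw hostname, which is the point of the fourth sample: a hostname that merely starts with a vendor name is not the vendor.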
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: rapa on April 08, 2011, 05:10:31 PM
Thanks for your efforts concerning this issue, I do however have one question. I have, exactly like the previous poster, installed the program after I was unable to watch the YouTube video posted on Facebook, so far I haven't seen any side effects. My question is what should I be looking for in "Scan results" to make sure the threat has been removed. I'm using Avast Pro.

The file I've downloaded and installed is called MediaPluginSetup with the rolling movie tape icon.

Thanks in advance.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 08, 2011, 05:11:34 PM
Quote
In my experience around 99% of sites asking you to install "codecs", "browser extensions" or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine "you need to update" message, then I would be extremely wary of it.

A good example of a "safe" site might be Youtube telling you that your flash player is out of date and that you need to upgrade. At which point you would be pointed to the Adobe site to download the latest version.

Thanks, this is very informative! and I am aware that most sites get us to install fake add-ons but this was on Facebook and YouTube - I couldn't play any videos and it made me download a setup and run it (didn't take me to any external links)..

Edit: I'm quite aware of 'likejacking' too, but this was a normal Facebook video.. I want to thank you very much for the effort and the post, it's VERY informative and will help so many users :)
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 08, 2011, 05:16:07 PM
Quote
Thanks for your efforts concerning this issue, I do however have one question. I have, exactly like the previous poster, installed the program after I was unable to watch the YouTube video posted on Facebook, so far I haven't seen any side effects. My question is what should I be looking for in "Scan results" to make sure the threat has been removed. I'm using Avast Pro.

Thanks in advance.

The name of the spyware is MediaPlugin and the name of the setup file is MediaPluginInstall.  The company/organization that developed it is GamePlayLabs.

If you use MBAM it will detect this file, I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them, do not run the uninstaller provided - it didn't work for me.. If you use MBAM to clean it, MBAM will remove the registry entries as well! but there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you're using windows 7 / Vista , if its XP the path will be different.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: BTCentral on April 08, 2011, 05:19:30 PM
Quote
In my experience around 99% of sites asking you to install "codecs", "browser extensions" or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine "you need to update" message, then I would be extremely wary of it.

A good example of a "safe" site might be Youtube telling you that your flash player is out of date and that you need to upgrade. At which point you would be pointed to the Adobe site to download the latest version.

Thanks, this is very informative! and I am aware that most sites get us to install fake add-ons but this was on Facebook and YouTube - I couldn't play any videos and it made me download a setup and run it.. I trusted it because fb and YouTube both asked for the link.
Funnily enough, I just edited my post to add a specific warning about facebook:

Some final advice: Be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a "video" on facebook you may find that it takes you to a site that looks like Youtube, or a youtube video for example but in fact is not.
If it is a youtube video, you can generally find this out by right clicking - as the flash player options will be shown. If it's a fake video, often you will see either the standard browser right click menu (e.g. view source etc.) or view image.

If you do not know what likejacking is, be sure to read up on that here (http://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/) too.

Likejacking can be reasonably harmless as the majority of the time it is a survey scam (e.g. fill in this survey to prove you are a human and view the video!) however it can also be used to spread malicious software (and in this case it sounds like the latter happened).

Quote
Another issue - Does anyone know how to remove the "twitter" logo from Avast! notifications? I mainly get it when there are threat alerts, the little "T" logo - I find this VERY annoying and out of place.. I don't know why they have put it there in the first place since it's very inappropriate.. Please let me know if anyone knows how to remove it :)
Unfortunately currently there is no way to disable this. Nor the "Like" button in the main user interface :(

Considering you are using the paid version of the software (as am I), I think there should be an option to disable these... maybe in the future?
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: rapa on April 08, 2011, 05:27:22 PM
Quote
Thanks for your efforts concerning this issue, I do however have one question. I have, exactly like the previous poster, installed the program after I was unable to watch the YouTube video posted on Facebook, so far I haven't seen any side effects. My question is what should I be looking for in "Scan results" to make sure the threat has been removed. I'm using Avast Pro.

Thanks in advance.

The name of the spyware is MediaPluginInstall its installed from game play labs.

If you use MBAM it will detect this file, I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them, do not run the uninstaller provided - it didn't work for me.. If you use MBAM to clean it, MBAM will remove the registry entries as well! but there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you're using windows 7 / Vista , if its XP the path will be different.

Thanks for your help. Unfortunately I am using Win XP, so if there's any chance you can advise me on where the files might be in Windows XP.. also I've just downloaded the MBAM trial, I hope it does the job.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: BTCentral on April 08, 2011, 05:29:19 PM

C:\Users\accountName\AppData\Local\Browser Plugin

Thanks for your help. Unfortunately I am using Win XP so if there's any chance you can advise me on where the files might be in Windows Xp, also I've just downloaded MBAM trial, I hope it does the job.
If it is same software, then you will likely find the path is:
C:\Documents and Settings\Username\Application Data\Local\Browser Plugin\
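
Added example, not from any poster: after deleting the folder, a reader may want to confirm that nothing is still registered as a Browser Helper Object, since the registry entries are what make Internet Explorer load the DLL on every start. The script lists the registered BHOs (collection is Windows-only, via `winreg`) and flags any whose DLL lives under the user's local application data folder rather than Program Files, which is the layout seen in this thread. It asks the shell for that folder (CSIDL_LOCAL_APPDATA) instead of hardcoding either of the profile paths given above. The assessment and the cleanup plan are plain Python and are exercised here on constructed records; the Program Files roots are assumed defaults.

```python
"""List Internet Explorer BHOs and flag ones loading from the user profile."""

import ntpath
import os
import sys
from dataclasses import dataclass
from typing import List

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CSIDL_LOCAL_APPDATA = 0x001C
# Install roots where legitimate add-ons normally live (assumed defaults).
PROGRAM_FILES = (r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass
class Bho:
    clsid: str
    dll: str             # default value of HKCR\CLSID\{clsid}\InprocServer32
    wow64: bool = False  # found in the 32-bit registry view of a 64-bit Windows


def local_appdata_dir() -> str:
    """Per-user local application data folder. %LOCALAPPDATA% exists from
    Vista on; SHGetFolderPath(CSIDL_LOCAL_APPDATA) also resolves it on XP."""
    env = os.environ.get("LOCALAPPDATA")
    if env:
        return env
    import ctypes
    buf = ctypes.create_unicode_buffer(260)  # MAX_PATH
    ctypes.windll.shell32.SHGetFolderPathW(None, CSIDL_LOCAL_APPDATA, None, 0, buf)
    return buf.value


def collect_bhos() -> List[Bho]:
    """Read every registered BHO from both registry views (Windows only)."""
    import winreg
    found = []
    for view, wow64 in ((winreg.KEY_WOW64_64KEY, False), (winreg.KEY_WOW64_32KEY, True)):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(key, index)
            except OSError:
                break
            index += 1
            try:
                srv = winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32",
                                     0, winreg.KEY_READ | view)
                dll, _ = winreg.QueryValueEx(srv, "")
            except OSError:
                dll = ""  # listed as a BHO but no COM server left: stale entry
            found.append(Bho(clsid, os.path.expandvars(dll), wow64))
    return found


def _under(path: str, folder: str) -> bool:
    p, f = ntpath.normcase(path), ntpath.normcase(folder).rstrip("\\")
    return p == f or p.startswith(f + "\\")


def assess(bho: Bho, local_appdata: str, program_files=PROGRAM_FILES) -> List[str]:
    """Reasons a registered BHO deserves a look."""
    reasons = []
    if not bho.dll:
        reasons.append("no-inprocserver32")
    elif _under(bho.dll, local_appdata):
        reasons.append("loads-from-local-appdata")   # the GamePlayLabs layout
    elif not any(_under(bho.dll, pf) for pf in program_files):
        reasons.append("outside-program-files")
    return reasons


def cleanup_plan(bho: Bho) -> List[str]:
    """What the registration consists of, in removal order: the BHO listing,
    the COM class, then the DLL itself (only once you are sure it is unwanted)."""
    sw = r"SOFTWARE\Wow6432Node" if bho.wow64 else "SOFTWARE"
    clsid_root = r"HKCR\Wow6432Node\CLSID" if bho.wow64 else r"HKCR\CLSID"
    plan = [
        rf"HKLM\{sw}\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bho.clsid}",
        rf"{clsid_root}\{bho.clsid}",
    ]
    if bho.dll:
        plan.append(bho.dll)
    return plan


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Enumeration needs the Windows registry; assess()/cleanup_plan() run anywhere.")
    appdata = local_appdata_dir()
    for bho in collect_bhos():
        flags = assess(bho, appdata)
        print(f"{bho.clsid}  {bho.dll or '<no InprocServer32>'}  {' '.join(flags) or 'ok'}")
        for step in (cleanup_plan(bho) if flags else []):
            print("    remove:", step)
```

Deleting the folder alone leaves the CLSID and BHO keys behind; an orphaned entry is harmless to IE but shows up as `no-inprocserver32` here, which is also a quick way to see what an anti-malware cleanup left over.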
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 08, 2011, 05:30:03 PM
Quote
Thanks for your help. Unfortunately I am using Win XP, so if there's any chance you can advise me on where the files might be in Windows XP.. also I've just downloaded the MBAM trial, I hope it does the job.


Yes it does! :) and when it cleans it you will be able to see it in the quarantine list - from there you can get the location of the other files :)

The MBAM free version is just as good as the paid one but the main difference is, it doesn't provide real-time protection.. only on-demand scanning.

Also make sure you update it before scanning!

Cheers!
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 08, 2011, 05:36:23 PM

Quote
Another issue - Does anyone know how to remove the "twitter" logo from Avast! notifications? I mainly get it when there are threat alerts, the little "T" logo - I find this VERY annoying and out of place.. I don't know why they have put it there in the first place since it's very inappropriate.. Please let me know if anyone knows how to remove it :)
Unfortunately currently there is no way to disable this. Nor the "Like" button in the main user interface :(

Considering you are using the paid version of the software (as am I), I think there should be an option to disable these... maybe in the future?

It's in the Betas already, so there will be the disabling option.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 08, 2011, 05:41:12 PM
@BTCentral - Even I edited my post about it!  ;D I'm well aware of facebook scandals! sadly so many people fall for them.. Again I'd like to say that this is very informative and thanks!

@Zyndstoff- Yeah I heard, Actually i like the 'like' button  ;D its only the twitter logo I cant stand  ;D
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: BTCentral on April 08, 2011, 05:42:42 PM
Again I'd like to say that this is very informative and thanks!
No problem :)


It's in the Betas already, so there will be the disabling option.
Great news, thanks for letting me know :)
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: AU4U on April 09, 2011, 11:23:59 PM
People still download stuff from Facebook???????? :o :o
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 10, 2011, 09:10:57 AM
Quote
People still download stuff from Facebook???????? :o :o

I didn't download anything.. Just tried to watch a YouTube link posted on Facebook and we were asked to install this plugin which it said is required to play the video.. So I downloaded and installed it because it said that it's required to play the video..
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: moskri on April 10, 2011, 01:17:26 PM
Quote
Thanks for your efforts concerning this issue, I do however have one question. I have, exactly like the previous poster, installed the program after I was unable to watch the YouTube video posted on Facebook, so far I haven't seen any side effects. My question is what should I be looking for in "Scan results" to make sure the threat has been removed. I'm using Avast Pro.

Thanks in advance.

The name of the spyware is MediaPlugin and the name of the setup file is MediaPluginInstall.  The company/organization that developed it is GamePlayLabs.

If you use MBAM it will detect this file, I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them, do not run the uninstaller provided - it didn't work for me.. If you use MBAM to clean it, MBAM will remove the registry entries as well! but there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you're using windows 7 / Vista , if its XP the path will be different.

Hello everyone. I had the same problem, and 10 minutes ago I did delete BHO.dll, but in Firefox this message appears all the time whenever I google something or whenever I browse Facebook. So how do I remove this from Firefox? Btw, on Google Chrome my antivirus doesn't pop up with an error, but on Firefox it keeps popping up, even while I'm typing this. Here's the screen cap:
http://i55.tinypic.com/o94meq.jpg   

So, can I somehow remove this "plugin" or whatever it's called? Or should I just reinstall Firefox and hope for best? :D  Thanks in advance everyone.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: moskri on April 10, 2011, 01:29:11 PM
I just found the solution. Needed to remove GamePlayLabs add-on in Firefox and then restarted it. That was it.  ;D I hope now everything is going to work fine.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 10, 2011, 01:32:57 PM
I just found the solution. Needed to remove GamePlayLabs add-on in Firefox and then restarted it. That was it.  ;D I hope now everything is going to work fine.

Do a quick scan with MBAM just to make sure :)
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: nounzein on April 14, 2011, 06:42:35 PM
I've made the same mistake: I downloaded and installed this file.

The report on VirusTotal shows me:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MediaPluginSetup.exe
Submission date: 2011-04-14 16:20:56 (UTC)
Current status: finished
Result: 2/ 40 (5.0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2011.04.14.00   2011.04.14   -
AntiVir   7.11.6.109   2011.04.14   -
Antiy-AVL   2.0.3.7   2011.04.14   -
Avast   4.8.1351.0   2011.04.14   -
Avast5   5.0.677.0   2011.04.14   -
AVG   10.0.0.1190   2011.04.14   BHO.C
BitDefender   7.2   2011.04.14   -
CAT-QuickHeal   11.00   2011.04.14   -
ClamAV   0.97.0.0   2011.04.14   -
Commtouch   5.2.11.5   2011.04.14   -
Comodo   8340   2011.04.14   -
DrWeb   5.0.2.03300   2011.04.14   -
eSafe   7.0.17.0   2011.04.13   -
eTrust-Vet   36.1.8271   2011.04.14   -
F-Prot   4.6.2.117   2011.04.13   -
F-Secure   9.0.16440.0   2011.04.14   -
Fortinet   4.2.257.0   2011.04.14   -
GData   22   2011.04.14   -
Ikarus   T3.1.1.103.0   2011.04.14   -
Jiangmin   13.0.900   2011.04.13   -
K7AntiVirus   9.96.4382   2011.04.13   -
Kaspersky   7.0.0.125   2011.04.14   -
McAfee   5.400.0.1158   2011.04.14   -
McAfee-GW-Edition   2010.1D   2011.04.14   -
Microsoft   1.6702   2011.04.14   -
NOD32   6041   2011.04.14   -
Norman   6.07.07   2011.04.13   -
Panda   10.0.3.5   2011.04.14   -
PCTools   7.0.3.5   2011.04.14   -
Prevx   3.0   2011.04.14   -
Rising   23.53.03.06   2011.04.14   -
Sophos   4.64.0   2011.04.14   -
SUPERAntiSpyware   4.40.0.1006   2011.04.14   -
Symantec   20101.3.2.89   2011.04.14   -
TheHacker   6.7.0.1.173   2011.04.13   -
TrendMicro   9.200.0.1012   2011.04.14   -
TrendMicro-HouseCall   9.200.0.1012   2011.04.14   -
VIPRE   9013   2011.04.14   GamePlayLabs (v)
ViRobot   2011.4.14.4410   2011.04.14   -
VirusBuster   13.6.305.0   2011.04.14   -
Additional information:
MD5   : 3ce497d244bed4b425343edee3ee9caf
SHA1  : 33d87ca16e90458483127b46175ff09e8fb31afb
SHA256: 1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018

Avast didn't notice anything!!!! I was using Chrome.
I'll try to remove it as shown here; I hope it works...
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 06:59:14 PM
What do you want Avast to notice?

There are 38 scanners out of 40 that say it's clean.  ???

And one of the others is VIPRE... not known for good results anyway.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 07:09:20 PM
@Zyndstoff  see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look at reply #24
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 07:13:09 PM
@Zyndstoff  see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look at reply #24

I'm aware of that.
Didn't know you can distinguish malware by reading the EULA... most software would be malware in one way or another if you took its EULA literally.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 07:18:42 PM
Quote
Didn't know you can distinguish malware by reading the EULA
they did more than just read the EULA

Quote
Just looking at the file briefly will not tell you this information but more indepth research will
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 07:20:21 PM
So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: polonus on April 14, 2011, 07:20:28 PM
Hi Pondus,

Two flags are more than one, as I found when I searched the malware hash...
VirusTotal.com     2/40 (5%) detected malware

ThreatExpert.com   New/Nothing Found

Team-CYMRU.org     New/Nothing Found

Now let's use the common Google search query "MediaPluginSetup.exe BHO.C" and see what we get... e.g.:
This report for WOT: http://www.mywot.com/en/forum/11086-fake-media-player-spreading-through-facebook

This with another added flag: http://virscan.org/report/36f7a8ba55a616e274915fa4a3e3c4b1.html
CP Secure finding: Troj.Downloader.W32.Aphex.020

So what you think?

polonus
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 07:29:34 PM
So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?
Is it the exact same sample ?  same MD5 ?
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 07:34:36 PM
So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?
Is it the exact same sample ?  same MD5 ?

Sorry, I don't have that file. I would just like to see more scanners jumping on it.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 07:39:03 PM
Quote
Sorry, I don't have that file. I would just like to see more scanners jumping on it.
Working on it   ;)
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Zyndstoff (aka Steven Gail) on April 14, 2011, 07:45:24 PM
Quote
Sorry, I don't have that file. I would just like to see more scanners jumping on it.
Working on it   ;)

 ;D waiting
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: polonus on April 14, 2011, 09:27:20 PM
Hi Pondus and Zyndstoff,

This adds to the suspicion: http://vscan.novirusthanks.org/analysis/20d3f7c94b5265c14d05554c50eb8fa1/bWVkaWFwbHVnaW5zZXR1cC1leGU=/

and jotti's: http://virusscan.jotti.org/en/scanresult/3eae48334dfd051c642d6e31beef4c7bdf26c62c

virustotal at three detections now and ThreatExpert reporting:
http://www.virustotal.com/file-scan/report.html?id=dccf714d5a272fe6e52db6dd26c5279cea46570b295f70b0a1d0e112a531b518-1302351204

http://www.threatexpert.com/report.aspx?md5=20d3f7c94b5265c14d05554c50eb8fa1

So it is coming, as our friend Pondus predicted,

polonus

P.S. for the browser BHO PlugIn, see: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=0xD7DC7DFE31FA56BBF486E947D89C68F3

D
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 10:17:29 PM
Yep, seems to be the same type, but a different MD5...
Looks as though they do the same as with FakeAV... a new MD5 on every sample...
so I was hoping @nounzein would respond so I could get his sample to be 100% sure


here is one more, and again new MD5
http://www.virustotal.com/file-scan/report.html?id=1ffb8c2870f5913928817d64ae361f0a26c20085b64b8336709aa48ee8ce5690-1302812934


Malwarebytes detects it as - Spyware.GamePlayLabs
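A way to settle the "same MD5?" question from a few posts up and to check a freshly obtained sample against the digests already posted, as an added example that is not code from the thread or from any of the scanners mentioned. It computes MD5, SHA-1 and SHA-256 for a sample (in memory or streamed from disk), decides whether two files are the identical sample, and matches against the three digests from the VirusTotal report quoted earlier in this thread. The two byte strings at the bottom are constructed stand-ins for two builds of a re-packed installer, not the real MediaPluginSetup.exe; `KNOWN_BAD`, `vt_lookup_url` and the other names are this example's own.

```python
"""Hash-based sample triage (added example; not code from the thread).

Computes MD5, SHA-1 and SHA-256 of a sample and compares them with the
digests in the VirusTotal report quoted earlier in this thread. The two
byte strings at the bottom are constructed stand-ins for two builds of a
re-packed installer; they are not the real MediaPluginSetup.exe.
"""
import hashlib
import os
import tempfile

# Digests of MediaPluginSetup.exe from the VirusTotal report above
# (submission 2011-04-14 16:20:56 UTC).
KNOWN_BAD = {
    "md5": {"3ce497d244bed4b425343edee3ee9caf"},
    "sha1": {"33d87ca16e90458483127b46175ff09e8fb31afb"},
    "sha256": {"1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018"},
}

ALGOS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> dict:
    """Lowercase hex MD5 / SHA-1 / SHA-256 of an in-memory sample."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same three digests, streamed so multi-megabyte installers fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def same_sample(a: dict, b: dict) -> bool:
    """Pondus's question ("same MD5?"): identical sample only if every digest agrees."""
    return all(a[algo] == b[algo] for algo in ALGOS)


def match_known(digests: dict, known: dict = KNOWN_BAD):
    """Name of the first algorithm whose value is on the known-bad list, else None."""
    for algo in ("sha256", "sha1", "md5"):  # strongest first
        if digests.get(algo) in known.get(algo, set()):
            return algo
    return None


def vt_lookup_url(sha256: str) -> str:
    """Look a sample up by hash instead of re-uploading it."""
    return f"https://www.virustotal.com/gui/file/{sha256}"


def streaming_matches(data: bytes) -> bool:
    """Self-check: the streamed file digest equals the in-memory digest."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return digest_file(path) == digest_bytes(data)
    finally:
        os.unlink(path)


# Constructed stand-ins: same "installer", one embedded build string changed.
SAMPLE_A = b"MZ" + b"\x00" * 62 + b"constructed-installer pid=4 build=20110414"
SAMPLE_B = b"MZ" + b"\x00" * 62 + b"constructed-installer pid=4 build=20110415"

if __name__ == "__main__":
    da, db = digest_bytes(SAMPLE_A), digest_bytes(SAMPLE_B)
    print("same sample:", same_sample(da, db))      # one byte differs -> False
    print("on known list:", match_known(da))         # new build -> None
    print("look up:", vt_lookup_url(da["sha256"]))
```

Two installers that differ by a single byte get entirely new digests, which is why a hash lookup reports "new/nothing found" for every re-packed build even though the behaviour is unchanged; that is the limitation the posts above are running into. Compare by SHA-256 where a report gives it and treat MD5 only as a key for matching older reports.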


Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: polonus on April 14, 2011, 11:47:25 PM
Hi Pondus,

So the morphing goes on like in the "Neverending Story"; good we have you to track them down (and some others as well).
ThreatExpert does not have that one yet. The question is, is this an older one:
htxp://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=4
poor rep scan: http://www.mywot.com/en/scorecard/d.gameplaylabs.com

Scanned without results here: http://wepawet.iseclab.org/domain.php?hash=a8445223b1364b1b8a9a9bc4f7180d42&type=js

Check the MD5 hashes at virus check, I think not reported yet,

polonus
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 14, 2011, 11:53:25 PM
Hi Pondus,

So the morphing goes on like in "neverending story", good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet,

polonus
I will upload the sample to them  ;)
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 15, 2011, 01:59:19 AM
I'd like to say that Malwarebytes' definitions are spot on! The way they make users download and install that plugin, and the fact that you don't actually need it to play videos on Facebook, is very suspicious.. (As shown in the link polonus posted)

Hope Avast adds it to their definitions as it would help so many users..
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: nounzein on April 15, 2011, 10:32:48 AM
This is really weird. I've had this file installed since yesterday and I've got nothing suspicious (till now), but a spyware that you can uninstall!!! I've never seen that...
And it seems that it attaches itself as an extension to the browser you opened it with (Chrome in my case).
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: anrose on April 15, 2011, 10:48:40 AM
I would suggest that you use this antivirus, Dr.Web Anti Virus for Windows 4.44 (http://www.sembrarpaz.com/Windows/Sicurezza-e-Privacy/AntiSpam-Tools-AntiSpy/DrWeb-Anti-Virus-for-Windows_294.html). It is best for viruses like the one you encountered on Facebook. Try using it; you'll definitely like it.
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: polonus on April 15, 2011, 10:56:30 AM
Hi nounzein,

That is the Browser Help Object that comes with the install: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=0xD7DC7DFE31FA56BBF486E947D89C68F3
See: http://www.threatexpert.com/report.aspx?md5=20d3f7c94b5265c14d05554c50eb8fa1
Anubis report:
http://anubis.iseclab.org/?action=result&task_id=16ae099d4a0b736c42509e155e9aad9b3&format=xml&save=1

This now comes with new installer campaigns that add unwanted installs of BHOs; I had a nasty one recently with the PicPick installer from Softonic, which came with a Bing toolbar.
and there are more examples...

polonus
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: Pondus on April 16, 2011, 09:01:06 AM
Norman analysis added detection

Here is the one i found in reply #56
Quote
MediaPluginSetup.exe : Processed - GamePlay.D

and here is the one @nounzein sent me
Quote
MediaPluginSetup.exe : Processed - GamePlay.A
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 16, 2011, 09:06:51 AM
Wonder why Avast isn't adding it  ???
Title: Re: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!
Post by: DraKuL on April 18, 2011, 09:41:23 AM
Ok, so I was just messing around with the browser extensions today and found out that another browser extension from Gameplay Labs, called Gameplay Labs Plugin, was installed (obviously it got installed with that media plugin), but before removing it from the GUI of the browser I searched everywhere in the user documents and AppData but couldn't find anything on it.. Don't know how it was still there and why MBAM didn't detect it.. It was installed in Firefox as well. It was enabled by default; even if I disabled it, it would get enabled the next time I ran the browser. At first the option to remove it completely wasn't there.. but after restarting the computer and disconnecting from the internet, I was able to remove it from both browsers..

I searched a bit about this plugin and it has given so many people a lot of trouble.. Just google "Gameplay labs plugin" and you'll see :)

Anyway, if it really is spyware and it steals passwords and stuff, so much sensitive information of mine has been leaked  :(

Avast still hasn't added detection though; I doubt they will do it in the future..
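For the re-enabling extension DraKuL describes above (present in Chrome and Firefox, not under the user's own AppData, re-enabled on every start), the following is an added example, not code from the thread, Avast, Malwarebytes or Gameplay Labs. It lists the extensions recorded in the profile files of Chrome and modern Firefox and flags the ones that are enabled and were installed from outside the browser (registry or external-preference provisioning rather than the store). The Chrome location table is taken from Chromium's Manifest::Location enum and the Firefox location names from its install-location list as I know them, both stated as assumptions in the code; the sample profile JSON and every extension id, name and path in it are constructed placeholders.

```python
"""List browser extensions from profile files and flag sideloaded ones.
Added example (not from the thread). Parses Chrome's profile `Preferences`
(JSON, key `extensions.settings`) and modern Firefox's `extensions.json`
(Firefox 4 in 2011 kept this in extensions.sqlite). Sample data below is
constructed; ids, names and paths are placeholders, not indicators."""
import glob
import json
import os
from pathlib import Path

# Chromium Manifest::Location values (assumption: from the Chromium enum).
# Externally provisioned locations let an installer add an extension
# without the user ever visiting the Web Store.
CHROME_LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry",
                    4: "unpacked", 5: "component", 6: "external_pref_download",
                    7: "external_policy_download", 8: "command_line",
                    9: "external_policy", 10: "external_component"}
CHROME_SIDELOAD = {2, 3, 6, 8}
# Firefox locations fed from the registry or application directories
# rather than by the user through the Add-ons Manager (assumption).
FIREFOX_SIDELOAD = {"winreg-app-global", "winreg-app-user", "app-global",
                    "app-system-share", "app-system-local", "app-system-user"}


def chrome_extensions(prefs_json: str) -> list:
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    rows = []
    for ext_id, ext in settings.items():
        loc = ext.get("location")
        rows.append({"browser": "chrome", "id": ext_id,
                     "name": ext.get("manifest", {}).get("name", "?"),
                     "enabled": ext.get("state") == 1,  # 1 = ENABLED, 0 = DISABLED
                     "location": CHROME_LOCATIONS.get(loc, f"unknown({loc})"),
                     "from_store": bool(ext.get("from_webstore", False)),
                     "sideloaded": loc in CHROME_SIDELOAD,
                     "path": ext.get("path", "")})
    return rows


def firefox_extensions(extensions_json: str) -> list:
    rows = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":  # skip themes, dictionaries, ...
            continue
        loc, src = addon.get("location", ""), addon.get("sourceURI") or ""
        rows.append({"browser": "firefox", "id": addon.get("id"),
                     "name": addon.get("defaultLocale", {}).get("name", "?"),
                     "enabled": bool(addon.get("active")) and not addon.get("userDisabled", False),
                     "location": loc,
                     "from_store": src.startswith("https://addons.mozilla.org/"),
                     "sideloaded": loc in FIREFOX_SIDELOAD,
                     "path": addon.get("path", "")})
    return rows


def suspicious(rows: list) -> list:
    """Enabled extensions that did not arrive through the browser's own store/UI."""
    return [r for r in rows if r["enabled"] and (r["sideloaded"] or not r["from_store"])]


def scan_live_profiles() -> list:
    """Default Windows profile paths; returns [] where they do not exist."""
    rows = []
    chrome = Path(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                  "User Data", "Default", "Preferences")
    if chrome.is_file():
        rows += chrome_extensions(chrome.read_text(encoding="utf-8"))
    pattern = os.path.join(os.environ.get("APPDATA", ""), "Mozilla", "Firefox",
                           "Profiles", "*", "extensions.json")
    for path in glob.glob(pattern):
        rows += firefox_extensions(Path(path).read_text(encoding="utf-8"))
    return rows


# Constructed sample profile data (placeholder ids and paths).
CHROME_PREFS_SAMPLE = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Gameplay Labs Plugin"},
        "state": 1, "location": 3, "from_webstore": False,
        "path": "C:\\Program Files\\GamePlayLabs\\chrome"},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Store add-on (placeholder)"},
        "state": 1, "location": 1, "from_webstore": True, "path": "bbbb\\1.0_0"},
    "cccccccccccccccccccccccccccccccc": {"manifest": {"name": "Disabled add-on (placeholder)"},
        "state": 0, "location": 1, "from_webstore": True}}}})
FIREFOX_EXTENSIONS_SAMPLE = json.dumps({"schemaVersion": 33, "addons": [
    {"id": "plugin@gameplaylabs.example", "type": "extension", "location": "winreg-app-global",
     "active": True, "userDisabled": False, "defaultLocale": {"name": "Gameplay Labs Plugin"},
     "sourceURI": None, "path": "C:\\Program Files\\GamePlayLabs\\firefox"},
    {"id": "good@example.org", "type": "extension", "location": "app-profile",
     "active": True, "userDisabled": False, "defaultLocale": {"name": "Placeholder add-on"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/good.xpi"},
    {"id": "theme@example.org", "type": "theme", "location": "app-profile", "active": True}]})

if __name__ == "__main__":
    rows = scan_live_profiles() or (chrome_extensions(CHROME_PREFS_SAMPLE)
                                    + firefox_extensions(FIREFOX_EXTENSIONS_SAMPLE))
    for r in suspicious(rows):
        print(f"{r['browser']:8} {r['name']!r:32} {r['location']:20} {r['path']}")
```

Registry-provisioned extensions are the usual reason an extension is missing from the user's own AppData extension folders yet comes back on every browser start: the browser re-reads the provisioning key at startup, so the entry has to be removed from the registry (Chrome: HKLM/HKCU\Software\Google\Chrome\Extensions; Firefox: HKLM/HKCU\Software\Mozilla\Firefox\Extensions) and the files it points at deleted, not just disabled in the add-on UI. Internet Explorer keeps its equivalent list under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (plus the Wow6432Node copy on 64-bit Windows), which is where a BHO CLSID like the one polonus searched for would be registered.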