Author Topic: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!


Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #15 on: April 08, 2011, 04:04:13 AM »

Quote
have you updated Malwarebytes since it was first detected?

Yes, MBAM was updated - I always update MBAM before running a scan. However, yesterday BHO was detected and after I restored it, it said the file is safe - I did not update it in between this incident - had the same definitions..
ASRock Extreme 6 - Intel Corei7-3820 3.60GHz | RAM 16.00GB 2400FSB | 2TB HDD +128SSD | NVIDIA GeForce GTX 660 2GB
Windows 7 Ultimate 64bit |Avast! Internet Security V8 | MBAM PRO - RealTime | SUPERAntiSpyware PRO |CC Cleaner | Chrome | Firefox |(The Latest Release of all the Software)

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #16 on: April 08, 2011, 04:05:59 AM »
OK, first reply received.... seems the Sigcheck in VirusTotal is faked

SOPHOS
Quote
The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

BHO.dll -- non-malicious
ibelicomeposu.dll -- identity created/updated (New detection Troj/Agent-RBQ)

The info about BHO seems to be correct - the signatures I mean.. It was designed by game play labs.

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #17 on: April 08, 2011, 04:07:52 AM »
Malwarebytes
Quote
ibelicomeposu.dll  (Trojan.Agent)
BHO.dll  (Spyware.GamePlayLabs)

This is exactly what I got from MBAM - this is what it detected the 2 files as. Did you run a scan with MBAM or? So anyway, do you think these are actual viruses? If so, please send it to Avast labs.

Cheers! :)
« Last Edit: April 08, 2011, 07:58:45 AM by DraKuL »

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #18 on: April 08, 2011, 08:59:25 AM »
Norman
Quote
Both are malware files, added detection.

BHO.dll : Processed - BHO.AAQE
ibelicomeposu.dll : Already detected as Suspicious_Gen2.KSJAM
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #19 on: April 08, 2011, 09:14:48 AM »
Avira
Quote
The file 'BHO.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The file 'ibelicomeposu.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.



ehrmmmm......okay    ???


Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #20 on: April 08, 2011, 09:43:53 AM »
Avira
Quote
The file 'BHO.dll' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The file 'ibelicomeposu.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.



ehrmmmm......okay    ???

Funny, strange... but I tend to trust the Avira findings much more.
After all, Avira has great detection, so their lab must be good...
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #21 on: April 08, 2011, 09:55:41 AM »
I suspect they use some auto-analysis... however Avira detected this in the first place, so I sent it to them as a possible false positive case,
and that should mean they did a manual analysis?...... people also make mistakes..
anyway, samples are sent to avast so now we have to see what they say....
I will see if I can get some extra info from Norman and Malwarebytes


Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #22 on: April 08, 2011, 10:02:42 AM »
I contacted Malwarebytes and they said it's malicious.. Hope Avast! adds it to their definitions :)
« Last Edit: April 08, 2011, 10:08:25 AM by DraKuL »

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #23 on: April 08, 2011, 03:12:00 PM »
Quote
I suspect they use some auto-analysis... however Avira detected this in the first place, so I sent it to them as a possible false positive case,
and that should mean they did a manual analysis?...... people also make mistakes..
anyway, samples are sent to avast so now we have to see what they say....
I will see if I can get some extra info from Norman and Malwarebytes

Avast detects ibelicomeposu.dll as Win32:Malware-gen now :D, they have added it. Still waiting on BHO though.. MBAM admins confirmed that it's spyware too..

BHO.dll (Spyware.GamePlayLabs) - this is how it detects it.

Let me know if you get a reply from Avast!

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #24 on: April 08, 2011, 03:40:07 PM »
Info from Malwarebytes


Quote
Hi Pondus,

Different vendors have different ways of assessing files.

For example, "GamePlayLabs": you just need to read their current EULA to see what they have declared they are harvesting (data) from you once installed = enough for us to classify them as spyware.

Just looking at the file briefly will not tell you this information, but more in-depth research will.

Hope that helps



Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #25 on: April 08, 2011, 04:06:23 PM »
The way it forced me to install was very suspicious.. I actually thought that it was needed to play online videos, which is why I installed it. Hope you forward the email to Avast! and see their response.. Please inform me about what Avast says.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35951
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #26 on: April 08, 2011, 04:13:11 PM »
Quote
Hope you forward the email to Avast! and see their response.. Please inform me about what Avast says.

avast! never responds..... from all the samples I have uploaded I think I have received one "Thanks for samples"   ::)

anyway, you can be sure that they have seen this thread..... so maybe someone from avast! will reply here?


Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Re: MediaPluginInstall from game play labs is a virus!!!
« Reply #27 on: April 08, 2011, 04:36:09 PM »

Quote
avast! never responds..... from all the samples I have uploaded I think I have received one "Thanks for samples"   ::)

lol, maybe they should work a bit on that :) Other sites reply thanking us for the samples and they also give feedback about them, whether they are malicious or not.. Avast! gets so many samples from its users and they should do this for the users, in my opinion :)  The users want to know whether it's a virus or not, and the reasoning.. Sophos is doing a great job at that, and even Malwarebytes gave nice feedback, right? :)

Quote
anyway, you can be sure that they have seen this thread..... so maybe someone from avast! will reply here?

Let's hope so  ;D

PS - I changed the name of the topic, hope it will attract attention  ;D
« Last Edit: April 08, 2011, 04:39:39 PM by DraKuL »

Offline BTCentral

  • Jr. Member
  • **
  • Posts: 50
In my experience, around 99% of sites asking you to install "codecs", "browser extensions" or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine "you need to update" message, then I would be extremely wary of it.

A good example of a "safe" site might be Youtube telling you that your Flash player is out of date and that you need to upgrade, at which point you would be pointed to the Adobe site to download the latest version.

However, for a malicious site telling you that your codecs are out of date and need to be updated to display a video, you will generally find:

1) You are not alerted to this until you click to play the video, at which point you will be presented with a message in the browser that you need to download and install codec "x".
2) When you click the link to download codec "x", the codec will either be hosted on the same domain, e.g. http://reallycoolvideosite.com/codecupdate.13483.exe, or on another odd-looking domain, e.g. http://abxxs1.downloadsvr211.co.cc/codecsetup.1321.exe
3) The download will be started automatically when you click the "you need to update" message.
4) If you click cancel, a JavaScript prompt will be shown multiple times until you click "OK" to download the malicious software.

When it comes to browser extensions and codecs, the best advice I can give is: do not do it unless you are 100% sure it is absolutely safe.

Most importantly, only ever download the latest versions of codecs (or similar) from the developer's website - if they are asking you to download the latest Flash player, go to the Adobe website. If they want you to update Windows Media Player, go to the Microsoft website. Real Player? Go to the RealNetworks, Inc. website - you get the idea, I am sure.

Fake codecs/browser extensions are a fairly big issue, as even now many people are still unaware of the threat.

Some final advice: be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a "video" on Facebook you may find that it takes you to a site that looks like Youtube, or a Youtube video for example, but in fact is not.
If it is a Youtube video, you can generally find this out by right-clicking - as the Flash player options will be shown. If it's a fake video, often you will see either the standard browser right-click menu (e.g. view source etc.) or "view image".

If you do not know what likejacking is, be sure to read up on that here too.

Likejacking can be reasonably harmless, as the majority of the time it is a survey scam (e.g. "fill in this survey to prove you are a human and view the video!"); however it can also be used to spread malicious software (and in this case it sounds like the latter happened).
« Last Edit: April 08, 2011, 05:23:54 PM by BTCentral »
Windows 7 64bit SP1 | Core i7 930 @ 2.93 GHz | 6GB DDR3 Triple Channel RAM | nVidia GTX 460 1GB | x3 1TB Samsung HD103SJ | 1x 1TB Samsung HD103UJ | 1x 2TB Samsung HD204UI | avast! Internet Security 6 | MalwareBytes Pro | Firefox 6.0.2
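The tells listed in the post above (executable "codec" download, hosted on the video site itself or on a throwaway domain, machine-generated hostnames) can be turned into a link check. The following is an added example written for this page, not code from the post, the thread, or any vendor. The vendor allowlist (adobe.com, microsoft.com, real.com), the throwaway-suffix list beyond co.cc, and the Adobe sample link are assumptions; the two suspicious URLs are the ones quoted in the post.

```javascript
// Added example (not from the original thread): heuristic classifier for
// "you need to install codec X" download links, encoding the tells from the
// post above. Vendor allowlist, throwaway-suffix list and sample URLs are
// assumptions made for this demo.

// Official download hosts the post points people to (Adobe, Microsoft,
// RealNetworks). Assumed allowlist; extend it for your own environment.
const VENDOR_HOSTS = ['adobe.com', 'microsoft.com', 'real.com'];

// Free/throwaway hosting suffixes. '.co.cc' is the one quoted in the post;
// the other two are assumptions.
const THROWAWAY_SUFFIXES = ['.co.cc', '.cz.cc', '.tk'];

// True if host is base or a subdomain of base. A lookalike such as
// adobe.com.evil.example ends in ".example", not ".adobe.com", so it fails.
function hostMatches(host, base) {
  return host === base || host.endsWith('.' + base);
}

// Crude eTLD+1: the last two labels. Fine for the demo; use the public
// suffix list in production.
function registrable(host) {
  return host.split('.').slice(-2).join('.');
}

// Classify a download link offered on pageUrl.
// Returns { verdict: 'vendor' | 'suspicious' | 'unknown', reasons: [...] }.
function classifyCodecLink(pageUrl, downloadUrl) {
  const page = new URL(pageUrl);
  const dl = new URL(downloadUrl);
  const host = dl.hostname.toLowerCase();
  const file = dl.pathname.slice(dl.pathname.lastIndexOf('/') + 1).toLowerCase();
  const reasons = [];

  if (VENDOR_HOSTS.some((v) => hostMatches(host, v))) {
    return { verdict: 'vendor', reasons: ['served from an official vendor domain'] };
  }
  if (/\.(exe|msi|scr|com|bat)$/.test(file)) {
    reasons.push('direct executable download');
  }
  if (/^codec\w*\.\d+\.exe$/.test(file)) {
    reasons.push('codec-style filename with a numeric tag (codecupdate.NNNN.exe)');
  }
  if (registrable(host) === registrable(page.hostname.toLowerCase())) {
    reasons.push('"update" hosted on the video site itself, not by the codec vendor');
  }
  if (THROWAWAY_SUFFIXES.some((s) => host.endsWith(s))) {
    reasons.push('free/throwaway hosting domain');
  }
  if (host.split('.').slice(0, -2).some((label) => /\d/.test(label))) {
    reasons.push('machine-generated looking hostname');
  }
  return { verdict: reasons.length ? 'suspicious' : 'unknown', reasons };
}

// Constructed sample links: the two URLs quoted in the post plus an assumed
// genuine Adobe download page.
const SAMPLES = [
  ['http://reallycoolvideosite.com/watch?v=1', 'http://reallycoolvideosite.com/codecupdate.13483.exe'],
  ['http://reallycoolvideosite.com/watch?v=1', 'http://abxxs1.downloadsvr211.co.cc/codecsetup.1321.exe'],
  ['https://www.youtube.com/watch?v=1', 'https://get.adobe.com/flashplayer/'],
];

for (const [page, link] of SAMPLES) {
  const r = classifyCodecLink(page, link);
  console.log(`${r.verdict.padEnd(10)} ${link}\n    ${r.reasons.join('\n    ')}`);
}
```

Run it with node; the two post URLs come back "suspicious" with the specific tells listed, and the vendor link comes back "vendor". The vendor check runs first on purpose: a genuine Adobe download is still an executable, so the extension rule alone would flag it.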

Offline rapa

  • Newbie
  • *
  • Posts: 2
Thanks for your efforts concerning this issue; I do however have one question. Like the previous poster, I installed the program after I was unable to watch the Youtube video posted on Facebook; so far I haven't seen any side effects. My question is, what should I be looking for in "Scan results" to make sure the threat has been removed? I'm using Avast Pro.

The file I've downloaded and installed is called MediaPluginSetup with the rolling movie tape icon.

Thanks in advance.
« Last Edit: April 08, 2011, 05:14:29 PM by rapa »