Author Topic: Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!  (Read 26618 times)


Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
In my experience around 99% of sites asking you to install "codecs", "browser extensions" or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine "you need to update" message, then I would be extremely wary of it.

A good example of a "safe" site might be Youtube telling you that your flash player is out of date and that you need to upgrade. At which point you would be pointed to the Adobe site to download the latest version.

Thanks, this is very informative! And I am aware that most sites get us to install fake add-ons, but this was on Facebook and YouTube - I couldn't play any videos and it made me download a setup and run it (it didn't take me to any external links).

Edit: I'm quite aware of 'likejacking' too, but this was a normal Facebook video. I want to thank you very much for the effort and the post; it's VERY informative and will help so many users :)
« Last Edit: April 09, 2011, 05:45:16 AM by DraKuL »
ASRock Extreme 6 - Intel Corei7-3820 3.60GHz | RAM 16.00GB 2400FSB | 2TB HDD +128SSD | NVIDIA GeForce GTX 660 2GB
Windows 7 Ultimate 64bit |Avast! Internet Security V8 | MBAM PRO - RealTime | SUPERAntiSpyware PRO |CC Cleaner | Chrome | Firefox |(The Latest Release of all the Software)

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Thanks for your efforts concerning this issue; I do however have one question. I have, exactly like the previous poster, installed the program after I was unable to watch the YouTube video posted on Facebook; so far I haven't seen any side effects. My question is what should I be looking for in "Scan results" to make sure the threat has been removed. I'm using Avast Pro.

Thanks in advance.

The name of the spyware is MediaPlugin and the name of the setup file is MediaPluginInstall.  The company/organization that developed it is GamePlayLabs.

If you use MBAM it will detect this file. I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them. Do not run the uninstaller provided - it didn't work for me. If you use MBAM to clean it, MBAM will remove the registry files as well! But there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you're using Windows 7 / Vista; if it's XP the path will be different.
« Last Edit: April 09, 2011, 05:47:37 AM by DraKuL »

Offline BTCentral

  • Jr. Member
  • **
  • Posts: 50
Thanks, this is very informative! And I am aware that most sites get us to install fake add-ons, but this was on Facebook and YouTube - I couldn't play any videos and it made me download a setup and run it. I trusted it because FB and YouTube both asked for the link.
Funnily enough, I just edited my post to add a specific warning about facebook:

Some final advice: Be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a "video" on Facebook you may find that it takes you to a site that looks like YouTube, or a YouTube video for example, but in fact is not.
If it is a YouTube video, you can generally find this out by right-clicking - as the Flash player options will be shown. If it's a fake video, often you will see either the standard browser right-click menu (e.g. view source etc.) or "view image".

If you do not know what likejacking is, be sure to read up on that here too.

Likejacking can be reasonably harmless as the majority of the time it is a survey scam (e.g. fill in this survey to prove you are a human and view the video!) however it can also be used to spread malicious software (and in this case it sounds like the latter happened).

Another issue - does anyone know how to remove the "Twitter" logo from Avast! notifications? I mainly get it when there are threat alerts, the little "T" logo - I find this VERY annoying and out of place. I don't know why they have put it there in the first place since it's very inappropriate. Please let me know if anyone knows how to remove it :)
Unfortunately currently there is no way to disable this. Nor the "Like" button in the main user interface :(

Considering you are using the paid version of the software (as am I), I think there should be an option to disable these... maybe in the future?
« Last Edit: April 08, 2011, 05:26:09 PM by BTCentral »
Windows 7 64bit SP1 | Core i7 930 @ 2.93 GHz | 6GB DDR3 Triple Channel RAM | nVidia GTX 460 1GB | x3 1TB Samsung HD103SJ | 1x 1TB Samsung HD103UJ | 1x 2TB Samsung HD204UI | avast! Internet Security 6 | MalwareBytes Pro | Firefox 6.0.2

Offline rapa

  • Newbie
  • *
  • Posts: 2
The name of the spyware is MediaPluginInstall; it's installed from game play labs.

Thanks for your help. Unfortunately I am using Win XP, so if there's any chance, can you advise me on where the files might be in Windows XP? Also, I've just downloaded the MBAM trial; I hope it does the job.

Offline BTCentral

  • Jr. Member
  • **
  • Posts: 50

If it is the same software, then you will likely find the path is:
C:\Documents and Settings\Username\Application Data\Local\Browser Plugin\

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
Yes it does! :) And when it cleans it you will be able to see it in the quarantine list - from there you can get the location of the other files :)

The MBAM free version is just as good as the paid one, but the main difference is that it doesn't provide real-time protection, only on-demand scanning.

Also make sure you update it before scanning!

Cheers!

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2613
  • I can resist anything except temptation.
    • tex62

It's in the Betas already, so there will be the disabling option.
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
@BTCentral - Even I edited my post about it! ;D I'm well aware of Facebook scandals! Sadly, so many people fall for them. Again I'd like to say that this is very informative, and thanks!

@Zyndstoff - Yeah, I heard. Actually I like the 'Like' button ;D it's only the Twitter logo I can't stand ;D

Offline BTCentral

  • Jr. Member
  • **
  • Posts: 50
Again I'd like to say that this is very informative and thanks!
No problem :)


It's in the Betas already, so there will be the disabling option.
Great news, thanks for letting me know :)

Offline MichaelT.

  • Jr. Member
  • **
  • Posts: 99
People still download stuff from Facebook???????? :o :o

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
People still download stuff from Facebook???????? :o :o

I didn't download anything. I just tried to watch a YouTube link posted on Facebook and we were asked to install this plugin, which it said was required to play the video. So I downloaded and installed it because it said that it's required to play the video.
« Last Edit: April 10, 2011, 09:12:36 AM by DraKuL »

Offline moskri

  • Newbie
  • *
  • Posts: 2

Hello everyone. I had the same problem, and 10 minutes ago I deleted BHO.dll, but in Firefox this message appears all the time whenever I google something or whenever I browse Facebook. So how do I remove this from Firefox? BTW, on Google Chrome my antivirus doesn't pop up with an error, but in Firefox it keeps popping up, even while I'm typing this. Here's the screen cap:
http://i55.tinypic.com/o94meq.jpg   

So, can I somehow remove this "plugin" or whatever it's called? Or should I just reinstall Firefox and hope for the best? :D Thanks in advance everyone.

Offline moskri

  • Newbie
  • *
  • Posts: 2
I just found the solution. I needed to remove the GamePlayLabs add-on in Firefox and then restart it. That was it. ;D I hope now everything is going to work fine.

Offline DraKuL

  • Sr. Member
  • ****
  • Posts: 392
I just found the solution. I needed to remove the GamePlayLabs add-on in Firefox and then restart it. That was it. ;D I hope now everything is going to work fine.

Do a quick scan with MBAM just to make sure :)

Offline nounzein

  • Newbie
  • *
  • Posts: 2
I've made the same mistake: I downloaded and installed this file.

The report in VirusTotal shows me:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MediaPluginSetup.exe
Submission date: 2011-04-14 16:20:56 (UTC)
Current status: finished
Result: 2/ 40 (5.0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2011.04.14.00   2011.04.14   -
AntiVir   7.11.6.109   2011.04.14   -
Antiy-AVL   2.0.3.7   2011.04.14   -
Avast   4.8.1351.0   2011.04.14   -
Avast5   5.0.677.0   2011.04.14   -
AVG   10.0.0.1190   2011.04.14   BHO.C
BitDefender   7.2   2011.04.14   -
CAT-QuickHeal   11.00   2011.04.14   -
ClamAV   0.97.0.0   2011.04.14   -
Commtouch   5.2.11.5   2011.04.14   -
Comodo   8340   2011.04.14   -
DrWeb   5.0.2.03300   2011.04.14   -
eSafe   7.0.17.0   2011.04.13   -
eTrust-Vet   36.1.8271   2011.04.14   -
F-Prot   4.6.2.117   2011.04.13   -
F-Secure   9.0.16440.0   2011.04.14   -
Fortinet   4.2.257.0   2011.04.14   -
GData   22   2011.04.14   -
Ikarus   T3.1.1.103.0   2011.04.14   -
Jiangmin   13.0.900   2011.04.13   -
K7AntiVirus   9.96.4382   2011.04.13   -
Kaspersky   7.0.0.125   2011.04.14   -
McAfee   5.400.0.1158   2011.04.14   -
McAfee-GW-Edition   2010.1D   2011.04.14   -
Microsoft   1.6702   2011.04.14   -
NOD32   6041   2011.04.14   -
Norman   6.07.07   2011.04.13   -
Panda   10.0.3.5   2011.04.14   -
PCTools   7.0.3.5   2011.04.14   -
Prevx   3.0   2011.04.14   -
Rising   23.53.03.06   2011.04.14   -
Sophos   4.64.0   2011.04.14   -
SUPERAntiSpyware   4.40.0.1006   2011.04.14   -
Symantec   20101.3.2.89   2011.04.14   -
TheHacker   6.7.0.1.173   2011.04.13   -
TrendMicro   9.200.0.1012   2011.04.14   -
TrendMicro-HouseCall   9.200.0.1012   2011.04.14   -
VIPRE   9013   2011.04.14   GamePlayLabs (v)
ViRobot   2011.4.14.4410   2011.04.14   -
VirusBuster   13.6.305.0   2011.04.14   -
Additional information
MD5   : 3ce497d244bed4b425343edee3ee9caf
SHA1  : 33d87ca16e90458483127b46175ff09e8fb31afb
SHA256: 1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018

Avast didn't notice anything!!!! I was using Chrome.
I'll try to remove it as shown here; I hope it works...
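The removal post earlier in this thread names the drop folder (the "Browser Plugin" folder under the user's local application data) and the BHO.dll inside it, and the VirusTotal report just above gives the installer's MD5, SHA1 and SHA256. The PowerShell script below is an added example, not code from the thread or from any of the posters: it lists every Browser Helper Object registered for Internet Explorer, resolves each CLSID to the DLL it loads, flags DLLs that live under the user profile (legitimate BHOs are installed under Program Files, not AppData), hashes whatever is still in the drop folder, and checks a saved copy of the installer against the three hashes from the report. The registry keys and the shell-folder lookup are standard Windows locations; the function names, the flagging rule and the assumed Downloads path are the example's own. The folder is resolved through the shell API rather than hard-coded, so on XP (where %LOCALAPPDATA% is not defined) it lands in Local Settings\Application Data under Documents and Settings, and on Vista/7 in the AppData\Local path quoted above. It covers the IE side only; the Firefox add-on moskri found is removed through the Firefox Add-ons manager as described in that post.

```powershell
# Added example (not from the forum thread): audit IE Browser Helper Objects,
# hash leftovers in the "Browser Plugin" folder, and verify a suspect installer.
# Function names and the Downloads path are assumptions for illustration.
# Run from an elevated PowerShell prompt on the affected machine.

# BHO registrations live under HKLM; 32-bit IE on 64-bit Windows also reads Wow6432Node.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Drop folder named in the thread, resolved via the shell API so it is correct on
# XP (Local Settings\Application Data) and on Vista/7 (%LOCALAPPDATA%).
$SuspectDir = Join-Path ([Environment]::GetFolderPath('LocalApplicationData')) 'Browser Plugin'

# Hashes of MediaPluginSetup.exe taken from the VirusTotal report posted in this thread.
$KnownInstaller = @{
    'MD5'    = '3ce497d244bed4b425343edee3ee9caf'
    'SHA1'   = '33d87ca16e90458483127b46175ff09e8fb31afb'
    'SHA256' = '1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018'
}

function Get-FileDigest {
    # .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.0 (Windows 7 / XP era).
    param([string]$Path, [string]$Algorithm = 'SHA256')
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

function Get-RegisteredBho {
    # One object per registered BHO: CLSID, the DLL IE will load, and whether that DLL
    # sits under the user profile (a BHO loading from AppData is the pattern in this thread).
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $dll   = $null
            # HKEY_CLASSES_ROOT merges machine-wide and per-user class registrations.
            foreach ($clsRoot in @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
                $srv = "$clsRoot\$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $raw = (Get-ItemProperty $srv).'(default)'
                    if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                    break
                }
            }
            $inProfile = ($dll -ne $null) -and $dll.ToLower().StartsWith($env:USERPROFILE.ToLower())
            $exists    = ($dll -ne $null) -and (Test-Path $dll)
            New-Object PSObject -Property @{
                Clsid         = $clsid
                RegistryKey   = $key.Name
                Dll           = $dll
                InUserProfile = $inProfile
                DllExists     = $exists
                Sha256        = $(if ($exists) { Get-FileDigest $dll 'SHA256' } else { $null })
            }
        }
    }
}

function Test-KnownInstaller {
    # True only if the file matches every hash in the report (same sample, not just a name match).
    param([string]$Path)
    foreach ($alg in $KnownInstaller.Keys) {
        if ((Get-FileDigest $Path $alg) -ne $KnownInstaller[$alg]) { return $false }
    }
    return $true
}

# --- Report -------------------------------------------------------------------
Write-Host "Registered Browser Helper Objects (user-profile DLLs first):"
Get-RegisteredBho | Sort-Object InUserProfile -Descending |
    Format-Table Clsid, InUserProfile, DllExists, Dll -AutoSize

if (Test-Path $SuspectDir) {
    Write-Host "`nFiles still present in $SuspectDir (record the hashes before deleting):"
    Get-ChildItem $SuspectDir -Recurse | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { "{0}  {1}" -f (Get-FileDigest $_.FullName 'SHA256'), $_.FullName }
} else {
    Write-Host "`n$SuspectDir not found."
}

# Assumed location of the saved installer; adjust to wherever the browser put it.
$installer = Join-Path $env:USERPROFILE 'Downloads\MediaPluginSetup.exe'
if (Test-Path $installer) {
    if (Test-KnownInstaller $installer) { Write-Host "`n$installer matches the sample in the VirusTotal report." }
    else { Write-Host "`n$installer does not match the reported hashes (a different build or a different file)." }
}
```

A BHO whose DLL path is under the user profile, or whose CLSID no longer resolves to a file on disk, is what to look at after a manual delete like the one described in the thread: deleting BHO.dll removes the code but leaves the registration behind, and the registry key under Browser Helper Objects (plus the CLSID's InprocServer32 entry) is the leftover MBAM cleans up. Hashing the leftovers before deletion gives you something to compare against a later report.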