Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!

[DraKuL]

Last month I clicked a video on facebook, and it was unable to play. A download window popped up and i downloaded MediaPluginSetup from Game Play labs. I installed this addon and the video played fine. Today my computer's RAM usage was quite high although I didnt have any programs running, also the CPU fan was going nuts!! Also I got several network threat alerts from Avast! I had MBAM PRO running on real time + AIS 6, none of them detected this till today. I just wanted to check what was wrong so ran a quick scan and it detected this as a spyware..

I wanted to submit it to Avast virus lab but after I restored from MBAM quarantine it shows the file as safe! Still I uploaded it to Avast labs hope they add it, but just in case can one of you guys inform an Admin about this ? its MediaPluginSetup  from Game Play labs.

Another issue - Does anyone know how to remove the "twitter" logo from Avast! notifications? I mainly get it when there are threat alerts, the little "T" logo - I find this VERY annoying and out of place.. I dont know why they have put it there in the first place since its very inappropriate.. Please let me know if anyone knows how to remove it

[Pondus]

upload suspicious file(s) to www.virustotal.com and test with 43 malware scanners
when you have the result, copy the URL in the address bar and post it here so we can see

alternatives
VirSCAN  http://virscan.org/
Jotti    http://virusscan.jotti.org/en

[DraKuL]

Like I said, after restoring it from MBAM quarantine it doesnt detect that as a threat anymore.. But I'm pretty sure that it is a threat because MBAM detected it along with several other registry keys..

[Pondus]

Like i said...test suspicious file(s) at virustotal
the more who detect the bigger the chance for a real detection

[DraKuL]

Ok I will try but what I meant what, what if MBAM "cleaned" or "disinfected" the file ? Also my Avast GUI became a bit messed up just now, dont know if it has anything to do with the infection, I'm running a scan on SAS as well, will restart the pc and see if it will be back to normal.. but at the moment its like this -

[Pondus]

MBAM does not clean file(s) it move infected files to quarantine

The Malware MBAM looks for is not cleanable

On the other hand, antivirus software can't 'clean' a worm or a trojan, because there is nothing to clean - the entire file IS the worm or trojan.

http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

[DraKuL]

Oh ok. Thanks for the info!   Anyway I dont know why MBAM doesnt detect the file as a virus once I restore it  guess I ll have to ask their admins about it..

Anyway I scanned it on VirusTotal - there was another potential malware that Avast! didnt detect so I scanned that as well.. So the 2 links for the files are

http://www.virustotal.com/file-scan/report.html?id=4dd6ec9895a6a5a362e0835b258440c86cb1103da7d424826565b14e266c53c3-1302193615

http://www.virustotal.com/file-scan/report.html?id=277b179862655d592587ad3597c1c5ebf8f99a76247a5b8561aec45d8e8edc33-1302193556

[Pondus]

My guess is False Positives

File  -   ibelicomeposu.dll

sigcheck:
publisher....: Realtek Semiconductor Corp.
copyright....: Copyright (c) 2004 Realtek Semiconductor Corp.
product......: Realtek AC97 Audio - Event Monitor
description..: Realtek Azalia Audio - Event Monitor
original name: Alcxmntr.exe
internal name: Alcxmntr
file version.: 1, 6, 0, 4
comments.....:
signers......: -
signing date.: -
verified.....: Unsigned


File - BHO.dll

igcheck:
publisher....: GamePlayLabs
copyright....: Copyright 2010. All rights reserved.
product......: GamePlayLabs Browser Helper Object
description..: GamePlayLabs Browser Helper Object
original name: BHO.dll
internal name: BHO.dll
file version.: 1.0.0.1
comments.....: GamePlayLabs Browser Helper Object
signers......: -
signing date.: -
verified.....: Unsigned

[DraKuL]

ibelicomeposu.dll was detected as a malware on quite a bit of different software..
(10/41)

Also May I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..

about BHO - as I explained in the first post, I was forced to install it (couldnt play videos online without this plugin), but now after it being removed the videos are playing fine, I find that a little bit suspicious..

Thanks for taking your time to help me out

[Zyndstoff (aka Steven Gail)]

I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..

On virustotal.com, result-page (your link), click button "additional info -> show all" 

[Pondus]

Also May I know how you got the info about this file? The info you typed is very accurate, but when I googled it, no results came up..

scroll down the VirusTotal scan, and you will se a button on right side > Additional information  " SHOW ALL"


see your message box...top right "MY MESSAGES"

[DraKuL]

lol cant believe I didnt see that! Thanks guys!

@pondus - I replied to the msg.

[Pondus]

Oh ok. Thanks for the info!   Anyway I dont know why MBAM doesnt detect the file as a virus once I restore it   guess I ll have to ask their admins about it..

have you updated Malwarebytes since it was first detected ?

[Pondus]

OK first reply recived....seems the Sigcheck in Virustotal is faked

SOPHOS

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

BHO.dll -- non-malicious
ibelicomeposu.dll -- identity created/updated (New detection Troj/Agent-RBQ)

[Pondus]

Malwarebytes

ibelicomeposu.dll  (Trojan.Agent)
BHO.dll  (Spyware.GamePlayLabs)