Potential Malware!! :- MediaPluginInstall from GamePlayLabs is spyware!!!

Funny, strange… but I tend to trust the Avira findings much more.
After all, Avira has great detection, so their lab must be good…

I suspect they use some auto-analysis… however Avira detected this in the first place, so I sent it to them as a possible False Positive case,
and that should mean they did a manual analysis? People also make mistakes…
Anyway, samples are sent to Avast, so now we have to see what they say…
I will see if I can get some extra info from Norman and Malwarebytes.

I contacted Malwarebytes and they said it's malicious… Hope Avast! adds it to their definitions :slight_smile:

Avast detects ibelicomeposu.dll as Win32:Malware-gen now :smiley: they have added it. Still waiting on BHO though… MBAM admins confirmed that it's spyware too…

BHO.dll (Spyware.GamePlayLabs) - this is how it detects it.

Let me know if you get a reply from Avast!

Info from Malwarebytes

Hi Pondus,

Different vendors have different ways of assessing files.

For example, “GamePlayLabs”: you just need to read their current EULA to see what they have declared they are harvesting (data) from you once installed = enough for us to classify them as spyware.

Just looking at the file briefly will not tell you this information, but more in-depth research will.

Hope that helps

The way it forced me to install was very suspicious… I actually thought that it was needed to play online videos, which is why I installed it. Hope you forward the email to Avast! and see their response… Please inform me about what Avast says.

avast! never responds… from all the samples I have uploaded I think I have received one “Thanks for samples” ::slight_smile:

Anyway, you can be sure that they have seen this thread… so maybe someone from avast! will reply here?

lol maybe they should work a bit on that :slight_smile: Other sites reply thanking us for the samples and they also give feedback about them, whether they are malicious or not… Avast! gets so many samples from its users and they should do this for the users in my opinion :slight_smile: The users want to know whether it's a virus or not and the reasoning… Sophos is doing a great job at that, even Malwarebytes gave nice feedback, right? :slight_smile:

Lets hope so ;D

PS - I changed the name of the topic, hope it will attract attention ;D

In my experience around 99% of sites asking you to install “codecs”, “browser extensions” or similar to view videos are sites that contain malicious software of some sort (a virus, trojan or spyware - sometimes even all of the above).
Unless you are 100% positive that it is a safe site, and it is providing a genuine “you need to update” message, then I would be extremely wary of it.

A good example of a “safe” site might be Youtube telling you that your flash player is out of date and that you need to upgrade. At which point you would be pointed to the Adobe site to download the latest version.

However for a malicious site telling you that your codecs are out of date and need to be updated to display a video you will generally find:

  1. You are not alerted to this until you click to play the video, at which point you will be presented with a message in the browser that you need to download and install codec “x”.
  2. When you click the link to download codec “x” the codec will either be hosted on the same domain e.g. http://reallycoolvideosite.com/codecupdate.13483.exe or another odd looking domain e.g. http://abxxs1.downloadsvr211.co.cc/codecsetup.1321.exe
  3. The download will be started automatically when you click the “you need to update” message.
  4. If you click cancel, a JavaScript prompt will be shown multiple times until you click “OK” to download the malicious software.

When it comes to browser extensions and codecs the best advice I can give is do not do it unless you are 100% sure it is absolutely safe.

Most importantly, only ever download the latest versions of codecs (or similar) from the developer's website - if they are asking you to download the latest Flash Player, go to the Adobe website. If they want you to update Windows Media Player, go to the Microsoft website. RealPlayer? Go to the RealNetworks, Inc. website - you get the idea, I am sure.

Fake codec/browser extensions are a fairly big issue as even now many people are still unaware of the threat.

Some final advice: Be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a “video” on Facebook you may find that it takes you to a site that looks like YouTube, or a YouTube video for example, but in fact is not.
If it is a YouTube video, you can generally find this out by right-clicking - as the Flash Player options will be shown. If it's a fake video, often you will see either the standard browser right-click menu (e.g. view source etc.) or “view image”.

If you do not know what likejacking is, be sure to read up on that here too.

Likejacking can be reasonably harmless, as the majority of the time it is a survey scam (e.g. fill in this survey to prove you are a human and view the video!); however, it can also be used to spread malicious software (and in this case it sounds like the latter happened).

Thanks for your efforts concerning this issue; I do however have one question. Exactly like the previous poster, I installed the program after I was unable to watch the YouTube video posted on Facebook; so far I haven't seen any side effects. My question is: what should I be looking for in “Scan results” to make sure the threat has been removed? I'm using Avast Pro.

The file I’ve downloaded and installed is called MediaPluginSetup with the rolling movie tape icon.

Thanks in advance.

Thanks, this is very informative! I am aware that most sites get us to install fake add-ons, but this was in Facebook and YouTube - I couldn't play any videos and it made me download a setup and run it (didn't take me to any external links)…

Edit: I'm quite aware of ‘likejacking’ too, but this was a normal Facebook video… I want to thank you very much for the effort and the post; it's VERY informative and will help so many users :slight_smile:

The name of the spyware is MediaPlugin and the name of the setup file is MediaPluginInstall. The company/organization that developed it is GamePlayLabs.

If you use MBAM it will detect this file, I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them; do not run the uninstaller provided - it didn't work for me… If you use MBAM to clean it, MBAM will remove the registry files as well! But there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you're using Windows 7 / Vista; if it's XP the path will be different.

Funnily enough, I just edited my post to add a specific warning about Facebook:

Some final advice: Be very careful when you click links posted via Facebook. Likejacking is extremely common, and if you click a “video” on Facebook you may find that it takes you to a site that looks like YouTube, or a YouTube video for example, but in fact is not.
If it is a YouTube video, you can generally find this out by right-clicking - as the Flash Player options will be shown. If it's a fake video, often you will see either the standard browser right-click menu (e.g. view source etc.) or “view image”.

If you do not know what likejacking is, be sure to read up on that here too.

Likejacking can be reasonably harmless, as the majority of the time it is a survey scam (e.g. fill in this survey to prove you are a human and view the video!); however, it can also be used to spread malicious software (and in this case it sounds like the latter happened).

Unfortunately currently there is no way to disable this. Nor the “Like” button in the main user interface :frowning:

Considering you are using the paid version of the software (as am I), I think there should be an option to disable these… maybe in the future?

Thanks for your help. Unfortunately I am using Win XP, so if there's any chance you can advise me on where the files might be in Windows XP... Also, I've just downloaded the MBAM trial; I hope it does the job.

If it is the same software, then you will likely find the path is:
C:\Documents and Settings\Username\Application Data\Local\Browser Plugin\
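As an added example (my own code, not from the thread, Malwarebytes or Avast), here is a read-only PowerShell check covering both the removal advice above and the XP path just given: it lists whatever is in the “Browser Plugin” folder for the Vista/7 and XP locations the thread names, then enumerates the registered Browser Helper Objects and resolves each CLSID to the DLL it loads, so a BHO.dll living under that folder, or a registration left dangling after the files were deleted, stands out. The registry keys are the standard BHO registration locations; the folder paths and the BHO.dll name come from the thread; the “suspicious” heuristics are my assumptions. It reports only and deletes nothing, which leaves the cleanup to MBAM as the thread recommends.

```powershell
# Added example: audit Browser Helper Objects and the "Browser Plugin" folder
# named in the thread. Read-only; requires PowerShell 3.0+ for [pscustomobject].
# Run from an elevated prompt so HKLM keys and Program Files DLLs are readable.

# Candidate folders from the thread. $env:LOCALAPPDATA is empty on XP, so the
# second entry (the XP path as posted in the thread) covers that case; the
# filter drops any path that did not expand or does not exist.
$candidateDirs = @(
    "$env:LOCALAPPDATA\Browser Plugin",
    "$env:APPDATA\Local\Browser Plugin"
) | Where-Object { $_ -notlike '\*' -and (Test-Path -LiteralPath $_) }

foreach ($dir in $candidateDirs) {
    Write-Host "Found plugin folder: $dir"
    Get-ChildItem -LiteralPath $dir -Force |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
}

# Standard BHO registration keys (64-bit Windows also has the Wow6432Node copy).
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
) | Where-Object { Test-Path -LiteralPath $_ }

# CLSID roots to consult when resolving a BHO's CLSID to its InprocServer32 DLL.
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID',
    'HKCU:\Software\Classes\CLSID'
)

$results = foreach ($key in $bhoKeys) {
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($root in $clsidRoots) {
            $inproc = "$root\$clsid\InprocServer32"
            if (Test-Path -LiteralPath $inproc) {
                # The (default) value of InprocServer32 is the DLL path the BHO loads.
                $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($dll) { break }
            }
        }
        $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
        $onDisk = [bool]$expanded -and (Test-Path -LiteralPath $expanded)

        # Heuristics (assumptions, not a vendor signature): the DLL is missing on
        # disk (orphaned registration), sits under a "Browser Plugin" folder, or
        # is named BHO.dll as in the thread.
        $suspicious = ($expanded -and -not $onDisk) -or
                      ($expanded -match '(?i)\\browser plugin\\') -or
                      ($expanded -match '(?i)\\bho\.dll$')

        [pscustomobject]@{
            Key        = $key
            CLSID      = $clsid
            Dll        = $expanded
            Signature  = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'n/a' }
            Suspicious = $suspicious
        }
    }
}

if ($results) {
    $results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
} else {
    Write-Host 'No Browser Helper Objects are registered.'
}
```

Anything reported with Suspicious set to True, or with an unsigned DLL, is worth checking against the MBAM quarantine list mentioned later in the thread before deciding it is a harmless leftover.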

Yes it does! :slight_smile: and when it cleans it you will be able to see it in the quarantine list - from there you can get the location of the other files :slight_smile:

The MBAM free version is just as good as the paid one, but the main difference is that it doesn't provide real-time protection… only on-demand scanning.

Also make sure you update it before scanning!

Cheers!

It’s in the Betas already, so there will be the disabling option.

@BTCentral - Even I edited my post about it! ;D I'm well aware of Facebook scandals! Sadly so many people fall for them… Again I'd like to say that this is very informative, and thanks!

@Zyndstoff - Yeah, I heard. Actually I like the ‘like’ button ;D it's only the Twitter logo I can't stand ;D

No problem :slight_smile:

Great news, thanks for letting me know :slight_smile:

People still download stuff from Facebook??? :o :o