DraKuL
41
I didn’t download anything… Just tried to watch a YouTube link posted on Facebook and we were asked to install this plugin which it said that it requires to play the video… So downloaded and installed it because it said that it’s required to play the video…
system
42
Hello everyone. I had the same problem, and 10 minutes ago, I did delete BHO.dll, but in Firefox, this message appears all the time whenever I google something or whenever I browse Facebook. So how to remove this from Firefox? Btw, on Google Chrome my antivirus doesn’t pop up with an error, but on Firefox it keeps popping out, even while I’m typing this. Here’s the screen cap:
http://i55.tinypic.com/o94meq.jpg
So, can I somehow remove this “plugin” or whatever it’s called? Or should I just reinstall Firefox and hope for the best?
Thanks in advance everyone.
system
43
I just found the solution. Needed to remove GamePlayLabs add-on in Firefox and then restarted it. That was it. ;D I hope now everything is going to work fine.
DraKuL
44
Do a quick scan with MBAM just to make sure 
system
45
I’ve made the same mistake: I downloaded and installed this file.
The report in VirusTotal shows me:
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MediaPluginSetup.exe
Submission date: 2011-04-14 16:20:56 (UTC)
Current status: finished
Result: 2/ 40 (5.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.04.14.00 2011.04.14 -
AntiVir 7.11.6.109 2011.04.14 -
Antiy-AVL 2.0.3.7 2011.04.14 -
Avast 4.8.1351.0 2011.04.14 -
Avast5 5.0.677.0 2011.04.14 -
AVG 10.0.0.1190 2011.04.14 BHO.C
BitDefender 7.2 2011.04.14 -
CAT-QuickHeal 11.00 2011.04.14 -
ClamAV 0.97.0.0 2011.04.14 -
Commtouch 5.2.11.5 2011.04.14 -
Comodo 8340 2011.04.14 -
DrWeb 5.0.2.03300 2011.04.14 -
eSafe 7.0.17.0 2011.04.13 -
eTrust-Vet 36.1.8271 2011.04.14 -
F-Prot 4.6.2.117 2011.04.13 -
F-Secure 9.0.16440.0 2011.04.14 -
Fortinet 4.2.257.0 2011.04.14 -
GData 22 2011.04.14 -
Ikarus T3.1.1.103.0 2011.04.14 -
Jiangmin 13.0.900 2011.04.13 -
K7AntiVirus 9.96.4382 2011.04.13 -
Kaspersky 7.0.0.125 2011.04.14 -
McAfee 5.400.0.1158 2011.04.14 -
McAfee-GW-Edition 2010.1D 2011.04.14 -
Microsoft 1.6702 2011.04.14 -
NOD32 6041 2011.04.14 -
Norman 6.07.07 2011.04.13 -
Panda 10.0.3.5 2011.04.14 -
PCTools 7.0.3.5 2011.04.14 -
Prevx 3.0 2011.04.14 -
Rising 23.53.03.06 2011.04.14 -
Sophos 4.64.0 2011.04.14 -
SUPERAntiSpyware 4.40.0.1006 2011.04.14 -
Symantec 20101.3.2.89 2011.04.14 -
TheHacker 6.7.0.1.173 2011.04.13 -
TrendMicro 9.200.0.1012 2011.04.14 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.14 -
VIPRE 9013 2011.04.14 GamePlayLabs (v)
ViRobot 2011.4.14.4410 2011.04.14 -
VirusBuster 13.6.305.0 2011.04.14 -
MD5 : 3ce497d244bed4b425343edee3ee9caf
SHA1 : 33d87ca16e90458483127b46175ff09e8fb31afb
SHA256: 1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018
Avast didn’t notice anything!!! I was using Chrome.
I’ll try to remove it as shown here, I hope it will work…
What do you want Avast to notice?
There’s 38 scanners out of 40 that say it’s clean. ???
And one of the others is VIPRE… not known for good results anyway.
Pondus
47
I’m aware of that.
Didn’t know you can distinguish malware by reading the EULA… most of every software would be malware in one way or the other if you take their respective EULA literally.
Pondus
49
Didn't know you can distinguish malware by reading the EULA
They did more than just read the EULA.
Just looking at the file briefly will not tell you this information, but more in-depth research will.
So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?
Hi Pondus,
Two flags are more than one as searched the malware hash…
VirusTotal.com 2/40 (5%) detected malware
ThreatExpert.com New/Nothing Found
Team-CYMRU.org New/Nothing Found
Now let’s use the common Google search query “MediaPluginSetup.exe BHO.C” and what do we get…e.g.:
This report for WOT: http://www.mywot.com/en/forum/11086-fake-media-player-spreading-through-facebook
This with another added flag: http://virscan.org/report/36f7a8ba55a616e274915fa4a3e3c4b1.html
CP Secure finding: Troj.Downloader.W32.Aphex.020
So what do you think?
polonus
Pondus
52
So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?
Is it the exact same sample? Same MD5?
Sorry, I don’t have that file. I would just like to see more scanners jumping on it.
Pondus
57
Yep, seems to be the same type, but different MD5…
Looks as if they do the same as with FakeAV… new MD5 on every sample…
So I was hoping @nounzein would respond so I could get his sample to be 100% sure.
Here is one more, and again a new MD5:
http://www.virustotal.com/file-scan/report.html?id=1ffb8c2870f5913928817d64ae361f0a26c20085b64b8336709aa48ee8ce5690-1302812934
Malwarebytes detect as - Spyware.GamePlayLabs
Hi Pondus,
So the morphing goes on like in “neverending story”, good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet. Question is this an older one:
htxp://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=4
poor rep scan: http://www.mywot.com/en/scorecard/d.gameplaylabs.com
Scanned without results here: http://wepawet.iseclab.org/domain.php?hash=a8445223b1364b1b8a9a9bc4f7180d42&type=js
Check the MD5 hashes at virus check, I think not reported yet,
polonus
Pondus
59
Hi Pondus,
So the morphing goes on like in “neverending story”, good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet,
polonus
I will upload the sample to them 
DraKuL
60
I’d like to say that Malwarebytes’ definitions are spot on! The way they make users download and install that plugin, and the fact that you don’t actually need it to play videos on Facebook is very suspicious… (As shown in the link polonus posted)
Hope Avast adds it to their definitions as it would help so many users…
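
The observation made earlier in the thread, that every sample of this installer carries a new MD5, is why an exact-hash blocklist misses repacked copies while a content indicator still matches. The following is an added example, not part of any post: the byte strings are constructed stand-ins rather than real samples, the function names are hypothetical, and the only value taken from the thread is the host d.gameplaylabs.com.

```python
import hashlib

# Host named in the thread, used here as a content indicator.
INDICATORS = ["d.gameplaylabs.com"]

# Constructed stand-ins (not real samples): one family, repacked twice.
# Sample B stores the host as UTF-16LE and carries different padding.
SAMPLE_A = b"MZ\x90\x00" + b"GET d.gameplaylabs.com/install.xml" + b"\x00" * 32
SAMPLE_B = b"MZ\x90\x00" + "D.GamePlayLabs.com".encode("utf-16-le") + b"\xcc" * 57
CLEAN = b"MZ\x90\x00" + b"ordinary installer, no indicator" + b"\x00" * 8


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_match(data: bytes, blocklist: set[str]) -> bool:
    """Exact-hash lookup: any byte change in the file defeats it."""
    return md5_hex(data) in blocklist


def content_match(data: bytes, indicators: list[str]) -> list[str]:
    """Find indicators stored as ASCII or UTF-16LE, case-insensitively."""
    haystack = data.lower()  # lowers ASCII letters only, other bytes unchanged
    hits = []
    for ind in indicators:
        needle = ind.lower()
        if needle.encode("ascii") in haystack or needle.encode("utf-16-le") in haystack:
            hits.append(ind)
    return hits


def triage(samples: dict[str, bytes], blocklist: set[str]) -> dict:
    """Map each sample name to (hash_hit, content_hits)."""
    return {name: (hash_match(blob, blocklist), content_match(blob, INDICATORS))
            for name, blob in samples.items()}


# Blocklist built from the first sample only, as a hash feed would have it.
BLOCKLIST = {md5_hex(SAMPLE_A)}

if __name__ == "__main__":
    samples = {"A": SAMPLE_A, "B": SAMPLE_B, "clean": CLEAN}
    for name, (by_hash, by_content) in triage(samples, BLOCKLIST).items():
        print(f"{name}: hash_hit={by_hash} content_hits={by_content}")
```

A plain string search like this only works while the indicator is stored unobfuscated in the file; a packed or encrypted installer would need unpacking or behavioural detection first.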