Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!

DraKuL · April 10, 2011, 7:10am

I didnt download anything… Just tried to watch a youtube link posted on facebook and we were asked to install this plugin which it said that it requires to play the video… So downloaded and installed it because it said that its required to play the video…

system · April 10, 2011, 11:17am

DraKuL post:32:

rapa post:30:

Thanks for your efforts concerning this issue, I do however have one question. I have exactly the same as the previous poster installed the program after I was unable to watch the Youtube video posted on facebook, so far I haven’t seen any side effects. My question is what should I be looking for in “Scan results” to make sure the threat has been removed. I’m using Avast pro.

Thanks in advance.

The name of the spyware is MediaPlugin and the name of the setup file is MediaPluginInstall. The company/organization that developed it is GamePlayLabs.

If you use MBAM it will detect this file, I think you can manually remove them by going to this folder -

C:\Users\accountName\AppData\Local\Browser Plugin

There you will see BHO.dll and several other files - delete all of them, do not run the uninstaller provided - it didnt work for me… If you use MBAM to clean it, MBAM will remove the registry files as well! but there will be some leftovers which are harmless but can be manually deleted by going to that folder.

PS - I assume you’re using windows 7 / Vista , if its XP the path will be different.

Hello everyone. I had the same problem, and 10 minutes ago, I did delete BHO.dll , but in Firefox, this messages appears all the time whenever I google something or whenever I browse facebook. So how to remove this from Firefox? Btw, on google chrome my antivirus doesn’t pop up with an error, but on Firefox it keeps popping out, even while I’m typing this. Here’s the screen cap:
http://i55.tinypic.com/o94meq.jpg

So, can I somehow remove this “plugin” or whatever it’s called? Or should I just reinstall Firefox and hope for best? Thanks in advance everyone.

system · April 10, 2011, 11:29am

I just found the solution. Needed to remove GamePlayLabs add-on in Firefox and then restarted it. That was it. ;D I hope now everything is going to work fine.

DraKuL · April 10, 2011, 11:32am

Do a quick scan with MBAM just to make sure

system · April 14, 2011, 4:42pm

I’ve made the some mistake : i downloaded and installed this file

The report in Virus total show me :

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MediaPluginSetup.exe
Submission date: 2011-04-14 16:20:56 (UTC)
Current status: finished
Result: 2/ 40 (5.0%)
VT Community

not reviewed
Safety score: -
Compact
Print results
Antivirus Version Last Update Result
AhnLab-V3 2011.04.14.00 2011.04.14 -
AntiVir 7.11.6.109 2011.04.14 -
Antiy-AVL 2.0.3.7 2011.04.14 -
Avast 4.8.1351.0 2011.04.14 -
Avast5 5.0.677.0 2011.04.14 -
AVG 10.0.0.1190 2011.04.14 BHO.C
BitDefender 7.2 2011.04.14 -
CAT-QuickHeal 11.00 2011.04.14 -
ClamAV 0.97.0.0 2011.04.14 -
Commtouch 5.2.11.5 2011.04.14 -
Comodo 8340 2011.04.14 -
DrWeb 5.0.2.03300 2011.04.14 -
eSafe 7.0.17.0 2011.04.13 -
eTrust-Vet 36.1.8271 2011.04.14 -
F-Prot 4.6.2.117 2011.04.13 -
F-Secure 9.0.16440.0 2011.04.14 -
Fortinet 4.2.257.0 2011.04.14 -
GData 22 2011.04.14 -
Ikarus T3.1.1.103.0 2011.04.14 -
Jiangmin 13.0.900 2011.04.13 -
K7AntiVirus 9.96.4382 2011.04.13 -
Kaspersky 7.0.0.125 2011.04.14 -
McAfee 5.400.0.1158 2011.04.14 -
McAfee-GW-Edition 2010.1D 2011.04.14 -
Microsoft 1.6702 2011.04.14 -
NOD32 6041 2011.04.14 -
Norman 6.07.07 2011.04.13 -
Panda 10.0.3.5 2011.04.14 -
PCTools 7.0.3.5 2011.04.14 -
Prevx 3.0 2011.04.14 -
Rising 23.53.03.06 2011.04.14 -
Sophos 4.64.0 2011.04.14 -
SUPERAntiSpyware 4.40.0.1006 2011.04.14 -
Symantec 20101.3.2.89 2011.04.14 -
TheHacker 6.7.0.1.173 2011.04.13 -
TrendMicro 9.200.0.1012 2011.04.14 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.14 -
VIPRE 9013 2011.04.14 GamePlayLabs (v)
ViRobot 2011.4.14.4410 2011.04.14 -
VirusBuster 13.6.305.0 2011.04.14 -
Additional informationShow all
MD5 : 3ce497d244bed4b425343edee3ee9caf
SHA1 : 33d87ca16e90458483127b46175ff09e8fb31afb
SHA256: 1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018

Avast didn’t noticed anything!!! I was using chrome
I’ll try to removed as shown here i hope it will works…

Zyndstoff · April 14, 2011, 4:59pm

What do you want Avast to notice?

There’s 38 scanners out of 40 that say it’s clean. ???

And one of the others is VIPRE… not known for good results anyway.

Pondus · April 14, 2011, 5:09pm

@Zyndstoff see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look on reply #24

Zyndstoff · April 14, 2011, 5:13pm

I’m aware of that.
Didn’t know you can distinguish malware by reading the EULA… most of every software would be malware in one way or the other if you take their respective EULA literally.

Pondus · April 14, 2011, 5:18pm

Didn't know you can distinguish malware by reading the EULA

they did more then just read the EULA

Just looking at the file briefly will not tell you this information but more indepth research will

Zyndstoff · April 14, 2011, 5:20pm

So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positiv results?

polonus · April 14, 2011, 5:20pm

Hi Pondus,

Two flags are more than one as searched the malware hash…
VirusTotal.com 2/40 (5%) detected malware

ThreatExpert.com New/Nothing Found

Team-CYMRU.org New/Nothing Found

Now lets use the common google search query “MediaPluginSetup.exe BHO.C” and what do we get…e.g.:
This report for WOT: http://www.mywot.com/en/forum/11086-fake-media-player-spreading-through-facebook

This with another added flag: http://virscan.org/report/36f7a8ba55a616e274915fa4a3e3c4b1.html
CP Secure finding: Troj.Downloader.W32.Aphex.020

So what you think?

polonus

Pondus · April 14, 2011, 5:29pm

Is it the exact same sample ? same MD5 ?

Zyndstoff · April 14, 2011, 5:34pm

Sorry, I don’t have that file. I would just like to see more scanners jumping on it.

Pondus · April 14, 2011, 5:39pm

Sorry, I don't have that file. I would just like to see more scanners jumping on it.

Working on it ;)

Zyndstoff · April 14, 2011, 5:45pm

;D waiting

polonus · April 14, 2011, 7:27pm

Hi Pondus and Zyndstoff,

This adds to the suspicion: http://vscan.novirusthanks.org/analysis/20d3f7c94b5265c14d05554c50eb8fa1/bWVkaWFwbHVnaW5zZXR1cC1leGU=/

and jotti’s: http://virusscan.jotti.org/en/scanresult/3eae48334dfd051c642d6e31beef4c7bdf26c62c

virustotal at three detections now and ThreatExpert reporting:
http://www.virustotal.com/file-scan/report.html?id=dccf714d5a272fe6e52db6dd26c5279cea46570b295f70b0a1d0e112a531b518-1302351204

http://www.threatexpert.com/report.aspx?md5=20d3f7c94b5265c14d05554c50eb8fa1

So it is coming like our friend Pondus predicted,

polonus

P.S. for the browser BHO PlugIn, see: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=0xD7DC7DFE31FA56BBF486E947D89C68F3

D

Pondus · April 14, 2011, 8:17pm

yep seems to be the same type, but different MD5…
looks as they do the same as with FakeAV…new MD5 on every sample…
so i was hoping @nounzein should respond so i could get his sample to be 100% sure

here is one more, and again new MD5
http://www.virustotal.com/file-scan/report.html?id=1ffb8c2870f5913928817d64ae361f0a26c20085b64b8336709aa48ee8ce5690-1302812934

Malwarebytes detect as - Spyware.GamePlayLabs

polonus · April 14, 2011, 9:47pm

Hi Pondus,

So the morphing goes on like in “neverending story”, good we have you to track them down (and some others as well),
ThreatExpert does not have that one yet. Question is this an older one:
htxp://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=4
poor rep scan: http://www.mywot.com/en/scorecard/d.gameplaylabs.com

Scanned without results here: http://wepawet.iseclab.org/domain.php?hash=a8445223b1364b1b8a9a9bc4f7180d42&type=js

Check the MD5 hashes at virus check, I think not reported yet,

polonus

Pondus · April 14, 2011, 9:53pm

I will upload the sample to them

DraKuL · April 14, 2011, 11:59pm

I’d like to say that Malwarebytes’ definitions are spot on! The way they make users to download and install that plugin, and the fact that you dont actually need it to play videos on facebook is very suspicious… (As shown in the link polonus posted)

Hope Avast adds it to their definitions as it would help so many users…

Potential Malware!! :- MediaPluginInstall from game play labs is a spyware!!!

Announcements