I didn’t download anything… Just tried to watch a YouTube link posted on Facebook and we were asked to install this plugin, which it said is required to play the video… So I downloaded and installed it because it said that it’s required to play the video…

Hello everyone. I had the same problem, and 10 minutes ago, I did delete BHO.dll, but in Firefox, this message appears all the time whenever I google something or whenever I browse Facebook. So how to remove this from Firefox? Btw, on Google Chrome my antivirus doesn’t pop up with an error, but on Firefox it keeps popping up, even while I’m typing this. Here’s the screen cap:
http://i55.tinypic.com/o94meq.jpg

So, can I somehow remove this “plugin” or whatever it’s called? Or should I just reinstall Firefox and hope for the best? :smiley: Thanks in advance everyone.

I just found the solution. Needed to remove GamePlayLabs add-on in Firefox and then restarted it. That was it. ;D I hope now everything is going to work fine.

Do a quick scan with MBAM just to make sure :slight_smile:

I’ve made the same mistake: I downloaded and installed this file

The report in VirusTotal shows me:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: MediaPluginSetup.exe
Submission date: 2011-04-14 16:20:56 (UTC)
Current status: finished
Result: 2/ 40 (5.0%)
Antivirus Version Last Update Result
AhnLab-V3 2011.04.14.00 2011.04.14 -
AntiVir 7.11.6.109 2011.04.14 -
Antiy-AVL 2.0.3.7 2011.04.14 -
Avast 4.8.1351.0 2011.04.14 -
Avast5 5.0.677.0 2011.04.14 -
AVG 10.0.0.1190 2011.04.14 BHO.C
BitDefender 7.2 2011.04.14 -
CAT-QuickHeal 11.00 2011.04.14 -
ClamAV 0.97.0.0 2011.04.14 -
Commtouch 5.2.11.5 2011.04.14 -
Comodo 8340 2011.04.14 -
DrWeb 5.0.2.03300 2011.04.14 -
eSafe 7.0.17.0 2011.04.13 -
eTrust-Vet 36.1.8271 2011.04.14 -
F-Prot 4.6.2.117 2011.04.13 -
F-Secure 9.0.16440.0 2011.04.14 -
Fortinet 4.2.257.0 2011.04.14 -
GData 22 2011.04.14 -
Ikarus T3.1.1.103.0 2011.04.14 -
Jiangmin 13.0.900 2011.04.13 -
K7AntiVirus 9.96.4382 2011.04.13 -
Kaspersky 7.0.0.125 2011.04.14 -
McAfee 5.400.0.1158 2011.04.14 -
McAfee-GW-Edition 2010.1D 2011.04.14 -
Microsoft 1.6702 2011.04.14 -
NOD32 6041 2011.04.14 -
Norman 6.07.07 2011.04.13 -
Panda 10.0.3.5 2011.04.14 -
PCTools 7.0.3.5 2011.04.14 -
Prevx 3.0 2011.04.14 -
Rising 23.53.03.06 2011.04.14 -
Sophos 4.64.0 2011.04.14 -
SUPERAntiSpyware 4.40.0.1006 2011.04.14 -
Symantec 20101.3.2.89 2011.04.14 -
TheHacker 6.7.0.1.173 2011.04.13 -
TrendMicro 9.200.0.1012 2011.04.14 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.14 -
VIPRE 9013 2011.04.14 GamePlayLabs (v)
ViRobot 2011.4.14.4410 2011.04.14 -
VirusBuster 13.6.305.0 2011.04.14 -
Additional information
MD5 : 3ce497d244bed4b425343edee3ee9caf
SHA1 : 33d87ca16e90458483127b46175ff09e8fb31afb
SHA256: 1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018

Avast didn’t notice anything!!! I was using Chrome.
I’ll try to remove it as shown here; I hope it will work…

What do you want Avast to notice?

There are 38 scanners out of 40 that say it’s clean. ???

And one of the others is VIPRE… not known for good results anyway.

@Zyndstoff see the Vipre detection name

http://www.virustotal.com/file-scan/report.html?id=1d86690a7f0959533649b31898efa07b91d8a141bf468d39557a3ddb6b5a2018-1302798056

Then look on reply #24

I’m aware of that.
Didn’t know you can distinguish malware by reading the EULA… most of every software would be malware in one way or the other if you take their respective EULA literally.

> Didn't know you can distinguish malware by reading the EULA

They did more than just read the EULA.
Just looking at the file briefly will not tell you this information, but more in-depth research will.

So, if that is so, then a new scan today, which is significantly later, should bring up 36 or more scanners showing positive results?

Hi Pondus,

Two flags are more than one as searched the malware hash…
VirusTotal.com 2/40 (5%) detected malware

ThreatExpert.com New/Nothing Found

Team-CYMRU.org New/Nothing Found

Now let’s use the common Google search query “MediaPluginSetup.exe BHO.C” and what do we get… e.g.:
This report for WOT: http://www.mywot.com/en/forum/11086-fake-media-player-spreading-through-facebook

This with another added flag: http://virscan.org/report/36f7a8ba55a616e274915fa4a3e3c4b1.html
CP Secure finding: Troj.Downloader.W32.Aphex.020

So what do you think?

polonus

Is it the exact same sample? Same MD5?

Sorry, I don’t have that file. I would just like to see more scanners jumping on it.

> Sorry, I don't have that file. I would just like to see more scanners jumping on it.

Working on it ;)

;D waiting

Hi Pondus and Zyndstoff,

This adds to the suspicion: http://vscan.novirusthanks.org/analysis/20d3f7c94b5265c14d05554c50eb8fa1/bWVkaWFwbHVnaW5zZXR1cC1leGU=/

and jotti’s: http://virusscan.jotti.org/en/scanresult/3eae48334dfd051c642d6e31beef4c7bdf26c62c

VirusTotal is at three detections now, and ThreatExpert is reporting:
http://www.virustotal.com/file-scan/report.html?id=dccf714d5a272fe6e52db6dd26c5279cea46570b295f70b0a1d0e112a531b518-1302351204

http://www.threatexpert.com/report.aspx?md5=20d3f7c94b5265c14d05554c50eb8fa1

So it is coming like our friend Pondus predicted,

polonus

P.S. for the browser BHO PlugIn, see: http://www.google.nl/search?sourceid=chrome&ie=UTF-8&q=0xD7DC7DFE31FA56BBF486E947D89C68F3

Yep, seems to be the same type, but different MD5…
Looks as if they do the same as with FakeAV… new MD5 on every sample…
So I was hoping @nounzein would respond so I could get his sample to be 100% sure.

here is one more, and again new MD5
http://www.virustotal.com/file-scan/report.html?id=1ffb8c2870f5913928817d64ae361f0a26c20085b64b8336709aa48ee8ce5690-1302812934

Malwarebytes detects it as - Spyware.GamePlayLabs

Hi Pondus,

So the morphing goes on like in “neverending story”; good we have you to track them down (and some others as well).
ThreatExpert does not have that one yet. Question: is this an older one:
htxp://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=4
poor rep scan: http://www.mywot.com/en/scorecard/d.gameplaylabs.com

Scanned without results here: http://wepawet.iseclab.org/domain.php?hash=a8445223b1364b1b8a9a9bc4f7180d42&type=js

Check the MD5 hashes at virus check, I think not reported yet,

polonus

I will upload the sample to them :wink:

I’d like to say that Malwarebytes’ definitions are spot on! The way they make users download and install that plugin, and the fact that you don’t actually need it to play videos on Facebook, is very suspicious… (As shown in the link polonus posted)

Hope Avast adds it to their definitions as it would help so many users…