SecurityHome.eu Win32/GameVance

Home / malware PDF

Win32/GameVance

First posted on 01 February 2012.
Source: Microsoft
Aliases :
There are no other names known for Win32/GameVance.
Explanation :
Adware:Win32/GameVance is a detection for advertising components that display advertisements and track anonymous usage information, in exchange for a free online gaming experience.

Top

Adware:Win32/GameVance is a detection for advertising components that display advertisements and track anonymous usage information, in exchange for a free online gaming experience.

Installation

Win32/GameVance advertising components are available via the following websites:

epicplay.com

freeworkz.com

freeworkzgames.com

gamevance.com

livingplay.com

mimagoo.com

plpickle.com

spworkz.com

This adware can appear as the following applications:

EpicPlay

FreeWorkz

GameVance

LivingPlay

Mighty Magoo

PlayPickle

During installation, it may display a message similar to any of the following:

The installer drops the following files:

GameVance:

%ProgramFiles%\Gamevance\ars.cfg

%ProgramFiles%\Gamevance\gamevance32.exe

%ProgramFiles%\Gamevance\gamevancelib32.dll

%ProgramFiles%\Gamevance\gvtl.dll

%ProgramFiles%\Gamevance\gvun.exe

%ProgramFiles%\Gamevance\icon.ico

Mighty Magoo:

%ProgramFiles%\Mighty Magoo\ars.cfg

%ProgramFiles%\Mighty Magoo\icon.ico

%ProgramFiles%\Mighty Magoo\mightymagoo32.exe

%ProgramFiles%\Mighty Magoo\mightymagoolib32.dll

%ProgramFiles%\Mighty Magoo\mmagootl.dll

%ProgramFiles%\Mighty Magoo\mmagooun.exe

FreeWorkz:

%ProgramFiles%\Freeworkz\freeworkzpop.dll

%ProgramFiles%\Freeworkz\freeworkztl.dll

%ProgramFiles%\Freeworkz\fworkzun.exe

%ProgramFiles%\Freeworkz\npfwpop.dll

LivingPlay:

%ProgramFiles%\LivingPlay Games\lplaypop.dll

%ProgramFiles%\LivingPlay Games\lplaytl.dll

%ProgramFiles%\LivingPlay Games\lplayun.exe

%ProgramFiles%\LivingPlay Games\nplplaypop.dll

EpicPlay:

%ProgramFiles%\EpicPlay\epicHost.dll

%ProgramFiles%\EpicPlay\epicPlayGames.dll

%ProgramFiles%\EpicPlay\epicRemoval.exe

PlayPickle:

%ProgramFiles%\Play Pickle\ars.cfg

%ProgramFiles%\Play Pickle\playpickle32.exe

%ProgramFiles%\Play Pickle\playpicklelib32.dll

%ProgramFiles%\Play Pickle\pptl.dll

%ProgramFiles%\Play Pickle\ppun.exe

The installer creates registry entries so that it runs at every Windows start and as a Browser Helper Object (BHO) when Internet Explorer is opened.

GameVance:

HKCU\Software\gvtl

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7370F91F-6994-4595-9949-601FA2261C8D}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gamevance

HKLM\Software\Classes\Gamevance.Linker

HKLM\Software\Classes\Gamevance.Linker.1

HKLM\Software\Classes\clsid\{7370F91F-6994-4595-9949-601FA2261C8D}

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance

Mighty Magoo:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mightymagoo

HKLM\Software\Classes\MightyMagooText.Linker

HKLM\Software\Classes\MightyMagooText.Linker.1

HKCU\Software\AppDataLow\mmagootl

HKLM\SOFTWARE\Classes\CLSID\{EEAD004E-7E2D-49f8-831C-A01647E85B53}

HKLM\SOFTWARE\Classes\CLSID\{97E74A14-E5F1-40cc-9B0F-0D11946E5469}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97E74A14-E5F1-40cc-9B0F-0D11946E5469}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MightyMagoo

FreeWorkz:

HKLM\Software\Classes\fwtlIE.TextLinks

HKLM\SOFTWARE\Classes\fwtlIE.TextLinks.1

HKLM\Software\Classes\AppID\fwtlIE.DLL

HKLM\SOFTWARE\Classes\AppID\{ACF86820-8B34-4441-ACF8-7661FD546B7F}

HKLM\SOFTWARE\Classes\CLSID\{098B1077-D8E5-4974-B5D7-A044B88740E6}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{098B1077-D8E5-4974-B5D7-A044B88740E6}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freeworkz

LivingPlay:

HKCU\Software\AppDataLow\lplaytl

HKLM\SOFTWARE\Classes\lptlIE.TextLinks

HKLM\SOFTWARE\Classes\lptlIE.TextLinks.1

HKLM\SOFTWARE\Classes\npPopupEngineIE.PopupEngine

HKLM\SOFTWARE\Classes\AppID\lptlIE.DLL

HKLM\SOFTWARE\Classes\CLSID\{A2F3646F-8BEE-4D69-856A-8434159A6E9E}

HKLM\SOFTWARE\Classes\CLSID\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D9291F9E-7010-4D7A-8DF6-455DEEF8EF51}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LivingPlay

EpicPlay:

HKCU\Software\AppDataLow\ePlayConf

HKLM\SOFTWARE\Classes\CLSID\{18488039-9344-4dcf-A9B0-72AFA058EE44}

HKLM\SOFTWARE\Classes\CLSID\{56E4076B-A42B-4745-BA35-34DA8AC4C2F2}

HKLM\SOFTWARE\Classes\EpicPlay.TextLinks

HKLM\SOFTWARE\Classes\EpicPlay.TextLinks.1

HKLM\SOFTWARE\Classes\EpicPlayHost.DisplayEngine

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56E4076B-A42B-4745-BA35-34DA8AC4C2F2}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EpicPlay

HKLM\Software\AppDataLow\ePlayConf

PlayPickle:

HKCU\Software\AppDataLow\pptl

HKLM\SOFTWARE\Classes\PlayPickleText.Linker

HKLM\SOFTWARE\Classes\PlayPickleText.Linker.1

HKLM\SOFTWARE\Classes\AppID\PlayPickleText.DLL

HKLM\SOFTWARE\Classes\CLSID\{02F0243C-2E71-4a1a-A790-6C30888119D0}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02F0243C-2E71-4a1a-A790-6C30888119D0}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Play Pickle

The uninstall component may have any of the following file names:

epicRemoval.exe

fworkzun.exe

gvun.exe

lplayun.exe

mmagooun.exe

ppun.exe

Additional information

It is possible to uninstall GameVance using the Add/Remove Programs dialog in the Control Panel. However, a shortcut to the uninstallers are not provided anywhere in the start menu. When executed, most components of the installed package are removed, and the rest are removed after a restart. A webpage is then opened in Internet Explorer that solicits feedback from the user regarding why GameVance was removed. The page may appear similar to the following:

Analysis by Marianne Mallen

Last update 01 February 2012

TOP

Malware :

Last 20