PUA.GameVance

Updated: June 12, 2015 1:26:41 PM
Type: Potentially Unwanted App
Infection Length: Varies
Risk Impact: Low
Systems Affected: Windows

This program must be manually installed.

When the program is executed, it creates the following files:
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome\gvtextlinks.jar
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome.manifest
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.xpt
  • %UserProfile%\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\install.rdf
  • %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hnhgoncokajlafhnhjmccgcmgggiehjm\gvtl.js
  • %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hnhgoncokajlafhnhjmccgcmgggiehjm\manifest.json
  • %UserProfile%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hnhgoncokajlafhnhjmccgcmgggiehjm\npgvtl.dll
  • %ProgramFiles%\Gamevance Games\ars.cfg
  • %ProgramFiles%\Gamevance Games\gamevance32.exe
  • %ProgramFiles%\Gamevance Games\gamevancelib32.dll
  • %ProgramFiles%\Gamevance Games\gvtl.dll
  • %ProgramFiles%\Gamevance Games\gvun.exe
  • %ProgramFiles%\Gamevance Games\icon.ico


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Gamevance" = "C:\Program Files\Gamevance Games\gamevance32.exe a"

It also creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\"" = "GamevanceText"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GamevanceText.DLL\"AppID" = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\"" = "C:\Program Files\Gamevance Games\gamevancelib32.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\"" = "Gamevance"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID\"" = "GamevanceText.Linker"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib\"" = "{014C4232-6904-47B9-9144-7E0FB7277444}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID\"" = "GamevanceText.Linker.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\"" = "C:\Program Files\Gamevance Games\gvtl.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\"" = "Gamevance Text"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CurVer\"" = "GamevanceText.Linker.1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker\CLSID\"" = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker\"" = "Gamevance Text"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\CLSID\"" = "{beaC7DC8-E106-4C6A-931E-5A42E7362883}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GamevanceText.Linker.1\"" = "Gamevance Text"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\"" = "Gamevance"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\"NoExplorer" = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\"" = "Gamevance Text"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaC7DC8-E106-4C6A-931E-5A42E7362883}\"NoExplorer" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance\"DisplayName" = "Gamevance"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance\"UninstallString" = "C:\Program Files\Gamevance Games\gvun.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance\"DisplayIcon" = "C:\Program Files\Gamevance Games\gvun.exe"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_STISVC\0000\Control\"ActiveService" = "stisvc"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"maxdday" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"maxtoday" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"les" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"uid" = "[UID STRING]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"ct" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"ci" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"cid" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"sc1u" = "http://links.gamevance.net/common.php?p="
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"d" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"esint" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"domfqc" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"domfqt" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"sc2u" = "http://links.gamevance.net/keywords-cli.php?p="
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"nos2" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"domfqcl" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"scr1" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"eu" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\AppDataLow\gvtl\"eus" = "[BINARY DATA]"


The program then highlights keywords on random web pages. When one of those keywords is hovered over with the mouse, a pop-up advertisement is displayed. If a keyword is clicked, a new browser window opens with an advertisement.
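
The registry entries listed above can be checked offline against the text of a regedit export. The following is an added example, not Symantec's code: it matches a subset of the page's keys case-insensitively, including when they appear under the WOW6432Node view of a 64-bit system. The sample export, the `Program Files (x86)` path in it and the function names are constructed for illustration.

```python
import re

# Subset of the registry indicators listed above; None means the key itself.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
INDICATORS = [
    (RUN, "Gamevance"),
    (BHO + r"\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}", None),
    (BHO + r"\{beaC7DC8-E106-4C6A-931E-5A42E7362883}", None),
    (r"HKEY_CURRENT_USER\Software\AppDataLow\gvtl", None),
]

# Constructed sample export (decoded text), as a 64-bit host might show it.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"Gamevance"="C:\\Program Files (x86)\\Gamevance Games\\gamevance32.exe a"
"SomeUpdater"="C:\\Tools\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}]
@="Gamevance"
"NoExplorer"=dword:00000001

[HKEY_CURRENT_USER\Software\AppDataLow\gvtl]
"uid"="constructed-sample-uid"
'''

def normalize(key):
    """Registry paths are case-insensitive; also drop the 32-bit redirection segment."""
    return re.sub(r"\\wow6432node(?=\\|$)", "", key.strip().lower())

def parse_reg(text):
    """Return the set of (key, value_name) pairs in export text; None marks a key."""
    seen, key = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalize(line[1:-1])
            seen.add((key, None))
        elif key and line.startswith("@="):      # default value of the key
            seen.add((key, ""))
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
            if m:
                seen.add((key, m.group(1).lower()))
    return seen

def find_hits(text):
    """List the indicators from INDICATORS that are present in the export."""
    seen = parse_reg(text)
    return [(k, v) for k, v in INDICATORS
            if (normalize(k), v and v.lower()) in seen]
```

`find_hits(SAMPLE)` reports the Run value, the first Browser Helper Object key and the `gvtl` key, and ignores the unrelated `SomeUpdater` value. Files written by regedit are normally UTF-16, so decode them before passing the text in.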