[Resolved]gamevance wont uninstall (please help)

I was on the computer earlier and noticed a pop-up (which almost never happens) and when I went to a website I noticed a new toolbar installed “mywebsearch” I think. I figured ok someone was just messing around and clicked something. When I checked avast log viewer it had two warnings about it but it seems it is still installed and avast is no longer detecting it as harmful. After trying to remove it from the Firefox add-ons where I first noticed it and being unsuccessful, I then removed it from the control panel. That hasn’t seem to done any good. I did a search on the gamevance name, I saw it talk about really annoying pop-ups and remote attackers. So I immediately came here for help. PLEASE help me before it gets any worse. :'(.

I am running Avast 4.8 Home edition and the os system is windows 7. Any help or recommendations are greatly appreciated. Thank you.

Hi fiveavast, and welcome to the forum. :slight_smile:

Do you have a 32 or 64-bit machine? What is your firewall (FW)?

Have you updated your Avast definitions and run a Full Scan yet?

Thank you and hello to you also SafeSurfer. The machine runs 64 bit and the firewall is windows firewall. The avast definitions are all up to date and I have done a complete scan but I don’t know if it was a full scan?

Is anything sitting in your Avast Virus Chest now? Let me know if you need help finding it.

Also, did you change any of the default setting of Avast?

To find the Virus Chest: open the Avast GUI > Maintenance > Virus Chest.

Is there anything listed in there? If so, can you give me either a screen shot or manually type in the exact wording of what is there?

My prior question was did you change any of the default settings of Avast?

gamevance32.exe and gvun.exe are in the avast chest. I have not changed the default settings except when I first installed avast I turned the resident scanner up to high. It’s not detecting “mywebsearch” at all but that wont uninstall either.

Good…that’s what I wanted to see.

I’d like to check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
· Download free http://www.malwarebytes.org/ for an on-demand scanner.
· Double Click mbam-setup.exe to install the application.
· After install, click update so you have latest database before scanning.
· Under Settings:
o General: Automatically Save File After Scan Completes is checked off
o Scanner Settings: Check all boxes
o Updater: Download and install update if available is checked off
· Once the program has loaded, select “Perform FULL Scan”, then click Scan.
· The scan may take some time to finish, so please be patient.
· When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
· Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
· The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
· Copy & Paste the entire report in your next reply.

Please let me know if you have any questions.

under general I turn the automatic file save on? Then I check all scanned setting boxes. Then I update Malwarebytes. Select full scan, Then quarantine anything found? then post the log here?

Yes…to all your questions.

try mbam,gamevance is an adware

The OP is already running a FULL scan of MBAM. But thank you for responding. :slight_smile:

Thank you. Here is the log.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4500

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/29/2010 1:31:14 AM
mbam-log-2010-08-29 (01-31-14).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 229458
Time elapsed: 25 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproductsinstaller.start (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproductsinstaller.start.1 (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{1d4db7d1-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{1d4db7d3-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib{1d4db7d0-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gamevance (Adware.Gamevance) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files (x86)\MyWebSearch (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin (Adware.MyWebSearch) → Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\Uninstall Fun Web Products.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.
C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) → Quarantined and deleted successfully.

Also after restarting this came up. If your having trouble reading it, it is “There was a problem starting C:\PROGRA~2\UNINST~1.DLL The specified module could not be found.”

http://i38.tinypic.com/j0fcau.png

and fire fox still has the same problem. This file keeps reinstalling itself. The add-on is name “Gamevance Textlinks 1.0.0”

http://i38.tinypic.com/mrqwc6.png

Thank you for helping me with this.

You had a lot of adware in addition to a Trojan that MBAM put into quarantine. Leave everything in there and Do NOT delete anything!

As for the FF extension, have you tried to delete it?

I have tried disabling it and uninstalling it but every time Firefox restarts its comes back. I even tried reinstalling Firefox itself. Also another question, I have to keep MBAM now? I can’t uninstall it?

No…you need to keep MBAM as we will need it for future use. It is an excellent on-demand scanner than many of us use here.

I’d like you to run some more diagnostic tools with OTL. Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0. You have already done the MBAM part, so you can skip this.

Under the red OTL, click on it and it will download a file…download it to your desktop. Follow the instructions in the link above. You will be prompted to save 2 files to your desktop and attach them to your next post. To attach a file to a post: click on “Additional Options” > Attach > browse (the 2 files will be on your desktop) > post.

I am going to have a Certified Malware Removal expert named Essexboy review your OTL logs and respond to you in this thread. He will ask you questions and give you instructions. I will be monitoring in the background.

Please do not make any further changes to you machine other than doing normal Avast updates or you will need to re-do all the logs again.

Do you have any questions?

Prior to doing the OTL log, please clean your machine with CCleaner – a freeware system optimization, privacy and cleaning tool. There is a Slim version available at http://www.piriform.com/ccleaner/builds. It removes unused files (cache, temporary Internet files, etc.) from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner.

and…

Download TFC by OldTimer to your desktop.

http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
· Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
· It will close all programs when running, so make sure you have saved all your work before you begin.
· Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
· Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

After doing BOTH cleaners…then run the OTL logs.

Ok thank you.

Do you have any questions? I will be signing off shortly but will check in later. I will let Essexboy run the show but be in the background.

I’m still unsure how to attach the file but if you log off I’m sure someone can help me with it. Thank you for all your help SafeSurf.

also download ccleaner http://www.piriform.com/ccleaner/download

dont forget to run “the registry” scan

http://img412.imageshack.us/img412/9197/ccleanerk.png