Security home


Home / malwarePDF  


First posted on 07 June 2012.
Source: Microsoft

Aliases :

Adware:Win32/GamePlayLabs is also known as W32/GamePlay.B (Norman), ADSPY/GamePlayLabs.A.13 (Avira).

Explanation :

Adware:Win32/GamePlayLabs is a program that collects data when you browse websites. It then uses this data to display targeted advertising.


You may install Adware:Win32/GamePlayLabs electively from a specific website.

Upon installation, Adware:Win32/GamePlayLabs may create different files to run in different Internet browsers. For example, it installs the following files to run in Internet Explorer:

  • %Application Data%\GamePlayLabs Plugin\BHO.dll
  • %Application Data% \GamePlayLabs Plugin\gplplugin.crx
  • %Application Data% \GamePlayLabs Plugin\gplplugin.xpi
  • %Application Data%\GamePlayLabs Plugin\setup.ini
  • %Application Data% \GamePlayLabs Plugin\Uninstall.exe

Note: %Application Data% refers to application data directory, for example: c:\Documents and Settings\Administrator\Local Settings\Application Data

Adware:Win32/GamePlayLabs adds itself as a Firefox extension by adding the following directories with supporting files:

  • %DefaultFirefoxProfile%\extensions\
  • %DefaultFirefoxProfile%\extensions\\chrome\content
  • %DefaultFirefoxProfile%\extensions\\chrome\locale\en-US
  • %DefaultFirefoxProfile%\extensions\\defaults\preferences

Note: %DefaultFirefoxProfile% refers to the location that Firefox uses stores its profiles, for example: c:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zi8xn3a1.default

Below are some examples of Firefox files we have observed being installed:

  • chrome.manifest
  • ff-overlay.xul
  • icon.png
  • install.rdf
  • overlay.js
  • prefs.js
  • setup.ini

Adware:Win32/GamePlayLabs adds itself as a Google Chrome extension by adding the following directories with supporting files:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<random characters>\1.0_0
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Local Storage\chrome-extension_<random characters>_0.localstorage

Below are some examples of Google Chrome files we have observed being installed:

  • background.html
  • gameplaylabs.png
  • gameplaylabsplugin.js
  • manifest.json
  • npGamePlayLabsPlugin.dll

Adware:Win32/GamePlayLabs makes the following changes to the registry:

  • Creates the following subkey:


  • Registers itself as a BHO (Browser Helper Object) by adding the following subkeys:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{984A9162-8891-4D19-8CFE-17648BB4E1EC}

  • Adds the following subkey, values and data to add an uninstall entry to the Add/remove programs list dialog:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePlayLabs Plugin
    Sets value: "DisplayName"
    With data: "GamePlayLabs Plugin"
    Sets value: "UninstallString"
    With data: €œ\Application Data\GamePlayLabs Plugin\Uninstall.exe€

Program behavior

If you install the program, you may be asked to provide certain personal information during the registration process. Adware:Win32/GamePlayLabs may store this information, then later use it to display targeted advertising on your computer. You may also be sent a questionnaire requesting more information for the same purpose of providing targeted advertising.

Adware:Win32/GamePlayLabs has also been observed collecting information when you visit the GamePlayLabs website, such as:

  • Email addresses
  • Passwords
  • Computer name
  • Internet connection information

Once installed, Adware:Win32/GamePlayLabs may collect your browsing data the utilizes this information to display targeted advertising.

After being installed as a BHO, you can see Adware:Win32/GamePlayLabs in the Internet Explorer 'Manage Add-ons' dialog:

After being installed as a Firefox extension, you can see Adware:Win32/GamePlayLabs in the Firefox 'Add-ons' dialog:

Adware:Win32/GamePlayLabs data-collecting behavior is mentioned in their end-user license agreement (EULA):

Analysis by Michael Johnson & Ding Plazo

Last update 07 June 2012



Malware :