What is PlayGem?
The Malwarebytes research team has determined that PlayGem is adware. These adware applications display advertisements not originating from the sites you are browsing.
How do I know if my computer is affected by PlayGem?
You may see this entry in your list of installed programs:
this kind of advertisement:
and this icon in your Start menu:
How did PlayGem get on my computer?
Adware applications use different methods for distributing themselves. This particular one is offered as an online game portal.
How do I remove PlayGem?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted program.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
  - Enable free trial of Malwarebytes Anti-Malware Premium
  - Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that everything is set to "Quarantine", and click Apply Actions.
- Reboot your computer if prompted.
- No, Malwarebytes' Anti-Malware removes PlayGem completely.
We hope our application and this guide have helped you eradicate this adware application.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the PlayGem adware. It would have warned you before the application could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
You will see these signs in a HijackThis log:
O4 - HKLM\..\Run: [PlayGem] "C:\Program Files (x86)\PlayGem\PlayGem.exe" monetize

You may see these signs in FRST logs:
(PlayGem) C:\Program Files (x86)\PlayGem\PlayGem.exe
HKLM-x32\...\Run: [PlayGem] => C:\Program Files (x86)\PlayGem\PlayGem.exe [3247616 2015-10-21] (PlayGem)
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayGem
C:\ProgramData\PlayGemConfig
C:\Program Files (x86)\PlayGem
PlayGem 1.0 (HKLM-x32\...\PlayGem) (Version: 1.0 - PlayGem)

Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\PlayGem
   Adds the file Compaign.dat"="22/01/2016 09:35, 8 bytes, A
   Adds the file Events.dat"="22/01/2016 09:35, 731 bytes, A
   Adds the file PlayGem.exe"="21/10/2015 14:38, 3247616 bytes, A
   Adds the file uninst.exe"="22/01/2016 09:35, 165582 bytes, A
   Adds the file Version.dat"="22/01/2016 09:35, 54 bytes, A
Adds the folder C:\ProgramData\PlayGemConfig
   Adds the file Sample.json"="22/01/2016 09:35, 20108 bytes, A
Adds the folder C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayGem
   Adds the file PlayGem.lnk"="22/01/2016 09:35, 1027 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "EnableLUA"= REG_DWORD, 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
   "ExploreMedia.exe"="REG_DWORD", 9999
   "PlayGem.exe"="REG_DWORD", 9999
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PlayGem\ExploreMedia]
   "(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PlayGem\PlayGem]
   "(Default)"="REG_SZ", ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
   "PlayGem"="REG_SZ", ""C:\Program Files (x86)\PlayGem\PlayGem.exe" monetize"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PlayGem]
   "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PlayGem\PlayGem.exe"
   "DisplayName"="REG_SZ", "PlayGem 1.0"
   "DisplayVersion"="REG_SZ", "1.0"
   "Publisher"="REG_SZ", "PlayGem"
   "UninstallString"="REG_SZ", "C:\Program Files (x86)\PlayGem\uninst.exe"
   "URLInfoAbout"="REG_SZ", " www.PlayGem.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlayGem]
   "xDaysDownload"="REG_DWORD", 2147483647

Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 22/01/2016
Scan Time: 09:54
Logfile: mbamPlayGem.txt
Administrator: Yes

Version: 2.2.0.1020
Malware Database: v2016.01.22.03
Rootkit Database: v2016.01.20.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317631
Time Elapsed: 4 min, 30 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 2
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\PlayGem.exe, 3548, Delete-on-Reboot, [7d2eba823d5cdc5a0f9e332108f8c33d]
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\PlayGem.exe, 1824, Delete-on-Reboot, [7d2eba823d5cdc5a0f9e332108f8c33d]

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PlayGem, Quarantined, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\PlayGem, Quarantined, [3378c17b0297f640c15fee0e2dd627d9],
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\PlayGem, Quarantined, [9714c17bc9d0bb7bda444bb1f80bb54b],

Registry Values: 4
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|PlayGem, "C:\Program Files (x86)\PlayGem\PlayGem.exe" monetize, Quarantined, [7d2eba823d5cdc5a0f9e332108f8c33d]
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|PlayGem.exe, 9999, Quarantined, [c0ebed4f4b4e1e183c14e8506f9508f8]
PUP.Optional.ExploreMedia, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|ExploreMedia.exe, 9999, Quarantined, [bbf0cf6d5a3fab8b2d424490c73bb947]
PUP.Optional.PlayGem, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PLAYGEM|URLInfoAbout, www.PlayGem.com, Quarantined, [1596a399d9c0f04639b0869718ec08f8]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem, Delete-on-Reboot, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayGem, Quarantined, [4a6145f76831d85eca5329d39a690bf5],
PUP.Optional.PlayGem, C:\ProgramData\PlayGemConfig, Quarantined, [4962d5677c1d41f562d8834b2ad85ba5],

Files: 8
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\PlayGem.exe, Delete-on-Reboot, [7d2eba823d5cdc5a0f9e332108f8c33d],
PUP.Optional.PlayGem, C:\Users\{username}\Desktop\PlayGem_Setup.exe, Quarantined, [377490ac4653d561eebf69eb16ea05fb],
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\Compaign.dat, Quarantined, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\Events.dat, Quarantined, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\uninst.exe, Quarantined, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, C:\Program Files (x86)\PlayGem\Version.dat, Quarantined, [7b301f1d8811c96d0e0e84786c97748c],
PUP.Optional.PlayGem, C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayGem\PlayGem.lnk, Quarantined, [4a6145f76831d85eca5329d39a690bf5],
PUP.Optional.PlayGem, C:\ProgramData\PlayGemConfig\Sample.json, Quarantined, [4962d5677c1d41f562d8834b2ad85ba5],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before, the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
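
The autorun entries shown under "Technical details for experts" can be searched for in saved HijackThis or FRST logs. The following Python script is an added example, not part of the original guide or of any Malwarebytes tool; its function names and the ExampleUpdater lines are constructed, and it assumes the two line formats match the excerpts shown on this page.

```python
import re
from typing import List, NamedTuple, Optional

# Indicators copied from the log excerpts on this page.
INSTALL_DIR = r"c:\program files (x86)\playgem"
RUN_VALUE = "playgem"

class Autorun(NamedTuple):
    source: str  # "HijackThis" or "FRST"
    hive: str
    name: str
    path: str
    args: str

# HijackThis:  O4 - HKLM\..\Run: [Name] "C:\dir\app.exe" args
HJT_RE = re.compile(r'^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] '
                    r'(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe|\S+))\s*(?P<args>.*)$', re.I)
# FRST:  HKLM-x32\...\Run: [Name] => C:\dir\app.exe [size date] (Company)
FRST_RE = re.compile(r'^(?P<hive>HK\S+\\Run(?:Once)?): \[(?P<name>[^\]]+)\] => '
                     r'(?P<path>.+?)(?:\s+\[\d+ \d{4}-\d{2}-\d{2}\].*)?$')

def parse_autorun(line: str) -> Optional[Autorun]:
    """Parse one autorun line from either log format; None if it is neither."""
    line = line.strip()
    m = HJT_RE.match(line)
    if m:
        return Autorun("HijackThis", m["hive"], m["name"], m["q"] or m["u"], m["args"].strip())
    m = FRST_RE.match(line)
    if m:
        return Autorun("FRST", m["hive"], m["name"], m["path"].strip('"'), "")
    return None

def is_playgem(entry: Autorun) -> bool:
    """Flag entries launching from the PlayGem folder or using its Run value name."""
    in_dir = entry.path.lower().startswith(INSTALL_DIR + "\\")
    return in_dir or entry.name.lower() == RUN_VALUE

def triage(log_text: str) -> List[Autorun]:
    """Return every autorun entry in the log text that matches the indicators."""
    entries = (parse_autorun(l) for l in log_text.splitlines())
    return [e for e in entries if e and is_playgem(e)]

# Constructed sample: the two PlayGem lines are from the page, the others are made up.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKLM\..\Run: [PlayGem] "C:\Program Files (x86)\PlayGem\PlayGem.exe" monetize
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [102400 2015-06-01] (Example)
HKLM-x32\...\Run: [PlayGem] => C:\Program Files (x86)\PlayGem\PlayGem.exe [3247616 2015-10-21] (PlayGem)
'''

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.source}: {hit.hive} [{hit.name}] {hit.path} {hit.args}".rstrip())
```

The FRST excerpt on this page does not include the command-line argument, so only the HijackThis match carries "monetize" in its args field.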