The Scream! > COMPUTER RELATED > Spyware Removal
#1
07-March-2007, 01:44
snoozy (Screamager; Join Date: May 2001; Location: oldgitshire; Posts: 287)
internetgamebox

My sister's kid has downloaded this and it seems to have installed a rootkit. (On her PC, not mine, fortunately!)

As best as I can tell it's "navipromo". (POP-UPs for winfixer 2007 etc..)


The site is internetgamebox.com

It almost looks like a legit site. On their T&C page, tucked away right at the bottom, you can get an uninstall program.

http://www.gad-network.com/uninstall

I used a throw away email and have received "promoremover.exe"

Anyone run it? Frying pan and fire? Any other way to get shot of the pop-ups? Windows defender, spybot and Lavasoft don't see it.

Thanks for any help.
#2
07-March-2007, 19:03
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hiya.

It is rootkit adware.

Firstly, I would download a Rootkit cleaner and place it on the infected PC, in its own folder on the Desktop will do. You may need this, so do that before anything else.

The trial cleaner in the link below is OK and free at the moment, called Blacklight....

http://www.f-secure.com/blacklight

Has your sister uninstalled the Internetgamebox program, either from Add/Remove Programs or from the Start Menu/Programs? If not, it is advisable to do so.

If that goes OK, then run the promoremover.exe and click on the Start Cleaning button, OK it when finished and OK it again if the OK button re-appears a few moments later.

Restart the PC and see if the pop-ups have stopped.

If not successful in any/some of the above and the Internet connection is possibly lost, run the Blacklight cleaner by double clicking on the exe and let it scan the PC. It doesn't install anything, but will create a fsbl-xxxxxxxxxxxxxx.log in the folder.

When it has finished scanning, if it has found any hidden files it will display them. You need to click on each file name and then click on the Rename button; do that for all the files found, then click Next. At one point it will say "for Advanced users only", etc.; OK that. Then it will ask to restart the PC; make sure all open programs/windows are closed before clicking on the Restart button in the program.

The Blacklight-renamed files will still be on the PC, and possibly some remnants left behind from the uninstalling of the program, if applicable, which can be manually removed if needed later.

Let's remove any infections first and deal with the remnants afterwards.
JR51.
#3
08-March-2007, 00:07
snoozy (Screamager; Join Date: May 2001; Location: oldgitshire; Posts: 287)
Re: internetgamebox

Thanks for that.

She started uninstalling Internetgamebox from Add/Remove Programs, but it tried to connect to the Internet (firewall popped up), so she blocked it. It then said it needed to connect in order to uninstall. At the moment it isn't uninstalled, and is still blocked from Internet access.

So should she unblock and try uninstalling again? Or will that just download more bad stuff?


"If that goes OK, then run the promoremover.exe and click on the Start Cleaning button, OK it when finished and OK it again if the OK button re-appears a few moments later."

Have you run promoremover.exe before? Will it bring up a "Start Cleaning" button? I was really scared about running the .exe since it came from the same place that put the rootkit on in the first place!

I understand what you are saying about downloading blacklight first.

cheers
#4
08-March-2007, 08:55
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hiya.

I actually installed this program yesterday to get a better perspective of what it does.

It does ask for an Internet connection when it is installing and uninstalling, but unfortunately I have ActiveX disabled and it failed to uninstall automatically after several attempts.

I also didn't get any popups either, which, from looking at the program when it runs, is because ActiveX is needed to run it fully, and hence why the popups get through and infect the PC.

I did, however, lose my internet connection, which is why I mentioned downloading Blacklight before anything is attempted. Running that and renaming the rootkit files gave me back my connection. The rootkit files it installed are randomly named.

E.g.

Hidden process: C:\WINNT\system32\frdepbcugr.exe
Hidden file: c:\WINNT\SYSTEM32\FRDEPB~1.EXE
Hidden file: c:\WINNT\SYSTEM32\FRDEPB~1.DAT


For some more punishment, lol, I then installed it again and had the exact same problems as above, but with different file names. In the end I manually uninstalled the program, ran promoremover.exe, then Blacklight, and cleaned out a few registry entries related to the rootkit and program. I haven't had any problems since.

Personally I would let it have the connection to uninstall; I honestly don't think it will install anything else. The program itself may be kosher; it's the rootkit that is the problem.

Many free programs have some form of adverts/banners as part of the agreement when installing. What I don't like is the underhand tactics used to install something that is not needed in this program.

Yes, I did run the promoremover.exe, but cannot say what it uninstalled; there is no log or reference when it is running, but I have had no adverse effects from it.

When I emailed them for the file, I put in the Reason for Uninstalling that I was investigating why companies install rootkits on people's PCs and why I lost my connection. I received the file, which I wasn't expecting, but no comments were offered in the reply. :D

So if you want to attempt what I have said, I will be here for you if anything goes screwy. I can't be any fairer than that.
JR51.
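The three log lines quoted above are one artifact seen three ways: FRDEPB~1.EXE is the DOS 8.3 short name of frdepbcugr.exe (first six characters of the stem plus ~1), and FRDEPB~1.DAT is a companion file with the same random stem. A scanner reports each separately, so it helps to group them before renaming. The script below is an added example, not part of the post and not Blacklight's code: it parses lines in the "Hidden process:" / "Hidden file:" form quoted above (the only part of Blacklight's log layout assumed here), matches short names to long names with the 8.3 rule, and groups each hidden process with the hidden files that share its stem. Only the three quoted lines are real; the QWERTY~1.DLL line is constructed to show a file that belongs to no listed process and deserves a look before it is renamed.

```python
"""Group a Blacklight-style log into process -> companion files.

Added example, not Blacklight's code. The three frdepbcugr lines are the
ones quoted in the thread; QWERTY~1.DLL is constructed. Only the
"Hidden process:" / "Hidden file:" line prefixes are assumed.
"""
import re

SAMPLE_LOG = r"""Hidden process: C:\WINNT\system32\frdepbcugr.exe
Hidden file: c:\WINNT\SYSTEM32\FRDEPB~1.EXE
Hidden file: c:\WINNT\SYSTEM32\FRDEPB~1.DAT
Hidden file: c:\WINNT\SYSTEM32\QWERTY~1.DLL
"""

LINE_RE = re.compile(r"^Hidden (?P<kind>process|file):\s*(?P<path>.+?)\s*$")


def parse_log(text):
    """Return [(kind, path), ...] for every recognised line, in file order."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("kind"), m.group("path")))
    return out


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def split_name(name):
    """('frdepbcugr', 'exe') for 'frdepbcugr.exe'; extension may be ''."""
    if "." in name:
        stem, ext = name.rsplit(".", 1)
        return stem, ext
    return name, ""


def short_stem_candidates(long_stem):
    """8.3 stem Windows derives for a long file-name stem.

    Stems that already fit 8.3 keep their upper-cased form; longer or
    'illegal' ones become the first six legal characters plus ~N. N depends
    on collisions and cannot be known from the log, so it is returned as a
    prefix and matched with a digit wildcard by stems_match().
    """
    legal = re.sub(r"[ .+,;=\[\]]", "", long_stem).upper()
    if legal == long_stem.upper() and len(legal) <= 8:
        return legal, None            # exact stem, no tilde
    return legal[:6], "~"             # prefix followed by ~<digits>


def stems_match(seen_stem, long_stem):
    """True if a stem seen in the log (short or long form) names long_stem."""
    s = seen_stem.upper()
    if s == long_stem.upper():
        return True
    prefix, tilde = short_stem_candidates(long_stem)
    if tilde is None:
        return s == prefix
    return re.fullmatch(re.escape(prefix) + r"~\d+", s) is not None


def group_findings(entries):
    """Map each hidden process to the hidden files sharing its stem."""
    processes = [p for k, p in entries if k == "process"]
    files = [p for k, p in entries if k == "file"]
    groups = {p: [] for p in processes}
    unmatched = []
    for f in files:
        f_stem, _ = split_name(basename(f))
        owner = next((p for p in processes
                      if stems_match(f_stem, split_name(basename(p))[0])), None)
        (groups[owner] if owner else unmatched).append(f)
    return groups, unmatched


if __name__ == "__main__":
    groups, unmatched = group_findings(parse_log(SAMPLE_LOG))
    for proc, companions in groups.items():
        print(proc)
        for c in companions or ["(no companion files)"]:
            print("  " + c)
    if unmatched:
        print("Hidden files matching no hidden process (check before renaming):")
        for f in unmatched:
            print("  " + f)
```

Paste the relevant lines of a real fsbl-*.log into SAMPLE_LOG (or read the file) and rename everything in a group together; an unmatched entry is not automatically bad, but it is the one to ask about before touching it.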
#5
08-March-2007, 11:52
snoozy (Screamager; Join Date: May 2001; Location: oldgitshire; Posts: 287)
Re: internetgamebox

WOW - You loaded this bad stuff onto your PC to help me out! Thanks!


Do you think we could manually uninstall internetgamebox to avoid unblocking it (or just leave it and ignore it)? I know she will be nervous of allowing it to "phone home" again. (Me too, to be honest, if she will have ActiveX enabled to allow it to uninstall.)

Then run promoremover and Blacklight like you did.

How did you uninstall it manually?

Thanks again
#6
08-March-2007, 13:43
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hiya.

You can manually uninstall it if you wish, but some Registry editing is required to remove the traces of the program and the rootkit entries that may be in there.

These instructions may be slightly different on XP; I am using Win2k, but you should be able to follow them easily enough.

Make sure the program is not running before you continue.

1. Go to Program Files and delete the InternetGameBox folder.

2. Go to Start/Programs and look for the InternetGameBox folder in there, right click on the main folder and select Delete.

3. Run the promoremover.exe file, as mentioned in my other reply.

4. Run Blacklight and rename the files it finds, make sure Blacklight is in its own folder on the Desktop for the Log to be created. We may need this log later for cleaning the registry and removing the renamed files from the PC.

5. Close any open programs/windows, etc and restart the PC, when Blacklight requests a restart.

Hopefully the popups should be gone and its just the cleaning of the remnant files left to do.

If not, let me know.

I have 5 exported Registry files here that I collected from a search of the Registry, but only 4 are usable; the other one contains the random-named files created by the rootkit and will be of no value to you, because they will all be different.

If you are competent in the Registry, I can give you all the locations I found; if not, I can create a Reg file to remove them, except the rootkit entries, which will have to be done manually, I'm afraid. But saying that, if I have the exact names of the random files it created, it may be possible to add them to the cleaning Reg file. Duh!

Try what I have outlined above and see if that works OK, then let me know what you wish to do regarding the Registry, etc. I can then give more instructions to remove the remnant files left behind on the PC.

EDIT.

Before you rename any files in the Blacklight program, can you first post back what files are shown in the Clean Hidden Items window, just as a precaution in case there are some legitimate files in there. Mine only showed infections; I don't want any good files deleted by mistake.
JR51.

Last edited by JohnnyReb51: 08-March-2007 at 15:09. Reason: Added info.
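The registry step described above (search the Registry for the program name and for the rootkit's random file names, then build a Reg file that removes them) can be done from a regedit export instead of by hand, which also leaves a record of what was removed. The script below is an added example and not the poster's Reg file: the export text is constructed, the HKLM\SOFTWARE\InternetGameBox key, the Uninstall key name and the Run entry are assumptions (the post does not give the locations it found, and whether the rootkit registers under Run is not something the thread establishes), and the random stem frdepbcugr is the one quoted earlier; on a real PC it comes from the Blacklight log. It emits a REGEDIT4 file that deletes whole keys named after the program ([-key] removes the key and all its subkeys) and only the matching values in shared keys such as Run ("name"=-), so unrelated entries in the same key are left alone.

```python
r"""Turn a regedit export into a cleaning .reg file.

Added example, not from the thread. The export below is constructed; the
HKLM\SOFTWARE\InternetGameBox key, the Uninstall key name and the Run entry
are assumptions. 'frdepbcugr' is the random stem quoted in the thread; take
the real one from the Blacklight log.
"""
import re

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"frdepbcugr"="C:\\WINNT\\system32\\frdepbcugr.exe frdepbcugr"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\InternetGameBox]
"InstallDir"="C:\\Program Files\\InternetGameBox"

[HKEY_LOCAL_MACHINE\SOFTWARE\InternetGameBox\Settings]
@="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetGameBox]
"DisplayName"="InternetGameBox"
"""

# What to search for: the program name plus the random stem from the log.
MARKERS = ["InternetGameBox", "frdepbcugr"]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def parse_export(text):
    """Return [(key_path, [(value_name, raw_data), ...]), ...] in file order.

    '' as value_name is the (Default) value. Multi-line hex values (lines
    ending in a backslash) are not reassembled; they are not needed here.
    Both the REGEDIT4 and the "Windows Registry Editor" headers are accepted.
    """
    keys = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group("key"), [])
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "" if name == "@" else name[1:-1]
            current[1].append((name, m.group("data")))
    return keys


def cleaning_reg(keys, markers):
    """Build a REGEDIT4 file: delete every key whose path names a marker and,
    in other keys, every value whose name or data names a marker.

    [-key] removes the key and all subkeys, so subkeys of a deleted key are
    skipped rather than listed twice. Review the output before importing it.
    """
    lowered = [m.lower() for m in markers]

    def hit(s):
        return any(m in s.lower() for m in lowered)

    out = ["REGEDIT4", ""]
    deleted = []
    for key, values in keys:
        if any(key.lower().startswith(d + "\\") for d in deleted):
            continue
        if hit(key):
            deleted.append(key.lower())
            out += [f"[-{key}]", ""]
            continue
        doomed = [n for n, d in values if hit(n) or hit(d)]
        if doomed:
            out.append(f"[{key}]")
            out += [("@=-" if n == "" else f'"{n}"=-') for n in doomed]
            out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(cleaning_reg(parse_export(SAMPLE_EXPORT), MARKERS), end="")
```

Export the branches you searched with regedit (File > Export), run the script over the file, read the result, then import it and reboot. REGEDIT4 is the plain-text format every regedit from Win2k onwards imports, which avoids the Unicode requirement of the version 5.00 header.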
#7
08-March-2007, 16:48
snoozy (Screamager; Join Date: May 2001; Location: oldgitshire; Posts: 287)
Re: internetgamebox

OK here's what we did...

Before starting we ran Blacklight, which found one hidden process and the (random name) hidden files as expected. We went ahead and renamed them (did this before reading your last message), but after a reboot the popups were back.

So we unblocked internetgamebox and uninstalled. Went OK; they asked why we were uninstalling. (Can't tell you what we said on a family forum.) The program disappeared OK, but not the popups.

Ran promoremover.exe, which also insisted on an internet connection to run (eeek!). It ran as you described. The popups have stopped, at least for now. She hasn't rebooted since. When she does I'll get her to run Blacklight again. If any hidden files remain, or if anything else is amiss, I'll post back here.

Thanks for your help - really appreciated.
#8
08-March-2007, 16:57
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hiya.

No problem, I will keep an eye on this thread for any replies then.

Lol at the "Went OK; they asked why we were uninstalling. (Can't tell you what we said on a family forum.)"
JR51.
#9
25-March-2007, 05:45
bugleboy1312 (Screamer; Join Date: Mar 2007; Posts: 2)
Re: internetgamebox

I'm stuck. I downloaded the promo remover program and it keeps asking me to connect to the internet.
#10
25-March-2007, 10:33
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hi bugleboy1312.

Welcome to The Scream! :)

You don't give much info on what you are trying to do; I assume remove the popups, etc.

Snoozy uninstalled the Internetgamebox program, then ran the Promoremover.exe.

If you are using the Promoremover, you will have to let it have access to the Internet for it to work. If you have a firewall installed, it may be blocking Promoremover, which needs to be allowed access.
JR51.
#11
25-March-2007, 23:37
bugleboy1312 (Screamer; Join Date: Mar 2007; Posts: 2)
Re: internetgamebox

Yes, I'm trying to stop the popups. How do I unblock the promoremover? I'm using McAfee firewall, by the way.
#12
30-March-2007, 17:45
JohnnyReb51 (Join Date: Apr 2001; Location: UK.; Posts: 1,780)
Re: internetgamebox

Hiya.

Firstly, you do realise that uninstalling the popups will stop the Internetgamebox program functioning completely.

When I ran the promoremover in a test, my firewall automatically asked to allow a connection to www03.gad-network.com, which I allowed. Did McAfee's firewall not do something similar?

Most firewalls will ask to block/allow any program that requires an Internet connection, which can only be authorised by you.

Once access is allowed, the cleaning program will continue and a panel will appear with a Start Cleaning button to press; once it has finished cleaning, it will say so and you OK it, possibly twice.

As for unblocking in McAfee, I am not conversant with that particular firewall and there may be several versions available, but I found this link for McAfee Personal Firewall Plus, which should be similar.

http://store.bioware.com/help/mcafee_firewall.html

The second picture in the link above shows you where to enter the Internet Applications settings; by clicking on that panel you should then be in picture 3, which shows the list of applications allowed and/or blocked.

If Promoremover is blocked, you need to highlight it in the list, then change the permission from Blocked to Allow Full Access.

I may be completely wrong with the above directions, because the info you have given is very sparse, so don't be afraid to talk, lol.
JR51.