Warning Internet Gamebox

November 11, 2006 on 9:45 pm | In Malware analysis | 18 Comments

Originally posted  Aug 11 2006, 01:10 PM


InternetGamebox is available from the .com site with the same name.

This so-called Totally Free software installs adware on your computer that behaves like a rootkit.
In other words, it hides its files from Windows so that Explorer and ordinary scanners that rely on the Windows API do not see them.
This malware is also spread by MailSkinner and is usually called EGDAccess or NaviPromo.

If you are lucky, all it does is display ads in pop-unders, but if you are connected to the net by dial-up it could also “spice up” your phone bill.

If you are infected with this adware, please follow this procedure:
Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE: http://metallica.geekstogo.com/EGDACCESS.bfu and choose “Save As” (in IE it’s “Save Target As”) in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute, copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Then reboot your computer and look for the file C:\egd.txt that was created by the script.
Post the content of that file on the Malware Removal forum, explaining what you did. Also look at the content of the folder bfubackups in your System(32) folder; this folder was also created by the script. Let the helper know if any files were in that folder and, if so, what they are called.

If I have some time, I’ll infect a virtual machine shortly and post my findings here.
Update: done that. Results below.

Well, I installed InternetGamebox, and it is definitely bad news.
Besides trying to harvest email addresses (it asks you to send a message to your friends from an online form), it also installs the NaviPromo/EGDAccess rootkit.

Here is what I found with Blacklight:

[screenshot of the Blacklight results]

After renaming those files and rebooting, HijackThis showed the startup entry:

Submitting the file wmjglyxr.exe to one of the online scanners confirmed what we already suspected:
File: wmjglyxr.exe
SHA-1 Digest: a124914f2ae67742e3326b2230edc10ee7447cc3
Packers: PECompact v2.00
Status: Infected or Malware

None of the scanners identifies it correctly yet, though. (I’ll make sure that changes shortly.)

18 Comments »


  1. Another site is spreading this malware:
    http://www.gorecord.com/

    Investigated and reported by Malekal_morte:
    http://forum.malekal.com/ftopic848.php

    I’ll run some tests of my own later and post the results here.

    Installed Go Record on my VM and noticed there are a lot of similarities with InternetGamebox.
    They try to get your friends’ email addresses, and the EULA mentions the advertisements they will show to you.
    No word about a rootkit of course. 🙁

    But it’s certainly there after the install.


    And the startup entry:
    O4 - HKLM\..\Run: [ffqjdtffxp] c:\windows\system32\ffqjdtffxp.exe ffqjdtffxp

    This adds Go Record to the list of MailSkinner and InternetGamebox.
    Others that we expect to fit this same bill:
    Go-Astro, Web-Mediaplayer and SudoPlanet

    Comment by metallica — November 11, 2006 #
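The startup entry quoted in the comment above, together with the wmjglyxr.exe finding in the post, gives this family a recognisable shape: a Run value whose name, executable stem and single command-line argument are the same random lowercase string, with the executable dropped straight into system32. The script below is an added example, not code from the original post, from BFU or from Navilog1; it parses HijackThis O4 lines and flags that shape. The sample log is constructed: only the ffqjdtffxp line is quoted from the comment above, the wmjglyxr line is the shape the post's entry would have had (the page does not show it), and the remaining lines are made-up benign entries.

```python
import re

# Matches a HijackThis "O4" autostart line such as
#   O4 - HKLM\..\Run: [ffqjdtffxp] c:\windows\system32\ffqjdtffxp.exe ffqjdtffxp
# The copy on this page uses an en dash after "O4"; real HijackThis output uses
# a hyphen, so both are accepted.
O4_RE = re.compile(
    r"^O4\s+[-\u2013]\s+(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+):\s+"
    r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+?)\s*$"
)

# Constructed sample log. Only the first line is quoted from the comment above;
# the second is the shape the post's wmjglyxr.exe entry would have (the page does
# not show it); the rest are made-up benign entries.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [ffqjdtffxp] c:\windows\system32\ffqjdtffxp.exe ffqjdtffxp",
    r"O4 - HKLM\..\Run: [wmjglyxr] C:\WINDOWS\system32\wmjglyxr.exe wmjglyxr",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKLM\..\Run: [Backup Agent] "C:\Program Files\Example Corp\agent.exe" /background',
    "O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)",
]


def split_command(cmd):
    """Split a Run value into (executable path, [arguments]).

    A quoted path ends at the closing quote; an unquoted one ends at the
    first '.exe', which is how the sample lines are laid out.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), []
        path, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = re.match(r"(?i)(.+?\.exe)(\s+.*)?$", cmd)
        if not m:
            return cmd, []
        path, rest = m.group(1), m.group(2) or ""
    return path, rest.split()


def analyze_o4(line):
    """Return a dict of indicators for one O4 line, or None if it is not an O4 line."""
    m = O4_RE.match(line)
    if not m:
        return None
    path, args = split_command(m.group("cmd"))
    path_l = path.lower().replace("/", "\\")
    filename = path_l.rsplit("\\", 1)[-1]
    stem = filename[:-4] if filename.endswith(".exe") else filename
    indicators = {
        # executable dropped straight into system32 rather than a program folder
        "in_system32": "\\system32\\" in path_l,
        # 8-12 lowercase letters with no digits or separators, like the random
        # names on this page (ffqjdtffxp, wmjglyxr), unlike ctfmon or rundll32
        "random_name": re.fullmatch(r"[a-z]{8,12}", stem) is not None,
        # the only argument is the program's own name
        "self_arg": len(args) == 1 and args[0].lower() == stem,
        # the Run value is named after the executable as well
        "name_matches": m.group("name").lower() == stem,
    }
    return {
        "hive": m.group("hive"),
        "name": m.group("name"),
        "path": path,
        "stem": stem,
        **indicators,
        "suspicious": all(indicators.values()),
    }


def scan(lines):
    """Return the stems of every O4 entry that matches the NaviPromo shape."""
    hits = []
    for line in lines:
        result = analyze_o4(line)
        if result and result["suspicious"]:
            hits.append(result["stem"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = analyze_o4(line)
        if result:
            tag = "SUSPECT" if result["suspicious"] else "ok     "
            print(tag, result["name"], result["path"])
    print("flagged:", scan(SAMPLE_LINES))
```

Run it on a saved HijackThis log by replacing SAMPLE_LINES with the file's lines. All four indicators are required before an entry is flagged, which keeps legitimate system32 autostarts such as ctfmon.exe out of the results; because the rootkit hides its files, an entry that is flagged here is only a lead, and the file itself may not be visible until the hidden files have been renamed or the machine booted from clean media.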

  2. Another one (found by Malekal_morte)

    messengerskinner.com

    Comment by metallica — November 11, 2006 #

  3. My BFU for this malware will no longer be updated.
    A better tool to remove it has been developed by il-mafioso called Navilog1.
    I gave him full permission to use the data I had gathered about this family of malware.
    You will probably need guidance using it though, so post on one of the renowned computer forums if you suspect you are infected with this malware.
    Recently also indicated by popups advertising “spyware secure”.

    I bid my “child” adieu and wish il-mafioso good fortune with his tool. 🙂

    Comment by pieterarntz — October 8, 2007 #

  4. I sent an email asking Internet Gamebox how I could remove the adware, and they gave me this link that supposedly uninstalls the software:
    http://www.pc-on-internet.com/uninstall.php

    Hope this helps. I personally was able to remove it through a small program called Navilog.

    later
    Alex

    Comment by AyeSee — January 22, 2008 #

  5. Glad you got rid of it Alex. Navilog sure looks like a better choice than the “official” uninstaller. 🙂

    Comment by Pieter Arntz — January 22, 2008 #

  6. 😀 This blog is just about ruined, because all you have to do is go on their website, click on Help & Support and scroll to the very bottom of the page, and on the left there is an uninstall button. But if you want to keep Internet Gamebox on your computer, install it a second time (if it was deleted before and you still have adware, reinstall it twice) and then uninstall the way I told you to, and you will have one copy of the Gamebox on your computer. 😆

    Comment by Ross — April 4, 2008 #

  7. I’m sorry Ross, but I’m afraid you have no idea what a rootkit is.
    http://en.wikipedia.org/wiki/Rootkit
    They are designed to make you think nothing was left behind on your computer. 💡

    Comment by metallica — April 5, 2008 #

  8. For those that come here looking for a removal method, Navilog1 is described in English here:
    http://pagesperso-orange.fr/il.mafioso/Navifix/presentation_eng.htm
    Changelog: http://pagesperso-orange.fr/il.mafioso/Navifix/changelog.htm
    If you are uncomfortable with running the fix by yourself, get help on one of the renowned forums.

    Good luck and beware.

    Comment by metallica — April 27, 2008 #

  9. Just downloaded the official uninstaller and it worked! No more pop-ups, and my system does seem like it was before I was stupid enough to download the Internet Gamebox.

    Comment by vincent Cassar — May 24, 2008 #

  10. Glad to hear it Vincent, but I can not emphasize enough that you need to check your computer for rootkits. Even if all seems well.

    Comment by metallica — May 25, 2008 #

  11. Another program is including this malware:
    Live-Player from live-player.com installs NaviPromo as well.

    Comment by metallica — August 10, 2008 #

  12. Just wanted to say thanks.

    saw an ad for this.

    Looked good.

    Also looked suspicious.

    Have read this now, and haven’t installed it.

    Cheers.

    Comment by nick — August 20, 2008 #

  13. My pleasure nick 😎

    It pleases me even more to hear I spared someone the ordeal than helping someone get rid of it.

    Comment by metallica — August 20, 2008 #

  14. as above, thanks for this blog as it stopped me from installing this tempting looking piece of kit..

    Comment by Geek UK — October 31, 2008 #

  15. 😯 Wow, thanks a lot for posting this.
    I downloaded the Gamebox software and tried to install it, but luckily enough my old computer didn’t listen to me lol.
    Anyways after it refused to install, I did a search on it and found this.

    Thanks again and Talk about a close call! :mrgreen:

    Comment by Angela — January 12, 2009 #

  16. 😈 how do you get Internet Gamebox now in 2010???

    Comment by awesome — May 1, 2010 #

  17. What I don’t realize is actually how you are not really much more well-liked than you might be now. You are very intelligent. You realize thus significantly relating to this subject, made me personally consider it from a lot of varied angles. Its like men and women aren’t fascinated unless it’s one thing to accomplish with Lady Gaga! Your own stuffs great. Always maintain it up!

    Comment by Julieta Kostohryz — December 30, 2011 #

  18. It’s a good summary. Thank you

    Comment by drzwi wrocław — April 6, 2012 #
