Internet Explorer - about:navigationfailure

ccwestbrook asked:

Hi,

We've just had 5 of our laptops come into the office so that we can make some changes to their configuration.  These are Windows XP Pro laptops that are joined to a Windows 2003 SBS domain.  They generally don't connect to the domain as they are usually out in the field, and they use Verizon wireless cards for internet.  After having the work done and going back into the field, several of them could no longer access the internet.  It would bring up the following in the address bar: "about: navigationfailure"

However, we've found that if we delete their temporary files and cookies and then either reboot the computer or restart the EXPLORER service, the internet works again for a while.

These are the changes we made on the computers: Removed Local Admin rights (except on one, and that one was also affected), disabled offline files and relocated My Documents to local hard drive, encrypted My Documents and Desktop folder, installed IDRIVE.COM remote backup, and installed SPECTOR 360 remote monitoring.  

Also, they can access their e-mail through Outlook (using HTTP over SSL) with no problems; they just cannot access the web in Internet Explorer.  Scanning the systems with MalwareBytes and HijackThis also turned up nothing.

Any ideas what could be happening?  
sfarazmand:

Try accessing the internet with another browser to be sure it's not an IE issue (which I doubt). What Group Policy is in place on the domain? Is there a proxy? Is that proxy set through Group Policy? Check the network connections (flush DNS).
What does "relocated My Documents to local hard drive" mean? Roaming profiles?
What was used to encrypt?
 
Could you try downloading ComboFix from here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and then disable your existing antivirus protection and run it. Then, after ComboFix creates a log, send that log to us and re-enable your existing antivirus protection. Also run a full MalwareBytes scan.

If ComboFix cannot run or flashes for a second and then disappears, then you need to download it again and save it with a different name. You can download this on a working PC, save it with a different name on a USB drive and then transfer it to the problem PC and run it.
ccwestbrook (asker):

Hi!  We've tried IE and Firefox now too.  Firefox says "Url invalid" where IE says "about:navigationfailure"

The encryption is just EFS.  We encrypt the Documents and the Desktop folder.

Previously, the My Documents folder was redirected to a file share on a server and the laptops used offline files while in the field.  We relocated it back to the local hard drive and set up remote backup because they rarely come into the office.  

There's no proxy.  In the office we use a SonicWALL firewall, but they are accessing the internet in the field using verizon wireless cards typically.  

When we delete temporary files and cookies and reboot the system, it works for a while but it comes back later, apparently after the second restart.  Also, all of the changes were done on my own laptop as well and it has not had any problems.
Here is the ComboFix log:
ComboFix.txt
Forgot to turn off my AV that time; here is another log file after turning off Trend Micro:
combofix2.txt
Have you scanned with MalwareBytes now? The first ComboFix log shows a lot of deletions.

Observations:

1. Do you know this file? C:\wellabandon.zip. If not, then I suggest uploading it to www.virustotal.com for a virus scan.

2. Upload the files below to www.virustotal.com for a scan:
   c:\windows\system32\drivers\RimSerial.sys
   c:\windows\system32\vdorctrl.dll
   c:\windows\system32\svrltmgr.dll
   vmrypz.dll   (I don't know where it is on your system, most likely within c:\windows\system32)

Alternatively, do a scan with the BitDefender Online Scanner based at: http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html and let us know what you find.

RimSerial.sys scanned fine; the other DLLs wouldn't scan with virustotal.com.  MalwareBytes found nothing.
orangutang:

I am going to suggest a scan with Dr Web CureIt Live CD: http://www.freedrweb.com/livecd/ . Download the ISO file and burn it as an image on a CD. Then boot your system from this CD and run the Dr Web Scanner. Click on select all and cure after the scan finishes. Then reboot your PC in normal mode and scan with your own antivirus (Trend Micro).

This scan will not load any Windows files or drivers and hence, is good at removing rootkits as well.

rpggamergirl:
C:\wellabandon.zip <-- I assume you created or know this archive?

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\vdorctrl.dll
c:\windows\system32\svrltmgr.dll
c:\windows\system32\vmrypz.dll

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Keyan3d"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again and delete what's in the script.

@ warturtle:
Thanks for the alert.
Disable Spector 360, Windows Firewall and any software firewall you are running on ONE machine. See if the problem is gone.
Spector can cause a bit of flakiness. If you use it, create an exclusion rule in your antivirus/antispyware/firewall that its files are good and not to be scanned.

Be careful with ComboFix; it may detect Spector as malware. For example, the svrltmgr.dll that rpggamergirl has posted to delete belongs to Spector 360, which is a hidden remote monitoring service.

Is the Server 2003 SBS machine doing DHCP for the rest of the computers or not? If not, disable the DHCP service on SBS if it is enabled and DHCP is handled by a router or the like.
If you can't disable Spector on one machine, uninstall it completely. It might be a pain since it won't show up in Add/Remove. Follow the manufacturer's uninstall procedure. If you are working correctly afterwards, you'll know Spector is the problem. Verify you are using Spector directly from the manufacturer, not the ones floating around the web being packaged with cloaked malware, or programs that claim to unlock it, as they themselves have hidden malware.

I had a few problems with different remote monitoring software. Some were a pita to uninstall, with deletion of each file and registry edits per manufacturer. Using McAfee Enterprise at work kept detecting part of the remote monitoring files as hidden rootkits and it would lock up that file, causing connectivity issues. That and glitches by the manufacturers themselves. Check their website for any software updates/patches, etc.

RimSerial belongs to BlackBerry software; I'd leave that alone if clients use BlackBerries.

I hope some of my insight can be helpful even if down the road.
ccwestbrook.

Worst case scenario, start over with a fresh computer. Connect to SBS. Install 1 program at a time from the ones you mentioned in your post. Reboot and test for a bit, install another item, repeat and so on. The computers were working fine until the additions were installed.

My gut instinct is it lies with Spector, DHCP from the server, or a rogue service at this time. I may be wrong; take the simple steps to find out. The world of IT, they make us work harder sometimes :)
Yes, those files belong to Spector 360; malware researchers don't seem to like that program, lol. It's understandable I guess, being that type.


PrevX classified it as a fraudulent security program
http://74.125.153.132/search?q=cache:scMvueoxQ-0J:www.prevx.com/filenames/995150728107722352-X1/VMRYPZ.DLL.html+vmrypz.dll&cd=1&hl=en&ct=clnk&gl=au

ThreatExpert classified it as Backdoor.win32.URLBot
http://74.125.153.132/search?q=cache:zeUk5863RkgJ:www.threatexpert.com/files/svrltmgr.dll.html+svrltmgr.dll+threatexpert&cd=1&hl=en&ct=clnk&gl=au

McAfee classified it as Spyware-SpectorKey
http://74.125.153.132/search?q=cache:tMabHA-HJlYJ:vil.nai.com/vil/content/v_153135.htm+system32%5Csvrltmgr.dll&cd=1&hl=en&ct=clnk&gl=au

Well, I don't think it is Spector since this problem hasn't occurred on my own laptop, which I put all of these things on prior to installing them on the field laptops.  My own laptop hasn't had problems, but those guys do go to some of the same questionable websites based on what I saw before in their internet files and may have gotten something in common?  Also, the abandonwell.zip file is a file I created; it just contains some well abandonment pictures.  I'll try these new scans you've suggested next.
Dr. Web scanner says a couple of system volume info/_restore/... .bat files are "probably infected with BATCH.Virus", and a number of temp internet files infected with Trojan.Download.28002
What specifically could cause "about:navigationfailure" to occur in internet explorer?
A number of things, mostly related to spyware.
Here's one link: http://www.bleepingcomputer.com/forums/topic4210.html
Download CWS Shredder and About Buster, and run them one after the other.
Check your DNS; make sure they are not hijacked to point somewhere else.
Check your hosts file for any weird IPs.
Go to superantispyware.com, download it, install it, UPDATE it first, then do a scan.

Shut off System Restore when starting to do any of the above; turn it back on when clean.

If still troubled, uninstall Spector from one machine and navigate.

Other factors... firewall. You mentioned you have a SonicWALL firewall. Is it set to block specific sites, or sites based on a rating?
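As an added example (not posted by anyone in this thread), a read-only PowerShell triage script that performs the checks suggested above and also inspects the two autostart registry values named in the earlier CFScript (ShellServiceObjectDelayLoad and AppInit_DLLs); it assumes PowerShell is installed on the XP SP3 laptop and only prints findings for a human to judge.

```powershell
# Added triage script, not from the thread. Read-only: it changes nothing.
# Covers the hosts file, per-adapter DNS servers, and the two explorer/user32
# load points the CFScript in this thread targets.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. hosts entries: any IPv4 line other than the standard loopback entry.
#    A real site name mapped to a foreign address here is a classic hijack.
Write-Host "== hosts entries other than 127.0.0.1 localhost =="
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*\d' } |
    Where-Object { $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' } |
    ForEach-Object { Write-Host "  $_" }

# 2. DNS servers per IP-enabled adapter (the Verizon card and the wired NIC).
#    A resolver you do not recognise is worth checking against the carrier/ISP.
Write-Host "== DNS servers by adapter =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Write-Host ("  {0}: {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
    }

# 3. ShellServiceObjectDelayLoad: each value is a CLSID that explorer.exe loads
#    at start. Resolve the CLSID to its DLL so an unknown entry (the thread's
#    "Keyan3d") can be tied to a file on disk.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
Write-Host "== ShellServiceObjectDelayLoad =="
$props = Get-ItemProperty -Path $ssodl -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |      # skip PowerShell's PS* metadata
        ForEach-Object {
            $clsid = $_.Value
            $dll = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
            Write-Host ("  {0} = {1} -> {2}" -f $_.Name, $clsid, $dll)
        }
}

# 4. AppInit_DLLs: every DLL listed here is injected into each process that
#    loads user32.dll, browsers included. Empty is the expected state.
#    The CFScript refers to the AutorunsDisabled subkey, so show both.
$winNT = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
Write-Host "== AppInit_DLLs =="
foreach ($key in @($winNT, (Join-Path $winNT 'AutorunsDisabled'))) {
    if (Test-Path $key) {
        $val = (Get-ItemProperty -Path $key).AppInit_DLLs
        Write-Host ("  {0}: '{1}'" -f $key, $val)
    }
}
```

Run it from an elevated PowerShell prompt on one affected laptop and again after the temporary-file cleanup; a value that differs between the two runs points at what is re-breaking the browser.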
It's not set to block any sites currently.  However, these laptops are usually accessing the internet out in the field through verizon wireless cellular internet cards and aren't going through the corporate firewall.
If these laptops are connected wired, do they experience connectivity issues, or is it simply when out in the field?
It occurs both in the field and also when they are wired in on the corporate network.  The interesting thing I should point out again, though, is that we can get the internet to work temporarily by deleting their temporary files and temporary internet files, cookies, etc., but then a day later or whatnot it is happening again.
I see. In the meantime you can put this one-line command to start up with the PC:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Try it, copy and paste it to your run box.

Have you done the superantispyware, cws shredder, about buster yet? Be sure to shut off system restore before doing so.

Could you download hijackthis and post a quick log here?
Is it possible on one machine you can remove trend micro and install symantec endpoint temporarily?
You are using SP3 with all the latest updates?
Yes, the computers are up to date.  The Dr Web CureIt Live CD turned up nothing.  Here's something new: I've found that if I terminate the EXPLORE.EXE process and then reload EXPLORER.EXE via Task Manager, it fixes the problem temporarily.
It might be worth installing a personal firewall on those PCs that actually travel to client sites and trying to surf the internet then. You already have an antivirus, and if you install a firewall it might help. My suggestion is ZoneAlarm Free firewall (www.zonelabs.com). I don't think it's free for corporate use, but you can download a trial version and see its effectiveness. If it works out for you, then you can get the multi-PC license and have this on laptops connecting to external networks.

ASKER CERTIFIED SOLUTION by NaturaTek (only available to Experts Exchange members)

It identified Spector files. Anyway, this time I completely removed Spector from one of the laptops and now that laptop has no problem.  Funny, because some laptops with Spector have no issues.  So I'm trying to work it out with their technical support now as to the problem.
Strong instinct it was Spector. Using remote monitoring software is a bit tricky; the best way I found to make it work is disabling antivirus/firewall first, installing it, and creating precise rules in the firewall/antivirus/antispyware software to allow it and to exclude it from scans/detection. Then turn the antivirus back on. I'm not sure if the Trend you are using detects it or blocks it. As you saw, more than a handful of programs detect it as spyware; in all reality it is spyware, but legitimate spyware. The minute one program detects 1 tiny part of Spector and quarantines it, little glitches arise.

Spector claims incompatibility with Spybot, because Spybot does detect it and removes parts of its files, rendering it useless.

I would go as far as reinstalling with the method I posted, but I'm sure you've done that. Perhaps Spector can offer some update/patch to resolve.