• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1997
  • Last Modified:

Internet Explorer - about:navigationfailure

Hi,

We've just had 5 of our laptops come into the office so that we can make some changes to their configuration.  These are Windows XP Pro laptops that are joined to a Windows 2003 SBS domain.  They generally don't connect to the domain as they are usually out in the field, and they use Verizon wireless cards for internet.  After having the work done and going back into the field, several of them could no longer access the internet.  It would bring up the following in the address bar: "about: navigationfailure"

However, we've found that if we delete their temporary files and cookies and then either reboot the computer or restart the EXPLORER service, the internet works again for a while.

These are the changes we made on the computers: Removed Local Admin rights (except on one, and that one was also affected), disabled offline files and relocated My Documents to local hard drive, encrypted My Documents and Desktop folder, installed IDRIVE.COM remote backup, and installed SPECTOR 360 remote monitoring.  

Also, they can access their e-mail through outlook (using http over ssl) with no problems, they just cannot access the web on internet explorer.  Scanning the systems with malwarebytes and hijackthis turned up nothing also.  

Any ideas what could be happening?  
0
ccwestbrook
Asked:
ccwestbrook
  • 11
  • 10
  • 4
  • +3
1 Solution
 
sfarazmandCommented:
Try accessing the internet with another browser to be sure it's not an IE issue (which I doubt). What Group Policy is in place on the domain? Is there a proxy? Is that proxy set through Group Policy. Check the network connections (flush dns).
what does relocated My Documents to local hard drive mean? Roaming pofiles?
what was used to encrypt?
 
0
 
warturtleCommented:
Could you try downloading ComboFix from here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and then disable your existing antivirus protection and run it. Then, after ComboFix creates a log, send that log to us and re-enable your existing antivirus protection. Also run a full MalwareBytes scan.

If ComboFix cannot run or flashes for a secnod and then disappears, then you need to download again and save with a different name. You can download this on a working PC, save with a different name on the USB drive and then transfer it to the problem PC and run it.
0
 
ccwestbrookAuthor Commented:
Hi!  We've tried IE and Firefox now too.  Firefox says "Url invalid" where IE says "about:navigationfailure"

the encryption is just EFS.  We encrypt the Documents and the Desktop folder

Previously, the My Documents folder was redirected to a file share on a server and the laptops used offline files while in the field.  We relocated it back to the local hard drive and set up remote backup because they rarely come into the office.  

There's no proxy.  In the office we use a SonicWALL firewall, but they are accessing the internet in the field using verizon wireless cards typically.  

When we delete temporary files and cookies and reboot the system, it works for a while but it comes back later.. apparently after the second restart.  Also, all of the changes were done on my own laptop as well and have not had any problems.  
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
ccwestbrookAuthor Commented:
Here is the Combo FIX log
ComboFix.txt
0
 
ccwestbrookAuthor Commented:
forgot to turn off my AV that time.. here is another log file aftering turning off Trend Micro
combofix2.txt
0
 
warturtleCommented:
Have you scanned with MalwareBytes now? The first ComboFix log shows a lot of deletions.

Observations:

1. Do you know this file? C:\wellabandon.zip , if not then I suggest uploading it on www.virustotal.com for a virus scan.

2. Upload the below files on www.virustotal.com for a scan:
    c:\windows\system32\drivers\RimSerial.sys
   c:\windows\system32\vdorctrl.dll
   c:\windows\system32\svrltmgr.dll
   vmrypz.dll   (I don't know where it is on your system, most likely within c:\windows\system32)

Or

Alternatively, do a scan with the BitDefender Online Scanner based at: http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html and let us know, what you find.

0
 
ccwestbrookAuthor Commented:
RimSerial.sys scanned fine, the other dlls wouldn't scan with virustotal.com.  Malwarebytes found nothing
0
 
orangutangCommented:
0
 
warturtleCommented:
I am going to suggest a scan with Dr Web CureIt Live CD: http://www.freedrweb.com/livecd/ . Download the ISO file and burn it as an image on a CD. Then boot your system from this CD and run the Dr Web Scanner. Click on select all and cure after the scan finishes. Then reboot your PC in normal mode and scan with your own antivirus (Trend Micro).

This scan will not load any Windows files or drivers and hence, is good at removing rootkits as well.

0
 
rpggamergirlCommented:
C:\wellabandon.zip <-- I assume you created or know this archive?

  Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\vdorctrl.dll
c:\windows\system32\svrltmgr.dll
c:\windows\system32\vmrypz.dll

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Keyan3d"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again and delete what's on the script.
 
@ warturtle:
Thanks for the alert.
0
 
NaturaTekCommented:
Disable Spector 360 , windows firewall any software firewall you are running on ONE machine. See if the problem is gone.
Spector can cause a bit flakiness. If you use it, create a exclusion rule in your antivirus/antispyware/firewall that it's file are good and not to be scanned.

Becareful on combofix, it may detect spector as malware, for example the svrltmgr.dll rpggamergirl has posted to delete belongs to spector 360, which is a hidden remote monitoring service.

Is the server 2003 sbs machine doing dhcp for the rest of the computers or not? If not, disable dhcp service on sbs if enabled and if dhcp is handled by a router or so.
0
 
NaturaTekCommented:
If you can't disable spector on one machine, uninstall it completely. It might be a pain since it wont show up in add/remove. Follow the manufacturers uninstall procedure. If you are working correctly afterwards, you'll know spector is the problem. Verify you are using Spector directly from the manufacturer not the ones floating around the web being packaged with cloaked malware. Or programs that claim to unlock it, as they themselves have hidden malware.

I had few problems with diff remote monitoring software. Some to uninstall was a pita with deletion of each file and registry edits per manufacturer. Using the mcafee enterprise at work kept detecting part of the remote monitoring files as hidden rootkits and it would lock up that file, causing connectivity issues. That and glitches by the manufacturer themselves. Check with their website for any update software/patches, etc.

rimserial belongs to blackberry software, I'd leave that alone if clients use blackberries.

I hope some of my insight can be helpful even if down the road.
0
 
NaturaTekCommented:
ccwestbrook.

Worst case scenario, start over with a fresh computer. Connect to sbs. Install 1 program at a time from the ones you mentioned in your post. Reboot and test out for a bit, install another item. repeat and so on. Computers were working fine until the additions installed.

My gut instincts it lies with spector, dhcp from server, or a rogue service at this time. I maybe wrong, take the simple steps to find out. The world of IT, they make us work harder sometimes :)
0
 
rpggamergirlCommented:
Yes, those files belongs to Spector 360, malware researchers don't seem to like that program, lol. It's understandable I guess being that type.


PrevX classified it as a fraudulent security program
http://74.125.153.132/search?q=cache:scMvueoxQ-0J:www.prevx.com/filenames/995150728107722352-X1/VMRYPZ.DLL.html+vmrypz.dll&cd=1&hl=en&ct=clnk&gl=au



ThreatExpert classified it as Backdoor.win32.URLBot
http://74.125.153.132/search?q=cache:zeUk5863RkgJ:www.threatexpert.com/files/svrltmgr.dll.html+svrltmgr.dll+threatexpert&cd=1&hl=en&ct=clnk&gl=au 
 

McAfee classified it as Spyware-SpectorKey
http://74.125.153.132/search?q=cache:tMabHA-HJlYJ:vil.nai.com/vil/content/v_153135.htm+system32%5Csvrltmgr.dll&cd=1&hl=en&ct=clnk&gl=au

0
 
ccwestbrookAuthor Commented:
Well, I don't think it is Spector since this problems hasn't occured on my own laptop which I put all of these things on prior to installing it on the field laptops.  My own laptop hasn't had problems.. but those guys do go to some of the same questionable websites based on what I saw before in their internet files and may have gotten something in common?  Also the abandonwell.zip file is a file I created.. just contains some well abandonment pictures.  I'll try these new scans you've suggested next.
0
 
ccwestbrookAuthor Commented:
Dr. Web scanner says a couple of system volume info/_restore/... .bat files are "probably infected with BATCH.Virus", and a number of temp internet files infected with Trojan.Download.28002
0
 
ccwestbrookAuthor Commented:
What specifically could cause "about:navigationfailure" to occur in internet explorer?
0
 
NaturaTekCommented:
A number of things, mostly related to spyware
Heres one link http://www.bleepingcomputer.com/forums/topic4210.html
Download CWS Shredder, About Buster, run them one after the other.
Check your DNS, make sure they are not hijacked to point somehere else
Check your host file for any weird IP's
Go to superantispyware.com, download it, install it, UPDATE it first, then do a scan.

Shut off Systemrestore when starting to do anything of the above, turn it back on when clean.

If still troubled, uninstall the spector from one machine and navigate.

0
 
NaturaTekCommented:
Other factors...firewall. You mentioned you have a sonic firewall..is it set to block specific sites, or sites based on a rating?
0
 
ccwestbrookAuthor Commented:
It's not set to block any sites currently.  However, these laptops are usually accessing the internet out in the field through verizon wireless cellular internet cards and aren't going through the corporate firewall.
0
 
NaturaTekCommented:
If these laptops are connected wired, do they experience connectivity issues, or is it simply when out in the field?
0
 
ccwestbrookAuthor Commented:
it occurs both in the field and also when they are wired in on the corporate network.  The interesting thing I should point out again though is we can get the internet to work temporarily by deleting their temporary files and temporary internet files, cookies, etc.  but then a day later or what not it is happening again.  
0
 
NaturaTekCommented:
I see, in the mean time you can put this one line command to start up with the PC:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Try it, copy and paste it to your run box.

Have you done the superantispyware, cws shredder, about buster yet? Be sure to shut off system restore before doing so.

0
 
NaturaTekCommented:
Could you download hijackthis and post a quick log here?
Is it possible on one machine you can remove trend micro and install symantec endpoint temporarily?
You are using SP3 with all the latest updates?
0
 
ccwestbrookAuthor Commented:
Yes, the computers are up to date.  The Web CureIt Live CD turned up nothing..   Here's something new: I've found that if I terminated the EXPLORE.EXE process and then reload EXPLORER.EXE via task manager, it fixes the problem temporarily.  
0
 
warturtleCommented:
It might be worth installing a personal firewall on those PC's that actually travel to client sites and trying to surf the internet then. You already have an antivirus, and if you install a firewall it might help. My suggestion is ZoneAlarm Free firewall (www.zonelabs.com). I don't think its free for corporate use, but you can download a trial version and see its effectiveness. If it works out for you, then you can have the multi PC license and have this on laptops connecting to external networks.

0
 
NaturaTekCommented:
You know, you might have a cloaked malware. I just had encountered one last week, no antivirus, or good antispyware I used detected it, It was tiny and only affected iexplorer.
Google and download 'prevx'. Its a trial and wont let you clean up, but it detects if you have something and the name of the file. The one I encountered on a machine, left a embedded item in Internet explorer and was called by a hidden file. Download it, scan and if you detect something it wont clean it, but you can see where the files are, delete the running task (if you can see it) and manually delete the file/registry key. Or post here.

I don't want to sound Like I'm making something sound bad, but it was weird how NOTHING detected this tiny malware, except prevx, makes me think they invented the darn malware so they can only take it out. worth a shot.
0
 
ccwestbrookAuthor Commented:
It identified Spector files.. anyway, this time I completely removed Spector from one of the laptops and now that laptop has no problem.  Funny because some laptops with Spector have no issues.  So I'm trying to work it out with their technical support now as to the problem
0
 
NaturaTekCommented:
Strong instinct it was Spector. When using remote monitoring software is a bit tricky, the best way I found it to work is disabling antivirus/firewall first, install it and creating precise rules in firewall/antivirus/antispyware software to allow it and to exclude from scans/detection. Then turn on antivirus back on. I'm not sure if the Trend you are using detects it or blocks it. As you saw more than a handful of programs detects as spyware, in all reality..it is spyware but legitimate spyware. The minute one program detects 1 tiny part of spector and quarantines it, little glitches arise.

Spector claims incompatibility with Spybot, because spybot does detect it and remove parts of its file, rendering it useless.

I would go as far as reinstalling with the method I posted, but I'm sure you've done that. Perhaps Spector can offer some update/patch to resolve.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 11
  • 10
  • 4
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now