Solved

Internet Explorer - about:navigationfailure

Posted on 2009-05-18
Last Modified: 2013-12-08
Hi,

We've just had 5 of our laptops come into the office so that we can make some changes to their configuration.  These are Windows XP Pro laptops that are joined to a Windows 2003 SBS domain.  They generally don't connect to the domain as they are usually out in the field, and they use Verizon wireless cards for internet.  After having the work done and going back into the field, several of them could no longer access the internet.  It would bring up the following in the address bar: "about: navigationfailure"

However, we've found that if we delete their temporary files and cookies and then either reboot the computer or restart the EXPLORER service, the internet works again for a while.

These are the changes we made on the computers: Removed Local Admin rights (except on one, and that one was also affected), disabled offline files and relocated My Documents to local hard drive, encrypted My Documents and Desktop folder, installed IDRIVE.COM remote backup, and installed SPECTOR 360 remote monitoring.  

Also, they can access their e-mail through Outlook (using HTTP over SSL) with no problems; they just cannot access the web in Internet Explorer.  Scanning the systems with Malwarebytes and HijackThis also turned up nothing.

Any ideas what could be happening?  
0
Comment
Question by:ccwestbrook
29 Comments
 
LVL 7

Expert Comment

by:sfarazmand
ID: 24414188
Try accessing the internet with another browser to be sure it's not an IE issue (which I doubt). What Group Policy is in place on the domain? Is there a proxy? Is that proxy set through Group Policy? Check the network connections (flush DNS).
What does "relocated My Documents to local hard drive" mean? Roaming profiles?
What was used to encrypt?
 
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24414255
Could you try downloading ComboFix from here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and then disable your existing antivirus protection and run it. Then, after ComboFix creates a log, send that log to us and re-enable your existing antivirus protection. Also run a full MalwareBytes scan.

If ComboFix cannot run or flashes for a second and then disappears, then you need to download it again and save it with a different name. You can download this on a working PC, save it with a different name on the USB drive and then transfer it to the problem PC and run it.
0
 

Author Comment

by:ccwestbrook
ID: 24414360
Hi!  We've tried IE and Firefox now too.  Firefox says "Url invalid" where IE says "about:navigationfailure"

the encryption is just EFS.  We encrypt the Documents and the Desktop folder

Previously, the My Documents folder was redirected to a file share on a server and the laptops used offline files while in the field.  We relocated it back to the local hard drive and set up remote backup because they rarely come into the office.  

There's no proxy.  In the office we use a SonicWALL firewall, but they are accessing the internet in the field using verizon wireless cards typically.  

When we delete temporary files and cookies and reboot the system, it works for a while but it comes back later.. apparently after the second restart.  Also, all of the changes were done on my own laptop as well and have not had any problems.  
0
 

Author Comment

by:ccwestbrook
ID: 24415254
Here is the Combo FIX log
ComboFix.txt
0
 

Author Comment

by:ccwestbrook
ID: 24415318
Forgot to turn off my AV that time.. here is another log file after turning off Trend Micro
combofix2.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24416029
Have you scanned with MalwareBytes now? The first ComboFix log shows a lot of deletions.

Observations:

1. Do you know this file? C:\wellabandon.zip , if not then I suggest uploading it on www.virustotal.com for a virus scan.

2. Upload the below files on www.virustotal.com for a scan:
    c:\windows\system32\drivers\RimSerial.sys
    c:\windows\system32\vdorctrl.dll
    c:\windows\system32\svrltmgr.dll
    vmrypz.dll   (I don't know where it is on your system, most likely within c:\windows\system32)

Or

Alternatively, do a scan with the BitDefender Online Scanner based at: http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html and let us know, what you find.

0
 

Author Comment

by:ccwestbrook
ID: 24417167
RimSerial.sys scanned fine, the other dlls wouldn't scan with virustotal.com.  Malwarebytes found nothing
0
 
LVL 22

Expert Comment

by:orangutang
ID: 24418537
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24420062
I am going to suggest a scan with Dr Web CureIt Live CD: http://www.freedrweb.com/livecd/ . Download the ISO file and burn it as an image on a CD. Then boot your system from this CD and run the Dr Web Scanner. Click on select all and cure after the scan finishes. Then reboot your PC in normal mode and scan with your own antivirus (Trend Micro).

This scan will not load any Windows files or drivers and hence, is good at removing rootkits as well.

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24421068
C:\wellabandon.zip <-- I assume you created or know this archive?

  Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\vdorctrl.dll
c:\windows\system32\svrltmgr.dll
c:\windows\system32\vmrypz.dll

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Keyan3d"=-
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
"Appinit_Dlls"=""

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again and delete what's on the script.
 
@ warturtle:
Thanks for the alert.
0
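Added example, not part of the post above or of anyone's reply in this thread: a read-only PowerShell check of the two autostart locations the CFScript touches, listing each DLL with its publisher and signature status so a file can be identified before it is deleted. It assumes PowerShell 2.0 or later is installed and reads the live `AppInit_DLLs` value rather than the `AutorunsDisabled` copy named in the script; the function name `Get-DllInfo` is made up for this example.

```powershell
# Added example: enumerate DLLs registered under AppInit_DLLs and
# ShellServiceObjectDelayLoad (SSODL). Nothing is modified or deleted.
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$ssodlKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'

function Get-DllInfo {
    param([string]$Source, [string]$Name, [string]$Path)
    $full = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    # Assumption for this example: bare file names live in System32.
    if (-not [IO.Path]::IsPathRooted($full)) {
        $full = Join-Path $env:SystemRoot "System32\$full"
    }
    $info = New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Path = $full
        Exists = (Test-Path -LiteralPath $full); Company = ''; Signature = ''
    }
    if ($info.Exists) {
        $info.Company   = [Diagnostics.FileVersionInfo]::GetVersionInfo($full).CompanyName
        $info.Signature = (Get-AuthenticodeSignature -FilePath $full).Status
    }
    $info
}

$results = @()

# AppInit_DLLs is a single string; DLL names are separated by spaces or commas,
# so long paths containing spaces will be split (short names are expected here).
$appInit = (Get-Item -LiteralPath $appInitKey).GetValue('AppInit_DLLs')
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
        $results += Get-DllInfo 'AppInit_DLLs' $dll $dll
    }
}

# SSODL values map a name (such as "Keyan3d") to a CLSID; the DLL path is the
# default value of that CLSID's InprocServer32 key.
if (Test-Path -LiteralPath $ssodlKey) {
    $ssodl = Get-Item -LiteralPath $ssodlKey
    foreach ($name in $ssodl.GetValueNames()) {
        $clsid  = $ssodl.GetValue($name)
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path -LiteralPath $inproc) { (Get-Item -LiteralPath $inproc).GetValue('') }
        if ($dll) { $results += Get-DllInfo 'SSODL' $name $dll }
        else      { Write-Warning "SSODL entry '$name' ($clsid) has no InprocServer32 DLL" }
    }
}

$results | Select-Object Source, Name, Path, Exists, Company, Signature | Format-List
```

An empty Company field or a Signature other than Valid is a reason to identify the file further, not proof that it is malicious.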
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24421151
Disable Spector 360, Windows Firewall, and any software firewall you are running on ONE machine. See if the problem is gone.
Spector can cause a bit of flakiness. If you use it, create an exclusion rule in your antivirus/antispyware/firewall saying that its files are good and not to be scanned.

Be careful with ComboFix, it may detect Spector as malware. For example, the svrltmgr.dll rpggamergirl has posted to delete belongs to Spector 360, which is a hidden remote monitoring service.

Is the server 2003 sbs machine doing dhcp for the rest of the computers or not? If not, disable dhcp service on sbs if enabled and if dhcp is handled by a router or so.
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24421259
If you can't disable Spector on one machine, uninstall it completely. It might be a pain since it won't show up in Add/Remove. Follow the manufacturer's uninstall procedure. If you are working correctly afterwards, you'll know Spector is the problem. Verify you are using Spector directly from the manufacturer, not the ones floating around the web being packaged with cloaked malware. Or programs that claim to unlock it, as they themselves have hidden malware.

I had a few problems with different remote monitoring software. Some were a pita to uninstall, with deletion of each file and registry edits per manufacturer. Using McAfee Enterprise at work kept detecting part of the remote monitoring files as hidden rootkits and it would lock up that file, causing connectivity issues. That and glitches by the manufacturer themselves. Check their website for any updated software/patches, etc.

RimSerial belongs to BlackBerry software, I'd leave that alone if clients use BlackBerries.

I hope some of my insight can be helpful even if down the road.
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24421335
ccwestbrook.

Worst case scenario, start over with a fresh computer. Connect to SBS. Install 1 program at a time from the ones you mentioned in your post. Reboot and test out for a bit, install another item. Repeat and so on. Computers were working fine until the additions were installed.

My gut instinct is that it lies with Spector, DHCP from the server, or a rogue service at this time. I may be wrong, take the simple steps to find out. The world of IT, they make us work harder sometimes :)
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24421840
Yes, those files belong to Spector 360, malware researchers don't seem to like that program, lol. It's understandable I guess, being that type.


PrevX classified it as a fraudulent security program
http://74.125.153.132/search?q=cache:scMvueoxQ-0J:www.prevx.com/filenames/995150728107722352-X1/VMRYPZ.DLL.html+vmrypz.dll&cd=1&hl=en&ct=clnk&gl=au



ThreatExpert classified it as Backdoor.win32.URLBot
http://74.125.153.132/search?q=cache:zeUk5863RkgJ:www.threatexpert.com/files/svrltmgr.dll.html+svrltmgr.dll+threatexpert&cd=1&hl=en&ct=clnk&gl=au
 

McAfee classified it as Spyware-SpectorKey
http://74.125.153.132/search?q=cache:tMabHA-HJlYJ:vil.nai.com/vil/content/v_153135.htm+system32%5Csvrltmgr.dll&cd=1&hl=en&ct=clnk&gl=au

0

 

Author Comment

by:ccwestbrook
ID: 24423600
Well, I don't think it is Spector since this problem hasn't occurred on my own laptop, which I put all of these things on prior to installing them on the field laptops.  My own laptop hasn't had problems.. but those guys do go to some of the same questionable websites based on what I saw before in their internet files and may have gotten something in common?  Also the abandonwell.zip file is a file I created.. it just contains some well abandonment pictures.  I'll try these new scans you've suggested next.
0
 

Author Comment

by:ccwestbrook
ID: 24432848
Dr. Web scanner says a couple of system volume info/_restore/... .bat files are "probably infected with BATCH.Virus", and a number of temp internet files infected with Trojan.Download.28002
0
 

Author Comment

by:ccwestbrook
ID: 24432903
What specifically could cause "about:navigationfailure" to occur in internet explorer?
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24433172
A number of things, mostly related to spyware.
Here's one link: http://www.bleepingcomputer.com/forums/topic4210.html
Download CWS Shredder, About Buster, run them one after the other.
Check your DNS, make sure they are not hijacked to point somewhere else.
Check your host file for any weird IPs.
Go to superantispyware.com, download it, install it, UPDATE it first, then do a scan.

Shut off Systemrestore when starting to do anything of the above, turn it back on when clean.

If still troubled, uninstall the spector from one machine and navigate.

0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24433198
Other factors...firewall. You mentioned you have a sonic firewall..is it set to block specific sites, or sites based on a rating?
0
 

Author Comment

by:ccwestbrook
ID: 24433218
It's not set to block any sites currently.  However, these laptops are usually accessing the internet out in the field through verizon wireless cellular internet cards and aren't going through the corporate firewall.
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24433340
If these laptops are connected wired, do they experience connectivity issues, or is it simply when out in the field?
0
 

Author Comment

by:ccwestbrook
ID: 24433383
It occurs both in the field and also when they are wired in on the corporate network.  The interesting thing I should point out again though is we can get the internet to work temporarily by deleting their temporary files and temporary internet files, cookies, etc., but then a day later or what not it is happening again.
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24433586
I see, in the meantime you can put this one-line command to start up with the PC:
RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255

Try it, copy and paste it to your run box.

Have you done the superantispyware, cws shredder, about buster yet? Be sure to shut off system restore before doing so.

0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24433625
Could you download hijackthis and post a quick log here?
Is it possible on one machine you can remove trend micro and install symantec endpoint temporarily?
You are using SP3 with all the latest updates?
0
 

Author Comment

by:ccwestbrook
ID: 24453242
Yes, the computers are up to date.  The Web CureIt Live CD turned up nothing..   Here's something new: I've found that if I terminate the EXPLORE.EXE process and then reload EXPLORER.EXE via Task Manager, it fixes the problem temporarily.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24453772
It might be worth installing a personal firewall on those PCs that actually travel to client sites and trying to surf the internet then. You already have an antivirus, and if you install a firewall it might help. My suggestion is ZoneAlarm Free firewall (www.zonelabs.com). I don't think it's free for corporate use, but you can download a trial version and see its effectiveness. If it works out for you, then you can have the multi-PC license and have this on laptops connecting to external networks.

0
 
LVL 11

Accepted Solution

by:
NaturaTek earned 500 total points
ID: 24454071
You know, you might have a cloaked malware. I just encountered one last week; no antivirus or good antispyware I used detected it. It was tiny and only affected iexplorer.
Google and download 'prevx'. It's a trial and won't let you clean up, but it detects if you have something and the name of the file. The one I encountered on a machine left an embedded item in Internet Explorer and was called by a hidden file. Download it, scan, and if you detect something it won't clean it, but you can see where the files are, delete the running task (if you can see it) and manually delete the file/registry key. Or post here.

I don't want to sound like I'm making something sound bad, but it was weird how NOTHING detected this tiny malware except prevx, makes me think they invented the darn malware so only they can take it out. Worth a shot.
0
 

Author Closing Comment

by:ccwestbrook
ID: 31582673
It identified Spector files.. anyway, this time I completely removed Spector from one of the laptops and now that laptop has no problem.  Funny because some laptops with Spector have no issues.  So I'm trying to work it out with their technical support now as to the problem.
0
 
LVL 11

Expert Comment

by:NaturaTek
ID: 24455273
Strong instinct it was Spector. Using remote monitoring software is a bit tricky; the best way I found to make it work is disabling antivirus/firewall first, installing it, and creating precise rules in firewall/antivirus/antispyware software to allow it and to exclude it from scans/detection. Then turn antivirus back on. I'm not sure if the Trend you are using detects it or blocks it. As you saw, more than a handful of programs detect it as spyware; in all reality.. it is spyware, but legitimate spyware. The minute one program detects 1 tiny part of Spector and quarantines it, little glitches arise.

Spector claims incompatibility with Spybot, because Spybot does detect it and removes parts of its files, rendering it useless.

I would go as far as reinstalling with the method I posted, but I'm sure you've done that. Perhaps Spector can offer some update/patch to resolve.
0
