GLB1A2B EXE

By ledishaw ·
Found this in the temp folder, not the temporary internet folder... what is it for? Did a search and found maybe a virus and maybe not... any ideas??

check this link

by musicwriter In reply to GLB1A2B EXE

http://forums.zonelabs.com/zonelabs/board/message?board.id=security&message.id=3590

Problem with this web link

by terryyy In reply to check this link

I checked this web link on 07/23/2004, and it was not valid.

malware - GLB1A2B EXE

by chris In reply to GLB1A2B EXE

You don't want it. It's a disaster to remove. It reinstalls things you don't want on your PC.

You have to take really serious action to get rid of VCOM, PMXY2, Sexcams, and dozens of other registry keys to shift it. Adaware and Spybot can't shift it. Let me know if you can't sort it and I'll help but it's taken me two days and I'm still not sure if I got rid of it. It comes from gmsoft I think but I'm still dizzy from trying to fix it.

chris

Possible Solution

by richfairfull In reply to GLB1A2B EXE

Began encountering this #$@& on customer computers a few weeks ago.

Apparently launching IE triggers a process that downloads glb1a2b.exe into the XP user's c:\documents and settings\username\local settings\temporary internet files folder.

This may be a solution:

Create a file called glb1a2b.txt in the c:\documents and settings\username\local settings\temporary internet files folder

Rename it to glb1a2b.exe. Apparently the bug thinks the file exists and will not download it again.

So far so good.

Have encountered other file names as well.

-Rich

This *Thing* is killin me lol

by LWStanding In reply to Possible Solution

OK this GLB1A2B.EXE is killin me here, and I'm Elmer-Fudd-like with popgun in hand hunting it down but goin nowhere snicker.


Got Blackice (latest) which detected GLB1A2B.EXE *as it tried to initially access the internet* and naturally I chose "terminate (process)" and that was that.

My initial guess, as I'd terminated the thing before it accessed the network, was that it hadn't run, and as I 'searched for the two files mentioned that it installs and Search didn't find them' I then thought that perhaps that might confirm that GLB1A2B.EXE hadn't run *and* hadn't installed any rogue files on the pc yet (the two files that were searched for and not found were: MTX_.EXE and IE_PACK.EXE, and I run a two-month-old up-to-the-minute updated {all progs and windows daily at boot up and many times frequently during the day just to be sure, as I have a cable modem} XP Home machine with plenty of security).

Still, because I'm 'patho' about security I went as one post suggested to the free scanner at mcafee online (which the poster referred to as the 'only one identifying this rogue they knew of to date').

When I did so, as the poster also suggested LOL as I clicked on the register (for the scan) page SUBMIT

>>>IE6.0 SP1 latest crashed (which poster reported IE4.0 - 5.0 crashed),

then I tried

>>>Netscape 7.1 latest (which poster said he hadn't tested by the time of his post) which I got referred to an error page from McAfee which said (paraph) "nuh uh uhhhhhhhhh gotta be IE 5.0+ try again using IE" so Netscape is out lol

>>>Went to Symantec online scanner, which another google search byte pulled up and when I tried it in IE 6.0 latest I got the error (paraph) "nuh uh uhhhhhhh must be updated IE to 5.0+ please update and try again" lol


So, Here I sit.

Current Conditions (2 files found):

GLB1A2B.EXE
found in the folder mentioned above, C:\Documents and Settings\hh\Local Settings\Temp (hh is current user)

and
GLB1A2B.EXE-3781414F.pf
located at: C:\WINDOWS\Prefetch


I hesitated to do the following (until):

I tend to not want to reboot until I get some clue about what *not* to do next...it's obvious something's already adjusted something in my IE (whose settings are set to MEDIUM security and all Active X configs are double checked and at default levels for MEDIUM and in-sync with what Symantec says will work on their site) - therefore *something* was initiated even though I terminated GLB1A2B.EXE's accessing the network. What can I do pre-reboot that won't make it worse or beyond a third-party software from finding all damaged files and fixing them?

and
I tend not to try the "create GLB1A2B.txt file in same directory as GLB1A2B.EXE is found, then rename the TXT file to EXE file and it fools something *evil* into not being effective", until I'm certain there's no known scanner in the world off the shelf or online right this minute that will identify and *fix* the culprit, because if I do something to change an attribute that a scanner will be using to *identify* that I'm infected, then it seems to me a scanner would perhaps miss it and I'd be left with bits and pieces of corrupted-or-worm files and I'll never be free free free lol. Does that rename/overwrite trick just trick the original file from running *again* or does that stop the infection before it even begins?


Appreciate any comments on it, I hesitate to even log off until I have more of a feeling on it. I run EZAntiVirus (Computer Associates Intl) and it finds nothing, as I sit here and stare at the file sitting there.

Think I can just delete both the Prefetch file and the Temp file before rebooting and be done with the thing? And if it was stopped in its tracks before running, is it logical to assume it was either BlackIce (latest) or perhaps a Windows/IE hotfix that stopped it?

It'd *sure* be nice to identify what stopped it from running instantly, if anything did, for future reference.

And also, if as it says on google this particular malady was identified August of 2000, why is nothing identifying it in the scanners except for McAfee and Symantec still, what, some four years later?

Thanks for any insight.

Nothing new to add

by richfairfull In reply to This *Thing* is killin me ...

Sorry, nothing new to add. Have found that the executable is downloaded again and have not been able to stop it.

I repair computers in my shop...returned this box to the customer...will reinstall windows later...unless I can find a solution....

thanks for reply-but no answers yet here

by LWStanding In reply to Nothing new to add

Hi Rich-thanks for responding, I was hoping though to hear that rename/overwrite trick perhaps at least broke the chain where it couldn't do any more harm.

I'm still working on it here, and the drag on this mouse is driving me up the wall for hours now, I can feel the *irk* ! I've exhausted google to where my eyes are blurry...

>>>found 9 items (6 rogue programs) suspect through using Pest Patrol online, but the online version doesn't remove them - and some are quite extensive to do manually - unless I buy Pest Patrol for $50 then it'll remove them.

In my experience though, I keep buying this stuff, and one rogue infection is found by two and not seen by all the others and every time it's a different 'expert program' and as I sit here looking at these pretty pretty boxes on the wall here above me of all this fancy stuff I paid loads for that 'isn't' identifying these things (some of these bad-files Pest Patrol found are rather old), I'm asking myself 'Do I want to get yet another 'expert program' and spend $50 on yet another *one time fix*, where next time some other 'expert-purchase' is needed.' It doesn't seem practical to keep spending like that. (snicker - what do these companies do, trade off 'fixes' so that at each new virus one of them is guaranteed a sale? lol it's crackin me up. These things are *old* news and should easily be in brand new boxed security products - and why didn't my brand-new-symantec get the last one (two years old downloader) - that's the reason I went to EZAntivirus not a month ago!)

At least Pest Patrol identified them by name *and* by location. That's something the others (no matter what I paid them) didn't do. <insert shrugs smiley>

Hopefully I'll come up with something. Apparently part of my problem here, is what I suspected, I run various things that stop PARTIAL installs (or stop installs just seconds later which seems to allow partial installs to commence and install crud-ware partially, which of itself is enough sometimes to disrupt use of the box) - and because only 'part' of the bad-files actually exist in my computer, when it's scanned apparently some scanners don't look for 'all' possible files they just look for the primary bad-files, and if so they miss what I have sitting here.

But my gosh, what's the answer to that? Slowing down my DOWNLOAD speed to a creep so that my BlackIce can stop it in time ? Or is it better to let the full bad guys in so the scanners find them (eek)?

Seems like these security companies need to get a better way of *collecting* computer examples of this stuff real time from a huge base of voluntary users, instead of just collecting them from 20 computers sitting in some lab somewhere. Maybe then they'd actually have fixes for two year old maladies in their definitions.

Sorry, but after 8 hours of reading google, I'm pretty down on all this pretty pretty expensive useless boxed software I got up on the wall. Makes for colorful decoration, but not much else use today < this is me irked

LWS

p.s. Addendum to My Post

by LWStanding In reply to thanks for reply-but no a ...

p.s. Addendum to My Post there-

This is a three month old machine here, straight out of the manufacturer's box, so these things hanging out in this harddrive were received by me *new* three months ago or sooner... and I powered up the first time with top rate stuff installed...

so really, shame shame on whatever vulnerability (MS says 'there are none' wink) or false promise (we'll block out all adware real-time from entering) that some company made or sold me, that allowed trashware from two years ago to seep into my system. shame shame shaking head.

And crossing arms, I'm gonna go have a Cherry coke and stew :)

There's gotta be an answer.

LWS

Be careful with PestPatrol/PestScan

by ummagumma In reply to thanks for reply-but no a ...

I ran pestscan.com's scan.

It found xxxtoolbar.com.

It provided complicated instructions for removal, so I did a little homework before attempting pestscan/pestpatrol's removal practice.

It turned out that pestscan was tagging a SpywareBlaster (a good spyware blocker program) entry.

How I handle these type of programs

by dpenrod In reply to thanks for reply-but no a ...

I've dealt with about 10 different PCs that have had this type of stuff on them. I've been able to defeat every one using the following general procedures.

(One user complained his PC was so slow as to be unusable. Took 15 minutes to boot because he had 78 different spyware programs running!)

OK, I've heard AD-Aware is good, but I use Spy-sweeper from Webroot.com. Free download if you don't subscribe to updates. Be sure to choose update when you install if you can.

Run spy sweeper, get rid of everything it finds.

Reboot into SAFE mode. This should stop most of any junk pgms left over from starting.

Run Spy sweeper again to double check for any items it missed.

Delete all files from any temp directories, including C:\temp, C:\windows\temp, c:\documents and settings\username\local settings\temporary internet files folder.

Before you open Internet Explorer, use control panel\internet to check the default home page and make sure it's not going to some rogue website.
Clear your internet temp files here. I clear all cookies as well, but be warned you may lose cached passwords to some websites.

I suggest the user consider using the free, open source Mozilla Firefox browser instead of IE, as it does not run ActiveX, which is the major culprit in getting these programs installed. There are a few cons, but that's another topic of discussion.

Regardless, at this point you must tighten up IE security. On the IE Security tab, reset the internet zone security to HIGH. Now the user will have to explicitly add web domains to the trusted sites list to allow scripting and ActiveX to run on their PC. Do the same for cookies, set to high (not block all) and the user will have to explicitly allow a web domain to send cookies.

This is an inconvenience for many users, but it is the one way to control what web sites get access to your PC.

At this point I run regedit and check the run keys for any programs which should not be there. There are several good web sites which identify by object name any programs you find in the RUN keys to help you identify if they are needed or not. Just google for the program name and you should hit upon one of these sites, then bookmark it.

Optionally, the final place to check is the folder C:\Windows\downloaded program files. This folder contains controls and programs which are plug-in type programs for IE. If you don't know what it is, you can probably delete it, it will just have to be downloaded again when you need it.

Now you can reboot again into normal mode, and you should be clean.

If you use windows update, or the auto download options from Microsoft to update security patches, at least once a week, you should be ok going forward.

And of course keep your anti-virus updated.

- Dan
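
A read-only triage script for the checks discussed in this thread (executables sitting in Temp, a matching Prefetch entry such as GLB1A2B.EXE-3781414F.pf, and the Run keys), added here as an example and not part of any poster's message. It assumes a current Windows with PowerShell 5.1 or later and an elevated prompt; the function names are made up for this example.

```powershell
# Added example, not from the thread. Lists only; nothing is deleted or changed.
# Assumes PowerShell 5.1+ run elevated (the Prefetch folder needs admin rights).

function Get-TempExecutable {
    param([string[]]$Path = @($env:TEMP, "$env:SystemRoot\Temp"))
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Prefetch entries are named <EXENAME>-<HASH>.pf
            $pf = Get-ChildItem -Path $prefetch -Filter "$($_.Name)-*.pf" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File      = $_.FullName
                Created   = $_.CreationTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                WasRun    = [bool]$pf
                LastRun   = ($pf | Sort-Object LastWriteTime | Select-Object -Last 1).LastWriteTime
            }
        }
}

function Get-RunKeyEntry {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Command  = $cmd
                # Autostart entries that launch from a Temp directory deserve a closer look
                FromTemp = $cmd -match '\\Temp\\'
            }
        }
    }
}

Get-TempExecutable | Format-List
Get-RunKeyEntry | Sort-Object FromTemp -Descending | Format-Table -AutoSize -Wrap
```

A `.pf` entry for a file name means Windows recorded at least one launch of an executable with that name; a missing entry is weaker evidence, since Prefetch can be disabled or cleared.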
