RotoGuru Computer Forum


0 Subject: glb1a2b.exe - Friend or Foe

Posted by: Richard
- Dude [204252420] Sun, Sep 12, 2004, 18:28

I recently noticed that a file named glb1a2b.exe has started showing up in my c:\windows\temp on my Win 98 machine. I've searched for references to this file through Google and have seen vastly different claims about this little beast. Some claim it's a harmless file that the unwise.exe uninstaller uses while it does its business removing programs, while others claim that it is a trojan horse/virus file.

Whatever it is, I can delete it from the c:\windows\temp directory and remove a reference to it in the wininit.ini file but the next day it's back. Any ideas on how to remove it permanently, or is it a harmless file that I shouldn't worry about?

My Norton antivirus software doesn't find it, neither does Spybot Search & destroy but my Spyware Protection from AOL claims it is a threat. I'd appreciate any help in understanding this beast and would like any suggestions in how to remove it.

Richard
1 Mike D
      Sustainer
      ID: 041831612
      Sun, Sep 12, 2004, 21:33
I searched my system and can't find it. Which is very odd, since it seems to be linked to Lavasoft's Ad-Aware, and I use that. I agree Richard that the web is all over the place on this thing.

I can't find it listed as a virus hoax anywhere though, or as a virus. It is listed as spyware (a keylogger) but also as a temp uninstall file.

There are many references to it being related to unwise.exe.....like this one:

"GLB1A2B.EXE is sitting in your temp directory. The Wise uninstaller creates this, and except for the name it's identical to UNWISE.EXE. That's how they manage to delete UNWISE.EXE during a normal uninstall without a reboot (it can't delete itself because Windows won't let anyone delete an open file; instead UNWISE.EXE makes a renamed clone of itself in the temp directory, and spawns the clone at the end of the uninstall process to get rid of itself)."

That concerns me a little bit, since unwise.exe is also mentioned in this explanation of Backdoor.NetTrojan:

"Backdoor.NetTrojan is a Backdoor Trojan Horse that allows unauthorized use of an infected computer. Backdoor.NetTrojan allows its creator to configure unauthorized access, as well as the filename and the port in use. This Trojan may also be referred to as the Distributed Trojan Horse Network (DHTN).

Backdoor.NetTrojan can be configured in many different ways. If the Trojan is set to use its default settings, it does the following:

Copies itself as %Windir%\Unwise.exe. It also deletes the files from that particular folder.

NOTE: %Windir% is a variable. The virus locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location. It deletes the files from this folder as well.


Adds the registry value:

WinLoader %windir%\UNWISE.EXE

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce


Modifies the (Default) values in the following registry keys:

HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\giffile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\htmlfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\jpegfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\CLASSES\Word.Document.8\shell\open\command

These modifications cause the Trojan to execute when any of the associated file types is launched. The original (Default) value determines the modification to each key. The Trojan saves the original default value under the same key with the value "winampold."


Modifies the shell= line in the System.ini file to:

shell = Explorer.exe %windir%\UNWISE.EXE


The Trojan has many plug-ins that perform different functions. Some of these functions may include:
Performing a Denial of Service (DoS) attack
Sending IRC messages
Spreading itself through email
Spreading to network drives"


The "fears" of it being harmful appear to me to be questionable. But, the only harm in removing it would be possibly messing up the ad-aware uninstaller program. No big deal. So, I'd probably remove it.
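The autorun keys, the *file\shell\open\command handlers and the System.ini shell= line quoted above are exactly the places a defender would check before deciding whether a stray copy of UNWISE.EXE is an uninstaller leftover or something that has made itself persistent. The Python below is an added example written for this thread, not code from the forum, from Symantec, or from Wise/AOL: it parses a .reg export and a System.ini and reports Run* entries that launch UNWISE.EXE or GLB1A2B.EXE, open-handlers that run one of those names or still carry the "winampold" backup value described in the writeup, and anything other than Explorer.exe on the shell= line. Both inputs are constructed samples (the CleanApp entry and every path are hypothetical), and the key matching generalizes to any hive rather than only the keys listed in the quote.

```python
"""Offline audit of the persistence locations named in the Backdoor.NetTrojan
description: autorun Run* keys, *file\\shell\\open\\command handlers and the
System.ini shell= line.  Input is a .reg export plus a System.ini, both
constructed below as sample data (hypothetical values, not from a real host)."""
import re

# Names discussed in the thread; matching is case-insensitive.
SUSPECT_NAMES = ("unwise.exe", "glb1a2b.exe")

# Any hive: ...\Microsoft\Windows\CurrentVersion\{Run,RunOnce,RunServices,RunServicesOnce}
AUTORUN_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\(run|runonce|runservices|runservicesonce)$")
# ...\CLASSES\<progid>\shell\open\command  (txtfile, exefile, batfile, ...)
SHELL_CMD_RE = re.compile(r"\\classes\\[^\\]+\\shell\\open\\command$")
# One .reg value line: @=... for the (Default) value, "Name"=... otherwise.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export: one clean Run entry, the WinLoader entries and a
# redirected exefile handler with the "winampold" backup described in the writeup.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CleanApp"="C:\\Program Files\\CleanApp\\tray.exe"
"WinLoader"="%windir%\\UNWISE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinLoader"="%windir%\\UNWISE.EXE"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="%windir%\\UNWISE.EXE \"%1\" %*"
"winampold"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Constructed System.ini carrying the modified shell= line from the writeup.
SAMPLE_SYSTEM_INI = r"""[boot]
shell = Explorer.exe %windir%\UNWISE.EXE
"""


def _unescape(s):
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key (lower-cased): {value name: data}}; '' is the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name_tok, data = m.groups()
            name = "" if name_tok == "@" else _unescape(name_tok[1:-1])
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: data left raw
            keys[current][name] = data
    return keys


def _mentions_suspect(data):
    low = data.lower()
    return any(name in low for name in SUSPECT_NAMES)


def audit_autoruns(reg):
    """(key, value name, data) for Run* entries whose data names a suspect file."""
    return [(key, name, data)
            for key, values in reg.items() if AUTORUN_RE.search(key)
            for name, data in values.items() if _mentions_suspect(data)]


def audit_shell_handlers(reg):
    """(key, reasons) for open-handlers that run a suspect name or still carry
    the 'winampold' backup value the writeup says the Trojan leaves behind."""
    findings = []
    for key, values in reg.items():
        if not SHELL_CMD_RE.search(key):
            continue
        reasons = []
        default = values.get("", "")
        if _mentions_suspect(default):
            reasons.append("default command runs: " + default)
        if "winampold" in values:
            reasons.append("original handler saved as winampold: " + values["winampold"])
        if reasons:
            findings.append((key, reasons))
    return findings


def audit_system_ini(text):
    """Tokens on the shell= line other than Explorer.exe (empty list when clean)."""
    for raw in text.splitlines():
        name, sep, value = raw.partition("=")
        if sep and name.strip().lower() == "shell":
            return [t for t in value.split() if t.lower() != "explorer.exe"]
    return []


def run_audit(reg_text, ini_text):
    reg = parse_reg(reg_text)
    return {"autoruns": audit_autoruns(reg),
            "shell_handlers": audit_shell_handlers(reg),
            "system_ini_extra": audit_system_ini(ini_text)}


if __name__ == "__main__":
    for section, hits in run_audit(SAMPLE_REG, SAMPLE_SYSTEM_INI).items():
        print(section, "->", hits if hits else "clean")
```

On a real machine the .reg input would come from `regedit /e` of the keys in question; the point of checking the "winampold" value as well as the command itself is that a handler restored by hand can still leave the backup behind as evidence of the earlier modification.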
2 Richard
      Dude
      ID: 204252420
      Mon, Sep 13, 2004, 00:41
Thanks, Mike D. You've provided me with lots more detailed information. Hopefully I can figure out where this little guy is actually living and evict him once and for all.

Richard
3 Richard
      Dude
      ID: 204252420
      Mon, Sep 13, 2004, 10:23
I've found out the cause of the persistent reappearance of glb1a2b.exe in my c:\windows\temp sub-directory. It appears every time I run the Spyware Protection program provided by AOL. In my case, glb1a2b.exe is an exact copy (same size, same date modified) of the unwise.exe file that AOL has placed in my c:\program files\common files\AOL\AOL Spyware Protection directory. This Spyware Protection program is working just like the Wise uninstaller that Mike D references in post #1.

This bit of research has mollified my concerns about this little beast. In my case, glb1a2b.exe seems benign and is a part of the Spyware Protection routine that AOL provides. If I don't want glb1a2b.exe sitting in my c:\windows\temp directory, I just don't have to use AOL's Spyware Protection. It seems that having glb1a2b.exe in my c:\windows\temp directory is a cost associated with using AOL's Spyware Protection.

Thanks, Mike D, for helping me figure out what's happening on my computer.

Richard
4 Mike D
      Sustainer
      ID: 41831612
      Mon, Sep 13, 2004, 10:44
Anytime Richard, though there still is no definitive answer. I'm sure there will be eventually, and the more info like this that is developed, the better. I don't recall seeing many references to AOL's Spyware Protection, and I don't use that personally. I'm wondering if AOL is using their own software, or whether they have simply purchased and covered up Ad-Aware by Lavasoft, kind of like they do with other software (Internet Explorer being blended into their web browser, for example), and like other companies do (Dell printers being made by Lexmark).

5 Mike D
      Sustainer
      ID: 41831612
      Mon, Sep 13, 2004, 10:48
Hmmm. Not Lavasoft. Aluria Software, and allegedly not bundled.

"AOL partnered with Aluria Software LLC of Lake Mary, Florida, to provide AOL Spyware Protection. That company makes a product called Spyware Eliminator, but AOL is not bundling that product with its software. Instead, the company worked specifically with Aluria to develop the new antispyware feature, according to Andrew Weinstein, AOL spokesman."

6 Bill Green
      ID: 4710492512
      Thu, Nov 25, 2004, 13:50
My thanks to Mike and Richard. I too use AOL Spyware and thanks to these guys, have finally found out what has been creating the GLB1A2B.EXE file in my temp directory. Best Wishes & thanks again
7 Mike D
      Sustainer
      ID: 041831612
      Thu, Nov 25, 2004, 21:13
Glad some of the gibberish in this thread was helpful bro! And thanks to Guru for creating the whole deal here (as Eagles Coach Andy Reid would say).
8 loosi
      ID: 0113649
      Sat, Dec 04, 2004, 10:36
this tried to install on my puter when I upgraded zonealarm??? All the other files that showed up were zonealarm registry changes and this GLB1A2B.EXE file.
9 Lou
      ID: 531131617
      Thu, Dec 16, 2004, 18:03
What if I told you it was a collection agency that was hacking systems to find info about you. Do any of you have an outstanding debt? That's why the file isn't being picked up by virus products as a hoax. It's why AOL spyware doesn't throw it out, but stores it in your temp dir. The collection agency has probably notified everyone who monitors the net including Microsoft. The program is probably entering a back door under another name and being identified as glb1a2b.exe. It's probably running in your system all the time under a different name. You will have to find out the name of the inbound program and the agency involved to delete it from the registry and create a manual firewall block. I believe it to be NCO Financial. GLB1 is their form code. It's at the bottom of their paperwork. These reasons are why all private information should be kept on a separate storage device.
People who create viruses go to jail. Why not the people who create spyware? Who is creating the most stealthy spyware and for what purpose? Who is telling the truth about what it does, sells or returns to the creator? If you format your system, the next time your IP address hits the net these unidentified spyware programs will load right back up again. Microsoft should not allow this kind of privacy violation. At least AOL is letting us know there is something going on.
10 Richard
      ID: 1111181618
      Thu, Dec 16, 2004, 19:20
Lou - if you told me that, I wouldn't believe a word you said.

Richard
11 Lou
      ID: 71115171
      Fri, Dec 17, 2004, 02:15
It certainly looks like something stealthy that AOL is discreetly letting us know about. Some IP addresses get it and some don't. If you go directly to the AOL directory and run ASP.exe cold, you will still get the application. I am working on several systems and only one gets the application. My laptop doesn't get it.

It's spyware. I wonder if it is in the root directory similar to the old Klez fix file. AOL spyware picks it up almost immediately. It has no ID in the properties. You also could be very right and it could be some silly glitch.

I don't have time, but if someone has a copy of DOS 6 they can view it in the DOS shell and let us know what it's doing and who created it?
12 Lou
      ID: 201138171
      Fri, Dec 17, 2004, 02:38
Wise solutions might give us a visit?
13 rockafellerskank
      Dude
      ID: 27652109
      Mon, Dec 20, 2004, 22:20
Lou #9:

I run a major collection agency. NCO is a huge competitor to me. I wish what you say was true because not only would I put them out of business and take all their clients, but I'd actually change sides and file the largest class action suit under the FDCPA that ever existed and get rich, rich, rich!
14 Dan
      ID: 331441114
      Fri, Feb 11, 2005, 15:44
I just removed AIM from my computer, then GLB1A2B.EXE was created in my Temp folder. As far as my system goes, it must be related to UNWISE.EXE.
15 Don
      ID: 12130188
      Fri, Feb 18, 2005, 09:30
I too just removed AIM from my computer. It may be related to AOL's IM. After rebooting, it does not appear to return.
16 r evans
      ID: 531442615
      Sat, Feb 26, 2005, 16:45
I read with interest about this glb1a2b.exe. I have this on my computer also and I do not run anything to do with AOL, but I do run Ad-Aware by Lavasoft, and also I noticed it showed up on my firewall when I used the chat client called mychatfx. Also this chat client comes up as a trojan de trois on my Norton WormGuard, saying it is blocking it. I read about this chat client and read that it is remotely monitored. I don't know if this is of any help.
17 dan
      ID: 47272310
      Tue, Aug 23, 2005, 11:27
GLB1A2B.exe showed up on my computer in the following dir
C:\Documents and Settings\Dan\Local Settings\Temp

Any thoughts?
18 tr
      ID: 248412213
      Thu, Sep 22, 2005, 14:41
The following may be of interest, whether it is right or wrong.

http://www.spywareremove.com/removeglb1a2bexe.html

Can anyone comment on what that page says?
19 Sander
      ID: 2395310
      Mon, Oct 03, 2005, 12:05
Please read also this one:
Link
20 SnowsLight
      ID: 581022920
      Tue, Nov 29, 2005, 21:04
GLB1A2B.exe was recognized by my ZoneAlarm Security Suite... Amazing thing is this little punk .exe file was automatically placed into the trust label at the top which allows it to access my trusted and internet zones plus internet and trusted zones for serving and allow to send email... I don't like that at all... also unwise.exe was found 3 times for various programs... Amazing Photo Shop allowed it complete access to everything also... I check ZoneAlarm's settings regularly... anything that shows up in my temp files under Documents and Settings and automatically makes itself this trusted... I kill it. ZoneAlarm will allow you to do this by setting the trust level in its column trust level at program control... I set these to KILL...

I think it is spyware...
21 Sheila
      ID: 551182213
      Thu, Dec 22, 2005, 14:09
Thought I was going crazy!! This thing kept popping up and disappearing. I deleted it and still it came back. It looked suspicious for sure, for one because the properties contained no information of its origin. I'm just becoming computer literate so I sometimes just take chances but it's good to be able to get other points of view. I just wish some of the people leaving messages would have explained how they got rid of it instead of just saying that they did get rid of it. Merry Christmas!
22 Dean
      ID: 55014220
      Mon, Jan 02, 2006, 21:15
Relax folks. It's an uninstaller scat. It's left behind when you remove certain programs. I just uninstalled FlashSwitch after a brief trial and found the program in my temp.

Everybody can't be spying on us. Well, the NSA maybe, but they'd be more clever than to leave things in the temp directory.

As to those of you finding it reappearing, it's probably some schlock program given to you by one of the "We're Big, We Don't Have To Care" companies that actually installs and uninstalls programs on a regular basis.

Good luck...
23 David
      ID: 7224287
      Tue, Mar 28, 2006, 08:24
I also found glb1a2b.exe. It happened when I uninstalled qttask.exe, which I am having a hard time removing from my startup list. Even after I did a removal of Quicken, it appears in my startup when I do an msconfig. I found this with Zone Alarm, where I will attempt to kill it next.
24 charles
      ID: 283142421
      Mon, Apr 24, 2006, 23:14
Yea, I just installed a program "free undelete"..
It installed OK, but didn't work,, then that glb1a2b started... and right after it didn't work, half of the Windows icon graphic pictures disappeared.. went to Start, it was just all text.. restarted, tried to uninstall in safe mode, crashed and froze close to the end...
I went into the DOS prompt, no Windows running (press F8 at bootup, then DOS prompt, not mode DOS prompt),
deleted the files out of temp.. then typed regedit
and restored the registry dated before I got the file...
25 Jennifer
      ID: 4227316
      Sat, Mar 31, 2007, 08:08
Help! My computer keeps popping up on the don't send report/send report saying "Program" can't run. The technical information keeps directing it to files in the Temp folder that keep reappearing after I delete them. I have had the file that was referred to above, plus a ton of WER(with 3 numbers and/or letters following).tmp.dir00. I have been able to trace it back to spyware. I have tried Ad-Aware, and am in the process of trying other programs. Ad-Aware didn't get rid of the problem. It is causing my Samsung phone-to-PC software not to work, as well as AOL. If anyone has a clue please e-mail me!!! This is absolutely about to drive me crazy!!!