IE8 hangs or very slow after initial boot


  • This topic is locked
22 replies to this topic

#1 tonyd3870

Posted 13 May 2012 - 01:02 AM

For the past month or so my Internet Explorer 8 hangs or is "Not Responding" especially after the initial boot. On occasion, I also get the "Windows Explorer not working" error message. I'm not sure if it's my Windows 7 startup services or an Internet Explorer issue on my laptop. I didn't see any unnecessary services running or anything I saw that was strange. My Trend Micro Titanium Maximum Security 2012 hasn't found anything virus related. Any help would be appreciated. Thanks.



#2 m0le

Posted 15 May 2012 - 07:31 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 tonyd3870

Posted 16 May 2012 - 10:33 PM

Thanks for responding to my post. I'm ready for your first instruction. Not sure if this helps or not but I just noticed I have a couple of "Apple" services running on my laptop. I believe my wife used it to update her ipad or iphone. Thanks in advance for any help you provide.

#4 m0le

Posted 17 May 2012 - 05:21 PM

I'm not sure if it's my Windows 7 startup services or an internet explorer issue on my laptop


Yes, looks likely. I don't see anything saying "malware" from the symptoms.


Let's try something before I ask for some logs

Let's try a clean boot. This will boot the system without any services or startup programs and that will eliminate or pinpoint the main problem.

1. Click Start, type msconfig in the Start Search box, and then press Enter. If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.

2. On the General tab, click Selective Startup.

3. Under Selective Startup, click to clear the Load Startup Items check box.

4. Click the Services tab, click to select the Hide All Microsoft Services check box, and then click Disable All.

5. Click Apply and OK.

6. When you are prompted, click Restart.

7. After the computer starts let me know if the problem is still occurring.
m0le is a proud member of UNITE

#5 tonyd3870

Posted 19 May 2012 - 04:55 PM

Yes, the problem is still happening. I get "Windows Internet Explorer (Not Responding)" right away when I tried to connect to the web.

#6 m0le

Posted 19 May 2012 - 05:10 PM

Okay, let's check for malware

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#7 tonyd3870

Posted 20 May 2012 - 08:32 AM

Here is the log you requested.

Attached Files



#8 m0le

Posted 20 May 2012 - 02:08 PM

A suspicious partition which we need to check.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Scan your computer's memory for errors.
Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.
m0le is a proud member of UNITE

#9 tonyd3870

Posted 20 May 2012 - 03:25 PM

Here is the log you requested.

Attached Files

  • Attached File  FRST.txt   20.35KB   8 downloads


#10 m0le

Posted 20 May 2012 - 07:47 PM

Okay, confirmation that a hidden partition has been added. To remove this we need to boot into a Linux operating system (called xPUD) and run a utility that can spot the partition and put the boot flag (this tells the computer which partition to boot from) into the correct partition.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
Please do the following:
  • Download tdl_fix.sh and save it to the xPUD flash drive.
  • Boot into xPUD then click the File tab.
  • Press File
  • Expand mnt
  • Click on the folder under mnt that represents your USB drive (sdb1 ?)
  • You should see the tdl_fix.sh file in the main window.
  • Select Tool from the Menu
  • Choose Open Terminal
  • Type bash tdl_fix.sh then press Enter.
  • Read the warning then type y and press Enter to continue.
  • Type sda then press Enter when prompted.
  • You will be shown a list of partitions to choose marking active.
  • Type 1 then press Enter.
  • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
  • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
  • The script will complete and prompt you to reboot the computer.
  • Close the Terminal window and restart back into Windows.
  • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.

NOTE: In the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

bash tdl_fix.sh -restore

Make sure to leave a space to either side of tdl_fix.sh in the command.
This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
Click OK, and then reboot the computer.
This is a backup of the original mbr and will restore it to its current state.
m0le is a proud member of UNITE
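
As an added illustration (not part of the original thread, and not the tdl_fix.sh script): the "boot flag" described in the post above is the status byte of an entry in the MBR partition table, and this read-only Python sketch decodes that table and reports which slot is marked active. The sample MBR is constructed, and the "small active partition at the end of the disk" check with its 64 MiB threshold is an assumption made for this example.

```python
import struct

SECTOR = 512
# One 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")

def parse_mbr(sector):
    """Decode the used primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong length or missing 55 AA signature")
    entries = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, 446 + 16 * slot)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"slot": slot + 1, "status": status, "type": ptype,
                        "lba": lba, "sectors": count})
    return entries

def review_boot_flag(entries, small_mib=64):
    """Return (active_slots, findings). The size heuristic is an assumption of this example."""
    findings = [f"slot {e['slot']}: invalid status byte 0x{e['status']:02x}"
                for e in entries if e["status"] not in (0x00, 0x80)]
    active = [e for e in entries if e["status"] == 0x80]  # 0x80 = boot flag set
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    last = max(entries, key=lambda e: e["lba"], default=None)
    for e in active:
        size_mib = e["sectors"] * SECTOR / 2**20
        if len(entries) > 1 and e is last and size_mib < small_mib:
            findings.append(f"slot {e['slot']}: boot flag is on a {size_mib:.0f} MiB "
                            "partition at the end of the disk")
    return [e["slot"] for e in active], findings

def build_sample_mbr(active_slot):
    """Constructed sample: two ordinary partitions plus a 1 MiB partition at the end."""
    parts = [(0x07, 2048, 204800), (0x07, 206848, 100000000), (0x07, 100206848, 2048)]
    table = b"".join(ENTRY.pack(0x80 if i + 1 == active_slot else 0x00, t, lba, n)
                     for i, (t, lba, n) in enumerate(parts))
    return bytes(446) + table + bytes(16) + b"\x55\xaa"  # slot 4 left unused

if __name__ == "__main__":
    for slot in (3, 1):  # flag on the small trailing partition, then on partition 1
        print(slot, review_boot_flag(parse_mbr(build_sample_mbr(slot))))
```

On a real system the input would be the first 512 bytes of the disk, read from a live environment such as the one used in this thread; the code only reads and never writes.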

#11 tonyd3870

Posted 22 May 2012 - 12:48 AM

•Expand mnt

•Click on the folder under mnt that represents your USB drive (sdb1 ?)

•You should see the tdl_fix.sh file in the main window.


When I boot to xPUD, I can't find my USB under mnt. The options I see are sda1, sda2, and sda3. I searched within each mnt and didn't find anything referencing my USB drive. The tdl file and the other files are on the USB drive.

Maybe it's the way I booted to the USB drive. I went to the Boot Utility (F12) and chose USB.

Please advise. Thanks.

#12 m0le

Posted 22 May 2012 - 06:39 PM

Your best option is to unplug and then plug back in the USB while in xPUD and see if it is then recognised.
m0le is a proud member of UNITE

#13 tonyd3870

Posted 22 May 2012 - 11:15 PM

Got it to recognize. Thanks for the tip. Here is the log file. I'll let you know how it's behaving. Actually it took me about 20 minutes to post this reply from the hanging of my IE and it not responding. There were a few times where it actually went from not responding to turning black. That was definitely different.

Not sure if this is related or not but after all the waiting, I pulled up task manager and it looked normal except for 3 instances (I only have 2 IE tabs open) of the process iexplore.exe *32 running and one using a huge amount of memory (139,440k). Easily doubling any process that is running.

Attached Files



#14 m0le

Posted 23 May 2012 - 07:53 PM

TDL Fix seems to have done what we wanted it to do.

I pulled up task manager and it looked normal except for 3 instances (I only have 2 IE tabs open) of the process iexplore.exe *32 running and one using a huge amount of memory (139,440k). Easily doubling any process that is running.


This is quite normal.

IE8 runs each tab as a separate service, so if a tab crashes it does not crash the browser. There is also one extra for Ieframe.

The number of iexplore.exes in task manager should be the number of tabs open plus one which is what Process Explorer shows. The memory being used is not overly high so I am not suspecting malware here.


You still have problems though so let's see if our rootkit brought anything else along.

Please download ComboFix from one of these locations:

IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#15 tonyd3870

Posted 24 May 2012 - 01:14 PM

Here is the log.

Attached Files





