Internet Explorer (Not Responding)


  • This topic is locked
24 replies to this topic

#1 wrobertshd1

wrobertshd1

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 15 July 2015 - 07:51 PM

When I start IE from the taskbar icon it takes a very long time to open; frequently a (Not Responding) message is displayed.

 

Firefox exhibited similar behavior.

 

I downloaded and ran HijackThis and chose to fix the following log entries related to IE:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

 

When I rebooted I found my browsers (IE & Firefox) had "like new" performance.

 

I have performed most of the steps in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help", including running FRST (I had to temporarily disable Norton to run FRST).

 

I am attaching the FRST.txt and Addition.txt files to this post:

Attached File  Addition.txt   82.48KB   1 downloads

Attached File  FRST.txt   81.51KB   3 downloads

 

I would appreciate any help you can provide.

 

Cheers,

 

Bill Roberts - wrobertshd1




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,264 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:41 PM

Posted 17 July 2015 - 08:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-72283057-317170361-2249252944-1002\...\Run: [MultiScreen] => [X]
GroupPolicyScripts: Group Policy detected <======= ATTENTION
GroupPolicyScripts\User: Group Policy detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-72283057-317170361-2249252944-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-72283057-317170361-2249252944-1002\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Toolbar: HKU\S-1-5-21-72283057-317170361-2249252944-1002 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKU\S-1-5-21-72283057-317170361-2249252944-1002 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR Extension: (New Tab Redirect) - C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2014-04-13]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-72283057-317170361-2249252944-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
R3 WinRing0_1_2_0; \??\C:\Users\Bill\AppData\Local\Temp\tmp7E8B.tmp [X]
AlternateDataStreams: C:\ProgramData\Temp:6DAA43DB
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-504653373
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-795844075
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-993278290
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-999522333
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4119598909
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b42003591202
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b42018440148
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4628274029
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4733527459
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4793413631
AlternateDataStreams: C:\Users\Bill\Desktop\CBS Los Angeles TV.website:TASKICON_06e73a6b1134780ca210df6b6ff4ff4b4-2096215672
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-111526222
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-504653373
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-713110165
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-795844075
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-993278290
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4-999522333
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4119598909
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b41742711437
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b42003591202
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b42018440148
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4419312469
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4628274029
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4733527459
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b4793413631
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:DESTICON_6e73a6b1134780ca210df6b6ff4ff4b482207438
AlternateDataStreams: C:\Users\Bill\Desktop\KNX 1070.website:TASKICON_06e73a6b1134780ca210df6b6ff4ff4b4-2096215672
C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141
===

How is the computer running now?

#3 wrobertshd1


Posted 20 July 2015 - 08:11 PM

Hi nasdaq,

 

Thanks for the reply. I created the fixlist.txt file as instructed and am attaching the Fixlog.txt output.

 

Attached File  Fixlog.txt   11.38KB   3 downloads

 

After a reboot I reset my Firefox browser settings.

 

Then I selected the hyperlink you provided entitled "Clear the Firefox Cache" - the hyperlink took me to a page related to clearing Internet Explorer cache, but I cleared that anyway (can't do any harm, right?).

 

I do note however that I still have a registry entry for WinRing0_1_2_0.

 

Overall performance seems to be good (I don't notice any change from when I deleted the 3 registry entries I referenced in my first post, however my desktop gadgets returned, which is nice).

 

Thank you for your help ... I am beginning to suspect the only way I will be able to get rid of the WinRing0_1_2_0 registry entry will be an OS reload.

 

Cheers,

 

Bill Roberts



#4 nasdaq


Posted 21 July 2015 - 07:43 AM

"Thank you for your help ... I am beginning to suspect the only way I will be able to get rid of the WinRing0_1_2_0 registry entry will be a OS reload."

No, do not reload the OS.

WinRing0_1_2_0 => Service stopped successfully.
WinRing0_1_2_0 => Service removed successfully

The service is shown as removed in the fixlog.

After a restart of the computer, please run the Farbar tool one more time and post a fresh FRST log for my review.
It's only a check since nothing can happen from an empty service.

==

#5 wrobertshd1


Posted 21 July 2015 - 08:31 AM

Hi Nasdaq,

 

I've run the farbar tool as requested and am attaching the logs.

 

Attached File  FRST.txt   80.44KB   2 downloads

Attached File  Addition.txt   78.92KB   2 downloads

 

Thanks again,

 

Bill Roberts



#6 nasdaq


Posted 21 July 2015 - 03:11 PM


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.


start

CloseProcesses:

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
R3 WinRing0_1_2_0; \??\C:\Users\Bill\AppData\Local\Temp\tmp5BC8.tmp [X]

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

The good thing is that the service is empty of the file.
Nothing can happen of it.

===


If the service is still in the registry we can remove it.

Let's also look in the Registry.

Please run the Farbar Recovery Scan Tool. Enter WinRing0_1_2_0 in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

If the item persists, I may be able to give you a fix to remove the item from the registry.

#7 wrobertshd1


Posted 21 July 2015 - 07:41 PM

Hi nasdaq,

 

Here is Fixlog.txt:

Attached File  Fixlog.txt   1.08KB   0 downloads

 

And here is Search.txt:

Attached File  Search.txt   2.28KB   1 downloads

 

As you can see, WinRing0_1_2_0 persists.

 

Thanks again for your help,

 

Bill Roberts



#8 nasdaq


Posted 22 July 2015 - 07:09 AM

This should clean the registry.

Copy the text IN THE QUOTE BOX below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINRING0_1_2_0]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINRING0_1_2_0]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinRing0_1_2_0]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINRING0_1_2_0]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRing0_1_2_0]
[HKEY_USERS\S-1-5-21-72283057-317170361-2249252944-1002\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.

#9 wrobertshd1


Posted 22 July 2015 - 04:00 PM

Hi nasdaq,

 

I followed your instructions, restarted, but I still have a registry entry for WinRing0_1_2_0.

 

Attached File  2015-07-22 13_53_52-Registry Editor.png   211.47KB   0 downloads

 

My computer is running much better, so I do thank you for your help.

 

I don't know if anything else can be done.

 

I am leaving on vacation and won't be able to respond until August 1st (should you reply with any other advice on removing the WinRing0_1_2_0 registry entry).

 

Thanks,

 

Bill Roberts



#10 nasdaq


Posted 23 July 2015 - 07:34 AM

The key should have been removed.
It's included in my fix under that line.

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinRing0_1_2_0]

Check your registry and see if this one under ControlSet002 was removed.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinRing0_1_2_0
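
The check requested above can be done in one pass instead of by browsing regedit. This is an added example, not part of the original thread and not a Farbar or BleepingComputer script: a read-only PowerShell audit of the key names from the fixme.reg in post #8. It assumes an English Windows install (the `BUILTIN\Administrators` group name) and an absolute ImagePath like the one FRST reported.

```powershell
# Read-only audit of the WinRing0_1_2_0 service keys; run from an elevated prompt.
# Nothing is modified. Key names are the ones listed in the thread's fixme.reg.
$serviceName = 'WinRing0_1_2_0'
$legacyName  = 'LEGACY_WINRING0_1_2_0'
$controlSets = 'ControlSet001', 'ControlSet002', 'CurrentControlSet'

# CurrentControlSet is a link to the ControlSetNNN numbered in Select\Current,
# so a key seen there is the same key as in that numbered control set.
$current = (Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Select').Current
'CurrentControlSet -> ControlSet{0:D3}' -f $current

$report = foreach ($set in $controlSets) {
    foreach ($sub in "services\$serviceName", "Enum\Root\$legacyName") {
        $path = "HKLM:\SYSTEM\$set\$sub"
        $row = [ordered]@{
            Key = "$set\$sub"; Present = $false; ImagePath = $null
            FileExists = $null; Owner = $null; AdminRights = $null
        }
        if (Test-Path -LiteralPath $path) {
            $row.Present = $true
            # ImagePath exists only on the services key, not on the Enum key
            $image = (Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue).ImagePath
            if ($image) {
                $row.ImagePath = $image
                # Strip the NT "\??\" prefix before testing; FRST's [X] means file not found
                $row.FileExists = Test-Path -LiteralPath ($image -replace '^\\\?\?\\', '')
            }
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $row.Owner = $acl.Owner
                # Assumption: English group name; localized systems use another name
                $row.AdminRights = ($acl.Access |
                    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
                    ForEach-Object { $_.RegistryRights }) -join ','
            } catch {
                $row.Owner = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}
$report | Format-Table -AutoSize -Wrap
```

Running it before and after a reboot shows whether a key that was deleted has been created again, and the ImagePath column shows whether the temp file name has changed, as it did between the two fixlists in this thread (tmp7E8B.tmp, then tmp5BC8.tmp).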

#11 wrobertshd1


Posted 26 July 2015 - 05:53 PM

Hello nasdaq,

 

I returned early from one trip and have some time to respond before leaving on my next trip.

 

WinRing0_1_2_0 was still under CurrentControlSet and ControlSet002.

 

I was able to find a way to run regedit as SYSTEM.

 

Step 1: install Sysinternals suite

Step 2: open command prompt as administrator

Step 3: CD to directory where Sysinternals is installed

Step 4: psexec -i -d -s c:\windows\regedit.exe (from command prompt)

 

In addition to the WinRing0_1_2_0 keys mentioned above, I found two LEGACYWinRing0_1_2_0 keys in CurrentControlSet and ControlSet002.

 

I have deleted all WinRing0_1_2_0 keys and am going to reboot.

 

I will let you know what happens.

 

Thanks again for your help, kindness and patience.

 

Bill Roberts



#12 wrobertshd1


Posted 26 July 2015 - 06:43 PM

Didn't do any good ... WinRing0_1_2_0 and LEGACYWinRing0_1_2_0 are still there.



#13 nasdaq


Posted 27 July 2015 - 07:09 AM

It's protected by the Legacy key.

The key alone is not causing any problems.

If you insist on removing it, do it at your own risk.

Instructions here.

http://www.wilderssecurity.com/threads/how-to-delete-legacy-registry-entries.141555/

#14 wrobertshd1


Posted 01 August 2015 - 11:39 AM

Thanks nasdaq ... I think we can consider this case closed.



#15 nasdaq


Posted 01 August 2015 - 01:16 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===



