JRT Wrecking IE 6


when i run JRT it removes some regkeys which wrecks "IE 6" on my computer, running windows xpsp3..

 

here is the "scan-log":

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Microsoft Windows XP x86
Ran by user (Limited) on Mon 02/01/2016 at  2:09:27.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 5

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{1E796980-9CC5-11D1-A83F-00C04FC99D61} (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D} (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/01/2016 at  2:11:19.62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

incidentally, when i run JRT, it prompts me to run it with administrator-privileges but i was running it from my windows user-account which has administrator-privileges.. (i only have one windows user-account and it has administrator-privileges).. (the JRT scan-log says it is running from a limited-user-account)..

 

i don't need to be told that i need to install IE 8.. i hate IE 8 which is why it is not installed..

 

i only use "IE 6" when using microsoft's "windows update" and it works fine for that..

 

the regkeys that JRT is flagging are false-positives..

 


  • Staff

Hi,

 

IE6 should still launch, why do you say it's "wrecked"?

 

So I can get a better understanding, what URL(s) were these set to?

  • HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
  • HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
  • HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

 

__

 

As for these below (something I was able to research), they appear adware related to me and others.

 

  • HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{1E796980-9CC5-11D1-A83F-00C04FC99D61} - here, here, and here
  • HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D} - here, here, and here

 

Regards


IE 6 will not open after JRT removes the regkeys..

 

if i use "ERUNT" to restore my registry, then IE 6 will open again..

 

here are the "values" for the 3 regkeys that you asked about:

HKCU "startpage" = http://www.google.com/webhp?complete=0&nord=1
HKLM "startpage" = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM "SearchAssistant" = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

the second two should be windows-default-settings..

 

the first one is what i set for my homepage..

 

i imagine that it is the other two "toolbar"-regkeys that are removed that are the problem..

 

i think the two toolbar-regkeys that are being flagged are legitimate, that they just happen to be used by some malware-variants and so they are erroneously being labelled as being "bad".. i have seen that happen before, where a legitimate regkey was erroneously labelled as being bad when it was used by a malware-variant..

 

i used JRT before malwarebytes got it and it didn't flag any of the regkeys that are being flagged, in the past..

 

incidentally, JRT build 8.0.0 flagged the same regkeys that are being flagged by build 8.0.2..

 

no malware has ever been detected on my computer which is one reason i would think that the regkeys that were flagged are false-positives..

 

 


  • Root Admin

I really like XP myself, but why are you using IE6? Even if you use Firefox as your default browser, there are still files on the system from IE6 that can potentially help allow an attack that have been corrected in IE8 (yes, going forward there are no more updates from Microsoft, but I'd think it best to have at least the latest updates they did provide before dropping support for XP).

 

I'm curious if you can manually remove the toolbar keys yourself and if that breaks IE from starting or not. By default if the main IE keys were missing it will automatically restore basic settings and launch. Wondering what element is actually preventing it from starting.


  • Staff

IE 6 will not open after JRT removes the regkeys..

 

Do you get an error message of any sort when you try? If so, can you relay that to me?

 

 

 

HKCU "startpage" = http://www.google.com/webhp?complete=0&nord=1

 

I was able to reproduce this as a FP which in turn deletes the HKLM version of "StartPage" too. Will be fixed in the next version :)


hello.. sorry for my "late" reply.. no, i don't get any error-messages when i try to open IE.. it just won't open.. and i didn't see anything in windows "event viewer"..

 

from what i was able to find on the internet, one of the "toolbar" items is associated with managing the buttons in IE's "toolbar", which explains why it is used by "emusic", since the "emusic" adware adds a button to IE's toolbar.. however, the CLSID that is being flagged is not for emusic's toolbar-button, or else it would be flagged by "hijackthis".. (i remove all third-party toolbar-buttons, such as the one that was installed by the "paltalk" program)..

 

the other toolbar-item that was flagged seems to be associated with IE's "tools"-menu..

 

i will leave it to malwarebytes to work things out, to figure out that the regkeys that are being flagged by JRT are legitimate and that they shouldn't be being removed (despite symantec's associating them with malware, and then everyone else's following suit)..

 

advancedsetup, i really don't want to go to the trouble of removing the regkeys just to confirm that doing that will wreck IE, necessitating running ERUNT again, to fix the problem.. i have already been through that twice, once with JRT 8.0.0 and then again with JRT 8.0.2.. however, maybe i will do that, removing the regkeys, as you suggested.. i just haven't done it yet..


  • Root Admin

I have a default new installation of Windows XP Pro with SP3 US English. The only update installed was the Microsoft Visual Studio 2008 Runtime file.

It is running IE6 at 128-bit cipher, and it too has this value:

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar

{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}

 

I unlocked the toolbar and it created the following:

{1E796980-9CC5-11D1-A83F-00C04FC99D61}

 

Locking or unlocking now does not seem to change that value anymore.

 

I would have to believe that this entry is a default entry from Microsoft, as this installation is not infected, no software is installed, and no other Windows updates are installed.

{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}

 

 

Deleting those keys though does not prevent IE from launching for me. It does not recreate them either as I thought it would but I notice no difference with or without the registry keys there.


advancedsetup, thanks for looking into it.. at least y'all now know to stop removing the one regkey since it is a "default" regkey..

 

i just assumed that the "{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}" "value" didn't exist, by default, because, when i was reading about it, a couple of people said that they didn't have it on their computers..


  • Root Admin

Found a copy of that version of JRT. Ran it and it removed the 2 keys and did not affect IE for me. Still runs just fine.

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Microsoft Windows XP x86
Ran by AS (Administrator) on Tue 02/02/2016 at 23:17:17.93
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D} (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/02/2016 at 23:17:48.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
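The two JRT logs in this thread show why a cleaner's "Successfully deleted" lines are worth auditing against a baseline of stock values before the deletions are accepted. The following is an added example, not JRT's or Malwarebytes' code: it parses the deletion lines of a JRT log and flags any path that matches a small baseline of values this thread documents as present on a clean Windows XP SP3 / IE6 installation (the HKLM Start Page and SearchAssistant URLs, and the two toolbar CLSIDs advancedsetup found on a fresh install). The baseline, the log regex and the embedded sample log are constructed from what was posted here and are assumptions about the log format, not an official list.

```python
"""Audit a JRT scan log for deletions of known-default Internet Explorer values.

Added example (not JRT's or Malwarebytes' code). Parses the "Successfully
deleted:" lines of a JRT log and compares each registry path against a
constructed baseline of values reported in this thread as stock on an
uninfected XP SP3 / IE6 machine, so a deletion of a stock value can be
reviewed (e.g. restored from an ERUNT backup) rather than taken on trust.
"""
import re
from typing import Dict, List, NamedTuple


class Deletion(NamedTuple):
    path: str   # registry path exactly as JRT prints it, e.g. HKCU\...\Main\\Start Page
    kind: str   # the parenthesised type, e.g. "Registry Value"


# Constructed baseline: values the thread documents as present on a clean
# XP SP3 / IE6 install. Comparison is case-insensitive; the reason text is
# only there to help whoever reviews the log.
KNOWN_DEFAULTS: Dict[str, str] = {
    r"HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page":
        "stock Microsoft redirector home page (redir.dll?...&ar=home)",
    r"HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant":
        "stock ie.search.msn.com search-assistant URL",
    r"HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D}":
        "present on a clean XP SP3 install with no other software",
    r"HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{1E796980-9CC5-11D1-A83F-00C04FC99D61}":
        "written by IE6 itself when the toolbar is unlocked",
}

# Assumed line shape: "Successfully deleted: <path> (<kind>)"
_DELETED = re.compile(r"^Successfully deleted:\s+(?P<path>.+?)\s+\((?P<kind>[^)]+)\)\s*$")

# Constructed sample: the deletion lines from the first log in this thread.
SAMPLE_LOG = r"""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Microsoft Windows XP x86
Ran by user (Limited) on Mon 02/01/2016 at  2:09:27.64
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 5

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{1E796980-9CC5-11D1-A83F-00C04FC99D61} (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Toolbar\\{710EB7A1-45ED-11D0-924A-0020AFC7AC4D} (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/01/2016 at  2:11:19.62
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""


def parse_jrt_log(text: str) -> List[Deletion]:
    """Return every 'Successfully deleted' entry in a JRT log, in log order."""
    found = []
    for line in text.splitlines():
        m = _DELETED.match(line.strip())
        if m:
            found.append(Deletion(m.group("path"), m.group("kind")))
    return found


def flag_default_deletions(deletions: List[Deletion]) -> Dict[str, str]:
    """Map each deleted path that matches the baseline to why it is considered stock."""
    lookup = {k.lower(): v for k, v in KNOWN_DEFAULTS.items()}
    return {d.path: lookup[d.path.lower()] for d in deletions if d.path.lower() in lookup}


def report(text: str) -> str:
    """Human-readable summary: every deletion, with stock values marked for review."""
    deletions = parse_jrt_log(text)
    flagged = flag_default_deletions(deletions)
    lines = [f"{len(deletions)} deletion(s), {len(flagged)} match a known default:"]
    for d in deletions:
        tag = f"REVIEW - {flagged[d.path]}" if d.path in flagged else "ok"
        lines.append(f"  [{tag}] {d.path} ({d.kind})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample log, four of the five deletions are marked for review; the HKCU Start Page (the user's own Google URL) is the only one the baseline does not recognise. Extend `KNOWN_DEFAULTS` with values verified on your own clean reference image rather than trusting the list here.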

On 2/6/2016 at 9:43 PM, thisisu said:

Thanks all. The toolbar issue should be fixed in 8.0.3, which will hopefully be released soon. Haven't been able to reproduce the SearchAssistant value being deleted using that URL, so I have left that alone for now.

here is another case where the windows-default "searchassistant" regkey seems to be being removed, if you look at the JRT scan-log that the person posted:

https://forums.malwarebytes.org/topic/178891-wired-problem-with-jrt/

i don't know why you can't see that JRT shouldn't remove windows-default regkeys..

you say that you can't reproduce the problem even though everyone else does..

 
