Extra window opens in IE and tries to access ad sites


  • Please log in to reply
8 replies to this topic

#1 steve6884

steve6884

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 11 October 2010 - 02:21 PM

I have a Dell computer running Windows XP Service Pack 3. When I use Internet Explorer or Firefox and go to many different websites, another window opens up and tries to open some random website. Usually the site doesn't load and I end up with a window that says something like "Oops! Internet Explorer could not connect to insert site name here". It seems like many of the sites have trafficrevenue in the address, but not all of them.

I have Norton Internet Security 2010 and have run full scans
I have run Malwarebytes and it finds nothing at all
I have run Superantispyware and all that has found is cookies
I ran CCleaner.
I ran spybot and it found 4 cookies
I downloaded Microsoft Security Essentials and ran a full scan, which took like 5 hours, and that found 3 spyware items.

Went to the ESPN website and right away another window opened and was trying to load a random site. Man this is very frustrating.

I have run all those programs in regular and safemode.

I have googled like crazy and cannot find an answer or solution. I really do not want to format my drive and reload Windows. Does anybody have any suggestions on what else I can try? Thanks for any help.

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:57 PM

Posted 11 October 2010 - 03:25 PM

Hello, are you getting a Tidserv request when a new window wants to open?
Are you running XP or another system?


ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "<<Back" button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 steve6884

steve6884
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 12 October 2010 - 01:07 AM

ESET Scan Log


C:\Program Files\Atari\Test Drive Unlimited\TestDriveUnlimited.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{60E2E3F3-57EF-4E82-9C42-3CC6C8A68A52}\RP45\A0011838.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{60E2E3F3-57EF-4E82-9C42-3CC6C8A68A52}\RP49\A0012122.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
D:\agent downloads\sdfind399e.zip IRC/Bomber trojan deleted - quarantined
D:\Downloads\fo-dpp31.zip probably unknown NewHeur_PE virus deleted - quarantined
D:\Downloads\klitekpp210e.exe probably a variant of Win32/TrojanDownloader.VB.IRCSLWN trojan deleted - quarantined
D:\Downloads\OmeNServE.zip IRC/Bomber trojan deleted - quarantined
D:\Downloads\tetroarena.exe7930D1CB multiple threats deleted - quarantined
D:\thunder backup\Thunderbird 2.0.0.18 (en-US) - 2008-12-21.pcv JS/KakWorm.A worm deleted - quarantined
D:\thunder backup\Thunderbird 2.0.0.23 en-US - 2009-11-02.pcv JS/KakWorm.A worm deleted - quarantined
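A helper reading a log like the one above usually sorts the hits before deciding what they mean: copies inside System Restore snapshots are dormant, hits on .zip files are often a file inside the archive rather than the archive itself, and "probably a variant of" is a heuristic rather than a signature match. The following Python is an added example, not part of the thread and not ESET's own logic: it parses the line format shown in the post (path, threat description, action, "- quarantined") with a regular expression and buckets the detections that way. The bucket names and the extension list in the pattern are assumptions made for this example; the sample lines are taken from the post above.

```python
import re
from dataclasses import dataclass

# Sample input: five lines copied from the ESET log quoted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Atari\Test Drive Unlimited\TestDriveUnlimited.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{60E2E3F3-57EF-4E82-9C42-3CC6C8A68A52}\RP45\A0011838.exe probably a variant of Win32/Genetik trojan cleaned by deleting - quarantined
D:\agent downloads\sdfind399e.zip IRC/Bomber trojan deleted - quarantined
D:\Downloads\fo-dpp31.zip probably unknown NewHeur_PE virus deleted - quarantined
D:\thunder backup\Thunderbird 2.0.0.18 (en-US) - 2008-12-21.pcv JS/KakWorm.A worm deleted - quarantined
"""

# Path runs up to a known extension (assumed list), then threat text, then the
# action phrase ESET uses, then the "- quarantined" status.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|zip|rar|pcv)\S*)\s+"
    r"(?P<threat>.+?)\s+"
    r"(?P<action>cleaned by deleting|cleaned|deleted)\s+-\s+"
    r"(?P<status>quarantined)\s*$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    heuristic: bool      # "probably ..." wording: generic/heuristic hit, worth a second look
    restore_point: bool  # lives in a System Restore snapshot, not an active file
    archive: bool        # the hit is on/inside a .zip or .rar container


def parse_eset_line(line: str):
    """Return a Detection for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    lower = path.lower()
    return Detection(
        path=path,
        threat=m["threat"],
        action=m["action"],
        heuristic=m["threat"].lower().startswith("probably"),
        restore_point="\\system volume information\\" in lower,
        archive=lower.endswith((".zip", ".rar")),
    )


def triage(log_text: str) -> dict:
    """Bucket detections in the order a helper would examine them.

    Buckets are assumptions for this example: live signature hits first, then
    live heuristic hits, then archive hits, then restore-point copies."""
    buckets = {"live_signature": [], "live_heuristic": [], "archive": [],
               "restore_point": [], "unparsed": []}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        d = parse_eset_line(raw)
        if d is None:
            buckets["unparsed"].append(raw)
        elif d.restore_point:
            buckets["restore_point"].append(d)
        elif d.archive:
            buckets["archive"].append(d)
        elif d.heuristic:
            buckets["live_heuristic"].append(d)
        else:
            buckets["live_signature"].append(d)
    return buckets


if __name__ == "__main__":
    for name, items in triage(SAMPLE_LOG).items():
        print(f"{name}: {len(items)}")
        for d in items:
            print("   ", d.path if isinstance(d, Detection) else d, "->",
                  d.threat if isinstance(d, Detection) else "(unparsed)")
```

Lines that do not fit the pattern land in `unparsed` rather than being dropped, so a garbled line (such as one where ESET appended an inner-stream name to the path) is still visible to the person reading the output.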

#4 steve6884

steve6884
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 12 October 2010 - 08:54 AM

I am pretty sure many of the files ESET questioned are fine, and this morning the same problem was still happening. Here is an example of an extra window that opened:

Oops! Internet Explorer could not find east.05tz2e9.com

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:57 PM

Posted 12 October 2010 - 09:21 AM

Hello, the IRC/Bomber is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

The JS_KAKWORM.A is an Email worm. This JavaScript worm propagates by embedding its code to all outgoing email and newsgroup messages using the Signature feature of Microsoft Outlook Express or Internet Explorer Newsgroup Reader.

These would not be OK files.


Please download CKScanner and save it to your Desktop. <-Important!!!
  • Double-click on CKScanner.exe and click Search For Files.
  • If using Vista, right-click on it and Run As Administrator.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A text file will be created on your desktop named ckfiles.txt.
  • Click OK at the file saved message box.
  • Double-click the ckfiles.txt icon on your desktop to open the log and copy/paste the contents in your next reply.


EDIT

Oops! Internet Explorer could not find east.05tz2e9.com

This appears to be a site that is infected.

Edited by boopme, 12 October 2010 - 09:34 AM.


#6 steve6884

steve6884
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 12 October 2010 - 09:59 AM

The two files it identified as IRC/Bomber files have been on my D: drive for probably 5-10 years. I don't doubt your word, but I have never had any problems in the past when I used those programs, and I used to use those a lot.

The JS/KakWorm.A worm was found in my backups of Thunderbird, which I use for email. If I do agree to wipe my C: drive clean and reload Windows, will I lose all my saved emails, or can that be cleaned and backed up?


Here is the CKScanner log

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\steve\favorites\financial links\imported bookmarks\ultra xxx passwords - custom hacked xxx passwords! we crack all our own xxx passwords! the best.url
c:\documents and settings\steve\favorites\imported bookmarks\crack search.url
c:\documents and settings\steve\favorites\imported bookmarks\ultra xxx passwords - custom hacked xxx passwords! we crack all our own xxx passwords! the best.url
c:\documents and settings\steve\my documents\my music\itunes\itunes music\annie lennox\exclusive\06 pavement cracks (gabriel & dresde.m4p
c:\documents and settings\steve\my documents\my music\itunes\itunes music\compilations\itunes holiday sampler\17 the nutcracker, op. 71, act 2_ ch.m4a
scanner sequence 3.EM.11
----- EOF -----

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:57 PM

Posted 12 October 2010 - 11:04 AM

I want to ask another to look at this before we proceed.

#8 steve6884

steve6884
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:57 PM

Posted 13 October 2010 - 08:41 AM

I want to ask another to look at this before we proceed.



Ok thanks

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:07:57 PM

Posted 13 October 2010 - 09:08 AM

Hello, I got similar info from my colleague.
It was 2 zipped files that were detected as IRC/Bomber. I can find IRC/Bomber in ESET's definition files but no description of what it actually is. Could possibly be a detection similar to a Heuristic.ArchiveBomb, which is a packed file that crashes malware scanners. It is usually not harmful to a computer system, but can cause security scanners to crash if they cannot handle the file. After the crash the computer is unprotected, as the anti-virus is no longer working. A Decompression bomb is a similar detection.

The JS_KAKWORM.A detection looks like a hit on Thunderbird setup files (two different versions), not actual email messages.


They recommend you ask at the ESET Support Forum, as it's their tool finding this and we need to know why also.
Post your log results there so one of their support folks can advise further.
Let us know.
Thanks.

Edited by boopme, 13 October 2010 - 09:09 AM.

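The archive-bomb idea in the reply above is something a defender can check for without relying on a scanner's verdict: a zip's central directory declares each entry's compressed and uncompressed size, so an absurd expansion ratio, a huge declared total, or a nested archive can be flagged before anything is decompressed. Because those declared sizes are written by whoever made the file, the second defence is to cap the bytes actually produced while reading. The following Python is an added example, not part of the thread and not how ESET implements its detection; the two sample archives are built in memory here, and the thresholds (100:1 ratio, 64 MiB total, 1 MiB read cap) are assumptions chosen for illustration.

```python
import hashlib
import io
import zipfile


def build_sample_zip(payload: bytes, name: str = "inner.bin") -> bytes:
    """Constructed sample: a one-entry DEFLATE zip held entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Benign: 16 KiB of pseudo-random (deterministic) bytes, barely compressible.
BENIGN = build_sample_zip(
    b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512)))
# Bomb-like: 8 MiB of zeros, which DEFLATE shrinks by roughly 1000:1.
BOMB = build_sample_zip(b"\0" * (8 * 1024 * 1024))


def inspect_zip(data: bytes, max_ratio: float = 100.0,
                max_total: int = 64 * 1024 * 1024) -> dict:
    """Check only the central directory; nothing is decompressed here."""
    report = {"entries": [], "declared_total": 0, "suspicious": False, "reasons": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            report["entries"].append(
                (info.filename, info.compress_size, info.file_size, round(ratio, 1)))
            report["declared_total"] += info.file_size
            if ratio > max_ratio:
                report["reasons"].append(
                    f"{info.filename}: ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
            if info.filename.lower().endswith((".zip", ".rar", ".7z")):
                report["reasons"].append(
                    f"{info.filename}: nested archive (possible recursive bomb)")
    if report["declared_total"] > max_total:
        report["reasons"].append(
            f"declared total {report['declared_total']} bytes exceeds cap {max_total}")
    report["suspicious"] = bool(report["reasons"])
    return report


def bounded_extract(data: bytes, member: str, limit: int) -> bytes:
    """Decompress one member but stop as soon as output would exceed `limit`.

    The cap is enforced on real output, not on the header's file_size, because
    the header is under the archive author's control."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(member) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            if out.tell() + len(chunk) > limit:
                raise ValueError(f"{member}: output exceeded {limit} bytes, aborting")
            out.write(chunk)
    return out.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB)):
        r = inspect_zip(blob)
        print(label, "suspicious" if r["suspicious"] else "ok", r["entries"], r["reasons"])
    try:
        bounded_extract(BOMB, "inner.bin", 1 << 20)
    except ValueError as exc:
        print("bounded_extract:", exc)
```

Running `inspect_zip` first and `bounded_extract` second is the point: the first is cheap and catches the honest bomb, the second catches the one whose headers lie. Neither step tells you whether the inner file is malicious; that is still the scanner's job once the file is known to be safe to unpack.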