  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 591

Why do websites keep appearing out of nowhere and how do I stop it?

Hello, I've been trying in my very limited way to tidy and clean my daughter's pc, which has never had any such attention since she got it. I've used CCleaner, A Squared, Norton Systemworks, Ad-Aware and am currently having a bit of difficulty getting rid of two Trojan viruses (Norton couldn't delete them), but I'm here now to ask why, when, say, checking email, other websites appear out of the blue and what I can do to stop them. They're not pop-ups, as such, well, not as I understand them, but full-page websites advertising this and that. Sometimes, too, when one appears it seems to have the effect of losing/deleting the email browser.

Hope that makes sense and that you might be able to offer some assistance. Simple language please!

Many thanks

Neil C
0
5 Solutions
 
jimmymcp02Commented:
hi
www
you should install the latest windows updates and also run http://www.safer-networking.org/en/home/index.html and see if you find any malware. i will recommend running these tools in safe mode.
post back if you need more assistance
0
 
EnnnceeeAuthor Commented:
Thanks for your quick reply Jimmy. I have installed Windows Updates and do you mean install and run Spybot, which is the main product on the safer-networking site? As I said, I've run Ad-Aware, Norton, A Squared; is Spybot better? And perhaps you would explain what you mean by running in safe mode and how I do that.

Thanks

NC
0
 
bcoheaCommented:
What is your Operating System? Windows 98 and ME are no longer supported but you can still get security updates that have already been released. Regardless of the OS, as jimmymcp02 said, go to http://update.microsoft.com and check for updates. You may be prompted to install some software when you go to that site. MAKE SURE the prompts are from Microsoft and continue.

To answer your other question, SpyBot is the program you want from that site. SpyBot isn't necessarily better, but the more utilities you use the broader the scope of malware you can detect. The more nets the more fish, right?

To start in Safe Mode, repeatedly press F8 at system startup after the boot logo and you should see a "Windows Advanced Options Menu" where "Safe Mode" is an option. Make sure you have updated the Ad-Aware, SpyBot, Norton, etc. applications BEFORE you go into safe mode as you won't have network access.

After you do that, download HijackThis and save a log and post here.
HJT: http://www.spywareinfo.com/~merijn/programs.php
How-to: http://www.bleepingcomputer.com/tutorials/tutorial94.html

bcohea
0
 
EnnnceeeAuthor Commented:
Thanks a lot for that. It may take me a day or two to get to that, so bear with me please. I *will* be back.

It's XP Home and only last night I installed quite a large number of updates, but will check again.

Thanks

NC
0
 
bcoheaCommented:
You may have to install the updates in stages, rebooting in between. Just keep updating until Windows Updates says there aren't any more.

bcohea
0
 
nobusCommented:
i suggest running ALL these - updated :
     adaware : http://www.lavasoftusa.com/
     Spybot : http://www.download.com/3000-8022-10122137.html
     online scan for trojans : http://housecall.trendmicro.com/
     download : http://www.spychecker.com/program/hijackthis.html
     check the log : http://www.hijackthis.de/index.php?langselect=english

especially the housecall is very powerful !
0
 
collins23Commented:
websites don't come from nowhere :D you invite them..
0
 
LeeTutorretiredCommented:
Have you turned off the Messenger service, a source of many unwanted browser windows?  Go to Start -> Run -> type SERVICES.MSC and hit Enter key -> scroll down to the Messenger service in the list, double click on it, and in the window that appears, hit the Stop button for Service status, then change Startup Type to Disabled.
0
 
EnnnceeeAuthor Commented:
I understand that collins23. What I'm trying to discover is how one invites them and what one does to stop inviting them.

Getting there. Spent the entire day updating, installing Spybot, fixing and so on.

Lee, your Messenger note is interesting. Is this MSN Messenger you're referring to? If so, might make some sense as it's my daughter's - as with many, I guess - second home.

If this is MSN Messenger, presume your instructions won't prevent her signing in and messaging etc. I'd never hear the last of it!
0
 
jimmymcp02Commented:
did you find any spyware?

also disable messenger http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx as leetutor recommended. it does not affect msn messenger; i have messenger service disabled on my laptop and i'm still using msn messenger. they are 2 different programs.

Also you ran the spybot and virus scans on safe mode right?

0
 
bcoheaCommented:
Ennnceee,

Lee is referring to the Messenger service, and it is completely different from Windows Messenger. The Messenger service allows pop-ups like this:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

And the full page windows you stated that you see in the original question ARE pop-ups. They just look a little different.

The best things you can do to make sure you don't get this junk again is:
1) Make sure XP is up-to-date by going to http://update.microsoft.com and also enabling Automatic Updates
2) disable the preview pane in Outlook Express or Outlook (if used)
3) run an antispyware app that runs resident such as Webroot SpySweeper, or be diligent and regular with the Spybot/AdAware/etc. (manual) scanners
4) use Firefox or Opera (just not Internet Explorer!)
5) create an account for your daughter to use that ISN'T an Administrator-level account

The last step will effectively neuter a ton of spyware. If you are logged in as a regular user-level account, most spyware will inherit those rights and will not be able to infect your system (at least as fully). Of course, you will have to log in to install apps or updates.

bcohea
0
 
EnnnceeeAuthor Commented:
Understand all that bcohea - and thanks - except 5. Perhaps you could elaborate a little.

I did think, by the way, that I had installed Google toolbar with pop-up blocker. Wouldn't that work in these circumstances?

Neil
0
 
bcoheaCommented:
Unfortunately Neil, pop-up blockers are not always 100% effective. There are many ways to call or generate a pop-up window and it is the unscrupulous advertisers' job to discover and take advantage of any and all ways to get visibility on your system. If they can even get 1 to 2% return on investment for all the impressions they land (which I would consider amazing for a pop-up creator), that would still mean thousands of sales since they probably had that pop-up appear on millions of users' computers. Therefore they want maximum exposure.

To answer your question about the administrator vs. limited user account: When you are logged in and you execute or start an application, that application usually inherits from you whatever rights you have. Therefore if you are an Administrator and you view a malicious web site or email, whatever process is actually doing the bad stuff in the background will have Administrator rights. Basically that means it can do pretty much ANYTHING it wants... modify the registry, delete files, change settings, etc.

But if you happen to stumble across this junk whilst logged in as a limited user then the malicious process cannot do many things to the system. No registry edits, no deletion of non-owned files, restricted settings change etc. Check out this page for the details on XP user account differences:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/usercpl_overview.mspx?mfr=true

As the documentation above states, it does make it more difficult to install and run some applications while logged in as a limited user account. However, the "runas" command can easily remedy this. It will allow you to run certain apps as an admin that may require it.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

bcohea
0
 
EnnnceeeAuthor Commented:
It's funny, though. I have a much older system (ten years old, small memory, W98) and I hardly get any pop-ups of any sort. Certainly don't get websites appearing out of the blue. Perhaps, perversely, it's because it's less sophisticated than my daughter's.

Still, making some progress. Have all updates now, have cleaned, virus-checked with Norton, Spybot, Ad-Aware, Housecall... Now need to attend to some of the other suggestions above.

Neil
0
 
bcoheaCommented:
Websites appearing out of the blue without ANY prompting is a definite sign of malware infection. Please post the HijackThis log as I suggested earlier. We should make sure your daughter's computer is clean.

And regarding the fact that you get less pop-ups on your computer... there could be a number of possibilities on that. First of all, most new pop-ups are coded to take advantage of XP/2000 loopholes/vulnerabilities. If 98 only has a small marketshare compared to other OSs, advertisers are not going to spend too much time looking for a way onto your system. Even though Vista is due soon, XP is SURE to be around for another 5 to 10 years as a viable OS. Advertisers know that.

Also, and I mean no offense here, you are probably wiser in what you click on and what websites you visit. I don't know how old your daughter is and what sites she visits but youth-related subject matter is prime picking grounds for pop-up creators. Most kids are not properly taught safe Internet usage and are easily influenced by ads. If you don't think kids are a cash cow, look at the relatively recent explosion of ring-tone/text-messaging businesses out there. What is their target consumer? Teens.

bcohea
0
 
EnnnceeeAuthor Commented:
Have done the HijackThis log bcohea; was just getting to that. I mean no offence - you wouldn't tell me to do it if it wasn't quite safe - but would appreciate reassurance that the log I post here won't contain sensitive information. I can just C & P it can't I?

Oh yes, I know about the ring-tones/text business. My youngest daughter got caught up in one and it took all my expertise to get most of her money back.

Many thanks

Neil
0
 
nobusCommented:
you save your log file on the hijackthis site, as i posted; and only post the link to it here
0
 
LeeTutorretiredCommented:
Did you turn off the Messenger service?
0
 
EnnnceeeAuthor Commented:
Hadn't got round to that Lee, but have looked now and it is already Stopped and Disabled.

Oh, ok nobus. Will check that when I'm able to later today (UK time) or tomorrow. A lot to get through, but getting there. Haven't had anything awry with latest scans from CCleaner, Ad-Aware, Norton Anti-Virus, Spybot (haven't got to Housecall yet), so must be making some progress.
0
 
bcoheaCommented:
As long as you follow nobus' advice about posting your HJT log it won't contain any personal info. Even if you copied and pasted the log here it shouldn't contain any personal information.

bcohea
0
 
collins23Commented:
try ewido antispyware from http://free.grisoft.com
0
 
EnnnceeeAuthor Commented:
Will do collins23. Slowly getting through all these instructions!

Still getting websites popping up, despite all efforts so far, and currently trying to get rid of Trojan.Duntek in Maindro.dll, which Norton found but can't delete. Any ideas?

Think I've done HijackThis successfully and this should be the link:

http://www.hijackthis.de/logfiles/a26ae17b73fdd4ecf850db448229f726.html
0
 
EnnnceeeAuthor Commented:
When I tried that link earlier, it worked. Now it's telling me this log has been checked automatically. Confused.
0
 
LeeTutorretiredCommented:
I'm not sure what that message means, but:  The logfile for analysis of HijackThis is only held for 3 days.  It might have expired.  I suggest you run another analysis and post the link for the analysis again.
0
 
EnnnceeeAuthor Commented:
Yes, I saw that it only lasted for three days, but I did a new one yesterday so should have been there. I'll try again.
0
 
EnnnceeeAuthor Commented:
Or maybe I'll just C&P here if it's quite safe.
0
 
jimmymcp02Commented:
just C&P on the hijackthis page  then hit analyze and save the report then post the link
0
 
EnnnceeeAuthor Commented:
Jimmy, that's exactly what I did, and as I explained it was there when I tried it originally, but when I tried it a bit later (not three days later) it said as explained above. I'll try again shortly.

In the meantime I've been trying without success to get rid of this interminable Trojan.Duntek, which NAV keeps finding but won't delete or quarantine. It apparently encourages pop-up ads so could be (part of) the problem. I just went to Symantec support chat, but they want quite a lot of money to fix it on top of their annual subscription, so not falling for that. I'll keep looking for a solution and will go back to HijackThis as soon as.
0
 
jimmymcp02Commented:
the trojan is your problem

here is an article on how to remove the trojan
http://www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=3

0
 
nobusCommented:
did you run the online scan for trojans ?
0
 
EnnnceeeAuthor Commented:
I've run all the scans discussed above, including NAV, which found Trojan.Duntek, but which, as I said, won't delete it or quarantine it.

Trendmicro worked the first time I tried it, but, despite numerous attempts since, it won't co-operate. It just comes to a standstill before it's supposed to start scanning.

I've looked at that page jimmy, but am worried I'd be out of my depth. It seems odd to me that NAV can find it, but can't repair it. It almost makes the process pointless.
0
 
jimmymcp02Commented:
i think that you might have system restore enabled and that's why it keeps coming back. i don't think that nav is scanning the restore folder.... you might want to disable system restore and do a scan again. also make sure that the scans do not exclude the c:\restore
0
 
EnnnceeeAuthor Commented:
Think I can manage disabling system restore (should I enable it again afterwards?) but how do I make sure that scans don't exclude c:\restore?
0
 
nobusCommented:
if you want to try more scans, look here (bottom of page) :
http://www.dedigitalerevolutie.nl/toontext.asp?id=5670
0
 
jimmymcp02Commented:
You can disable system restore and re-enable it later; once everything is fixed we can create a restore point....
As for the exclude, run a scan and there should be an options tab; check and see if there is an exclude files and folders option and make sure that is not checked....I don't have nav on my pc (home version), i have the enterprise version.
0
 
EnnnceeeAuthor Commented:
Not having much luck. Disabled System Restore, scanned, picked up Trojan.Duntek again, but still wouldn't delete or quarantine; so have re-enabled SR. Did check files and folders weren't excluded.

Haven't tried all scans suggested here yet, but have done Spybot, A Squared, Ad-Aware, Norton, probably one or two others as well, but none of these has picked up T.D, if indeed this is the problem.

Tried again and again to use Trendmicro Housecall after working first time and then not. Tried numerous times, just got to the scan page and didn't do anything, until, finally, it did start to work, but then stopped and in any case the page disappeared of its own accord! Great fun!

Still, getting ads/websites appearing from nowhere and whole system can be very slow. Considering all the XP updates, scans and so on would have hoped to make more progress by now.

Tried HijackThis again and this should be the link, if it doesn't do what happened last time. That is, the log disappeared and it was saying this has been checked automatically. They're supposed to stay for three days and I've just done it now at 10am, Thursday, UK time.

http://www.hijackthis.de/logfiles/a26ae17b73fdd4ecf850db448229f726.html
0
 
EnnnceeeAuthor Commented:
Just tried that link from above and is working at the moment.
0
 
jimmymcp02Commented:
i'm not sure what these entries are?

O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)

but there seem not to be files associated with those registries

the trojan is causing the sites to pop up.
0
 
EnnnceeeAuthor Commented:
I'm afraid I don't understand the significance of that Jimmy.

That link is still working, but, and this is quite bizarre, I definitely saw a 'Nasty' there when I first looked at it, but it isn't there now. How strange. I do see that it says at the bottom that it's been checked automatically, but unlike my first attempt, when the entire log disappeared, it, or most of it, is still there as I write.

Any more suggestions gratefully received. Have you looked nobus or bcohea?

And any further suggestions as to how I get rid of Trojan.Duntek without paying Symantec $70 for the privilege?

I've done some more scans, including Mcafee, but it was clear and NAV is still the only scan to pick up this trojan.
0
 
nobusCommented:
did you run the online scan for trojans i asked for in my first post?
0
 
EnnnceeeAuthor Commented:
I presume you're talking about Trendmicro. Please refer to my earlier post; 5 up.
0
 
nobusCommented:
right - then it gets harder.
i suppose you upgraded the Java .
0
 
EnnnceeeAuthor Commented:
I think it tried to do that during the procedure, presumably without success. Wouldn't have a clue how to do it independently.
0
 
nobusCommented:
apart from a fresh install, you can still look into this :
if you want to try more scans, look here (bottom of page) :
http://www.dedigitalerevolutie.nl/toontext.asp?id=5670
0
 
jimmymcp02Commented:
sorry i should have been more clear

the below entries can be deleted if you wish they do not have files associated with them.

O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)

Your problem is the trojan and unfortunately the only way is to follow the instructions provided before from the symantec site on how to remove Trojan.Duntek
http://www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=3
0
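The "(no file)" check jimmymcp02 describes above, as an added example that is not part of the original thread: a small parser that picks the numbered entries out of a HijackThis log and groups the ones marked "(no file)" by their CLSID, so leftover registry entries from one product show up together. The `section - description` line shape is taken from the two O9 lines quoted in the thread; the O2 and O4 sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log. The two O9 lines are quoted from the thread; the
# header, O2 and O4 lines are made up so the parser has something to skip
# and something that is NOT orphaned.
SAMPLE_LOG = """\
Logfile of HijackThis (constructed header line)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
"""

# A log entry starts with a section code (letter + number) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
# Registry class identifier in braces, e.g. {1CBF31FC-...}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NO_FILE_MARKER = "(no file)"  # marker text as it appears in the thread


def parse_entries(log_text):
    """Return one dict per numbered entry; header and blank lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body").rstrip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": match.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            "orphaned": body.endswith(NO_FILE_MARKER),
        })
    return entries


def orphaned_by_clsid(entries):
    """Group entries whose registry record points at no file, keyed by CLSID."""
    groups = defaultdict(list)
    for entry in entries:
        if entry["orphaned"]:
            groups[entry["clsid"] or "(no CLSID)"].append(entry)
    return dict(groups)


if __name__ == "__main__":
    for clsid, group in orphaned_by_clsid(parse_entries(SAMPLE_LOG)).items():
        print(f"{clsid}: {len(group)} entries with no file on disk")
        for entry in group:
            print(f"  {entry['section']} - {entry['body']}")
```

An entry flagged here is only a leftover registry record; as the thread goes on to show, clearing such records does not remove a trojan whose DLL is still on disk.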
 
gotaluvmeCommented:
I feel your pain,
Just spent 4 hours trying to kill this thing.
Following the directions on Symantec is no good.  It does not kill this!

I've tried many combinations, including hijack this, Ad-aware, Spybot, ccleaner, Yahoo spyware killer, Avast antivirus, NAV, Safe Mode. They can't kill it and they can't delete, quarantine or anything else the DLL that this sucker has placed in the system directory.

It's time to re-image. The software solutions are no good.
0
 
EnnnceeeAuthor Commented:
Well, good to hear from a fellow sufferer!

Now, I *think* I know what you mean by re-image (though couldn't be certain), but wouldn't have a clue how to do it. Not the first idea. And perhaps it's something I shouldn't even attempt. As I posted earlier, Symantec reckon they can remove this remotely for around $70, but why should I pay this when I already pay for their anti-virus.

Jimmy, was the 'nasty' there when you looked at the HijackThis log? As I explained earlier there was certainly one there when I first scanned, but when I checked later if the link was still working (which it isn't now; past the three days) it had somehow disappeared.
0
 
nobusCommented:
i would do a fresh install at this point.
Be sure to backup everything first !
0
 
EnnnceeeAuthor Commented:
Well, I think I've managed to get rid of Trojan.Duntek (hope you're reading this gotaluvme) by downloading and using the trial version of NOD32. It seems to have done the trick. I had a good look around Google and found someone else with a similar problem, although he said he'd transferred the HDD to another pc with NOD32 and got rid of it there. Don't know why he did that when the trial version is available for download, but still.

However, getting rid of TD doesn't appear to have solved the problem of pop-up websites.

Scuse my ignorance Nobus, but re-install what? The operating system? I don't think I'd want to try that to be honest. Perhaps we'll just have to live with the problem.

When you talk about back-up Nobus, what do you consider is the most straightforward way?
0
 
nobusCommented:
A backup depends on how you are organised; you should backup all your data before doing a clean install of XP.
i like to do it manually, and copy everything i need into folders in my documents, then copy my documents to another disk or usb drive.
i copy my favorites from IE, all the mail and accounts and address books from Outlook, or OE, by copying the pst file or the dbx files, or exporting them to files.
0
 
EnnnceeeAuthor Commented:
A bit lost what to do now. Really don't feel competent to try reinstalling XP and although the pc is certainly running better than previously, thanks to various suggestions here, it is still throwing up websites; despite Google blocker, XP blocker and so on. Eliminating Trojan.Duntek doesn't seem to have done the trick. So, as that was the original question, not sure where we go from here.

By the way, NOD32 seems to my inexpert eyes to be pretty good. They certainly claim quite a lot for it. Does anyone have an opinion?
0
 
gotaluvmeCommented:

Reinstalling XP is a different question.
but briefly, back up your important data files to another hard drive or CD/DVD
Copy any email files and other important info from folders if you need them.
You should have your application install disks to reinstall the apps after wiping your hard drive and reinstalling XP.  Other freeware and programs can be downloaded again from the Internet.

Insert your XP CD and restart.  Your computer may autorecognize it and boot from CD instead of your hard drive.  Then go through the options to reformat your hard drive and reinstall XP.

Load your applications after it is done from CD, load any other important files etc. and copy your files back to your new, clean hard drive.
Right mouse click on My computer on the windows desktop and choose manage.
Rename the Administrator account to something else, and be sure and set a password that you know and isn't easily cracked. Try something like:  Spyware_Writers_aRe_Criminal$321


Be sure and have a firewall on, either use windows firewall or get something like Zonealarm, put on Spybot Search and Destroy, Lavasoft Ad-Aware, Antivir Virus Scanner, or AVG.    You can get all this stuff from download links at Majorgeeks.com

Go to windowsupdate.com and install all the updates, patches and software.  go to Microsoft.com and download and install Windows Defender.
If you have Microsoft Office, go to microsoft.com/office and install all the office updates there.

Do all this, then be careful next time before installing things from non-reputable websites, pokersites, screensavers and smilies.


0
 
EnnnceeeAuthor Commented:
Apologies for absence. A dose of something nasty. PC does seem to be working better in general, thanks to much of above advice, but despite using many different cleaners and checkers still can't eradicate websites appearing out of nowhere; the original problem. Appreciate advice on reinstall, but really don't feel competent to attempt that.

I should probably close this now, but will leave open until after the holiday in case any more suggestions forthcoming.

Seasons greetings from the south coast of the UK.

Neil C
0
 
nobusCommented:
maybe time to have a back-up of your data, and doing a fresh install, in order to have a fully operational PC
0
 
EnnnceeeAuthor Commented:
Well, still getting pop-ups, so haven't actually managed to eradicate problem, but appreciate other help and advice. Impossible to know which answer to accept or how to allocate points so will settle for re-install as answer, although don't feel competent or brave enough to attempt that myself, so will probably get someone in in due course.
0
 
nobusCommented:
sometimes it is the fastest, if not the only answer. sorry i could not help you better  !
0
