Solved

Why do websites keep appearing out of nowhere and how do I stop it?

Posted on 2006-10-22
Last Modified: 2011-10-03
Hello, I've been trying in my very limited way to tidy and clean my daughter's pc, which has never had any such attention since she got it. I've used CCleaner, A Squared, Norton Systemworks, Ad-Aware and am currently having a bit of difficulty getting rid of two Trojan viruses (Norton couldn't delete them), but I'm here now to ask why, when, say, checking email, other websites appear out of the blue and what I can do to stop them. They're not pop-ups, as such, well, not as I understand them, but full-page websites advertising this and that. Sometimes, too, when one appears it seems to have the effect of losing/deleting the email browser.

Hope that makes sense and that you might be able to offer some assistance. Simple language please!

Many thanks

Neil C
0
Question by:Ennnceee
56 Comments
 
LVL 20

Assisted Solution

by:jimmymcp02
jimmymcp02 earned 100 total points
Hi,
You should install the latest Windows updates and also run http://www.safer-networking.org/en/home/index.html and see if you find any malware. I will recommend running these tools in safe mode.
Post back if you need more assistance.
0
 

Author Comment

by:Ennnceee
Thanks for your quick reply Jimmy. I have installed Windows Updates and do you mean install and run Spybot, which is the main product on the safer-networking site? As I said, I've run Ad-Aware, Norton, A Squared; is Spybot better? And perhaps you would explain what you mean by running in safe mode and how I do that.

Thanks

NC
0
 
LVL 3

Assisted Solution

by:bcohea
bcohea earned 100 total points
What is your Operating System? Windows 98 and ME are no longer supported but you can still get security updates that have already been released. Regardless of the OS, as jimmymcp02 said, go to http://update.microsoft.com and check for updates. You may be prompted to install some software when you go to that site. MAKE SURE the prompts are from Microsoft and continue.

To answer your other question, SpyBot is the program you want from that site. SpyBot isn't necessarily better, but the more utilities you use the broader the scope of malware you can detect. The more nets the more fish, right?

To start in Safe Mode, repeatedly press F8 at system startup after the boot logo and you should see a "Windows Advanced Options Menu" where "Safe Mode" is an option. Make sure you have updated the Ad-Aware, SpyBot, Norton, etc. applications BEFORE you go into safe mode as you won't have network access.

After you do that, download HijackThis and save a log and post here.
HJT: http://www.spywareinfo.com/~merijn/programs.php
How-to: http://www.bleepingcomputer.com/tutorials/tutorial94.html

bcohea
0
 

Author Comment

by:Ennnceee
Thanks a lot for that. It may take me a day or two to get to that, so bear with me please. I *will* be back.

It's XP Home and only last night I installed quite a large number of updates, but will check again.

Thanks

NC
0
 
LVL 3

Expert Comment

by:bcohea
You may have to install the updates in stages, rebooting in between. Just keep updating until Windows Updates says there aren't any more.

bcohea
0
 
LVL 91

Expert Comment

by:nobus
I suggest running ALL of these, updated:
Ad-Aware: http://www.lavasoftusa.com/
Spybot: http://www.download.com/3000-8022-10122137.html
Online scan for trojans: http://housecall.trendmicro.com/
HijackThis download: http://www.spychecker.com/program/hijackthis.html
Check the log: http://www.hijackthis.de/index.php?langselect=english

Especially the HouseCall is very powerful!
0
 
LVL 6

Expert Comment

by:collins23
websites don't come from nowhere :D you invite them..
0
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 100 total points
Have you turned off the Messenger service, a source of many unwanted browser windows?  Go to Start -> Run -> type SERVICES.MSC and hit Enter key -> scroll down to the Messenger service in the list, double click on it, and in the window that appears, hit the Stop button for Service status, then change Startup Type to Disabled.
0
 

Author Comment

by:Ennnceee
I understand that collins23. What I'm trying to discover is how one invites them and what one does to stop inviting them.

Getting there. Spent the entire day updating, installing Spybot, fixing and so on.

Lee, your Messenger note is interesting. Is this MSN Messenger you're referring to? If so, might make some sense as it's my daughter's - as with many, I guess - second home.

If this is MSN Messenger, presume your instructions won't prevent her signing in and messaging etc. I'd never hear the last of it!
0
 
LVL 20

Expert Comment

by:jimmymcp02
Did you find any spyware?

Also disable Messenger http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx as LeeTutor recommended. It does not affect MSN Messenger; I have the Messenger service disabled on my laptop and I'm still using MSN Messenger. They are 2 different programs.

Also, you ran the Spybot and virus scans in safe mode, right?

0
 
LVL 3

Expert Comment

by:bcohea
Ennnceee,

Lee is referring to the Messenger service, and it is completely different from Windows Messenger. The Messenger service allows pop-ups like this:
http://www.itc.virginia.edu/desktop/docs/messagepopup/

And the full page windows you stated that you see in the original question ARE pop-ups. They just look a little different.

The best things you can do to make sure you don't get this junk again are:
1) Make sure XP is up-to-date by going to http://update.microsoft.com and also enabling Automatic Updates
2) disable the preview pane in Outlook Express or Outlook (if used)
3) run an antispyware app that runs resident such as Webroot SpySweeper, or be diligent and regular with the Spybot/AdAware/etc. (manual) scanners
4) use Firefox or Opera (just not Internet Explorer!)
5) create an account for your daughter to use that ISN'T an Administrator-level account

The last step will effectively neuter a ton of spyware. If you are logged in as a regular user-level account, most spyware will inherit those rights and will not be able to infect your system (at least as fully). Of course, you will have to log in to install apps or updates.

bcohea
0
 

Author Comment

by:Ennnceee
Understand all that bcohea - and thanks - except 5. Perhaps you could elaborate a little.

I did think, by the way, that I had installed Google toolbar with pop-up blocker. Wouldn't that work in these circumstances?

Neil
0
 
LVL 3

Expert Comment

by:bcohea
Unfortunately Neil, pop-up blockers are not always 100% effective. There are many ways to call or generate a pop-up window and it is the unscrupulous advertisers' job to discover and take advantage of any and all ways to get visibility on your system. If they can even get 1 to 2% return on investment for all the impressions they land (which I would consider amazing for a pop-up creator), that would still mean thousands of sales since they probably had that pop-up appear on millions of users' computers. Therefore they want maximum exposure.

To answer your question about the administrator vs. limited user account: When you are logged in and you execute or start an application, that application usually inherits from you whatever rights you have. Therefore if you are an Administrator and you view a malicious web site or email, whatever process is actually doing the bad stuff in the background will have Administrator rights. Basically that means it can do pretty much ANYTHING it wants... modify the registry, delete files, change settings, etc.

But if you happen to stumble across this junk whilst logged in as a limited user then the malicious process cannot do many things to the system. No registry edits, no deletion of non-owned files, restricted settings change etc. Check out this page for the details on XP user account differences:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/usercpl_overview.mspx?mfr=true

As the documentation above states, it does make it more difficult to install and run some applications while logged in as a limited user account. However, the "runas" command can easily remedy this. It will allow you to run certain apps as an admin that may require it.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx?mfr=true

bcohea
0
 

Author Comment

by:Ennnceee
It's funny, though. I have a much older system (ten years old, small memory, W98) and I hardly get any pop-ups of any sort. Certainly don't get websites appearing out of the blue. Perhaps, perversely, it's because it's less sophisticated than my daughter's.

Still, making some progress. Have all updates now, have cleaned, virus-checked with Norton, Spybot, Ad-Aware, Housecall... Now need to attend to some of the other suggestions above.

Neil
0
 
LVL 3

Expert Comment

by:bcohea
Websites appearing out of the blue without ANY prompting is a definite sign of malware infection. Please post the HijackThis log as I suggested earlier. We should make sure your daughter's computer is clean.

And regarding the fact that you get fewer pop-ups on your computer... there could be a number of possibilities on that. First of all, most new pop-ups are coded to take advantage of XP/2000 loopholes/vulnerabilities. If 98 only has a small market share compared to other OSs, advertisers are not going to spend too much time looking for a way onto your system. Even though Vista is due soon, XP is SURE to be around for another 5 to 10 years as a viable OS. Advertisers know that.

Also, and I mean no offense here, you are probably wiser in what you click on and what websites you visit. I don't know how old your daughter is and what sites she visits but youth-related subject matter is prime picking grounds for pop-up creators. Most kids are not properly taught safe Internet usage and are easily influenced by ads. If you don't think kids are a cash cow, look at the relatively recent explosion of ring-tone/text-messaging businesses out there. What is their target consumer? Teens.

bcohea
0
 

Author Comment

by:Ennnceee
Have done the HijackThis log bcohea; was just getting to that. I mean no offence - you wouldn't tell me to do it if it wasn't quite safe - but would appreciate reassurance that the log I post here won't contain sensitive information. I can just C & P it can't I?

Oh yes, I know about the ring-tones/text business. My youngest daughter got caught up in one and it took all my expertise to get most of her money back.

Many thanks

Neil
0
 
LVL 91

Expert Comment

by:nobus
You save your log file on the HijackThis site, as I posted, and only post the link to it here.
0
 
LVL 59

Expert Comment

by:LeeTutor
Did you turn off the Messenger service?
0
 

Author Comment

by:Ennnceee
Hadn't got round to that Lee, but have looked now and it is already Stopped and Disabled.

Oh, ok nobus. Will check that when I'm able to later today (UK time) or tomorrow. A lot to get through, but getting there. Haven't had anything awry with latest scans from CCleaner, Ad-Aware, Norton Anti-Virus, Spybot (haven't got to Housecall yet), so must be making some progress.
0
 
LVL 3

Expert Comment

by:bcohea
As long as you follow nobus' advice about posting your HJT log it won't contain any personal info. Even if you copied and pasted the log here it shouldn't contain any personal information.

bcohea
0
 
LVL 6

Expert Comment

by:collins23
Try ewido antispyware from http://free.grisoft.com
0
 

Author Comment

by:Ennnceee
Will do collins23. Slowly getting through all these instructions!

Still getting websites popping up, despite all efforts so far, and currently trying to get rid of Trojan.Duntek in Maindro.dll, which Norton found but can't delete. Any ideas?

Think I've done HijackThis successfully and this should be the link:

http://www.hijackthis.de/logfiles/a26ae17b73fdd4ecf850db448229f726.html
0
 

Author Comment

by:Ennnceee
When I tried that link earlier, it worked. Now it's telling me this log has been checked automatically. Confused.
0
 
LVL 59

Expert Comment

by:LeeTutor
I'm not sure what that message means, but:  The logfile for analysis of HijackThis is only held for 3 days.  It might have expired.  I suggest you run another analysis and post the link for the analysis again.
0
 

Author Comment

by:Ennnceee
Yes, I saw that it only lasted for three days, but I did a new one yesterday so should have been there. I'll try again.
0
 

Author Comment

by:Ennnceee
Or maybe I'll just C&P here if it's quite safe.
0
 
LVL 20

Expert Comment

by:jimmymcp02
Just C&P on the HijackThis page, then hit analyze and save the report, then post the link.
0
 

Author Comment

by:Ennnceee
Jimmy, that's exactly what I did, and as I explained it was there when I tried it originally, but when I tried it a bit later (not three days later) it said as explained above. I'll try again shortly.

In the meantime I've been trying without success to get rid of this interminable Trojan.Duntek, which NAV keeps finding but won't delete or quarantine. It apparently encourages pop-up ads so could be (part of) the problem. I just went to Symantec support chat, but they want quite a lot of money to fix it on top of their annual subscription, so not falling for that. I'll keep looking for a solution and will go back to HijackThis as soon as.
0
 
LVL 20

Expert Comment

by:jimmymcp02
The trojan is your problem.

Here is an article on how to remove the trojan:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=3

0
 
LVL 91

Expert Comment

by:nobus
Did you run the online scan for trojans?
0
 

Author Comment

by:Ennnceee
I've run all the scans discussed above, including NAV, which found Trojan.Duntek, but which, as I said, won't delete it or quarantine it.

Trendmicro worked the first time I tried it, but, despite numerous attempts since, it won't co-operate. It just comes to a standstill before it's supposed to start scanning.

I've looked at that page jimmy, but am worried I'd be out of my depth. It seems odd to me that NAV can find it, but can't repair it. It almost makes the process pointless.
0
 
LVL 20

Expert Comment

by:jimmymcp02
I think that you might have System Restore enabled and that's why it keeps coming back. I don't think that NAV is scanning the restore folder... You might want to disable System Restore and do a scan again. Also make sure that the scans do not exclude the c:\restore
0
 

Author Comment

by:Ennnceee
Think I can manage disabling system restore (should I enable it again afterwards?) but how do I make sure that scans don't exclude c:\restore?
0
 
LVL 91

Expert Comment

by:nobus
If you want to try more scans, look here (bottom of page):
http://www.dedigitalerevolutie.nl/toontext.asp?id=5670
0
 
LVL 20

Expert Comment

by:jimmymcp02
You can disable System Restore and re-enable it later; once everything is fixed we can create a restore point...
As for the exclude, run a scan and there should be an options tab; check and see if there is an exclude files and folders option and make sure that is not checked... I don't have NAV on my PC (home version); I have the enterprise version.
0
 

Author Comment

by:Ennnceee
Not having much luck. Disabled System Restore, scanned, picked up Trojan.Duntek again, but still wouldn't delete or quarantine; so have re-enabled SR. Did check files and folders weren't excluded.

Haven't tried all scans suggested here yet, but have done Spybot, A Squared, Ad-Aware, Norton, probably one or two others as well, but none of these has picked up T.D, if indeed this is the problem.

Tried again and again to use Trendmicro Housecall after working first time and then not. Tried numerous times, just got to the scan page and didn't do anything, until, finally, it did start to work, but then stopped and in any case the page disappeared of its own accord! Great fun!

Still, getting ads/websites appearing from nowhere and whole system can be very slow. Considering all the XP updates, scans and so on would have hoped to make more progress by now.

Tried HijackThis again and this should be the link, if it doesn't do what happened last time. That is, the log disappeared and it was saying this has been checked automatically. They're supposed to stay for three days and I've just done it now at 10am, Thursday, UK time.

http://www.hijackthis.de/logfiles/a26ae17b73fdd4ecf850db448229f726.html
0
 

Author Comment

by:Ennnceee
Just tried that link from above and is working at the moment.
0
 
LVL 20

Expert Comment

by:jimmymcp02
I'm not sure what these entries are:

O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)

but there seem not to be files associated with those registries

the trojan is causing the sites to pop up.
0
 

Author Comment

by:Ennnceee
I'm afraid I don't understand the significance of that Jimmy.

That link is still working, but, and this is quite bizarre, I definitely saw a 'Nasty' there when I first looked at it, but it isn't there now. How strange. I do see that it says at the bottom that it's been checked automatically, but unlike my first attempt, when the entire log disappeared, it, or most of it, is still there as I write.

Any more suggestions gratefully received. Have you looked nobus or bcohea?

And any further suggestions as to how I get rid of Trojan.Duntek without paying Symantec $70 for the privilege?

I've done some more scans, including Mcafee, but it was clear and NAV is still the only scan to pick up this trojan.
0
 
LVL 91

Expert Comment

by:nobus
Did you run the online scan for trojans I asked for in my first post?
0
 

Author Comment

by:Ennnceee
I presume you're talking about Trendmicro. Please refer to my earlier post; 5 up.
0
 
LVL 91

Expert Comment

by:nobus
Right - then it gets harder.
I suppose you upgraded the Java.
0
 

Author Comment

by:Ennnceee
I think it tried to do that during the procedure, presumably without success. Wouldn't have a clue how to do it independently.
0
 
LVL 91

Expert Comment

by:nobus
Apart from a fresh install, you can still look into this:
If you want to try more scans, look here (bottom of page):
http://www.dedigitalerevolutie.nl/toontext.asp?id=5670
0
 
LVL 20

Expert Comment

by:jimmymcp02
Sorry, I should have been more clear.

The below entries can be deleted if you wish; they do not have files associated with them.

O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)

Your problem is the trojan and unfortunately the only way is to follow the instructions provided before from the Symantec site on how to remove Trojan.Duntek
http://www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=3
0
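The O9 lines quoted in the post above share a fixed layout (section code, entry kind, label, CLSID, file), so entries left behind with no file can be picked out of a saved log mechanically. The following is an added example, not part of the original thread and not code from HijackThis; the function names are hypothetical, the sample log is constructed around the two lines quoted in the thread, and the "(file missing)" marker is included on the assumption that the log uses it for paths that no longer exist.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Layout of the O9 lines quoted in the thread:
#   O9 - Extra button: <label> - {CLSID} - <file or "(no file)">
# The label may itself contain " - ", so it is matched lazily up to the CLSID.
O9_LINE = re.compile(
    r"^O9 - Extra (?P<kind>button|'Tools' menuitem): "
    r"(?P<label>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.+)$"
)


class O9Entry(NamedTuple):
    kind: str     # "button" or "'Tools' menuitem"
    label: str    # text shown in the browser UI
    clsid: str    # identifier of the browser extension
    target: str   # file behind the entry, or a "no file" marker

    @property
    def orphaned(self) -> bool:
        # "(no file)" is the marker seen in the thread; "(file missing)"
        # is an assumed second marker for a recorded path that is gone.
        return (self.target == "(no file)"
                or self.target.endswith("(file missing)"))


def parse_o9(line: str) -> Optional[O9Entry]:
    """Parse one log line; return None for anything that is not an O9 entry."""
    m = O9_LINE.match(line.strip())
    if m is None:
        return None
    return O9Entry(m["kind"], m["label"], m["clsid"].upper(), m["target"].strip())


def orphaned_extensions(log_text: str) -> Dict[str, List[O9Entry]]:
    """Group O9 entries that have no backing file by CLSID.

    A button and a Tools menu item usually belong to the same extension,
    so one CLSID to review often covers several log lines.
    """
    found: Dict[str, List[O9Entry]] = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_o9(line)
        if entry is not None and entry.orphaned:
            found[entry.clsid].append(entry)
    return dict(found)


# Constructed sample: the two O9 lines from the thread plus invented
# neighbours (an O4 line and an O9 entry whose file is present).
SAMPLE_LOG = """\
Logfile of HijackThis
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O9 - Extra button: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra 'Tools' menuitem: My Next Search - Toolbar - {1CBF31FC-3C23-4BA6-AF16-2CEC501BD837} - (no file)
O9 - Extra button: Example Notes - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\notes.dll
"""

if __name__ == "__main__":
    for clsid, entries in orphaned_extensions(SAMPLE_LOG).items():
        kinds = ", ".join(e.kind for e in entries)
        print(f"{clsid}: '{entries[0].label}' has no file ({kinds})")
```

An orphaned entry only shows that the file behind a toolbar button is gone; as the post says, it is leftover clutter that can be deleted, not the cause of the pop-ups.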
 
LVL 1

Expert Comment

by:gotaluvme
I feel your pain,
Just spent 4 hours trying to kill this thing.
Following the directions on Symantec is no good.  It does not kill this!

I've tried many combinations, including hijack this, Ad-aware, Spybot, ccleaner, Yahoo spyware killer, Avast antivirus, NAV, Safe Mode. They can't kill it and they can't delete, quarantine or anything else the DLL that this sucker has placed in the system directory.

It's time to re-image. The software solutions are no good.
0
 

Author Comment

by:Ennnceee
Well, good to hear from a fellow sufferer!

Now, I *think* I know what you mean by re-image (though couldn't be certain), but wouldn't have a clue how to do it. Not the first idea. And perhaps it's something I shouldn't even attempt. As I posted earlier, Symantec reckon they can remove this remotely for around $70, but why should I pay this when I already pay for their anti-virus.

Jimmy, was the 'nasty' there when you looked at the HijackThis log? As I explained earlier there was certainly one there when I first scanned, but when I checked later if the link was still working (which it isn't now; past the three days) it had somehow disappeared.
0
 
LVL 91

Expert Comment

by:nobus
I would do a fresh install at this point.
Be sure to back up everything first!
0
 

Author Comment

by:Ennnceee
Well, I think I've managed to get rid of Trojan.Duntek (hope you're reading this gotaluvme) by downloading and using the trial version of NOD32. It seems to have done the trick. I had a good look around Google and found someone else with a similar problem, although he said he'd transferred the HDD to another pc with NOD32 and got rid of it there. Don't know why he did that when the trial version is available for download, but still.

However, getting rid of TD doesn't appear to have solved the problem of pop-up websites.

Scuse my ignorance Nobus, but re-install what? The operating system? I don't think I'd want to try that to be honest. Perhaps we'll just have to live with the problem.

When you talk about back-up Nobus, what do you consider is the most straightforward way?
0
 
LVL 91

Expert Comment

by:nobus
A backup depends on how you are organised; you should back up all your data before doing a clean install of XP.
I like to do it manually, and copy everything I need into folders in My Documents, then copy My Documents to another disk or USB drive.
I copy my favorites from IE, all the mail and accounts and address books from Outlook, or OE, by copying the pst file or the dbx files, or exporting them to files.
0
 

Author Comment

by:Ennnceee
A bit lost what to do now. Really don't feel competent to try reinstalling XP and although the pc is certainly running better than previously, thanks to various suggestions here, it is still throwing up websites; despite Google blocker, XP blocker and so on. Eliminating Trojan.Duntek doesn't seem to have done the trick. So, as that was the original question, not sure where we go from here.

By the way, NOD32 seems to my inexpert eyes to be pretty good. They certainly claim quite a lot for it. Does anyone have an opinion?
0
 
LVL 1

Assisted Solution

by:gotaluvme
gotaluvme earned 100 total points
Reinstalling XP is a different question.
But briefly, back up your important data files to another hard drive or CD/DVD.
Copy any email files and other important info from folders if you need them.
You should have your application install disks to reinstall the apps after wiping your hard drive and reinstalling XP. Other freeware and programs can be downloaded again from the Internet.

Insert your XP CD and restart. Your computer may auto-recognize it and boot from CD instead of your hard drive. Then go through the options to reformat your hard drive and reinstall XP.

Load your applications after it is done from CD, load any other important files etc. and copy your files back to your new, clean hard drive.
Right mouse click on My Computer on the Windows desktop and choose Manage.
Rename the Administrator account to something else, and be sure to set a password that you know and isn't easily cracked. Try something like: Spyware_Writers_aRe_Criminal$321

Be sure to have a firewall on, either use Windows Firewall or get something like ZoneAlarm, put on Spybot Search and Destroy, Lavasoft Ad-Aware, Antivir Virus Scanner, or AVG. You can get all this stuff from download links at Majorgeeks.com

Go to windowsupdate.com and install all the updates, patches and software. Go to Microsoft.com and download and install Windows Defender.
If you have Microsoft Office, go to microsoft.com/office and install all the Office updates there.

Do all this, then be careful next time before installing things from non-reputable websites, poker sites, screensavers and smilies.


0
 

Author Comment

by:Ennnceee
Apologies for absence. A dose of something nasty. PC does seem to be working better in general, thanks to much of above advice, but despite using many different cleaners and checkers still can't eradicate websites appearing out of nowhere; the original problem. Appreciate advice on reinstall, but really don't feel competent to attempt that.

I should probably close this now, but will leave open until after the holiday in case any more suggestions forthcoming.

Seasons greetings from the south coast of the UK.

Neil C
0
 
LVL 91

Accepted Solution

by:nobus
nobus earned 100 total points
Maybe time to have a back-up of your data, and doing a fresh install, in order to have a fully operational PC.
0
 

Author Comment

by:Ennnceee
Well, still getting pop-ups, so haven't actually managed to eradicate problem, but appreciate other help and advice. Impossible to know which answer to accept or how to allocate points so will settle for re-install as answer, although don't feel competent or brave enough to attempt that myself, so will probably get someone in in due course.
0
 
LVL 91

Expert Comment

by:nobus
Sometimes it is the fastest, if not the only answer. Sorry I could not help you better!
0
