Pop Up wanting me to log on
jab119
4 Jan 2005, 10:46pm
I have been having some problems on my PC and I received some great help in removing a lot of adware, spyware, trojans and such, from the Spyware/Virus/Trojan Discussion forum by Buckeye_Sam.
A lot has been done and cleaned; check this thread for all the info so I don't take up space here
http://www.short-media.com/forum/showthread.php?t=25138
Anyway what I am getting is a pop-up box (click the link for a pic of the pop-up)
http://www.james-benton.com/popuobox.jpg
I only get this on web sites like yahoo.com, download.com, that have advertisements.
Web sites with no advertisements I don't get this.
I get these pop-ups in both IE and Firefox :confused:
This is probably a result of a software configuration problem with one of my Norton programs. But I have checked everything and just don't know what to look for now.
Any Ideas???
Thanks
James
Spinner
6 Jan 2005, 4:10pm
Thread moved to SVT.
SpywareShooter
6 Jan 2005, 4:24pm
This doesn't sound like a spyware problem, but just to be sure, download HijackThis and post a log. Usually when this happens it is an image on the site that requires access to the webserver to view.
buckeye_Sam helped me out a lot on this issue, Please see this thread...
http://www.short-media.com/forum/showthread.php?t=25138
Here is the last HJT log I ran on the PC in question, I have not even powered up the machine since this last log.
Logfile of HijackThis v1.99.0
Scan saved at 5:21:14 PM, on 12/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\download\fixstuff\HijackThis.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: PhotoCAL Startup.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/s...0,2/mcmysec.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...416/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
SpywareShooter
6 Jan 2005, 7:16pm
Your log is clean, so it isn't a spyware problem. For a fix, you can add that site to your HOSTS file. Search your computer for "HOSTS". There should be a file with no extension in either C:\Windows\ or C:\Windows\System32\Drivers\etc\. Open that with Notepad, and at the bottom of the file, put this line in:
127.0.0.1 us.a1.yimg.com
That line will tell your computer that that file is on your hard drive, when it is not, therefore, displaying a 404 error in the place of the image, and not giving you the popup.
Spinner
6 Jan 2005, 7:27pm
Your log is clean, so it isn't a spyware problem.
127.0.0.1 us.a1.yimg.com
Move it back to General Software then for us mate. ;D ;)
Ok thanks I will make the change in the HOSTS file.
I'm guessing I will have to put a lot of entries in there as the example I showed was only 1 of many pop-ups I get; some are for i.i.com.com and some are from adlog.com.com (yes, a double .com)
James
jab119
7 Jan 2005, 12:22am
Ok I made the change to the HOSTS file and it sorta worked.
It cut down the number of pop-ups from 20+ down to under 5
James
Dexter
10 Jan 2005, 7:28pm
Does this ever come up when you are not surfing the Net? If you just leave the computer on for a couple of hours, unattended, and come back to check it, will there be one of those login windows there?
Dexter...
jab119
10 Jan 2005, 7:59pm
No, I only get these while surfing
James
Dexter
10 Jan 2005, 8:56pm
OK...here's what I suspect...
The site it is trying to connect to is an image host for ads. For some reason it wants you to authorize it first, and something is blocking it and asking for authentication.
Have you tried disabling your Norton and then surfing? Just right click on your NAV icon in the system tray, and disable auto-protect. Then open a web browser and surf to a site that you know causes this to happen, and see if there is any difference.
Let us know...
Dexter...
jab119
11 Jan 2005, 12:23am
Ok I disabled NAV auto-protect and I am still getting the pop-ups. I swapped back to my old HOSTS file and I get more pop-ups. I put the new HOSTS file back in place and I still get them, but not nearly as many. But with the new HOSTS file in place, I get the pop-ups for this site (short media)
James
Dexter
11 Jan 2005, 6:11pm
Try changing the Hosts file entry to *.ymg.com.
Dexter...
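An added example, not part of any post in this thread: a small Python audit of a HOSTS file like the one being edited above. It lists which hostnames are sinkholed by an exact entry and flags lines the resolver will not honour; HOSTS lookups match whole names only, so a wildcard entry blocks nothing and one entry for us.a1.yimg.com leaves other ad hosts untouched. The sample file and the hostname other.yimg.com are constructed for illustration.

```python
import ipaddress

# Constructed sample: a HOSTS file with the kinds of entries discussed in the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 us.a1.yimg.com   # ad image host from the pop-up
127.0.0.1 *.ymg.com
0.0.0.0 i.i.com.com adlog.com.com
not-an-ip broken.example
"""

def parse_hosts(text):
    """Return (blocked, problems): hostnames mapped to a loopback or
    unspecified address, and (line_no, reason) for lines that will not work."""
    blocked, problems = set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((no, "first field is not an IP address"))
            continue
        if len(fields) < 2:
            problems.append((no, "address with no hostname"))
            continue
        for name in fields[1:]:
            if "*" in name or "?" in name:
                # The resolver compares names literally; no pattern matching.
                problems.append((no, f"wildcard '{name}' blocks nothing"))
            elif (addr.is_loopback or addr.is_unspecified) and name.lower() != "localhost":
                blocked.add(name.lower())
    return blocked, problems

def coverage(text, wanted):
    """Map each hostname in `wanted` to True if an exact entry sinkholes it."""
    blocked, _ = parse_hosts(text)
    return {h: h.lower() in blocked for h in wanted}

if __name__ == "__main__":
    # other.yimg.com is a constructed sibling host with no entry of its own.
    seen = ["us.a1.yimg.com", "other.yimg.com", "i.i.com.com", "adlog.com.com"]
    for host, ok in coverage(SAMPLE_HOSTS, seen).items():
        print(f"{host:20} {'blocked' if ok else 'NOT blocked'}")
    for no, why in parse_hosts(SAMPLE_HOSTS)[1]:
        print(f"line {no}: {why}")
```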
maxanon
11 Jan 2005, 9:50pm
I think we need to investigate why this is happening in the first place. The .yimg is an image hosting site. I don't think this is normally included in a base install of Windows so something is blocking it. Are you using a pop-up blocker (did I see Pop-up Stopper and the Google bar)?
Try to boot into safe mode (or close your pop-up blocker) and connect to the web, does it still happen? Some pop-up blockers restrict domains to detect images/sites. Are you using the same pop-up blocker for both IE and FF?
From your SVT foray it looks like you changed quite a bit and removed a lot of entries. Unfortunately I don't have the time to go through all your changes