Pop Up wanting me to log on

edited January 2005 in Science & Tech
I have been having some problems on my PC and I received some great help in removing a lot of adware, spyware, trojans and such, from the Spyware/Virus/Trojan Discussion forum by Buckeye_Sam.

A lot has been done and cleaned; check this thread for all the info so I don't take up space here:
http://www.short-media.com/forum/showthread.php?t=25138

Anyway what I am getting is a pop-up box (click the link for a pic of the pop-up)
http://www.james-benton.com/popuobox.jpg

I only get this on web sites like yahoo.com, download.com, that have advertisements.

On web sites with no advertisements I don't get this.

I get these pop-ups in both IE and firefox :confused:

This is probably a result of a software configuration problem with one of my Norton programs. But I have checked everything and just don't know what to look for now.

Any Ideas???

Thanks

James

Comments

  • SpinnerSpinner Birmingham, UK
    edited January 2005
    Thread moved to SVT.
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    This doesn't sound like a spyware problem, but just to be sure, download HijackThis and post a log. Usually when this happens it is an image on the site that requires access to the webserver to view.
  • edited January 2005
    Buckeye_Sam helped me out a lot on this issue; please see this thread...
    http://www.short-media.com/forum/showthread.php?t=25138

    Here is the last HJT log I ran on the PC in question, I have not even powered up the machine since this last log.

    Logfile of HijackThis v1.99.0
    Scan saved at 5:21:14 PM, on 12/30/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\notepad.exe
    C:\download\fixstuff\HijackThis.exe

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: PhotoCAL Startup.lnk.disabled
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BDD2F926-8158-4F62-9E0D-B3B75FD1F07F} (McObjectFactory Class) - http://download.mcafee.com/molbin/s...0,2/mcmysec.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...416/mcfscan.cab
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • SpywareShooterSpywareShooter 127.0.0.1
    edited January 2005
    Your log is clean, so it isn't a spyware problem. For a fix, you can add that site to your HOSTS file. Search your computer for "HOSTS". There should be a file with no extension in either C:\Windows\ or C:\Windows\System32\Drivers\etc\. Open that with Notepad, and at the bottom of the file, put this line in:

    127.0.0.1 us.a1.yimg.com

    That line will tell your computer that that file is on your hard drive, when it is not, therefore, displaying a 404 error in the place of the image, and not giving you the popup.
  • SpinnerSpinner Birmingham, UK
    edited January 2005
    Your log is clean, so it isn't a spyware problem.
    127.0.0.1 us.a1.yimg.com
    Move it back to General Software then for us mate. ;D;)
  • edited January 2005
    Ok thanks I will make the change in the HOSTS file.

    I'm guessing I will have to put a lot of entries in there, as the example I showed was only 1 of many pop-ups I get; some are for i.i.com.com and some are from adlog.com.com (yes, a double .com).

    James
  • edited January 2005
    Ok, I made the change to the HOSTS file and it sorta worked.

    It cut down the number of pop-ups from 20+ down to under 5.

    James
  • DexterDexter Vancouver, BC Canada
    edited January 2005
    Does this ever come up when you are not surfing the Net? If you just leave the computer on for a couple of hours, unattended, and come back to check it, will there be one of those login windows there?

    Dexter...
  • edited January 2005
    No, I only get these while surfing

    James
  • DexterDexter Vancouver, BC Canada
    edited January 2005
    OK...here's what I suspect...

    The site it is trying to connect to is an image host for ads. For some reason it wants you to authorize it first, and something is blocking it and asking for authentication.

    Have you tried disabling your Norton and then surfing? Just right click on your NAV icon in the system tray, and disable auto-protect. Then open a web browser and surf to a site that you know causes this to happen, and see if there is any difference.

    Let us know...

    Dexter...
  • edited January 2005
    Ok, I disabled NAV auto-protect and I am still getting the pop-ups. I swapped back to my old HOSTS file and I get more pop-ups. I put the new HOSTS file back in place and I still get them, but not nearly as many; but with the new HOSTS file in place, I get the pop-ups for this site (short media).

    James
  • DexterDexter Vancouver, BC Canada
    edited January 2005
    Try changing the Hosts file entry to *.ymg.com.

    Dexter...
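
How the HOSTS-file approach discussed in the replies above behaves, as an added example that is not part of any poster's reply: a HOSTS entry maps one exact hostname, so each ad host needs its own entry, and a name containing `*` is not expanded and never matches a lookup. The sample file content and the sibling name `us.a2.yimg.com` are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content using hostnames mentioned in the thread.
SAMPLE_HOSTS = """\
# sample file, constructed for this example
127.0.0.1 localhost
127.0.0.1 us.a1.yimg.com
127.0.0.1 i.i.com.com adlog.com.com   # two names on one line
127.0.0.1 *.ymg.com
"""


def parse_hosts(text):
    """Return (mapping, ignored).

    mapping: lowercase hostname -> ip address object
    ignored: (line number, token, reason) for entries that have no effect
    """
    mapping, ignored = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            ignored.append((lineno, fields[0], "line does not start with an IP address"))
            continue
        for name in fields[1:]:
            if "*" in name:
                # HOSTS files have no wildcard syntax: exact names only.
                ignored.append((lineno, name, "wildcards are not expanded"))
            else:
                # Assumption: the first mapping seen for a name is the one used.
                mapping.setdefault(name.lower(), addr)
    return mapping, ignored


def is_sinkholed(mapping, host):
    """True if host has an exact entry pointing at loopback or 0.0.0.0."""
    addr = mapping.get(host.lower().rstrip("."))
    return addr is not None and (addr.is_loopback or addr.is_unspecified)


if __name__ == "__main__":
    mapping, ignored = parse_hosts(SAMPLE_HOSTS)
    for host in ("us.a1.yimg.com", "us.a2.yimg.com", "i.i.com.com", "adlog.com.com"):
        print(f"{host:20} sinkholed={is_sinkholed(mapping, host)}")
    for lineno, token, reason in ignored:
        print(f"line {lineno}: {token!r} ignored ({reason})")
```
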
  • maxanonmaxanon Montreal
    edited January 2005
    I think we need to investigate why this is happening in the first place. The .yimg is an image hosting site. I don't think this is normally included in a base install of Windows, so something is blocking it. Are you using a pop-up blocker (did I see Pop-up Stopper and the Google bar)?

    Try to boot into safe mode (or close your pop-up blocker) and connect to the web, does it still happen? Some pop-up blockers restrict domains to detect images/sites. Are you using the same pop-up blocker for both IE and FF?

    From your SVT foray it looks like you changed quite a bit and removed a lot of entries. Unfortunately I don't have the time to go through all your changes