Symantec.com forwarded to my home server

CrAz3D · June 12, 2005, 03:35 PM

http://68.35.184.146/images/symantec.jpg

Why is symantec & mcafee & norton being forwarded like this? Any ideas any one?

EDIT:
Also, I can't open MSconfig

EDIT2:
I can't open task manager

What HAS my sister openned on our desktop?!
*Note, it's not my fault for once cause I don't use the desktop anymore!

K · June 12, 2005, 03:39 PM

Your picture won't load so this is just a guess.

Sounds a lot like something a virus or trojan would do to prevent you from using one of the free online scan tools.

Try checking your hosts (C:\windows\system32\drivers\etc\hosts)file for the entries.

CrAz3D · June 12, 2005, 03:45 PM

What sort of entries should I have/not have?

HOST File:

127.0.0.1 localhost
127.0.0.1   www.symantec.com
127.0.0.1   securityresponse.symantec.com
127.0.0.1   symantec.com
127.0.0.1   www.sophos.com
127.0.0.1   sophos.com
127.0.0.1   www.mcafee.com
127.0.0.1   mcafee.com
127.0.0.1   liveupdate.symantecliveupdate.com
127.0.0.1   www.viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   viruslist.com
127.0.0.1   f-secure.com
127.0.0.1   www.f-secure.com
127.0.0.1   kaspersky.com
127.0.0.1   kaspersky-labs.com
127.0.0.1   www.avp.com
127.0.0.1   www.kaspersky.com
127.0.0.1   avp.com
127.0.0.1   www.networkassociates.com
127.0.0.1   networkassociates.com
127.0.0.1   www.ca.com
127.0.0.1   ca.com
127.0.0.1   mast.mcafee.com
127.0.0.1   my-etrust.com
127.0.0.1   www.my-etrust.com
127.0.0.1   download.mcafee.com
127.0.0.1   dispatch.mcafee.com
127.0.0.1   secure.nai.com
127.0.0.1   nai.com
127.0.0.1   www.nai.com
127.0.0.1   update.symantec.com
127.0.0.1   updates.symantec.com
127.0.0.1   us.mcafee.com
127.0.0.1   liveupdate.symantec.com
127.0.0.1   customer.symantec.com
127.0.0.1   rads.mcafee.com
127.0.0.1   trendmicro.com
127.0.0.1   pandasoftware.com
127.0.0.1   www.pandasoftware.com
127.0.0.1   www.trendmicro.com
127.0.0.1   www.grisoft.com
127.0.0.1   www.microsoft.com
127.0.0.1   microsoft.com
127.0.0.1   www.virustotal.com
127.0.0.1   virustotal.com
127.0.0.1   www.amazon.com
127.0.0.1   www.amazon.co.uk
127.0.0.1   www.amazon.ca
127.0.0.1   www.amazon.fr
127.0.0.1   www.paypal.com
127.0.0.1   paypal.com
127.0.0.1   moneybookers.com
127.0.0.1   www.moneybookers.com
127.0.0.1irusalert.nl

K · June 12, 2005, 03:59 PM

That looks very suspicious. All those websites are being redirected to your local IP. The first one is fine (duh, localhost). Delete the rest and do a virus scan. Whatever virus you have will probably put them back, so out of the goodness of my heart I provide you with this link:
trendmicro housecall via IP

Edit: you will need to use IE to visit the page, since it uses an ActiveX control. There is a java version for netscape, but I haven't been able to get it to work in Firefox.

ColT · June 12, 2005, 06:32 PM

Get Kaspersky Personal PRO, and Sygate Personal Firewall PRO 5.5. Best antivirus & firewall i've used.

Also get Xoftspy for a Spyware cleaner, and Advanced System Otimizer (very good software). Or you can just format your hardrive.

Newby · June 12, 2005, 09:58 PM

That's why I hate sharing computers.

The-FooL · June 12, 2005, 10:38 PM

Like every online scan has been blocked out by his hosts file.

CrAz3D · June 13, 2005, 12:38 AM

Quote from: Newby on June 12, 2005, 09:58 PM
That's why I hate sharing computers.

I don't use it anymore since I got my laptop.

This stupid thing is an annoying virus. Messes with my host file, won't let me open up multiple things

I'm trying the Trend Micro thing now

CrAz3D · June 13, 2005, 12:42 AM

uhm yeah, none of the online scanners work either

Ok, in safemode I've scanned with The Cleaner & am currently using Norton to scan aswel

CrAz3D · June 13, 2005, 01:28 PM

hmm, after scanning with Norton it removed 2 things but my computer still doesn't load Norton (outside of safe mode) or task manager. Does anyone know of a third party type of task manager so I can remove running processes & see what that does?

Hdx · June 13, 2005, 01:37 PM

Itty Bitty Process manager, and Hijack this are good
Throw us a HijackThis log.
~-~(HDX)~-~

CrAz3D · June 13, 2005, 04:33 PM

Here is all I can capture in an SS of my taskmanager

QuoteLogfile of HijackThis v1.99.1
Scan saved at 3:33:00 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\system32\External.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/US/NM/Las_Cruces.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/US/NM/Las_Cruces.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=stubentb&key=c9ea9a50957630e8805699bf646c4d2f&ts=4079d251&A=295885650000269&B=1079424000000&C=1079424000000&D=0&I=7.NH3&N=PLEM&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [External Dependencies] External.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: &Viewpoint Search - res://c:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://apps.fss.gsa.gov/CFIDE/classes/CFJava.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02fe4a074f033b75ce06/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Owner\Desktop\ProfileLauncher\ProfileLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Yoni · June 13, 2005, 04:38 PM

A tip:
My sister's computer used to be full of viruses and many other malware most of the time.
Ever since the last reformat, she's been running as a restricted user ("Users" group in Win2k). Only I have admin.
Sure, it's annoying to have to install new programs every once in a while, but it doesn't happen that often, and I get the power to deny weird requests to install Gator and Comet Cursor if they ever occur.

(Oh, and I installed Firefox while I was at it. No complaints so far.)

Quote from: CrAz3D on June 13, 2005, 01:28 PM
hmm, after scanning with Norton it removed 2 things but my computer still doesn't load Norton (outside of safe mode) or task manager. Does anyone know of a third party type of task manager so I can remove running processes & see what that does?

Sysinternals Process Explorer is a great task manager replacement, not only for getting rid of spyware, but generally.

CrAz3D · June 13, 2005, 04:41 PM

Quote from: Yoni on June 13, 2005, 04:38 PM
A tip:
My sister's computer used to be full of viruses and many other malware most of the time.
Ever since the last reformat, she's been running as a restricted user ("Users" group in Win2k). Only I have admin.
Sure, it's annoying to have to install new programs every once in a while, but it doesn't happen that often, and I get the power to deny weird requests to install Gator and Comet Cursor if they ever occur.

(Oh, and I installed Firefox while I was at it. No complaints so far.)

Well, it's our family desktop & I have my laptop so I wouldn't be allowed to do something like that for her, like my dad would make me allow her access to do everything otherwise I would've had her on a Guest acct awhile ago

Yoni · June 13, 2005, 04:49 PM

Apparently you're not being enough of an evil netadmin/sysadmin. You have to get it straight to your lusers that THEY need YOU. You live in the house, you don't pay the rent. Why would they keep you around? Because of the free IT support, of course!

Remember, if the IT department (you) says that running as a super user brings viruses, it's obviously true. What do they know, anyway?

If you can't have administrative freedom (root), I say leave the family and go rent a house somewhere. They're not worth it.