Valhalla Legends Forums Archive | General Discussion | Symantec.com forwarded to my home server

Author | Message | Time
CrAz3D
http://68.35.184.146/images/symantec.jpg

Why is symantec & mcafee & norton being forwarded like this?  Any ideas anyone?

EDIT:
Also, I can't open MSconfig :(

EDIT2:
I can't open task manager :(:(




What HAS my sister opened on our desktop?!
*Note, it's not my fault for once 'cause I don't use the desktop anymore!
June 12, 2005, 8:35 PM
K
Your picture won't load so this is just a guess.

Sounds a lot like something a virus or trojan would do to prevent you from using one of the free online scan tools.

Try checking your hosts (C:\windows\system32\drivers\etc\hosts) file for the entries.
June 12, 2005, 8:39 PM
CrAz3D
What sort of entries should I have/not have?

HOST File:

127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 irusalert.nl
June 12, 2005, 8:45 PM
K
That looks very suspicious.  All those websites are being redirected to your local IP.  The first one is fine (duh, localhost).  Delete the rest and do a virus scan. Whatever virus you have will probably put them back, so out of the goodness of my heart I provide you with this link:
trendmicro housecall via IP

Edit: you will need to use IE to visit the page, since it uses an ActiveX control.  There is a java version for netscape, but I haven't been able to get it to work in Firefox.
June 12, 2005, 8:59 PM
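Added example, not part of the original thread: a Python check for the pattern discussed above, where a hosts file maps security-vendor and update sites to a local address. The function names, the watched-domain tuple (taken from the posted file) and the sample input are assumptions made for illustration.

```python
import ipaddress

# Domains taken from the hosts file posted in this thread; extend as needed.
SECURITY_DOMAINS = ("symantec.com", "mcafee.com", "sophos.com", "kaspersky.com",
                    "trendmicro.com", "f-secure.com", "virustotal.com",
                    "microsoft.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: entries in the shape of the posted file plus edge cases.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com download.mcafee.com  # two names, one line
0.0.0.0   WWW.VirusTotal.com
::1       update.symantec.com
127.0.0.1 notsymantec.com
10.0.0.5  fileserver
not-an-ip broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each name mapped in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: not a mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def is_security_domain(name):
    """True if name is one of SECURITY_DOMAINS or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return (line_no, hostname, severity) for names forced to a local address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            severity = "high" if is_security_domain(name) else "review"
            findings.append((line_no, name, severity))
    return findings


if __name__ == "__main__":
    for line_no, name, severity in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> local address [{severity}]")
```

Entries marked "review" can be legitimate (ad-blocking hosts files use the same trick); entries marked "high" cut the machine off from scanner and update sites.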
ColT
Get Kaspersky Personal PRO, and Sygate Personal Firewall PRO 5.5. Best antivirus & firewall I've used.

Also get Xoftspy for a Spyware cleaner, and Advanced System Optimizer (very good software). Or you can just format your hard drive.
June 12, 2005, 11:32 PM
Newby
That's why I hate sharing computers.
June 13, 2005, 2:58 AM
The-FooL
Like every online scan has been blocked out by his hosts file.
June 13, 2005, 3:38 AM
CrAz3D
[quote author=Newby link=topic=11809.msg115569#msg115569 date=1118631489]
That's why I hate sharing computers.
[/quote]I don't use it anymore since I got my laptop.

This stupid thing is an annoying virus.  Messes with my host file, won't let me open up multiple things

I'm trying the Trend Micro thing now
June 13, 2005, 5:38 AM
CrAz3D
uhm yeah, none of the online scanners work either :(

Ok, in safe mode I've scanned with The Cleaner & am currently using Norton to scan as well
June 13, 2005, 5:42 AM
CrAz3D
hmm, after scanning with Norton it removed 2 things but my computer still doesn't load Norton (outside of safe mode) or task manager.  Does anyone know of a third party type of task manager so I can remove running processes & see what that does?
June 13, 2005, 6:28 PM
HdxBmx27
Itty Bitty Process Manager and HijackThis are good
Throw us a HijackThis log.
~-~(HDX)~-~
June 13, 2005, 6:37 PM
CrAz3D
Here is all I can capture in an SS of my taskmanager
[img]http://68.35.184.146/images/tsk.jpg[/img]

[quote]Logfile of HijackThis v1.99.1
Scan saved at 3:33:00 PM, on 6/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\WINDOWS\system32\External.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/US/NM/Las_Cruces.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wunderground.com/US/NM/Las_Cruces.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=stubentb&key=c9ea9a50957630e8805699bf646c4d2f&ts=4079d251&A=295885650000269&B=1079424000000&C=1079424000000&D=0&I=7.NH3&N=PLEM&O=I
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [External Dependencies] External.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://apps.fss.gsa.gov/CFIDE/classes/CFJava.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02fe4a074f033b75ce06/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - c:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SphtBot Profile Launcher (SBProfileLauncher) - Unknown owner - C:\Documents and Settings\Owner\Desktop\ProfileLauncher\ProfileLauncher.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

[/quote]
June 13, 2005, 9:33 PM
Yoni
A tip:
My sister's computer used to be full of viruses and many other malware most of the time.
Ever since the last reformat, she's been running as a restricted user ("Users" group in Win2k). Only I have admin.
Sure, it's annoying to have to install new programs every once in a while, but it doesn't happen that often, and I get the power to deny weird requests to install Gator and Comet Cursor if they ever occur.

(Oh, and I installed Firefox while I was at it. No complaints so far.)

[quote author=CrAz3D link=topic=11809.msg115612#msg115612 date=1118687283]
hmm, after scanning with Norton it removed 2 things but my computer still doesn't load Norton (outside of safe mode) or task manager. Does anyone know of a third party type of task manager so I can remove running processes & see what that does?
[/quote]

Sysinternals Process Explorer is a great task manager replacement, not only for getting rid of spyware, but generally.
June 13, 2005, 9:38 PM
CrAz3D
[quote author=Yoni link=topic=11809.msg115625#msg115625 date=1118698692]
A tip:
My sister's computer used to be full of viruses and many other malware most of the time.
Ever since the last reformat, she's been running as a restricted user ("Users" group in Win2k). Only I have admin.
Sure, it's annoying to have to install new programs every once in a while, but it doesn't happen that often, and I get the power to deny weird requests to install Gator and Comet Cursor if they ever occur.

(Oh, and I installed Firefox while I was at it. No complaints so far.)
[/quote]Well, it's our family desktop & I have my laptop so I wouldn't be allowed to do something like that for her, like my dad would make me allow her access to do everything otherwise I would've had her on a Guest acct awhile ago
June 13, 2005, 9:41 PM
Yoni
Apparently you're not being enough of an evil netadmin/sysadmin. You have to get it straight to your lusers that THEY need YOU. You live in the house, you don't pay the rent. Why would they keep you around? Because of the free IT support, of course!

Remember, if the IT department (you) says that running as a super user brings viruses, it's obviously true. What do they know, anyway?

If you can't have administrative freedom (root), I say leave the family and go rent a house somewhere. They're not worth it.
June 13, 2005, 9:49 PM
EpicOfTimeWasted
If you're able to, you could download the Ultimate Boot CD.  Throw it on a CD and boot from that CD, and run the virus scanner it has.  The virus definitions are from January though, so there's a pretty decent gap in detections, but it could be worth a shot.

Spybot S&D can supposedly run from a PE boot CD now too, but I have no idea how to set that up.
June 13, 2005, 9:55 PM
CrAz3D
wow, such wisdom...I don't have the money to spend to move out :(  I do, but I'd rather save it for later
June 13, 2005, 10:17 PM
CrAz3D
Finally.  Someone from f150online.com told me to do this & it worked.

[quote]Start Windows In Safe mode.

Open Regedit and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

Look for an entry called RunServices

If you find it, that is your culprit. Delete it and you should be good to go.

I fixed a PC last month with those exact same symptoms. Took me awhile to find it though.

BTW - this was on a XP machine...

Also, look in the Run, RunOnce and RunOnceEx keys for suspicious entries, etc. Rookie virus pr!cks put stuff here sometimes too.

Good luck !![/quote]

It was an External.exe in C:\Windows\system32\  that was doing this.  I thought it looked suspicious when Googling External.exe came up with nothing
June 13, 2005, 11:36 PM
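Added example, not part of the original thread: a Python triage of the O4 (registry autorun) lines from the HijackThis log posted earlier, flagging executables registered without a directory or under more than one autorun key. The function names and the two heuristics are assumptions chosen for illustration; a flag means "look closer", not "malware".

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [External Dependencies] External.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\([^:]+): \[([^\]]*)\] (.+)$')
# Executable at the start of a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|scr|pif))"?(?=\s|$)', re.I)


def parse_o4(log_text):
    """Return (hive, key, value_name, executable) for each O4 registry line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # not a registry autorun line
        hive, key, name, command = m.groups()
        exe = EXE_RE.match(command)
        entries.append((hive, key, name, exe.group(1) if exe else command))
    return entries


def triage(log_text):
    """Map lower-cased executable -> reasons it deserves a closer look."""
    locations = defaultdict(set)
    for hive, key, _name, exe in parse_o4(log_text):
        locations[exe.lower()].add(f"{hive}\\{key}")
    findings = {}
    for exe, keys in locations.items():
        reasons = []
        if "\\" not in exe:               # bare file name, found via search path
            reasons.append("no directory given")
        if len(keys) > 1:                 # same binary planted in several keys
            reasons.append("registered under " + ", ".join(sorted(keys)))
        if reasons:
            findings[exe] = reasons
    return findings


if __name__ == "__main__":
    for exe, reasons in sorted(triage(SAMPLE_LOG).items(),
                               key=lambda kv: -len(kv[1])):
        print(f"{exe}: {'; '.join(reasons)}")
```

On this log, External.exe is the only entry that trips both heuristics; nwiz.exe trips one and would be cleared by checking where the file lives and who signed it.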
Kp
Deleting the whole RunServices key was probably a bad idea.  Lots of non-malware uses that too, like some continuous-protection AV products. :)
June 14, 2005, 12:19 AM
kamakazie
Also, you can see all things that startup via registry by running msconfig (Start->Run).
June 14, 2005, 12:22 AM
CrAz3D
The only thing I saw related to RunServices was the External.exe so I deleted it.

I couldn't use msconfig
June 14, 2005, 12:30 AM
kamakazie
[quote author=CrAz3D link=topic=11809.msg115657#msg115657 date=1118709013]
I couldn't use msconfig
[/quote]

Interesting. Then I suggest using autoruns ;)
June 14, 2005, 1:24 AM
CrAz3D
Ok, it doesn't matter now, I've fixed it
June 14, 2005, 1:29 AM
kamakazie
[quote author=CrAz3D link=topic=11809.msg115663#msg115663 date=1118712561]
Ok, it doesn't matter now, I've fixed it
[/quote]

Always good to have that kind of utility. When I feel something is astray (almost never on my comp but other people's :P) I usually run that to see what is starting up.

Something odd though. I tried putting a RunServices key on my XP machine, added an appropriate entry and rebooted to see if this worked. And it didn't. So I loaded up AutoRuns and it didn't even report my entry as starting up. So I thought that was kind of weird. So I first looked through AutoRuns to see if it even detected that key and it had a string in there to do it. But when I started looking at what it was actually doing it made a call to first GetVersion and compared the result to 0x80000000 (as in the code sample provided in the documentation) meaning if the value returned was greater it is a Win9x/ME system and skipped over this key and some others. So I was like oh, RunServices only works on those particular OSes, yet it works on your XP machine? Am I mistaken somehow?
June 14, 2005, 2:03 AM
TehUser
For anyone interested in the inner workings of this particular virus, I also received it in an E-Mail and infected myself with it (purposely).  It's protected with PESpin, so the code is obfuscated.  I also took the following notes:

[quote]
File: External.exe
IRC Server: aue-clan.com
EXEServer: (?)
Port: 8900
Channel: #pwnz
Operator: whoopie
Channel Key: elite
Login: (?)
Comments: IRC server is set up for bots.
SMTP remailer virus.
Kills protective EXEs.
[/quote]

Basically, if you've been infected, it used you to send off thousands more spam emails.

Edit: I saved a copy of the infecting executable if anyone else wants to have a look.  Lastly, with regards to the RunServices key, it also puts itself in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which does load with Windows XP.
June 14, 2005, 2:18 AM
kamakazie
[quote author=TehUser link=topic=11809.msg115667#msg115667 date=1118715533]
Edit: I saved a copy of the infecting executable if anyone else wants to have a look.  Lastly, with regards to the RunServices key, it also puts itself in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which does load with Windows XP.
[/quote]

Link? Always fun to analyze viruses.
June 14, 2005, 8:42 PM
