I am trying to connect to www.norton.com and I get messagebox that asks for username and

a password in order to connect to ftp.symantec.org I also try to connect to

www.mcafee.com and I get another messagebox that asks for username and paswword in order

to connect to mcafee.com. The same thing happens when I try to connect to www.sarc.com

(Norton) or www.helpvirus.com or any other virus related site. Does anyone have any

suggestions? It is beginning to drive me crazy....

I can visit any other page on the internet.... My system is winXP

regards,
tzic
www.tzic.com

Hi Tzic welcome to the forum!
sounds sad; please have a look in this thread as it looks the same issue! Hope it helps! http://www.wilderssecurity.com/showthread.php?t=13664
Please tell us if this solves your problem!

Thank you Jooske, following the threads instructions I managed to solve the problem..!

tzic

Ahhhh i'm so glad you did! And thanks for telling us!
Congratulations! Now make sure you have a clean restore point from here (make it manually) if ever needed for anything; you mighyt like to give it a descriptive name indicating this is a clean safe restore point to use.

I dont know how to create a restore point... :-( Can you take a look at http://www.wilderssecurity.com/showthread.php?t=13664;start=15 at my last reply where I list the contents of thr host file and tell me what you think?

Hi, i hope somebody can walk you through doing so on an XP system, i see one for win ME which might not be much different i hope here (http://www.europe.f-secure.com/v-descs/sfc_dis.shtml) with images; once you're in that system restore area you have the option to create manually a new restore point.


I looked at that quotelf which seems rather abused; googled for that name and i see more examples like your host file with the same kinds of additions and the whole lot which Pieter described.
What surprises me, there is a HOSTS file and i thought what you showed (as well as the other people) would have been a manipulated Hosts.Sam file and if a sam file would be a sample and not to run why does it run or was this an addition to the original HOSTS file?

I hope the quotelf stocks info itself was not infected and causing this, or in combination with some vulnerability or infection either from a website or via email nasties.
Did the properties of that manipulated HOSTS file say a last modification date?

the file was:

-created: Thursday, August 23, 2001, 2:00:00 PM

-Modified: Monday, June 23, 2003, 12:16:13 AM (on my birthday..?)

-Accessed: Today, September 15, 2003, 3:36:20 AM

What should I do now? Actually there is no "host" file because I renamed it to host.bak Should I create or download another one?

If you like you could create a new HOSTS file; not sure what you like to put in it; there are a few sites about it with updates for thousands of sites we don't want to know about. The HOSTS file is discussed in the forum too occasionally.


A very belated happy birthday!

Is there a possibility to do in Windows a search/find for files modified or created on that same date?
It could have been an infected "happy birthday" e-card for instance. So look for emails from that date and a day before and in all the system. In the "find" you can sort them on date/hour so look for that time of modification and around.

I remember there were articles of compromised hosts around 15 june, and the JS/Fortnight was doing such things too, adding a hosts file to the windows directory with bunches of redirections (mostly p0rn sites)

thank you Jooske, everything works fine.. :-)

tziC