Velocity Reviews - Computer Hardware Reviews

Host file hacked...

 
 
George
Guest
Posts: n/a
 
      01-19-2004
Hi all.

Was hoping to get a little help from all you good folks... Been a while since I was here..

Have a remote user with XP home edition that's had his hosts file hacked.... he's got a notice that comes up (from the MS update site) that told him this, along with a step by step to fix it.

I've signed in with PC anywhere and am having trouble with step one.... it says to go into regedit and delete the starting of svchost.exe from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run then reboot and delete the file from the windows directory. But it's not at that location in the registry, and it won't let me delete it from the system32 folder under windows (I imagine cause it's still running....)

I've been searching the Knowledge base for the last 3 hours, and haven't found anything about it...

The hosts file is truly hacked. A big long list has replaced the one that should be there, and if I change it back and reboot, it changes back to the hacked version.

I've done find in the registry, it comes up with quite a few services that use the svchost.exe file, but nowhere that seems to be starting it... I've done file searches and don't find any other instances of the file (like in something that would start it) on the hard drive.

any ideas?

Even on how to stop svchost.exe from running at startup...

George
MCSE, MCSA, CCNA, Network +, A+.
 
 
 
 
 
Dragon
Guest
Posts: n/a
 
      01-19-2004
It seems like your system is infected with a virus. Use a virus removal tool
etc to clean the system. Do NOT delete svchost.exe. If it is infected, use
some removal tool to clean it.

Take a look at:
http://securityresponse.symantec.com...r/vinfodb.html

HTH.
 
 
 
 
no one
Guest
Posts: n/a
 
      01-19-2004
If you can get it, grab any data off of the box and
reformat and rebuild it. It will take less time to do
that than to screw around trying to fix an infected
machine.
>-----Original Message-----
>but I've run Norton, and the free check available from Trend and they're not finding any viruses.
>
>The page saying that the file has been hacked looks like it came from the MS updates page... not convinced that it has, but the file is certainly hacked already. there's a list of names all pointing to the same ip address. when I delete the file and create a new one, reboot, it's back to the hacked version.
>
>He's also told me that when he shuts down, he's getting a message that a program named WinMin is not shutting down and asking him if he wants to end the program. he also reports that his whole system is running slow lately.
 
Dave Marden
Guest
Posts: n/a
 
      01-20-2004
Are you sure there is actually something wrong with this
pc? I have seen emails that look like what you are
describing and I just delete them. Works for me.

Dave Marden
 
Marko
Guest
Posts: n/a
 
      01-20-2004


----- George wrote: -----

but I've run Norton, and the free check available from Trend and they're not finding any viruses.

OK. So try www.symantec.com
Go to Security Check, bottom left link.

Use the online security scanning tool. Then the virus detection tool.


After this, go to www.iolo.com. Download System Mechanic.

Go to System / Windows Startup Manager

Have a look at what is starting when the machine starts.
If you suspect anything, disable it and try again.

> George
> MCSE, MCSA, CCNA, Network +, A+.



C'mon George. This is embarrassing.
You have more certs than nearly everybody here.

And you want our help???


 
 
LnkWizard
Guest
Posts: n/a
 
      01-20-2004
If your software doesn't detect a virus/worm etc., then you may have a system infested with a spyware/adware program. You might want to check out Lavasoft AdAware (www.lavasoft.de) or Spybot Search and Destroy (www.safer-networking.org) for some pretty good software to clean that crap up. Due to some nasty lawsuits there are some spyware programs out there that change your system like a virus or Trojan horse would, but the anti-virus companies are not allowed to list, detect, or remove them.


 
JaR
Guest
Posts: n/a
 
      01-20-2004

"Marko" <> wrote in message
> > George
> > MCSE, MCSA, CCNA, Network +, A+.
>
> C'mon George. This is embarrassing.
> You have more certs than nearly everybody here.
>
> And you want our help???


Case in point for anybody that cares.

JaR
Pointing out the Obvious Thug


 
 
wjw
Guest
Posts: n/a
 
      01-21-2004
Have you tried booting into safe mode and editing the
registry there? When in safe mode the registry Run section
and startup aren't activated. I suspect if you're doing it in
a standard boot, the virus checks the run command is in
the registry when you shut the PC down... and if it's not
there it adds it again.
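
As an added example (not part of the original thread), here is a small hosts-file audit for the symptom George describes, a list of names all pointing to the same IP address. The sample file, its hostnames, the 203.0.113.7 address and the `min_names` threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered hosts file (documentation-range IP,
# placeholder hostnames); not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     update.vendor-a.example   # inline comment
203.0.113.7     www.vendor-b.example scan.vendor-b.example
203.0.113.7     download.vendor-c.example
10.0.0.5        fileserver
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Return (ip -> set of hostnames, list of malformed line numbers)."""
    by_ip, malformed = defaultdict(set), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(lineno)          # first field is not an IP address
            continue
        if len(fields) < 2:
            malformed.append(lineno)          # an IP with no hostname after it
            continue
        by_ip[ip].update(name.lower() for name in fields[1:])
    return by_ip, malformed

def suspicious_redirects(text, min_names=3):
    """IPs that are not loopback/unspecified yet answer for many names."""
    by_ip, _ = parse_hosts(text)
    return {
        str(ip): sorted(names)
        for ip, names in by_ip.items()
        if not (ip.is_loopback or ip.is_unspecified) and len(names) >= min_names
    }

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip} answers for {len(names)} names: {', '.join(names)}")
```

Run it against a copy of `%SystemRoot%\system32\drivers\etc\hosts` taken from the affected machine; entries mapped to 127.0.0.1 or 0.0.0.0 are skipped because ad-blocking hosts files legitimately use them.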
 