Host file hacked...

Discussion in 'MCSE' started by George, Jan 19, 2004.

  1. Hi all.

    Was hoping to get a little help from all you good folks... Been a while since I was here..

    Have a remote user with XP home edition that's had his hosts file hacked.... he's got a notice that comes up (from the MS update site) that told him this, along with a step by step to fix it.

    I've signed in with PC anywhere and am having trouble with step one.... It says to go into regedit and delete the starting of svchost.exe from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, then reboot and delete the file from the windows directory. But it's not at that location in the registry, and it won't let me delete it from the system32 folder under windows (I imagine 'cause it's still running....)

    I've been searching the Knowledge base for the last 3 hours, and haven't found anything about it...

    The hosts file is truly hacked. A big long list has replaced the one that should be there, and if I change it back and reboot, it changes back to the hacked version.

    I've done find in the registry, it comes up with quite a few services that use the svchost.exe file, but nowhere that seems to be starting it... I've done file searches and don't find any other instances of the file (like in something that would start it) on the hard drive.

    any ideas?

    Even on how to stop svchost.exe from running at startup...

    George
    MCSE, MCSA, CCNA, Network +, A+.
    George, Jan 19, 2004
    #1

  2. Dragon Guest

    It seems like your system is infected with a virus. Use a virus removal tool
    etc to clean the system. Do NOT delete svchost.exe. If it is infected, use
    some removal tool to clean it.

    Take a look at:
    http://securityresponse.symantec.com/avcenter/vinfodb.html

    HTH.

    Dragon, Jan 19, 2004
    #2

  3. no one Guest

    thanks Dragon

    If you can get it, grab any data off of the box and
    reformat and rebuild it. It will take less time to do
    that than to screw around trying to fix an infected
    machine
    >-----Original Message-----
    >but I've run Norton, and the free check available from Trend and they're not finding any viruses.
    >
    >The page saying that the file has been hacked looks like it came from the MS updates page... not convinced that it has, but the file is certainly hacked already. there's a list of names all pointing to the same ip address. when I delete the file and create a new one, reboot, it's back to the hacked version.
    >
    >He's also told me that when he shuts down, he's getting a message that a program named WinMin is not shutting down and asking him if he wants to end the program. he also reports that his whole system is running slow lately.
    no one, Jan 19, 2004
    #3
  4. Dave Marden Guest

    Are you sure there is actually something wrong with this
    pc? I have seen emails that look like what you are
    describing and I just delete them. Works for me.

    Dave Marden


    Dave Marden, Jan 20, 2004
    #4
  5. RE: thanks Dragon

    ----- George wrote: -----

    but I've run Norton, and the free check available from Trend and they're not finding any viruses.

    OK. So try www.symantec.com
    Go to Security Check, bottom left link.

    Use the online security scanning tool. Then the virus detection tool.


    After this, go to www.iolo.com. Download System Mechanic.

    Go to System / Windows Startup Manager

    Have a look at what is starting when the machine starts.
    If you suspect anything, disable it and try again.



    >> George

    > MCSE, MCSA, CCNA, Network +, A+.



    C'mon George. This is embarrassing.
    You have more certs than nearly everybody here.

    And you want our help???
    Marko, Jan 20, 2004
    #5
  6. If your software doesn't detect a virus/worm etc., then you may have a system infested with a spyware/adware program. You might want to check out Lavasoft AdAware (www.lavasoft.de), or Spybot Search and Destroy (www.safer-networking.org) for some pretty good software to clean that crap up. Due to some nasty lawsuits there are some spyware programs out there that change your system like a virus or Trojan horse would, but the anti-virus companies are not allowed to list, detect, or remove them.


    LnkWizard, Jan 20, 2004
    #6
  7. JaR Guest

    Re: thanks Dragon

    "Marko" <> wrote in message
    > > George
    > > MCSE, MCSA, CCNA, Network +, A+.
    >
    > C'mon George. This is embarrassing.
    > You have more certs than nearly everybody here.
    >
    > And you want our help???


    Case in point for anybody that cares.

    JaR
    Pointing out the Obvious Thug
    JaR, Jan 20, 2004
    #7
  8. wjw Guest

    thanks Dragon

    Have you tried booting into safe mode and editing the
    registry there? When in safe mode the registry Run section
    and startup aren't activated. I suspect if you're doing it in
    a standard boot, the virus checks the run command is in
    the registry when you shut the PC down... and if it's not
    there it adds it again.
    wjw, Jan 21, 2004
    #8
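
An added example (not code from any poster in this thread): Python that audits hosts-file text for the pattern George describes, a list of names all pointing to the same IP address, and checks Run-key values for a file named svchost.exe started from outside System32. The sample hosts text and addresses, the function names, the threshold of 3 and the `C:\WINDOWS` system root are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a tampered hosts file: several names forced to one
# address (203.0.113.7 is a reserved documentation address).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1     localhost
203.0.113.7   update.example.com
203.0.113.7   www.av-vendor.example  scan.av-vendor.example
203.0.113.7   mail.example.org   # inline comment
0.0.0.0       ads.example.net
not-an-ip     broken.example
"""

def parse_hosts(text):
    """Map each valid IP in hosts-file text to the names assigned to it."""
    table = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip malformed lines
        table[ip].extend(name.lower() for name in fields[1:])
    return table

def redirected_names(text, threshold=3):
    """Return {ip: names} where `threshold`+ names share one non-loopback IP."""
    findings = {}
    for ip, names in parse_hosts(text).items():
        if ip.is_loopback or ip.is_unspecified:
            continue        # 127.0.0.1 / 0.0.0.0 lines are blocklist style
        if len(names) >= threshold:
            findings[str(ip)] = sorted(names)
    return findings

def svchost_outside_system32(run_values, system_root=r"C:\WINDOWS"):
    """From {value_name: command} read out of a Run key, return entries that
    start a file named svchost.exe from anywhere other than System32."""
    genuine = (system_root + r"\system32\svchost.exe").lower()
    flagged = {}
    for name, command in run_values.items():
        exe = command.strip().strip('"').lower().split(".exe")[0] + ".exe"
        if exe.rsplit("\\", 1)[-1] == "svchost.exe" and exe != genuine:
            flagged[name] = command
    return flagged
```

Feed it the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the values exported from the HKCU and HKLM Run keys.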