Host file hacked...

Discussion in 'MCSE' started by Guest, Jan 19, 2004.

  1. Guest

    Guest Guest

    Hi all.

    Was hoping to get a little help from all you good folks... Been a while since I was here..

    Have a remote user with XP home edition that's had his hosts file hacked.... he's got a notice that comes up (from the MS update site) that told him this, along with a step by step to fix it.

    I've signed in with PC anywhere and am having trouble with step one.... it says to go into regedit and delete the starting of svchost.exe from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run then reboot and delete the file from the windows directory. but it's not at that location in the registry, and it won't let me delete it from the system32 folder under windows (I imagine cause it's still running....)

    I've been searching the Knowledge base for the last 3 hours, and haven't found anything about it...

    The hosts file is truly hacked. a big long list has replaced the one that should be there. and if I change it back and reboot, it changes back to the hacked version.

    I've done find in the registry, it comes up with quite a few services that use the svchost.exe file, but nowhere that seems to be starting it... I've done file searches and don't find any other instances of the file (like in something that would start it) on the hard drive.

    any ideas?

    Even on how to stop svchost.exe from running at startup...

    George
    MCSE, MCSA, CCNA, Network +, A+.
     
    Guest, Jan 19, 2004
    #1

  2. Guest

    Dragon Guest

    It seems like your system is infected with a virus. Use a virus removal tool
    etc to clean the system. Do NOT delete svchost.exe. If it is infected, use
    some removal tool to clean it.

    Take a look at:
    http://securityresponse.symantec.com/avcenter/vinfodb.html

    HTH.

     
    Dragon, Jan 19, 2004
    #2

  3. Guest

    no one Guest

    If you can get it, grab any data off of the box and
    reformat and rebuild it. It will take less time to do
    that than to screw around trying to fix an infected
    machine.

    > Trend and they're not finding any viruses.
    > it came from the MS updates page... not convinced that
    > it has, but the file is certainly hacked already.
    > there's a list of names all pointing to the same ip
    > address. when I delete the file and create a new one,
    > reboot, it's back to the hacked version.
    > a message that a program named WinMin is not shutting
    > down and asking him if he wants to end the program. he
    > also reports that his whole system is running slow lately.
    > HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run then reboot
     
    no one, Jan 19, 2004
    #3
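The quoted symptom above (a long block of names all pointing at one address, and the file reverting after a reboot) is something you can check for mechanically rather than by eye. The following is an added example, not code from the thread or from any poster: it parses a hosts file and reports two indicators, a cluster of hostnames sharing one non-loopback address, and any name from a watchlist of update/vendor hosts appearing in the file at all (a clean hosts file carries only localhost). The sample file, the watchlist and the 203.0.113.5 address are constructed for the example.

```python
"""Audit a Windows hosts file for hijack indicators.

Added example, not from the thread. The sample content, the watchlist and
the address 203.0.113.5 are constructed placeholders, not values taken
from the affected machine.
"""
from collections import defaultdict
from ipaddress import ip_address

# Names that never belong in a hosts file on a normal machine; any entry
# for them, whatever address it carries, blocks or redirects updates.
# Constructed watchlist for the example; extend for your environment.
WATCHLIST = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "securityresponse.symantec.com",
    "www.symantec.com",
}

# How many names must share one real (non-loopback) address before we
# call it a cluster like the one the poster described.
SAME_IP_THRESHOLD = 5

# Constructed sample hosts file, not captured from the real system.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
# hijacked block: many names -> one address
203.0.113.5     windowsupdate.microsoft.com
203.0.113.5     update.microsoft.com
203.0.113.5     securityresponse.symantec.com
203.0.113.5     www.symantec.com
203.0.113.5     av-vendor-one.example
203.0.113.5     av-vendor-two.example
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            continue   # first token is not an address; not a mapping
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text):
    """Return {'clustered': {ip: [names]}, 'redirected': [(name, ip)]}."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)

    findings = {"clustered": {}, "redirected": []}
    for ip, names in by_ip.items():
        addr = ip_address(ip)
        # Many names on one real address is the hijack pattern; loopback and
        # 0.0.0.0 are how legitimate blocklists look, so they are not clusters.
        if not (addr.is_loopback or addr.is_unspecified) and len(names) >= SAME_IP_THRESHOLD:
            findings["clustered"][ip] = sorted(names)
        for name in names:
            if name in WATCHLIST:
                findings["redirected"].append((name, ip))
    findings["redirected"].sort()
    return findings


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for ip, names in result["clustered"].items():
        print(f"{len(names)} names mapped to {ip}: {', '.join(names)}")
    for name, ip in result["redirected"]:
        print(f"watchlisted host {name} present, mapped to {ip}")
```

Run it against the real file (C:\WINDOWS\system32\drivers\etc\hosts on XP) by reading the file's text into `audit_hosts`; an empty result on a freshly restored file followed by findings after the next reboot confirms the reversion the poster saw and tells you a startup component is rewriting it.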
  4. Guest

    Dave Marden Guest

    Are you sure there is actually something wrong with this
    pc? I have seen emails that look like what you are
    describing and I just delete them. Works for me.

    Dave Marden

     
    Dave Marden, Jan 20, 2004
    #4
  5. Guest

    Guest Guest

    ----- George wrote: -----

    but I've run Norton, and the free check available from Trend and they're not finding any viruses.

    OK. So try www.symantec.com
    Go to Security Check, bottom left link.

    Use the online security scanning tool. Then the virus detection tool.


    After this, go to www.iolo.com. Download System Mechanic.

    Go to System / Windows Startup Manager

    Have a look at what is starting when the machine starts.
    If you suspect anything, disable it and try again.



    C'mon George. This is embarrassing.
    You have more certs than nearly everybody here.

    And you want our help???
     
    Guest, Jan 20, 2004
    #5
  6. Guest

    Guest Guest

    If your software doesn't detect a virus/worm etc., then you may have a system infested with a spyware/adware program. You might want to check out Lavasoft AdAware, ( www.lavasoft.de ), or Spybot Search and Destroy,
    ( www.safer-networking.org ) for some pretty good software to clean that crap up. Due to some nasty lawsuits there are some spyware programs out there that change your system like a virus or trojan horse would, but the anti-virus companies are not allowed to list, detect, or remove them.


     
    Guest, Jan 20, 2004
    #6
  7. Guest

    JaR Guest

    Case in point for anybody that cares.

    JaR
    Pointing out the Obvious Thug
     
    JaR, Jan 20, 2004
    #7
  8. Guest

    wjw Guest

    Have you tried booting into safe mode and editing the
    registry there? When in safe mode the registry Run section
    and startup aren't activated. I suspect if you're doing it in
    a standard boot, the virus checks the run command is in
    the registry when you shut the PC down... and if it's not
    there it adds it again.
     
    wjw, Jan 21, 2004
    #8
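The advice in this thread comes down to one check: the genuine svchost.exe lives in %SystemRoot%\System32 and is started by the service control manager, so it has no business in a Run key, and a Run entry that launches a file by that name from anywhere else (or with no path at all) is the thing to look for before touching anything. The following is an added example, not code from the thread or from any poster, that applies that rule to Run-key entries. The Run values in it are constructed samples with placeholder paths, the system-binary list and the XP-style C:\WINDOWS root are assumptions, and on Windows `read_run_entries()` reads the live HKCU and HKLM keys through winreg.

```python
"""Audit Windows Run-key autostart entries for a relocated system binary.

Added example, not from the thread. SAMPLE_ENTRIES, SYSTEM_BINARIES and the
C:/WINDOWS root are assumptions for the example; read_run_entries() pulls
the real values on a Windows host.
"""
import posixpath

# Names that should only ever be started from System32 under %SystemRoot%
# (assumed list for the example; extend as needed).
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample Run values: (value name, command line). Placeholder paths.
SAMPLE_ENTRIES = [
    ("ctfmon",           r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Backup",           r'"C:\Program Files\Example Backup\backup.exe" /tray'),
    ("Windows Services", r"C:\WINDOWS\svchost.exe"),                      # wrong directory
    ("svchost",          "svchost.exe"),                                   # no path at all
    ("netsvcs",          r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),   # right file, wrong place
]


def exe_from_command(command):
    """Return the executable path from a Run value, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def classify_entry(command, system_root=r"C:\WINDOWS"):
    """Classify one Run command as 'ok', 'review' or 'suspicious'."""
    exe = exe_from_command(command)
    # Normalise to forward slashes so posixpath splits Windows paths on any host.
    norm = exe.replace("\\", "/").lower()
    name = posixpath.basename(norm)
    if name not in SYSTEM_BINARIES:
        return "ok"
    directory = posixpath.dirname(norm)
    expected = (system_root.replace("\\", "/") + "/system32").lower()
    if directory == "":
        return "suspicious"   # bare name, resolved through the search path
    if directory != expected:
        return "suspicious"   # system binary name launched from somewhere else
    return "review"           # genuine file, but a service needs no Run entry


def audit_entries(entries):
    """Return [(value name, command, verdict)] for every entry that is not 'ok'."""
    flagged = []
    for value_name, command in entries:
        verdict = classify_entry(command)
        if verdict != "ok":
            flagged.append((value_name, command, verdict))
    return flagged


def read_run_entries():
    """Read live Run values from HKCU and HKLM (Windows only; raises ImportError elsewhere)."""
    import winreg
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue   # key absent or not readable
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break   # no more values under this key
                entries.append((value_name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    try:
        live = read_run_entries()
    except ImportError:
        live = SAMPLE_ENTRIES   # not on Windows: fall back to the constructed samples
    for value_name, command, verdict in audit_entries(live):
        print(f"{verdict:10} {value_name!r}: {command}")
```

As the last reply notes, the Run value can be re-created at shutdown, so compare the output from a normal boot with the output from safe mode: an entry present in one listing and absent in the other is the one being re-added, and the Run key is only one of several autostart locations, so an empty result here does not by itself clear the machine.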