Solved

If you see this page your hosts file has been hacked? <- authentic?

Posted on 2003-12-11
Last Modified: 2010-04-11
Recently I attempted to open Google but received this instead:

If you see this page your hosts file has been hacked. Please use the instruction below to clean your machine.

You cannot reach the site you where trying to reach without following this procedure! - Please follow the steps provided in this document and make sure to download all patches for your computer from the Windows Update Site which can be found here:
http://windowsupdate.microsoft.com 

1. Start regedit,
find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ,
delete starting of svchost.exe file,
reboot your computer,
delete file svchost.exe in windows directory.

2. Reboot windows and start in
SAFE MODE (F8 key on keyboard before windows starting),
delete file winlogon.exe in directory: C:\Documents and Settings\All Users\Start Menu\Programs\Startup

3. Clear your 'hosts' file.
How to edit your hosts file: locate it first, either by browsing to the directory (as shown above) or by hitting "Start - Search - select all files and folders - type in 'hosts' (without the quotation marks) and hit search. When the file is found, click with your right mouse button on the file and select 'Open With...' This will bring up a list of programs to edit the file with. Select Notepad from that list and click OK. - Remove all lines from the file and type in: 127.0.0.1 localhost. Now close the file and save your changes.
For Windows 95/98/Millenium machines: Locate the file hosts in your C:\Windows directory. Just delete it or edit it with a text editor like notepad and make sure there is only one line there:
127.0.0.1 localhost
For Windows 2000 machines: Locate the file hosts in your C:\Winnt\System32\Drivers\Etc directory. Just delete it or edit it with a text editor like notepad and make sure there is only one line there:
127.0.0.1 localhost
For Windows XP machines: Locate the file hosts in your C:\Windows\System32\Drivers\Etc directory. Just delete it or edit it with a text editor like notepad and make sure there is only one line there:
127.0.0.1 localhost

I have Norton's firewall/antivirus constantly up. No virus was found in a scan, and Google won't open. Basically, is this real and should I do it, or is it an attempt to damage my system?
0
Question by:wicker-gk
23 Comments
 
LVL 97

Expert Comment

by:war1
ID: 9921831
Greetings, wicker-gk!
>> I have Nortons firewall/anti virus constantly up. No virus was found in a
>> scan, and google wont open, basically is this real and i should do it, or is
>> it an attempt to damage my system?

Yes, ignore the message. Don't do the registry edits. If you are concerned about your HOSTS file, do a search for it (it is a hidden file) and open it up with a text editor.

Best wishes, war1
0
 

Author Comment

by:wicker-gk
ID: 9921849
Great, thanks, but what about Google? I can't use it? Shall I just use other search engines?
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 33 total points
ID: 9921919
Open your host file

In Win 9x it's in

c:\windows

In 2k it's in

c:\winnt\system32\drivers\etc

In XP it's in

c:\windows\system32\drivers\etc

As war1 told you, it may be hidden, so make sure in Explorer you open the folder options and turn OFF "hide hidden files and system files"

Open the file in notepad

Delete EVERYTHING below

127.0.0.1            localhost
0
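
An added example, not part of the original thread or any poster's code: a Python sketch of the check the accepted answer describes, listing every hosts entry other than the stock `127.0.0.1 localhost` line. The name `audit_hosts` and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Names a stock hosts file is expected to map to loopback.
EXPECTED = {"localhost"}

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every entry that is
    not the stock localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "unparseable address"))
            continue
        if len(fields) < 2:
            findings.append((line_no, fields[0], "", "address with no hostname"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in EXPECTED and addr.is_loopback:
                continue
            if addr.is_loopback or addr.is_unspecified:
                reason = "name blocked (resolves to this machine)"
            else:
                reason = "name redirected to another address"
            findings.append((line_no, str(addr), name, reason))
    return findings

# Constructed sample; 192.0.2.0/24 is a documentation-only address range.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # added by something else
127.0.0.1       windowsupdate.microsoft.com
not-an-ip       example.test
"""

if __name__ == "__main__":
    for line_no, addr, name, reason in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % (line_no, name or "?", addr, reason))
```
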

 
LVL 57

Expert Comment

by:Pete Long
ID: 9921925
If you're on Win 9x or ME you'll need to reboot :0)

PL
0
 
LVL 97

Expert Comment

by:war1
ID: 9921940
Google is the best search engine around.  So use it.
0
 

Author Comment

by:wicker-gk
ID: 9921953
My point was I can't get to Google because of this warning

and so now I don't ignore it, I delete that one line?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9922053
Ne delete everything below that line, if there's nothing there, then your host file is fine, what OS are you using??

PL
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9922057
Ne = No
0
 
LVL 97

Expert Comment

by:war1
ID: 9922235
>> My point was I can't get to Google because of this warning

If there is nothing in HOSTS file, then, yes, ignore the message. If the message is preventing you from getting to Google, use another search engine.
0
 
LVL 5

Assisted Solution

by:Hypoviax
Hypoviax earned 32 total points
ID: 9946623
Try some of these programs:

AdAware
http://www.lavasoftusa.com/

Spycop:
http://www.spycop.com/

This will get rid of some of the more well-known home page hijackers.
CoolWebShredder
http://www.spychecker.com/program/cwshredder.html 

Hijack This and BHODemon and Browser Hijack Blaster

Hijack This http://www.spywareinfo.com/~merijn/files/hijackthis.zip | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found. An easy-to-understand tutorial is available at TomCoyote.org.


Regards,

Hypoviax
0
 
LVL 97

Expert Comment

by:war1
ID: 9961372
wicker-gk,
   We have not heard from you in a while. Did any comment help you solve your problem? Do you have any more questions? If an Expert helped you, please accept his/her answer with an excellent or good grade.

Thanks, war1
0
 
LVL 1

Expert Comment

by:hgottfried
ID: 9981969
First of all I wouldn't think that site or page that loaded was real, I would load Spybot Search and Destroy (FREE) or there are others too, and tell it to lock your hosts file.

I would also do a reboot to be safe, but NEVER NEVER do any reg editing from a webpage's instructions. The only thing your hosts file would do if it doesn't work is not load certain pages or allow you to browse. MS would never give the average user an error that instructed them to edit the registry !!

I would also scan your machine for trojans
0
 

Expert Comment

by:jorjelu
ID: 10024834
Hello, I also have this problem, and I delete addresses in hosts, but whenever I reboot my system, the hosts file is filled up again with sites and warez things.
0
 
LVL 97

Expert Comment

by:war1
ID: 10025758
jorjelu,
   You may want to ask what you want in a new question.
0
 

Expert Comment

by:jorjelu
ID: 10025849
Ok, the idea is that I had my host file hacked too. I deleted everything under localhost. After I reboot I realize that the host file is filled up again. Does this have anything in common with some malicious registry? How can I protect my hosts file from being hacked? Thank you very much.
0
 
LVL 6

Expert Comment

by:ampcats
ID: 10046638
Look for winlogon - I found a site (using Google ;~}) that has all the text you mentioned - the root of the domain however had some small script files that ran together, and part of the script includes

C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\winlogon.exe

I'd look for that and lose it...
0
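
An added example, not from the thread or any poster: a Python sketch that flags autostart entries running a file named like a Windows system process from outside System32, which is the pattern in the two locations mentioned here (svchost.exe in the Windows directory, winlogon.exe in the Startup folder). The function names, location labels and sample entries are constructed assumptions.

```python
import ntpath

# System process names mentioned in this thread; the genuine files live in System32.
# Assumption: 32-bit layout of that era (a 64-bit system would also allow SysWOW64).
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe"}

def executable_of(command):
    """Extract the program path from a Run-key style command line."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: keep text up to the first ".exe" so paths with spaces survive.
    idx = command.lower().find(".exe")
    return command[:idx + 4] if idx != -1 else command.split()[0]

def find_masquerades(entries, system_root=r"C:\Windows"):
    """entries: (location, command) pairs. Returns (location, path) for each
    system-named binary that is not in the System32 directory under system_root."""
    genuine_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    hits = []
    for location, command in entries:
        exe = ntpath.normpath(executable_of(command))
        directory, name = ntpath.split(exe)
        if name.lower() in SYSTEM_NAMES and ntpath.normcase(directory) != genuine_dir:
            hits.append((location, exe))
    return hits

# Constructed autostart listing; labels are illustrative, not tool output.
SAMPLE = [
    ("Run key (HKCU)", r"C:\Windows\svchost.exe"),
    ("Startup folder",
     r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe"),
    ("Run key (HKLM)", r'"C:\Program Files\Example\tray.exe" /min'),
    ("service", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for location, path in find_masquerades(SAMPLE):
        print("%s: %s" % (location, path))
```
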
 

Expert Comment

by:jorjelu
ID: 10047318
I cannot delete it...... :( Protected or in use. I cannot close the process even. What do I have to do with winlogon?
0
 
LVL 6

Expert Comment

by:ampcats
ID: 10048287
excellent - well - I mean - err.... that means that we can delete it before the users log on....

open notepad

c:\windows\system32\attrib.exe -r -a -s -h c:\docume~1\alluse~1\startm~1\programs\startup\winlogon.exe >>c:\dellog.txt
del c:\docume~1\alluse~1\startm~1\programs\startup\winlogon.exe >>c:\dellog.txt

the line starting c:\...  ends with ....dellog.txt - it wraps in my window...
 if your windows dir is different, use that instead of windows!!


save that as c:\dellog.cmd  (save as, save as type : all files, encoding ANSI )

exit

download and install firedaemon
http://www.firedaemon.com/

then..
run it,
service,
new

program tab:
 short name           : killog
 display name         : killog
 working directory    :c:\
 executable             : c:\dellog.cmd

settings tab:
 upon program exit : shutdown firedaemon


click install
click OK
click cancel (you don't want to make a second)

reboot... how's that... check c:\ - open c:\dellog.txt and post it here... then uninstall firedaemon...
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11150766
Hello, this question has been open a while, please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12994212
In my opinion a split of points between experts should occur, as a suitable response to the author's problem has been made.

Hypoviax
0

Question has a verified solution.
