Window XP Explore Problem


TL
January 6th 04, 01:03 AM
My Windows Explorer recently ran into a problem that keeps
bringing up a site that I did not specify as my default
page. According to a message from www.msn.com, my host
file has been hacked. I followed these instructions, but
the site still comes back after I reboot. The site is
called www.find4u.com. Please help...

1. Start regedit,
find
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
delete starting of svchost.exe file,
reboot your computer,
delete file svchost.exe in windows directory.

2. Reboot windows and start in
SAFE MODE (F8 key on keyboard before windows starting),
delete file winlogon.exe in directory: C:\Documents and
Settings\All Users\Start Menu\Programs\Startup

3. Clear your 'hosts' file.
How to edit your hosts file: locate it first, either by
browsing to the directory (as shown above) or by
hitting "Start - Search - select all files and folders -
type in 'hosts' (without the quotation marks) and hit
search. When the file is found, click with your right
mouse button on the file and select 'Open With...' This
will bring up a list of programs to edit the file with.
Select Notepad from that list and click OK. - Remove all
lines from the file and type in: 127.0.0.1 localhost. Now
close the file and save your changes.

For Windows XP machines: Locate the file hosts in your
C:\Windows\System32\Drivers\Etc directory. Just delete it
or edit it with a text editor like notepad and make sure
there is only one line there:
127.0.0.1 localhost

Ronnie Vernon MVP
January 6th 04, 07:57 PM

Jerry wrote:
> Yes, I have the same problem right now. If nobody can help us, maybe
> we can help each other by sharing what we know.
>
> Below I wrote comments on those directions they gave us. The funny
> thing about this is I'm not sure if the directions are really from
> microsoft or a trick. They are so ambiguous in places as to be
> impossible for laymen like us to follow. But here's what I've
> figured out. Hope this helps.
>
>
> If you see this page your hosts file has been hacked. Please use
> the instruction below to clean your machine.
>
> You cannot reach the site you were trying to reach without following
> this procedure! - Please follow the steps provided in this document
> and make sure to download all patches for your computer from the
> Windows Update Site which can be found here:
> http://windowsupdate.microsoft.com
>
> 1. Start regedit, [[[should say "Start, Run, type Regedit", then
> screen pops up and find HKEY_Current......]]]
> find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ,
> delete starting of svchost.exe file, [[[now what do they mean by
> "starting", and i don't see that file]]] [[[the files i have in the
> run folder are ctfmon.exe and dxsty,, what do you have??]]] [[[I
> haven't deleted anything yet, so I've never made it to the next
> step.]]]
> reboot your computer,
> delete file svchost.exe in windows directory. [[[BY "windows
> directory" i wasn't sure at first, but now I think they mean in my
> computer/local disk c:/windows/system32, there's an exe file called
> "svchost" there]]]
>
> 2. Reboot windows and start in [[[confident I could do this onen when
> the time comes, ask me if you are unsure how to do it..]]]
> SAFE MODE (F8 key on keyboard before windows starting),
> delete file winlogon.exe in directory: C:\Documents and Settings\All
> Users\Start Menu\Programs\Startup
>
> 3. Clear your 'hosts' file. [[[I have XP so I go to the bottom]]]
> How to edit your hosts file: locate it first, either by browsing to
> the directory (as shown above) or by hitting "Start - Search - select
> all files and folders - type in 'hosts' (without the quotation marks)
> and hit search. When the file is found, click with your right mouse
> button on the file and select 'Open With...' This will bring up a
> list of programs to edit the file with. Select Notepad from that list
> and click OK. - Remove all lines from the file and type in: 127.0.0.1
> localhost. Now close the file and save your changes. For Windows
> 95/98/Millennium machines: Locate the file hosts in your C:\Windows
> directory. Just delete it or edit it with a text editor like notepad
> and make sure there is only one line there: 127.0.0.1 localhost
> For Windows 2000 machines: Locate the file hosts in your
> C:\Winnt\System32\Drivers\Etc directory. Just delete it or edit it
> with a text editor like notepad and make sure there is only one line
> there: 127.0.0.1 localhost
> For Windows XP machines: Locate the file hosts in your
> C:\Windows\System32\Drivers\Etc directory. Just delete it or edit it
> with a text editor like notepad and make sure there is only one line
> there: 127.0.0.1 localhost [[[I have a few of what look to be host
> files in the Etc folder, one called "hosts" and the other
> "lmhost", but it appears the "hosts" is the one they mean us to edit
> with notepad]]]
>
> I hope you are still checking this page..!!

Jerry

Just follow the directions. If you don't see anything with "svchost" in
that Run key in the registry, then go to the next step.

The svchost.exe is a legitimate XP file and should be in the \System32
folder. If there is a copy of this file in the C:\Windows folder, right
click the file and select Delete to remove it from there.

Boot into Safe Mode, according to those directions and delete the
Winlogon.exe file from the specified location.

Open the Hosts file (Not lmhosts) and select all of the text in that file
and press the DEL key. At the top of the page, type 127.0.0.1 localhost and
select File/Save and close the file.

This should get rid of this spyware. Next, download one or both of the
following programs and run them on a regular basis to keep this type of
spyware off of the system.

Spybot -- http://www.safer-networking.org/
AdAware -- http://www.lavasoftusa.com/




--
Ronnie Vernon
Microsoft MVP-Windows Shell/User

Please reply to the newsgroup so all may benefit.
http://www.dts-l.org
http://www.mvps.org
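
The two manual checks discussed in this thread (a hosts file that should hold only `127.0.0.1 localhost`, and copies of svchost.exe or winlogon.exe outside \System32) can be scripted. The following is an added example and not part of the original posts; the function names, the sample hosts text, the sample paths and the 192.0.2.10 documentation address are constructed assumptions, and the default `C:\Windows\System32` location is assumed.

```python
import ntpath

LOOPBACK = {"127.0.0.1", "::1"}
# File names mentioned in the thread; the genuine copies live in System32.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe"}


def audit_hosts(text):
    """Return (line_no, ip, hostname) for every entry other than loopback -> localhost."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(entry) < 2:
            continue  # blank, comment-only or malformed line
        ip, names = entry[0], entry[1:]
        for name in names:
            if ip in LOOPBACK and name.lower() == "localhost":
                continue
            findings.append((line_no, ip, name.lower()))
    return findings


def misplaced_system_binaries(paths, system32=r"C:\Windows\System32"):
    """Return paths named like a system binary whose folder is not System32."""
    flagged = []
    for path in paths:
        folder, name = ntpath.split(ntpath.normpath(path))
        if name.lower() in SYSTEM_BINARIES and folder.lower() != system32.lower():
            flagged.append(path)
    return flagged


# Constructed sample data, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.msn.com msn.com   # constructed redirect entry
192.0.2.10      windowsupdate.microsoft.com
"""
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe",
]

if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {name} -> {ip}")
    for path in misplaced_system_binaries(SAMPLE_PATHS):
        print(f"unexpected location: {path}")
```
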
