Re: "we have been hacked"

From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 12/12/03 

Date: Fri, 12 Dec 2003 20:40:55 GMT

On Fri, 12 Dec 2003 10:53:50 -0800, "RLF" <reinyf@shaw.ca> wrote:

>Our web home page (tools<internet options<general<
>homepage)seems to be hijacked, or as the information on
>the page we are directed to suggests (see below) "we have
>been hacked".
>
>My question: is the info below legitimate? Can we or
>should we follow the instructions it provides to rid our
>computer of its current plague?

It's actually legit. I was suspicious that any hacked page would
redirect like that, but those are the correct instructions.

Jeff

>Note: The following is the info I cut from page we
>continually get directed to. If this doesn't provide the
>solution, what should we do? Pls help!
>
>COPIED INFO IS EXACTLY AS FOLLOWS:
>If you see this page your hosts file has been hacked.
>Please use the instruction below to clean your machine.
>
>You cannot reach the site you where trying to reach
>without following this procedure! - Please follow the
>steps provided in this document and make sure to download
>all patches for your computer from the Windows Update Site
>which can be found here:
>http://windowsupdate.microsoft.com
>
>1. Start regedit,
>find
>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
>\Run ,
>delete starting of svchost.exe file,
>reboot your computer,
>delete file svchost.exe in windows directory.
>
>2. Reboot windows and start in
>SAFE MODE (F8 key on keyboard before windows starting),
>delete file winlogon.exe in directory: C:\Documents and
>Settings\All Users\Start Menu\Programs\Startup
>
>3. Clear your 'hosts' file.
>How to edit your hosts file: locate it first, either by
>browsing to the directory (as shown above) or by
>hitting "Start - Search - select all files and folders -
>type in 'hosts' (without the quotation marks) and hit
>search. When the file is found, click with your right
>mouse button on the file and select 'Open With...' This
>will bring up a list of programs to edit the file with.
>Select Notepad from that list and click OK. - Remove all
>lines from the file and type in: 127.0.0.1 localhost. Now
>close the file and save your changes.
>For Windows 95/98/Millenium machines: Locate the file
>hosts in your C:\Windows directory. Just delete it or edit
>it with a text editor like notepad and make sure there is
>only one line there:
>127.0.0.1 localhost
>For Windows 2000 machines: Locate the file hosts in your
>C:\Winnt\System32\Drivers\Etc directory. Just delete it or
>edit it with a text editor like notepad and make sure
>there is only one line there:
>127.0.0.1 localhost
>For Windows XP machines: Locate the file hosts in your
>C:\Windows\System32\Drivers\Etc directory. Just delete it
>or edit it with a text editor like notepad and make sure
>there is only one line there:
>127.0.0.1 localhost