# Malicious Script: Source: C:\WINDOWS\system32\-Embedding



## polarmoose (Jul 17, 2003)

Hi All,

Everytime I open my internet explorer I get a warning from Norton saying it has detected a malicous script in action. It gives me no details or clues as to where the script is, it just points to:

Malicious Script: Source: C:\WINDOWS\system32\-Embedding

I have done a search and can't find any "-Embedding" anywhere on my system. And Norton doesn't detect any viruses, just when I open IE. I've also noticed that now when I click on a link in Internet Explorer if the link was meant to open into a new window it won't, links that open in the same page are fine, but if it opens in a new window, it just freezes...

Please any help would be appreciated!


----------



## NiteHawk (Mar 9, 2003)

Go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the Scan button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. _IF you happen to be using a proxy server, please mention it in your post._ Most of what it finds is harmless, so do not do anything yet. Someone will be glad to help you sort out any of the baddies that may be in there.


----------



## polarmoose (Jul 17, 2003)

Here is a copy of what Hijack this gave:

(Oh and Internet Explorer is set to automatically detect proxy)

Logfile of HijackThis v1.97.2
Scan saved at 8:59:25 AM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3dsmax5\AfterFLICS.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\PROGRA~1\HEWLET~1\hpis\common\MOTIVE~1.EXE
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jeff.3AMDESIGN\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.com.ar
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.com.br
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.com.ar
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.com.br
O1 - Hosts: 64.191.95.139 google.ch
O1 - Hosts: 64.191.95.139 google.cl
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.gr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O1 - Hosts: 64.191.95.139 google.pl
O1 - Hosts: 64.191.95.139 google.com.ru
O1 - Hosts: 64.191.95.139 google.com.sg
O1 - Hosts: 64.191.95.139 google.co.th
O1 - Hosts: 64.191.95.139 google.com.tr
O1 - Hosts: 64.191.95.139 google.com.tw
O1 - Hosts: 64.191.95.139 www.hotbot.com
O1 - Hosts: 64.191.95.139 hotbot.com
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Jeff.3AMDESIGN\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab


----------



## NiteHawk (Mar 9, 2003)

Do you over clock your PC?


----------



## NiteHawk (Mar 9, 2003)

In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.
*
ALL O1 entries. They all point to the same place
*

*
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
*
IF you dont over clock you dont need this starting up all the time
* O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe (over clocking)
*
These can be started via icons or the program menu on an as need basis
*
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
*
Known resource hog.
*
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
*

Reboot into normal mode

Now download Spybot - Search & Destroy  (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks


----------



## polarmoose (Jul 17, 2003)

Thanks a bunch nitehawk... your help along with a technote from microsoft (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281679&sd=tech) Fixed the problem.

Your solutions helped me get rid of the cause, and microsft helped me fix the problem without a reinstall by re-registering my core ie .dll's and repairing them. Apparently it was a malicious script which attacks the window's hosts files (downloaded simply through a web page and a stupid windows vulnerability (even tho my updates were current) and changes the .dll core functions using the scripting commands GetSPecialFolder & CreateTextFile.

I'm not sure at which site the attack took place (I have two firewalls ) but it seems to point to the address 64.191.95.139 which is a referral search engine for the various search sites out there.

Anyways, thanks again for all the Help NiteHawk, much appreciated


----------



## NiteHawk (Mar 9, 2003)

Yes, basicly it hijacked most of the popular search engins and redirected them to 64.191.95.139.

As for where you picked it up, it could have been any number of places.


----------



## cecquilter (Sep 25, 2003)

Thank you, NiteHawk. I contacted my local techie after reading your instructions. He verified Spybot S&D and HJT are reliable, dependable programs. 

My techie also said the file I was told to change (hosts) could be deleted without harm. I'm about to test his theory.

Thanks for being out there for us.


----------



## KeithKman (Dec 29, 2002)

Re-scan HoJackThis and put a check by the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp
O1 - Hosts: 64.191.95.139 alltheweb.com
O1 - Hosts: 64.191.95.139 web.ask.com
O1 - Hosts: 64.191.95.139 ask.com
O1 - Hosts: 64.191.95.139 www.ask.com
O1 - Hosts: 64.191.95.139 www.teoma.com
O1 - Hosts: 64.191.95.139 search.aol.com
O1 - Hosts: 64.191.95.139 www.looksmart.com
O1 - Hosts: 64.191.95.139 search.msn.com
O1 - Hosts: 64.191.95.139 search.lycos.com
O1 - Hosts: 64.191.95.139 www.lycos.com
O1 - Hosts: 64.191.95.139 www.google.ca
O1 - Hosts: 64.191.95.139 google.ca
O1 - Hosts: 64.191.95.139 www.google.uk
O1 - Hosts: 64.191.95.139 www.google.co.uk
O1 - Hosts: 64.191.95.139 www.google.com.au
O1 - Hosts: 64.191.95.139 www.google.co.jp
O1 - Hosts: 64.191.95.139 www.google.jp
O1 - Hosts: 64.191.95.139 www.google.com.ar
O1 - Hosts: 64.191.95.139 www.google.at
O1 - Hosts: 64.191.95.139 www.google.be
O1 - Hosts: 64.191.95.139 www.google.com.br
O1 - Hosts: 64.191.95.139 www.google.ch
O1 - Hosts: 64.191.95.139 www.google.de
O1 - Hosts: 64.191.95.139 www.google.dk
O1 - Hosts: 64.191.95.139 www.google.fi
O1 - Hosts: 64.191.95.139 www.google.fr
O1 - Hosts: 64.191.95.139 www.google.com.gr
O1 - Hosts: 64.191.95.139 www.google.com.hk
O1 - Hosts: 64.191.95.139 www.google.ie
O1 - Hosts: 64.191.95.139 www.google.co.il
O1 - Hosts: 64.191.95.139 www.google.it
O1 - Hosts: 64.191.95.139 www.google.co.kr
O1 - Hosts: 64.191.95.139 www.google.com.mx
O1 - Hosts: 64.191.95.139 www.google.nl
O1 - Hosts: 64.191.95.139 www.google.co.nz
O1 - Hosts: 64.191.95.139 www.google.pl
O1 - Hosts: 64.191.95.139 www.google.pt
O1 - Hosts: 64.191.95.139 www.google.com.ru
O1 - Hosts: 64.191.95.139 www.google.com.sg
O1 - Hosts: 64.191.95.139 www.google.co.th
O1 - Hosts: 64.191.95.139 www.google.com.tr
O1 - Hosts: 64.191.95.139 www.google.com.tw
O1 - Hosts: 64.191.95.139 google.com.ar
O1 - Hosts: 64.191.95.139 google.at
O1 - Hosts: 64.191.95.139 google.be
O1 - Hosts: 64.191.95.139 google.com.br
O1 - Hosts: 64.191.95.139 google.ch
O1 - Hosts: 64.191.95.139 google.cl
O1 - Hosts: 64.191.95.139 google.de
O1 - Hosts: 64.191.95.139 google.dk
O1 - Hosts: 64.191.95.139 google.fi
O1 - Hosts: 64.191.95.139 google.fr
O1 - Hosts: 64.191.95.139 google.com.gr
O1 - Hosts: 64.191.95.139 google.com.hk
O1 - Hosts: 64.191.95.139 google.ie
O1 - Hosts: 64.191.95.139 google.co.il
O1 - Hosts: 64.191.95.139 google.it
O1 - Hosts: 64.191.95.139 google.co.kr
O1 - Hosts: 64.191.95.139 google.com.mx
O1 - Hosts: 64.191.95.139 google.nl
O1 - Hosts: 64.191.95.139 google.co.nz
O1 - Hosts: 64.191.95.139 google.pl
O1 - Hosts: 64.191.95.139 google.com.ru
O1 - Hosts: 64.191.95.139 google.com.sg
O1 - Hosts: 64.191.95.139 google.co.th
O1 - Hosts: 64.191.95.139 google.com.tr
O1 - Hosts: 64.191.95.139 google.com.tw
O1 - Hosts: 64.191.95.139 www.hotbot.com
O1 - Hosts: 64.191.95.139 hotbot.com
O1 - Hosts: 127.127.127.127 elite
O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 64.191.95.139 google.com
O1 - Hosts: 64.191.95.139 www.altavista.com
O1 - Hosts: 64.191.95.139 altavista.com
O1 - Hosts: 64.191.95.139 search.yahoo.com
O1 - Hosts: 64.191.95.139 uk.search.yahoo.com
O1 - Hosts: 64.191.95.139 ca.search.yahoo.com
O1 - Hosts: 64.191.95.139 jp.search.yahoo.com
O1 - Hosts: 64.191.95.139 au.search.yahoo.com
O1 - Hosts: 64.191.95.139 de.search.yahoo.com
O1 - Hosts: 64.191.95.139 search.yahoo.co.jp
O1 - Hosts: 64.191.95.139 www.lycos.de
O1 - Hosts: 64.191.95.139 www.lycos.ca
O1 - Hosts: 64.191.95.139 www.lycos.jp
O1 - Hosts: 64.191.95.139 www.lycos.co.jp

After you do so click "fix checked" and restart your computer.


----------



## KeithKman (Dec 29, 2002)

Then do:

Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.


----------

