Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should
not have any open browsers when you are following the procedures below.
Go to
My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that
Search system folders,
Search hidden files and folders, and
Search subfolders are checked.
For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).
Download and install
Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the
Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the
Spybot DSO Exploit Fix and install it over the current Spybot installation.
Download
CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.
Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click
Kill process for each one if they are still listed (they shouldn't be - but double check it):
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.
WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngi neMain
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151076db280f73...ip/RdxIE601.cab
Do you know what the following program(s) are for? If not, fix it in HijackThis:
O1 - Hosts: 172.18.3.31 DL2500O DL2500O-1
O1 - Hosts: 172.18.4.31 DL2500O-2
O1 - Hosts: 172.18.3.32 DL2500P DL2500P-1
O1 - Hosts: 172.18.4.32 DL2500P-2
O1 - Hosts: 172.18.3.38 DL2500Q DL2500Q-1
O1 - Hosts: 172.18.4.38 DL2500Q-2
O1 - Hosts: 172.18.3.231 GDSCON1 GDSCON1-1
O1 - Hosts: 172.18.4.231 GDSCON1-2
O1 - Hosts: 172.18.3.232 GDSCON2 GDSCON2-1
O1 - Hosts: 172.18.4.232 GDSCON2-2
O1 - Hosts: 172.18.3.171 HRF3 N2B-GDS-PRT-A
O1 - Hosts: 172.18.1.50 GMS-PI-Server gms-pi-server-1 #GMS PI HOME NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.50 gms-pi-server-2 #Alt IP address for GMS PI Home Node (Virtual IP Address)
O1 - Hosts: 172.18.1.51 DL2550V DL2550V-1 AppGmsPiA AppGmsPiA-1 #AppGmsPiA
O1 - Hosts: 172.18.2.51 DL2550V-2 AppGmsPiA-2
O1 - Hosts: 172.18.1.52 DL2550W DL2550W-1 AppGmsPiB AppGmsPiB-1 #AppGmsPiB
O1 - Hosts: 172.18.2.52 DL2550W-2 AppGmsPiB-2
O1 - Hosts: 172.18.1.55 DL2550X DL2550X-1 AppGmsIpiA AppGmsIpiA-1 #AppGmsIpiA
O1 - Hosts: 172.18.2.55 DL2550X-2 AppGmsIpiA-2
O1 - Hosts: 172.18.1.56 DL25504U DL25504U-1 AppGmsIpiB AppGmsIpiB-1 #AppGmsIpiB
O1 - Hosts: 172.18.2.56 DL25504U-2 AppGmsIpiB-2
O1 - Hosts: 172.18.1.57 gms-pi-int gms-pi-int-1 #GMS PI Interface NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.57 gms-pi-int-2 #Alternate IP address for GMS Pi Interface Node (Virtual)
O1 - Hosts: 172.18.1.53 AppGmsApiA AppGmsApiA-1 DL25501A DL25501A-1 #DL25501A
O1 - Hosts: 172.18.2.53 AppGmsApiA-2 DL25501A-2
O1 - Hosts: 172.18.1.54 AppGmsApiB AppGmsApiB-1 DL25501B DL25501B-1 #DL25501B
O1 - Hosts: 172.18.2.54 AppGmsApiB-2 DL25501B-2
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O15 - Trusted Zone: http://www.wwforum.com
O15 - Trusted Zone: http://hrpr.papl.com
Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\PROGRAM FILES\AWS\ - only if you uninstalled WEATHERBUG
C:\PROGRA~1\WILDTA~1\
Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run
KRC HijackThis Analyzer in the same folder to get the
result.txt log. Just post the contents of the result.txt file in the forum.