"Copy-Paste" AIM VIRUS REMOVAL
I have been asked to point out that "Gabber Core" does not have any connection to the "copy-paste" virus, so rather than IM him about it, please use the removal tool provided below.
AIMFix will remove this virus but it MUST be run in Safe Mode to be effective.
TO MANUALLY REMOVE THE VIRUS:
1.) you will need to first download the removal
tool, which is provided HERE.
Please do NOT select "open" when you click the link, but save it to your hard drive, preferably to your desktop so that you can find it later.
2) Boot into Safe Mode and Run the removal tool (you may wish to try this twice, if it fails the first time)
3) If the removal tool fails, you will need to manually remove the virus file (if it exists) "win32byte.exe".
4) The first step is to go to the Start menu and click Run. If the Run option does not exist on your Start menu, press the Windows logo key and the R key to bring up the run box. Once you have the run box up, type into it: regedit and press ENTER.
5) Regedit, the Windows Registry Editor, should now be open. You will see "My Computer" listed in it followed with several headings like "HKEY_LOCAL_MACHINE". You will want to enter the key "HKEY_LOCAL_MACHINE", then go to the Software key. Now go to Microsoft, then Windows, then the CurrentVersion key. Finally, enter the Run key. Now, on the right panel, you should see one item labeled "msbootini". This is the key that makes the virus start with Windows.
Double-click on the msbootini key, and you will see a path, such as "C:\Windows\Fonts\tyerohlq.exe". This path and the process name it lists are random, so will be different for every computer.
6) The next step is to remove the file pointed at by the registry key (msbootini) that you just looked at. (Leave regedit open). The easiest way is to go to the folder it lists, such as C:\Windows\Fonts, and look for the file by hand. The file will most likely be hidden, so will require you to enable viewing of hidden files and folders in Windows.
To do this, click on the Tools menu in Explorer, then click Folder Options, and go to the View tab. (if you are on 98 this will be in the View menu) Now check the box next to "show hidden files and folders" and uncheck the "Hide protected operating system files" box. Now choose "apply to all folders" and click apply.
7) If the file exists, delete it. If you find the file "win32byt.exe" in C:\ or C:\Windows\System32 or C:\Windows\System, delete that also.
8) Now return to Regedit, and delete the entire msbootini key. Just right click on it and select delete. This will prevent the virus from starting with Windows logon.
9) The virus also changes your start page for Internet Explorer, as well as hijacking AIM. If you open Internet Explorer without fixing this first you WILL be reinfected. To prevent this, bring up the run box again, and type in www.google.com and press ENTER. This will open Internet Explorer at google, and you can click the link "make google my homepage" at the bottom to reset the start page.
10) Finally, don't forget to erase the aim profile created by the virus, and delete the away message created by the virus.
IMPORTANT: If you are seeing many other effects like excessive pop-ups, "adult links" and extra toolbars in your Internet Explorer, the virus has also installed other programs called spyware and adware. To remove them follow the spyware removal steps.
LEGAL STUFF: I am not affiliated with the makers of this virus in any way, nor am I affiliated with any anti-virus company. I merely provide this as a service for those who have been infected. I take no responsibility for any damage done by the virus or by those incorrectly following these removal steps, or those using my removal tools.
