[Update 10/12/04: If you are looking for info on the Funner worm that spreads on MSN Messenger, read this article or this page from Symantec. Funner sends itself to everyone on a user's contact list and may try to download content from www.78p.com. Links via Slashdot.]
[Update 6/21/04: A number of commenters are reporting a new version of an AIM virus that closes task manager before the process can be ended. If you have this problem, commenter Tony recommends a program called Security Task Manager that can be downloaded here. This program should allow you to find the files responsible (perhaps "netstatt.exe"), stop them from running, and then delete them. Jay Loden's AIMFix is also working for some people, but that site is facing heavy server traffic and is not always available. A mirror of the fix is up at ftp://metafero.elon.edu/AIMFix.exe.
Jay has also provided these manual removal instructions:
1) For manual removal of the virus files, you will need to first end the processes [Note: not all files will exist on all computers]:
“YahooMsngr.exe”, “NETSTATT.exe”, “YahooMsgr.exe”, “wintcp.exe”, “lansrv.exe”, “idctup20.exe”, “fpjlfrllddpnsi.exe”, “svcl.exe”, “exhhulashk.exe”, “OSNERAOUSGZDPV.exe”, “winampa.exe”, “Data”, “Debug”, “Slideshow.exe”, “Payload.exe”, “MSCVT.exe”, “service.exe”, “zzqh.exe”, “zzb.exe”, “snd332.exe”, “aim1.exe”, “lsas.exe”, “taskmanage.exe”, “winxp.exe”, “download_me.exe”, “windowsupdater.exe”, “wuaumqr.exe”, “winupdat.exe”, “blengine.exe”, “ChannelUp.exe”, “hpztsb05.exe”, “av.exe”, “b.exe”, “bbb.exe”, “wucaumqr.exe”, “winampa”, “xlroue.exe”, “A0L.exe”, “iexpl0re.exe”, “svehost.exe”, “bvjlxjs.exe”, “gxmryzf.exe”, or “aocyvou.exe” (there are more, but I didn’t have them all available at the time of posting) using DS Software’s Taskill utility available from
and open it to see a list of running programs. Choose the process and select “Kill”.
2) Now you will need to search through the hard drive for the files “YahooMsngr.exe”, “NETSTATT.exe”, “YahooMsgr.exe”, “wintcp.exe”, “lansrv.exe”, “idctup20.exe”, “fpjlfrllddpnsi.exe”, “svcl.exe”, “exhhulashk.exe”, “OSNERAOUSGZDPV.exe”, “winampa.exe”, “Data”, “Debug”, “Slideshow.exe”, “Payload.exe”, “MSCVT.exe”, “service.exe”, “zzqh.exe”, “zzb.exe”, “snd332.exe”, “aim1.exe”, “lsas.exe”, “taskmanage.exe”, “winxp.exe”, “download_me.exe”, “windowsupdater.exe”, “wuaumqr.exe”, “winupdat.exe”, “blengine.exe”, “ChannelUp.exe”, “hpztsb05.exe”, “av.exe”, “b.exe”, “bbb.exe”, “wucaumqr.exe”, “winampa”, “xlroue.exe”, “A0L.exe”, “iexpl0re.exe”, “svehost.exe”, “bvjlxjs.exe”, “gxmryzf.exe”, or “aocyvou.exe”. These files would be hidden, and will require you to enable viewing of hidden files and folders.
To do this, click on the Tools menu in Explorer, then click Folder Options, and go to the View tab. (If you are on 98, this will be in the View menu.) Now check the box next to “show hidden files and folders” and uncheck the “Hide protected operating system files” box. Now choose “apply to all folders” and click apply.
The files are usually located in “C:”, “C:\Windows”, “C:\Winnt”, “C:\Windows\System”, “C:\Winnt\System”, “C:\Windows\System32”, “C:\Winnt\System32”, “C:\Program Files\PSD Tools”, “C:\Program Files\PSDTools” or “C:\Documents and Settings\yourusername\Application Data”, though it varies from computer to computer.
3) Delete any of the files if they exist.
4) Please don’t forget to take the link out of your profile]
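A read-only sweep for steps 2 and 3 above, as an added example (not Jay Loden's code or part of the original post): it checks the directories named in the instructions for the listed file names and returns the matches for review. The function name `find_listed_files` and the choice to look only in those directories, without recursing, are assumptions.

```python
import os
import stat

# File names copied from the removal instructions above.
LISTED_NAMES = """
YahooMsngr.exe NETSTATT.exe YahooMsgr.exe wintcp.exe lansrv.exe idctup20.exe
fpjlfrllddpnsi.exe svcl.exe exhhulashk.exe OSNERAOUSGZDPV.exe winampa.exe Data Debug
Slideshow.exe Payload.exe MSCVT.exe service.exe zzqh.exe zzb.exe snd332.exe aim1.exe
lsas.exe taskmanage.exe winxp.exe download_me.exe windowsupdater.exe wuaumqr.exe
winupdat.exe blengine.exe ChannelUp.exe hpztsb05.exe av.exe b.exe bbb.exe wucaumqr.exe
winampa xlroue.exe A0L.exe iexpl0re.exe svehost.exe bvjlxjs.exe gxmryzf.exe aocyvou.exe
""".split()

# Directories the instructions name; "yourusername" is the page's own placeholder.
LISTED_DIRS = [
    "C:\\", r"C:\Windows", r"C:\Winnt", r"C:\Windows\System", r"C:\Winnt\System",
    r"C:\Windows\System32", r"C:\Winnt\System32", r"C:\Program Files\PSD Tools",
    r"C:\Program Files\PSDTools",
    r"C:\Documents and Settings\yourusername\Application Data",
]

def find_listed_files(dirs=LISTED_DIRS, names=LISTED_NAMES):
    """Return sorted (path, is_hidden) pairs for entries whose name is on the list.

    Nothing is ended or deleted. Names are compared case-insensitively because
    Windows file names are. os.scandir reads the directory itself, so hidden
    entries are found whatever Explorer's folder options are set to.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:  # directory absent or unreadable on this machine
            continue
        for e in entries:
            if e.name.lower() in wanted:
                # st_file_attributes exists only on Windows; treat as 0 elsewhere.
                attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
                hits.append((e.path, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return sorted(hits)

if __name__ == "__main__":
    for path, hidden in find_listed_files():
        print(("hidden  " if hidden else "visible ") + path)
```

A match is a candidate to inspect before deleting, since names such as “Data”, “Debug” or “service.exe” are generic.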
[Update 2/11/04: From a comment posted today: "I got the osama version yesterday, and I removed it without a problem... First of all, the processes run by this version are called "blengine" and "ChannelUp", so those are the ones to kill if you get this... Removing this virus is pretty much the same procedure that has been posted [below]."]
[Update 2/10/04: Traffic to this website doubled today, which can only mean one thing: there's a new AIM virus going around. This one has a link reading "check this out: http://www.wgutv.com/osama_capture.php?JVFD". I know nothing about this one, but once again J Loden has a fix for it on his site. I haven't tried it out since I don't have the virus, but you can do so here.]
[Update 1/13/04: J Loden is working on a fix for the new virus that puts "an0th3r pr0fil3 0wN3d By b1Ld0" into your profile. Go to his page here for removal instructions and, soon, an automated fix.]
[Update 12/21/03: Comment 35 links to a site with several AIM virus removal tools and it looks legit. So if you don't want to proceed with manual removal, check out Jay Loden's page.]
[Update 12/04/03: There is a new version of this spreading through a link reading something like "I can't believe I found %n's picture here hahaha." The new file name is probably av.exe or a.exe. Just follow the original directions for removing b.exe below or click here for more info.]
I don’t know if this is best classified as a virus or a worm, but whatever it is is spreading via Instant Messenger. The link was in my profile for a while, so my apologies if you got it from me. The link reads “Whoaaa….look at what I found, click here”. Don’t do that! It takes you to a page called talkstocks.net and immediately installs software you don’t want.
But if you did click the link, here are some things you can do to fix the problem. Now I’m no computer expert, so I’m not going to vouch for any of these methods. The one I tried worked for me, though.
I followed the directions in Reply 9 on this page. First, edit your AIM profile to delete the link. Then hit ctrl-alt-delete and end the task “b.exe” (may also be “bbb.exe”). Finally, find the same file on your computer (probably in a windows folder) and delete that. Reply 9 lists an additional step to take the file off of the list of start-up tasks, but on my computer that had apparently taken care of itself after I deleted the file. [Additional 11/20/03: some users may need to click "processes" after hitting ctrl-alt-delete.]
From what I can tell, this solves the problem of having the link reappearing on your AIM profile every time you sign on. However, there are many other files installed as well, including spyware. This page lists the files and directions for deleting them. I haven’t tried the directions yet. I’m going to wait and see if any easier fixes get developed in the next few days, and if they haven’t I’ll try them then.
Again, I’m not a computer expert and can’t vouch for these methods, but hopefully the information above will be helpful if you have this problem.