"Best Friends" AIM VIRUS REMOVAL
Please note that this virus changes extremely frequently. The process names listed below are NOT accurate for any of the new variants of the virus. The virus has used dozens of process names and it is simply impossible to keep them updated on this page. The website name also changes just as frequently. If AIMFix does not work for you, your best course of action is simply to contact me so that I can help you.
This virus not only interferes with AIM, but also prevents task manager, regedit, or msconfig from staying open. Removing the virus will resolve this also.
This virus also uses auto-away messages such as:
- PICS FROM APRIL FOOLS !!
- NEW PICS FROM THE BEACH http://jamesburg.org/photos.pif
- New PICS FROM THE BEACH http://chadwack.com/photos.pif
- PICS FROM VALENTINES DAY!! http://www.jamesburg.org/photos.pif
- PICS FROM THE BEACH www.allbeaches.net/pics/pictures.pif :-) !!!
- http://gravityteen.com/bestfriends.pif
- OMG LOOK http://www.emalia.net/bestfriends.scr ?!!!??!?
- "WTF LOOK http://www.charmedpo3.com/bestfriends.scr ?!!!??!?" and other links, often preceded by "WTF OMFG" or something like it.
- "i am seeing in me now the things you swore you saw yourself http://www.fals.net/vindicated ..."
- "LOOKhttp://www.angelfire.com/ar3/sunz/bestfriends.scr !?!?!"
- The virus originally appeared as www.cbcica.org/bestfriends.scr and shrek2.scr. I contacted the church that owns cbcica.org and let them know, and it was taken down. It then moved to: "OMFG! http://www.shadowedstories.org/bestfriend.scr !!" Which was also removed at my request. However, they have now taken to using angelfire accounts, which they can easily set up dozens of and simply move the virus constantly to avoid being shut down permanently.
If you see these, do NOT click the link. If you believe you are infected, you will need to follow the removal steps and use the REMOVAL TOOL I have created. The virus resets Internet Explorer to "HIGH" security settings, which prevents you from downloading anything from any site that is not a trusted site. Go to Tools, Internet Options, and the "Trusted Sites" item. Then add jayloden.com as a trusted site and you will be able to download AIMFix.
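The away messages listed above share one trait that can be checked automatically: the link points at a .pif or .scr file, both of which Windows runs as programs. The following is an added example, not part of the original page or of AIMFix, showing a filter that flags such links in message text; the function name, the extra extensions and the sample messages are assumptions made for illustration.

```python
import posixpath
import re

# .pif and .scr are the extensions used in the away messages listed above;
# the other entries are an added assumption, not taken from the page.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

# A link with or without a scheme, even when glued to the previous word
# ("LOOKhttp://..."). Group 1 is the host, group 2 the path (if any).
LINK_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s\"']*)?",
    re.IGNORECASE,
)


def suspicious_links(message):
    """Return links in an IM or away message whose path names a Windows executable."""
    hits = []
    for match in LINK_RE.finditer(message):
        path = match.group(2) or ""
        # Drop any query/fragment and punctuation typed right after the link.
        path = re.split(r"[?#]", path, maxsplit=1)[0].rstrip("!.,;:)")
        if posixpath.splitext(path.lower())[1] in EXECUTABLE_EXTS:
            hits.append(match.group(1).lower() + path)
    return hits


# Constructed sample messages modelled on the formats above; the example.*
# hosts are placeholders.
SAMPLES = [
    "PICS FROM THE BEACH www.example.net/pics/pictures.pif :-) !!!",
    "LOOKhttp://www.example.com/ar3/sunz/bestfriends.scr !?!?!",
    "OMFG! http://www.example.org/bestfriend.scr!!",
    "song lyric here http://www.example.org/vindicated ...",
    "brb, photos at http://example.org/album/beach.jpg",
]

if __name__ == "__main__":
    for text in SAMPLES:
        links = suspicious_links(text)
        print("BLOCK" if links else "ok   ", repr(text), links)
```

A link with no file extension, like the "vindicated" message above, passes this check, so the filter supplements the advice not to click rather than replacing it.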
TO REMOVE THE VIRUS:
1) You will need to first download the removal tool, which is provided HERE.
Please do NOT select "open" when you click the link, but save it to your hard drive, preferably to your desktop so that you can find it later.
2) Run the removal tool (you may wish to try this twice if it fails the first time)
3) If the removal tool fails, please boot into Safe Mode and try running the tool in safe mode. For instructions on booting into Safe Mode, click here.
4) For manual removal of the virus files, you will need to first end the process "YahooMsgr.exe" or "YahooMsg.exe", using DS Software's Taskill utility (click save, not Open, and save to your Desktop) and open it to see a list of running programs. Choose the process and select "Kill".
5) Now you will need to search through the hard drive for the files "YahooMsgr.exe" or "YahooMsg.exe". These files will be hidden, so you will need to enable viewing of hidden files and folders. Please note that these are only the ORIGINAL names of the virus file; it has changed over a hundred times since then. You just have to use some judgement. If you see an item claiming to be "SECUREANTIVIRUS.EXE" and you never installed any such thing, then that's probably it.
To unhide files, click on the Tools menu in Explorer, then click Folder Options, and go to the View tab. (if you are on 98 this will be in the View menu) Now check the box next to "show hidden files and folders" and uncheck the "Hide protected operating system files" box. Now choose "apply to all folders" and click apply.
The files are usually located in C:\Windows\System or C:\Windows\System32, though it varies from computer to computer.
6) Delete "YahooMsgr.exe" or "YahooMsg.exe" if they exist. Again, these are only example file names.
IMPORTANT: If you are seeing many other effects like excessive pop-ups, "adult links" and extra toolbars in your Internet Explorer, the virus has also installed other programs called spyware and adware. To remove them, download and run Spybot AND Ad-Aware, then update each and run a full system scan with each. For help using these programs, click Here.
LEGAL STUFF: I am not affiliated with the makers of this virus in any way, nor am I affiliated with any anti-virus company. I merely provide this as a service for those who have been infected. I take no responsibility for any damage done by the virus or by those incorrectly following these removal steps, or those using my removal tools.