Discovered: June 21, 1999
Updated: February 13, 2007 12:54:52 PM
Also Known As: BuddyList Trojan, APStrojan.ob, Trojan.PSW.Noter, TROJ_BUDDY.D, AOL.Trojan.32512, AOL.PWSteal.32512
Type: Trojan Horse
The easiest way to remove this Trojan is to download the Fix Buddylist tool.
If the tool does not fix the problem, or if you do not currently have Internet access, you must remove it manually. There is more than one way to do this. In most cases it can be removed in Safe Mode. Please see Solution 1 for instructions on how to do this. If this does not resolve the problem, if you are not able to boot to Safe Mode after following the instructions, or if you prefer to work in MS-DOS mode, then follow the steps in Solution 2.
NOTE: The procedure described in this document will remove most variants of this Trojan. If, after following these instructions, NAV still detects files infected with AOL.Trojan.32512, but NAV cannot delete or quarantine the infected files when commanded to do so, see the document Cannot delete or quarantine files infected with Infostealer.Trojan after removing the Infostealer.Trojan or the AOL.Infostealer.32512 Trojan.
Solution 1
To remove this Trojan, most of the steps are performed in Safe Mode. Please follow the instructions in each section in the order they are presented.
Enable show all files
Follow these steps to make sure that Windows is set to show all files:
- Start Windows Explorer.
- Click the View menu, and click Options or Folder options.
- Click the View tab, and uncheck "Hide file extensions for known file types" if it is checked.
- Click "Show all files," and then click OK.
Restart the computer in MS-DOS mode
- Click Start, and click Shut Down.
- Click "Restart in MS-DOS mode," and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt may appear similar to the following:
C:\>
Delete files
At the command prompt, type the following commands, pressing Enter after each one:
NOTE: If you installed Windows in a location other than C:\Windows, then please substitute the correct path when typing the second line.
c:
cd \windows\system
attrib -s -h -r winsaver.exe
del winsaver.exe
Start Windows in Safe Mode
To start Windows in Safe Mode, type the following, and then press Enter:
win /d:m
NOTE: This will take longer than usual. The Windows desktop will look different, and you will see a message that Windows is running in Safe Mode. If this is not the case, skip to Solution 2.
Find and delete files
Follow these steps to locate and delete the files that were placed on your hard disk by the Trojan:
- Click Start, point to Find, and click Files or Folders.
- Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
- In the Named box, type (or copy and paste) the following file names:
command.exe buddylist.exe registryreminder.exe aimrem*.*
- Click Find Now.
CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.
- In the results pane, select each displayed file, press Delete, and then click Yes to confirm.
- Close the Find Files or Folders window.
- Right-click the Recycle Bin icon on your desktop, and click Empty Recycle Bin.
Edit system files
Please follow these steps to remove changes that were made to two Windows files:
- Click Start, and click Run.
- Type the following command, and then press Enter to open the System Configuration Editor.
sysedit
- Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.
CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:
; run=accounts.exe
- Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
- Position the cursor immediately to the right of the equal (=) sign.
- Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
- Repeat the previous two steps (position the cursor after the equal sign, then select and delete the text to its right) for the run= line, which is usually beneath the load= line.
- Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
- Click the title bar of the System.ini window, and locate the [boot] section; it is usually located near the top of the file.
- Within the [boot] section, look for the following line:
scrnsave.exe=c:\windows\system\winsaver.exe
- Position the cursor immediately to the right of the equal sign.
- Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
- Close the System.ini window, and click Yes when you are prompted whether to save the changes.
Remove an entry from the registry
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and then click OK. The Registry Editor opens.
- Navigate to and select the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Look for the following String value in the right pane:
Winprofile "C:\command.exe"
- If it exists, select it, press Delete, and then click Yes to confirm.
- Exit the Registry Editor.
Restart the computer
The Trojan is now removed from your system. Please shut down the computer, turn off the power, and wait 30 seconds before restarting.
CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.
For additional information on viruses, Trojans, and how to practice safe computing, please see the document What is a virus?
If you have tried Solution 1, and after restarting, you still experience the same problems, please go on to Solution 2.
Solution 2
To remove this Trojan, most of the steps are performed at the DOS command prompt. Please follow the instructions in each section in the order that they are presented.
Restart the computer in MS-DOS mode
- Click Start, and click Shut Down.
- Click "Restart in MS-DOS mode," and then click OK. Your computer will now restart in MS-DOS mode. You may see messages referring to your CD-ROM or sound card. After restarting, a command prompt appears. The command prompt will look similar to the following:
C:\>
Delete files
- At the command prompt, type the following commands, pressing Enter after each one:
NOTE: If you installed Windows in a location other than C:\Windows, please substitute the correct path when typing lines that refer to the \Windows folder.
cd \
attrib -h -s -r command.exe
del command.exe
cd \americ~1.0
attrib -h -s -r buddyl*.*
del buddyL~1.exe
cd \windows\system
attrib -h -s -r winsaver.exe
del winsaver.exe
attrib -h -s -r norton~1\*.*
deltree norton~1\*.*
cd \windows\startm~1\programs\startup
attrib -h -s -r aimrem*.*
del aimrem~1.exe
NOTE: If you see the message "File not found" when executing any of these commands, make sure that you have typed the command exactly as shown. Due to the number of variants of this Trojan, not all of these files will have been placed on the system by the Trojan. If you are sure that you have typed the command correctly, ignore the "File not found" error message and proceed to the next command.
- Type exit and then press Enter to restart Windows.
Edit system files
Follow these steps to remove changes that were made to two Windows files:
- Click Start, and click Run.
- Type the following command, and then press Enter to open the System Configuration Editor.
sysedit
- Close the Autoexec.bat and Config.sys windows in the System Configuration Editor.
CAUTION: The steps that follow instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. If you are sure that the text contained in these lines is for programs that you normally use, we suggest that you do not remove them. If you are not sure, but the text does not refer to the file names shown, you can prevent the lines from loading by placing a semicolon in front of the line (in the first character position), for example:
; run=accounts.exe
- Click the title bar of the Win.ini window, and then locate the load= line within the [windows] section; it is usually located near the top of the file.
- Position the cursor immediately to the right of the equal (=) sign.
- Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
- Repeat the previous two steps (position the cursor after the equal sign, then select and delete the text to its right) for the run= line, which is usually beneath the load= line.
- Close the Win.ini window, and click Yes when you are prompted whether to save the changes.
- Click the title bar of the System.ini window, and then locate the [boot] section; it is usually located near the top of the file.
- Within the [boot] section, look for the following line:
scrnsave.exe=c:\windows\system\winsaver.exe
- Position the cursor immediately to the right of the equal sign.
- Press Shift+End to select all of the text to the right of the equal sign, and then press Delete.
- Close the System.ini window, and click Yes when you are prompted whether to save the changes.
Remove an entry from the registry
CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.
- Click Start, and click Run. The Run dialog box appears.
- Type regedit and click OK. The Registry Editor opens.
- Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Look for the following String value in the right pane:
Winprofile "C:\command.exe"
- If it exists, select it, press Delete, and then click Yes to confirm.
- Exit the Registry editor.
The Trojan is now removed from your system. Restart the computer.
CAUTION: Because your password could have been compromised, we strongly recommend that you call AOL customer service and change the passwords for all AOL screen names used on this computer before you log back on.
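Added example, not part of this writeup: a small Python checker for the three startup locations that both Solution 1 and Solution 2 tell you to clean (the load= and run= lines of Win.ini, the scrnsave.exe= line of System.ini, and the Winprofile value under the Run key). The file names it looks for are the ones listed above; the INI text and Run values it reads are constructed samples, so it runs offline, and on a real system you would feed it the actual files and registry values.

```python
# Added example (not from the writeup): flag Windows 9x startup entries that load
# the BuddyList Trojan's files. File names and the "Winprofile" value are from the
# writeup; the sample INI text and Run values at the bottom are constructed.
TROJAN_FILES = {"winsaver.exe", "command.exe", "buddylist.exe", "registryreminder.exe"}
TROJAN_PREFIXES = ("aimrem",)  # covers the aimrem*.* pattern from the writeup

def parse_ini(text):
    """Minimal INI parser: {section: [(key, value), ...]}, order preserved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or commented-out line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def references_trojan(value):
    """True if any path or file name in the value matches the writeup's list."""
    for token in value.replace(",", " ").split():
        name = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in TROJAN_FILES or name.startswith(TROJAN_PREFIXES):
            return True
    return False

def find_indicators(win_ini, system_ini, run_values):
    """Return (location, key, value) for each startup entry that loads the Trojan.
    run_values: name -> data from HKLM\\...\\CurrentVersion\\Run, read by the caller."""
    hits = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("load", "run") and references_trojan(value):
            hits.append(("win.ini [windows]", key, value))
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "scrnsave.exe" and references_trojan(value):
            hits.append(("system.ini [boot]", key, value))
    for name, data in run_values.items():
        if references_trojan(data):
            hits.append(("HKLM\\...\\Run", name, data))
    return hits

# Constructed sample input: the legitimate run=accounts.exe line is left alone.
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\system\\winsaver.exe\nrun=accounts.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\nscrnsave.exe=c:\\windows\\system\\winsaver.exe\n"
SAMPLE_RUN = {"Winprofile": '"C:\\command.exe"', "ScanRegistry": "c:\\windows\\scanregw.exe /autorun"}

print(*find_indicators(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_RUN), sep="\n")
```

Each reported entry is one the writeup tells you to blank out to the right of the equal sign (or delete, for the Run value); a line you have commented out with a leading semicolon is skipped by the parser, matching the writeup's alternative.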
Writeup By: Motoaki Yamamura