Discovered: December 19, 2000
Updated: August 24, 2005 12:00:00 AM
Type: Removal Information

This tool removes the Trojan horse known as AOL.Trojan.32512. This Trojan horse is also known as "BuddyList." The tool only works in Windows 95/98. Therefore, running it in Windows NT is not recommended. You can run it from a floppy disk or copy it to the hard disk and run it from there. Only one file, Fixbuddy.exe, is required. Execute the file to clean a system infected with BuddyList. You need not restart the computer after executing the tool. Scan the entire hard disk with Norton AntiVirus after running this tool to ensure that no other copies of this Trojan horse exist on the computer.

Fixbuddy.exe searches for the BuddyList Trojan horse in memory. All processes found that match BuddyList are terminated and their corresponding .exe files are deleted. Then, it deletes the copies of the Trojan saved in various locations on the hard disk. Next, it deletes the registry key that the Trojan added upon installation. Finally, it deletes the references to the Trojan from Win.ini and System.ini.

This tool will attempt to restore the system, as much as possible, to the state it was in before it became infected with BuddyList. Some slight differences may still remain following the use of this tool. The System.ini file will contain an entry for SCRNSAVE in the [boot] section. This field is added by the Trojan horse. The tool deletes the reference to the Trojan horse executable but leaves the actual SCRNSAVE field in the file. If you did not have this field previously, this field will remain in the file, but it will be empty. An empty field has no effect on the system.

This tool does not scan the entire hard disk for copies of BuddyList. It only deletes the files in the known folders into which the Trojan horse is copied upon infection. If copies of the Trojan horse exist in other folders, use Norton AntiVirus to scan the hard disk and delete the files. antivirus