The following will step you through the removal of the RealPHX.com, BuddyPicture.net or TalkStock.net
First of all, there are two files that may be involved. RealPHX and BuddyPicture, at last check, use a file called av.exe, while TalkStock used b.exe.
First and foremost, stop the program's process. To do this, simultaneously press:
[ctrl][alt][delete]
Click on: Task Manager
Choose: Processes tab
Select, by clicking, b.exe or av.exe
Click on: End Process
If prompted, confirm your decision.
Close everything.
So, now that it's not running anymore, DON'T open the site that infected you again. Also, DON'T reboot until you've completed the following:
Click on: Start
Choose: Search
Choose: For Files or Folders
Choose to search ALL files and folders
Enter into "Filename": "b.exe" or "av.exe" (depending on which site infected you; include the quotes when searching)
Select Search
Hopefully it found something.
Click on the files that it found, then press [shift] & [delete] simultaneously to delete them.
Now they aren't on your computer anymore, but your computer still wants to run them every time it boots. So it's time to do the "tricky" registry editing.
Don't touch anything I don't tell you to.
Close all running programs.
Click on: Start
Click on: Run
Enter: Regedit.exe
You should now be greeted with a kind of tree-based browser. On the left there should be 5 or 6 folders that begin with HKEY_, and the right pane should be nearly empty, possibly with a "(Default)" entry.
Double click on HKEY_LOCAL_MACHINE
Double click on Software
Double click on Microsoft
Double click on Windows
Double click on CurrentVersion
Double click on Run
You are now going to look in the right hand box for anything with a value of "b.exe" or "av.exe".
In my cases, I have found that they are named "AntiVirus."
Click on the entry named AntiVirus (with value b.exe or av.exe) and press [delete]. Confirm your action if you are questioned.
Click on the minus signs in the left hand window pane to get back to your root level, where you have either 5 or 6 HKEY_ entries.
(Note: the following was not needed in my experiences with TalkStock and BuddyPicture. It's a good idea to check anyway. If it's not there, just keep on going.)
Double click on HKEY_CURRENT_USER
Double click on Software
Double click on Microsoft
Double click on Internet Explorer
Double click on Explorer Bars
Now you will have some folders with long gibberish names. Some may have a little [+] next to them, indicating more folders under them. These are what we are interested in here.
Click on the [+] next to one of these folders, and see if there is a folder called FilesNamedMRU.
Yes: Click on FilesNamedMRU and look at the entries in the right hand pane. If there is an entry (on the right side) named 000 with a value of b.exe (or av.exe), click on it and delete it. Then go to "No".
No: Go on to any other folders, looking for FilesNamedMRU.
Once you have deleted any entries named 000 linked to b.exe, you are ready to go on. Close the Registry Editor.
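As an added example (not part of this guide), here is a PowerShell script that audits the two registry locations walked through above for entries naming av.exe or b.exe and reports them before anything is deleted. The key paths and the two file names are the ones given in this guide; everything else (function names, the whole-token matching rule) is my own, and deletion is only previewed with -WhatIf.

```powershell
# Added example, not part of the original guide: audit the two registry locations the
# guide edits by hand for values naming av.exe or b.exe and report them. Read-only as
# written (Remove-ItemProperty runs with -WhatIf); reading HKLM needs an elevated shell.
$Suspects = @('av.exe', 'b.exe')   # file names the guide says the sites used
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # guide: entry named "AntiVirus"
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # same key for the current user
)
$BarsKey  = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars'

# True when the value names a suspect file as a whole token or path leaf,
# so a command line such as "web.exe" does not match "b.exe".
function Test-SuspectValue([string]$Value) {
    foreach ($s in $Suspects) {
        if ($Value -match ('(^|[\\"\s])' + [regex]::Escape($s) + '("|\s|$)')) { return $true }
    }
    return $false
}

function Find-GuideAutoruns {
    $found = [System.Collections.Generic.List[object]]::new()
    # 1. Run keys: every value here is a command line started at logon.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if (Test-SuspectValue "$($p.Value)") {
                $found.Add([pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value })
            }
        }
    }
    # 2. Explorer Bars\{GUID}\FilesNamedMRU, value "000", as the guide describes.
    if (Test-Path -LiteralPath $BarsKey) {
        foreach ($bar in Get-ChildItem -LiteralPath $BarsKey) {
            $mru = "$($bar.PSPath)\FilesNamedMRU"
            if (-not (Test-Path -LiteralPath $mru)) { continue }
            $v = (Get-ItemProperty -LiteralPath $mru).'000'
            if ($null -ne $v -and (Test-SuspectValue "$v")) {
                $found.Add([pscustomobject]@{ Key = $mru; Name = '000'; Value = $v })
            }
        }
    }
    return $found
}

$findings = @(Find-GuideAutoruns)
$findings | Format-Table -AutoSize
# Deletion is previewed only; drop -WhatIf after reviewing the report.
foreach ($f in $findings) { Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name -WhatIf }
```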
If the "virus" changed your Internet Explorer home page, do the following:
Click on Start
Select Settings
Select Control Panel
In the Control Panel, select Internet Options
Make sure your Home Page is set to something you want it to be. (www.boogle.com is mine.)
Also, now would be a good time to change your AOL Instant Messenger profile to what you want it to be.
REBOOT!
This has now rid you of the problem. Now to eliminate the infection vector.
First, update! On most computers, you can click Start and then select Windows Update. The newest IE takes care of some problems, but, believe it or not, this is something Microsoft DESIGNED it to be able to do. Scary, eh?
This step is optional, and will take care of the problem.
Navigate through My Computer to C:\Windows\System32
Find MSHTA.EXE and rename it MSHTA.EXF
This is the Microsoft Hypertext Transport Application responsible for downloading and executing the code. Doing this MAY cause other problems, so remember how to undo it if for some reason IE doesn't behave properly.
All done. Enjoy.