Here's a fix jacked straight from another forum:
Systems Affected:
AOL AIM client (does not affect Trillian, Miranda, etc.)
MS Internet Explorer 4.x, 5.x, 6.x
What you can do:
In order of preference:
1, format, reinstall, and apply a sensible security policy, such as not logging on as administrator
2, change your IE settings to not automatically download and install programs just because a web site tells it to
3, tell IE to ignore the buddylinks worm installer
Here's how you do each:
1, it's involved.
2, this is easy. You'll need to run a couple of commands. If you don't have Windows XP, you'll need reg.exe, free from lots of places:
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1001" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1004" /t REG_DWORD /d 1 /f
3, This is easy too. Just add its CLSID to the blacklist:
Code:
reg add "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4}" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f
If you're already infected, you need to unregister the file, then delete it. Run these commands:
Code:
regsvr32 /s /u "%SYSTEMROOT%\Downloaded Program Files\shellinstaller.ocx"
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Buddylinks" /t REG_SZ /d "cmd /c del /s %SYSTEMDRIVE%\shellinstaller.ocx"
All of this in one code block:
Code:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1001" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v "1004" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4}" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f
regsvr32 /s /u "%SYSTEMROOT%\Downloaded Program Files\shellinstaller.ocx"
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Buddylinks" /t REG_SZ /d "cmd /c del /s %SYSTEMDRIVE%\shellinstaller.ocx"
To run these, copy them to the clipboard and paste them into a command prompt window (start/programs/accessories/command prompt).
To see if you're infected, do "dir /s %SYSTEMDRIVE%\shellinstaller.ocx". If anything comes up, you have it.
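A read-only audit of the settings the post applies, given here as an added example that is not part of the original post. It assumes PowerShell 3.0 or later; the variable and function names are illustrative, and the registry paths, CLSID and file name are the ones from the post.

```powershell
# Added example: reports on the post's settings and changes nothing.
$clsid   = '{FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4}'   # CLSID from the post
$compat  = "HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$zoneKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$killBit = 0x400                                      # 1024, the value the post writes
$policy  = @{ 0 = 'enable'; 1 = 'prompt'; 3 = 'disable' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $item.$Name
}

$report = @()

# Zone 3 (Internet): 1001 = download signed ActiveX, 1004 = download unsigned ActiveX.
# The post writes HKLM; IE normally reads per-user zone values from HKCU unless the
# Security_HKLM_only policy is set, so both hives are reported.
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($action in '1001', '1004') {
        $v = Get-RegValue "${hive}:\$zoneKey" $action
        if ($null -eq $v) { $state = 'not set' }
        elseif ($policy.ContainsKey([int]$v)) { $state = $policy[[int]$v] }
        else { $state = "unknown ($v)" }
        $ok = ($null -ne $v) -and ($v -ne 0)          # anything but "enable"
        $report += [pscustomobject]@{ Check = "$hive zone 3 action $action"; State = $state; OK = $ok }
    }
}

# Kill bit: test the 0x400 flag rather than equality, other flags may be set too.
$flags = Get-RegValue $compat 'Compatibility Flags'
if ($null -eq $flags) { $state = 'not set' } else { $state = '0x{0:X}' -f $flags }
$ok = ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
$report += [pscustomobject]@{ Check = "Kill bit for $clsid"; State = $state; OK = $ok }

# Same search as the post's "dir /s": any copy of the file on the system drive.
$hits = @(Get-ChildItem -Path "$env:SystemDrive\" -Filter 'shellinstaller.ocx' -Recurse -Force -ErrorAction SilentlyContinue)
$report += [pscustomobject]@{ Check = 'shellinstaller.ocx on system drive'; State = "$($hits.Count) found"; OK = ($hits.Count -eq 0) }

$report | Format-Table -AutoSize
$hits | ForEach-Object { $_.FullName }
```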