
Sunday, July 13, 2008

Orkut Is Banned - Heap41a - win32.USBworm Removal

One of my friends had a problem with his computer. He was getting the following message when opening Orkut:

ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!

[Screenshot: OrkutBanned]

On further research I found out that this is caused by a worm called win32.USBworm. It also blocks Firefox from accessing the internet. The following message appears when opening Firefox:

I Dnt Hate Mozilla But Use IE Or Else… with title as Use Internet Explorer U Dope.

[Screenshot: FFDisabled]

It also blocks YouTube, popping up the following message:

youtube IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!

[Screenshot: YoutubeBanned]

Follow the steps below to remove this worm from the infected machine:

  1. Open Task Manager –> Processes –> Find svchost.exe under the user account (There will be others under network and system accounts. Don’t close them). There will be two svchost.exe under the user account. Kill both of them.
  2. Then go to Start –> Run –> regedit and find the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Delete Winlogon key from the right hand pane.
  3. Enable your “Show hidden files and folders” which is explained in the following article:
    http://www.technize.com/2007/05/13/show-hidden-files-and-folders-not-working/
  4. After completing step 3, open a command prompt and execute the following command:
    attrib -S -H -R C:\heap41a
    After executing the above command, execute the following command:
    rmdir /s /q C:\heap41a
    Replace C:\ with your system drive.
  5. If you are using a flash drive, remove microsoftpowerpoint.exe and autorun.inf from the drive.
  6. Go to your start menu –> All Programs –> Startup. Make sure there is no unnamed suspicious file in the startup folder.
  7. Turn off system restore and turn it on again.
  8. Restart your computer.
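The steps above can be checked and carried out from one script. The following PowerShell script is an added example written for this post, not something the original author published: it audits a machine for the indicators the steps name (the Winlogon value under the policies\Explorer\Run key, svchost.exe processes running under a user account, the C:\heap41a folder, microsoftpowerpoint.exe and autorun.inf on removable drives, and files in the Startup folders) and, only when run with the -Clean switch, removes them in the same order as the steps. The function names and the -Clean switch are this example's own; the system drive is read from $env:SystemDrive rather than hard-coding C:\. Run it from an elevated PowerShell prompt.

```powershell
# Audit (and optionally remove) the Heap41a / win32.USBworm indicators described in the post.
# Added example, not the post's own code. Run elevated. Use -Clean to actually remove things.
param([switch]$Clean)

$wormDir  = Join-Path $env:SystemDrive 'heap41a'      # "Replace C:\ with your system drive"
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$runValue = 'Winlogon'                                # value the worm adds under that key

function Get-WormRunValue {
    # Step 2: the worm persists through a "Winlogon" value in the policies\Explorer\Run key.
    if (-not (Test-Path $runKey)) { return $null }
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $runValue)) { return $props.$runValue }
    return $null
}

function Get-UserSvchost {
    # Step 1: legitimate svchost.exe instances run as SYSTEM / NETWORK SERVICE / LOCAL SERVICE.
    # The post says the worm's copies run under the logged-on user's account, so list only those.
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId = $_.ProcessId
            Owner     = "$($owner.Domain)\$($owner.User)"
            Path      = $_.ExecutablePath
        }
    } | Where-Object { $_.Owner -notmatch '^NT AUTHORITY\\(SYSTEM|NETWORK SERVICE|LOCAL SERVICE)$' }
}

function Get-WormFilesOnRemovableDrives {
    # Step 5: the worm drops microsoftpowerpoint.exe and an autorun.inf on flash drives.
    # [IO.File]::Exists ignores the hidden/system attributes the worm sets on them.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        foreach ($name in 'microsoftpowerpoint.exe', 'autorun.inf') {
            $p = Join-Path ($_.DeviceID + '\') $name
            if ([System.IO.File]::Exists($p)) { $p }
        }
    }
}

function Get-StartupFolderItems {
    # Step 6: list everything in the per-user and all-users Startup folders for manual review.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -Force -File | Select-Object -ExpandProperty FullName
        }
    }
}

function Remove-Worm {
    # Same order as the post: kill the processes first so the files are not locked,
    # then the registry value, then the folder and the flash-drive droppings.
    Get-UserSvchost | ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
    if (Get-WormRunValue) { Remove-ItemProperty -Path $runKey -Name $runValue -Force }
    if (Test-Path -LiteralPath $wormDir) {
        # Equivalent of "attrib -S -H -R C:\heap41a" followed by "rmdir /s /q C:\heap41a".
        & attrib.exe -S -H -R $wormDir
        & attrib.exe -S -H -R (Join-Path $wormDir '*') /S /D
        Remove-Item -LiteralPath $wormDir -Recurse -Force
    }
    Get-WormFilesOnRemovableDrives | ForEach-Object { Remove-Item -LiteralPath $_ -Force }
}

# Report what was found; nothing is changed unless -Clean was given.
$runHit  = Get-WormRunValue
$procs   = @(Get-UserSvchost)
$usb     = @(Get-WormFilesOnRemovableDrives)
$startup = @(Get-StartupFolderItems)

Write-Host ("Run key value '{0}' : {1}" -f $runValue, $(if ($runHit) { $runHit } else { 'not present' }))
Write-Host ("Folder {0}        : {1}" -f $wormDir, $(if (Test-Path -LiteralPath $wormDir) { 'present' } else { 'not present' }))
Write-Host ("User-account svchost.exe : {0}" -f $procs.Count)
$procs | Format-Table -AutoSize | Out-String | Write-Host
Write-Host ("Flash-drive droppings    : {0}" -f $usb.Count)
$usb | ForEach-Object { Write-Host "  $_" }
Write-Host 'Startup folder contents (review these by hand, per step 6):'
$startup | ForEach-Object { Write-Host "  $_" }

if ($Clean) { Remove-Worm; Write-Host 'Cleanup done. Turn System Restore off and on, then restart (steps 7 and 8).' }
else        { Write-Host 'Dry run only. Re-run with -Clean to remove the items listed above.' }
```

Running it without -Clean only prints the findings, which is the sensible first pass: the svchost.exe owner check is the post's own heuristic, so look at the listed Path column before killing anything. Steps 7 and 8 (cycling System Restore and rebooting) are left to the operator, since the script cannot usefully verify them.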

Hopefully this will remove the worm from the infected system. Please tell us your experiences about this. If you have any doubts, please ask me via comments below.
