w32.USB Worm
Saturday, 28. July 2007, 14:28:56
w32.USB Worm
It is spreading through Pen,USB,Thump disk thats why the name
It shows messages like
"I DNT HATE MOZILLA BUT USE IE OR ELSE..."
"USE INTERNET EXPLORER U DOPE"
"Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!" with title ORKUT IS BANNED
To Remove
1. Press CTRL+ALT+DEL and go to the processes tab
2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
3. Press DEL to kill these files. It will give you a warning, Press Yes
4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
5. Now open My Computer
6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
7. Delete all the files here
9. Now go to Start --> Run and type Regedit
10. Go to the menu Edit --> Find
11. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"
12. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes
13. Now close the registry editor.
Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.
Some reported that after this fix they were not able to see their Hidden folders and files if you have that issue try the folowing
1. Go to REGEDIT
2.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
3. set the DWORD "NoFolderOptions" to 0 or just delete it..
Try the following links also
1. http://www.freewebs.com/mgsujith/worm/remove.html
2. http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/
3. http://mgharish.blogspot.com/2007/05/i-dnt-hate-mozilla-orkut-is-banned.html
It is spreading through Pen,USB,Thump disk thats why the name
It shows messages like
"I DNT HATE MOZILLA BUT USE IE OR ELSE..."
"USE INTERNET EXPLORER U DOPE"
"Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!" with title ORKUT IS BANNED
To Remove
1. Press CTRL+ALT+DEL and go to the processes tab
2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
3. Press DEL to kill these files. It will give you a warning, Press Yes
4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
5. Now open My Computer
6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
7. Delete all the files here
9. Now go to Start --> Run and type Regedit
10. Go to the menu Edit --> Find
11. Type "heap41a" here and press enter. You will get something like this "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"
12. Select that and Press DEL. It will ask "Are you sure you wanna delete this value", click Yes
13. Now close the registry editor.
Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.
Some reported that after this fix they were not able to see their Hidden folders and files if you have that issue try the folowing
1. Go to REGEDIT
Am getting too many responses to this post that some are not able to open the registry entry
you can check the following link which is a link to remove W32 Sohana worm, that have a portion which describes how to open your registry entry.
The link is here
http://krishnan.co.in/blog/post/Remove-Yahoo-messenger-worm-W32Sohana-R.aspx
2.[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
3. set the DWORD "NoFolderOptions" to 0 or just delete it..
Try the following links also
1. http://www.freewebs.com/mgsujith/worm/remove.html
2. http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/
3. http://mgharish.blogspot.com/2007/05/i-dnt-hate-mozilla-orkut-is-banned.html
WIDGETIZE