Orkut Is Banned – Heap41a – win32.USBworm Removal

Chiranjib had a problem with his computer. He was getting the following message when opening Orkut:

ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!

OrkutBanned
On further research I found out that this is caused by a worm called win32.USBworm. It also blocks Firefox from accessing the internet. The following message comes when opening Firefox:

I Dnt Hate Mozilla But Use IE Or Else… with title as Use Internet Explorer U Dope.

FFDisabled
And it also blocks Youtube popping up the following message:

youtube IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r                                               MUHAHAHA!!

YoutubeBanned
Follow the steps below to remove this worm from the infected machine:

  1. Open Task Manager –> Processes –> Find svchost.exe under the user account (There will be others under network and system accounts. Don’t close them). There will be two svchost.exe under the user account. Kill both of them.
  2. Then go to Start –> Run –> regedit and find the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    Delete Winlogon key from the right hand pane.
  3. Enable your “Show hidden files and folders” which is explained in the following article:
    http://www.technize.com/2007/05/13/show-hidden-files-and-folders-not-working/
  4. After completing step 3, issue the following commands from the command prompt:
    Open command prompt and execute the following command:
    attrib -S -H -R C:\heap41a
    After executing the above command, execute the following command:
    rmdir /s /q C:\heap41a
    Replace C:\ with your system drive.
  5. If you are using a flash drive, remove microsoftpowerpoint.exe and autorun.inf from the drive.
  6. Go to your start menu –> All Programs –> Startup. Make sure there is no unnamed suspicious file in the startup folder.
  7. Turn off system restore and turn it on again.
  8. Restart your computer.

Hopefully this will remove the worm from the infected system. Please tell us your experiences about this. If you have any doubts, please ask me via comments below.

Posted

in

, ,

by

Sanix

Comments

8 responses to “Orkut Is Banned – Heap41a – win32.USBworm Removal”

  1. UTP

    WOW…so orkut and mozilla are definitely famous now…if worms and viruses have started attacking them….
    I think that is a good thing…Google deserves to get their software hacked as well…why only Internet Explorer and windows….heheh…

  2. Sanix

    UTP, thanks for the comment. It is interesting to note that the author disabled mozilla firefox because he couldn’t read the edit fields through autohotkeys. This little worm has been created in autohotkeys 🙂

  3. lipak ranjan

    type orkut.com ,if that mssg come then open the task manager and end task the orkut block mssg.then close task manager and open orkut again,it will open until u do not restart computer,after reststing the mssg will come again,then do the the same,any problem mail me

  4. rajesh

    cool think u will help more

  5. harish

    hi,
    a similar problem is peeving me a lot since many days.
    here i want to present my suffering from “THB VIRUS”
    2 months back, my system got attacked from “JAMMER WORM” which is sent from orkut. every time when i try to open mozilla, or orkut or you tube, a message is triggering saying that “orkut(youtube) is sending dangerous virus to ur system. please close the window to stop the virus being entering in ur computer”
    when i closed the window, then after, the hidden files option is disappearing and the icon of my C: drive is changing. the name of the drive also got changed to “$@thb&$”.
    in order to get rid of this, one of my friends suggested me COMBOFIX antivirus software. it ran succesfully and removed the worm. but after some days, it is attacking again and again.
    note: its not happening after each and every reboot.
    for some days the system is working fine. this worm is attacking even if i dont open orkut for that matter.
    i dont know how is it attacking the system and how is it re entering into the system.
    please try to resolve my problem.
    i want to attach the log report of the combofix antivirus that scanned my computer. but dont know how to do this. kindly help me out.
    -thanks,
    harish m v

  6. tayyab ali

    Hi!
    I tried doing that. But the problem still remains.
    I am able to change the status to “Show hidden files and folders” and apply the changes. But it doesn’t save it.
    So next time when I open Folder Option, its again “Do not show hidden files and folders”.tayyab ali

  7. bud glass vase

    Truly interesting posts.We enjoyed reading this. We want to examine much more on this topic..Thanks for sharing the pleasant info…

  8. Mini Bass Guitar

    This is my very first time i visit here. I found so numerous interesting stuff in your weblog especially its discussion. From the tons of comments on your content articles, I guess I’m not the only one having all the enjoyment right here! maintain up the great function.