We have received mails from many readers whose computers got infected by the W32.USBWorm, which blocks sites like YouTube and Orkut on their system.
For those who have Firefox installed, the worm prevents it from running and displays a dialog box with the message “I DNT HATE MOZILLA BUT USE IE OR ELSE”. In Internet Explorer, when the user tries to open Orkut it says “ORKUT IS BANNED, Orkut is banned you fool” and “The administrators didn’t write this program guess who did??”.
When YouTube is opened in Internet Explorer it displays “youtube IS BANNED,youtube is banned you fool” and “The administrators didn’t write this program guess who did??`r`r MUHAHAHA!!,30”.
What does W32.USBWorm do?
- Runs a process named svchost.exe in the background under the account you are logged in with. Genuine svchost.exe instances run from C:\Windows\System32 as SYSTEM, LOCAL SERVICE or NETWORK SERVICE, never as your own user, which is how you tell the worm’s copy apart.
- Automatically copies itself to USB drives and other portable devices.
- Transfers itself from those devices to any computer they are plugged into.
- Disables the “Show hidden files and folders” option in Folder Options; we have already posted on how to re-enable it.
Let’s see where this worm comes from and how to remove it.
As its name suggests, this worm normally spreads through USB drives and portable devices such as iPods.
W32.USBWorm runs an executable named svchost.exe, and all of its files are placed inside a hidden folder at C:\heap41a. The name is chosen to look like the genuine Windows svchost.exe, so check the path and the owning account, not just the process name.
Few anti-virus products detect this worm, although some (AVG, NOD32 and Avast) block parts of its activity.
It spreads by creating an autorun.inf file in the root directory of USB devices; the open= line in that file names the executable Windows launches when the device is plugged in. Be careful to delete any autorun.inf on your USB devices that you did not put there yourself.
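To check a machine for the indicators described above without changing anything, here is an added PowerShell example (it is not part of the original post). The process-owner, C:\heap41a, WinLogon registry and autorun.inf checks map directly onto the behaviours listed; the Explorer Advanced\Hidden value it reads is the standard location of the “Show hidden files and folders” setting, which the post itself does not name.

```powershell
# Added example, not from the original post: a read-only check for the
# W32.USBWorm indicators. Run in an elevated PowerShell prompt; it changes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# 1. svchost.exe running as the logged-in user or from outside System32.
#    Genuine instances live in C:\Windows\System32 and run as SYSTEM,
#    LOCAL SERVICE or NETWORK SERVICE, never as the interactive user.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = "$($owner.Domain)\$($owner.User)"
    $path  = $p.ExecutablePath
    if ($user -eq $me -or ($path -and $path -notlike "$env:SystemRoot\System32\*")) {
        $findings.Add("svchost.exe PID $($p.ProcessId) owner=$user path=$path")
    }
}

# 2. The hidden drop folder named in the post.
if (Test-Path 'C:\heap41a') {
    $names = (Get-ChildItem 'C:\heap41a' -Force | Select-Object -ExpandProperty Name) -join ', '
    $findings.Add("C:\heap41a exists, contents: $names")
}

# 3. The persistence value under the policy Run key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
if (Test-Path $runKey) {
    $v = (Get-ItemProperty $runKey).WinLogon
    if ($v) { $findings.Add("policies\Explorer\Run\WinLogon = $v") }
}

# 4. "Show hidden files and folders" turned off (Explorer stores 1 = show, 2 = hide).
#    Assumption: this is the standard Explorer setting location, not named in the post.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-ItemProperty $adv).Hidden -ne 1) { $findings.Add('Hidden files are not being shown') }

# 5. autorun.inf on removable drives (Win32_LogicalDisk DriveType 2) and what it launches.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $launch = Get-Content $inf -Force |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        $findings.Add("$inf present: $($launch -join ' | ')")
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32.USBWorm indicators found.' }
```

A svchost.exe owned by your own account, or running from anywhere but System32, is the finding that matters; the other checks confirm it. The script only reports, so it is safe to run on a machine you merely suspect.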
How to remove it completely?
1. Press Ctrl+Shift+Esc to open Task Manager.
2. In the Processes tab, locate the svchost.exe whose User Name column shows your own login name; leave the instances owned by SYSTEM, LOCAL SERVICE and NETWORK SERVICE alone, as those are genuine Windows processes. See the image below for reference.
3. Right-click the process and select End Process Tree.
4. Now open the folder containing the worm’s files: press Windows Key + R and type “C:\heap41a” (without quotes).
5. Delete every file inside that folder, then delete the folder itself.
After removing the files you need to repair the registry entry the worm created so that it does not start again at the next logon.
Repair the registry by following the steps below:
1. Open Start >> Run (or press Windows Key + R).
2. Type “regedit” and press Enter.
3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and delete the value named WinLogon. Its data should point into C:\heap41a; if it points somewhere else, note the path and check that location too.
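The removal and registry-repair steps above, collected into one added PowerShell script (this is not the original post’s code). It uses the locations the post gives (C:\heap41a and the WinLogon value under policies\Explorer\Run), cleans the autorun.inf the worm plants on removable drives, and re-enables hidden-file display through Explorer’s Advanced\Hidden value, which the post does not name.

```powershell
# Added example, not from the original post: the removal steps as one script.
# Run in an elevated PowerShell prompt and read its output before trusting the result.
$dropDir = 'C:\heap41a'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'

# Steps 1-3: end only the worm's svchost.exe, i.e. instances running from the drop
# folder or under the logged-in user. The System32 copies owned by SYSTEM,
# LOCAL SERVICE and NETWORK SERVICE are Windows itself and must be left alone.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = "$($owner.Domain)\$($owner.User)"
    if ($user -eq $me -or $p.ExecutablePath -like "$dropDir\*") {
        Write-Output "Stopping PID $($p.ProcessId) ($user, $($p.ExecutablePath))"
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
    }
}

# Steps 4-5: delete the hidden drop folder; -Force also removes hidden/read-only files.
if (Test-Path $dropDir) {
    Remove-Item $dropDir -Recurse -Force
    Write-Output "Removed $dropDir"
}

# Registry repair: remove the WinLogon value from the policies\Explorer\Run key.
if (Test-Path $runKey) {
    $props = Get-ItemProperty $runKey
    if ($props.PSObject.Properties.Name -contains 'WinLogon') {
        Write-Output "Removing WinLogon = $($props.WinLogon)"
        Remove-ItemProperty -Path $runKey -Name 'WinLogon'
    }
}

# Removable drives: remove the autorun.inf and, when its open= line launches an
# svchost.exe (the name the worm uses), that copy too. Any other target is only
# reported, so a legitimate vendor autorun target is not deleted blindly.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $d.DeviceID 'autorun.inf'
    if (-not (Test-Path $inf)) { continue }
    foreach ($line in Get-Content $inf -Force) {
        if ($line -match '^\s*open\s*=\s*(.+?)\s*$') {
            $target = Join-Path $d.DeviceID $Matches[1]
            if ((Split-Path $target -Leaf) -ieq 'svchost.exe' -and (Test-Path $target)) {
                Remove-Item $target -Force
                Write-Output "Removed $target"
            } else {
                Write-Output "$inf launches $target, inspect it by hand"
            }
        }
    }
    Remove-Item $inf -Force
    Write-Output "Removed $inf"
}

# Re-enable "Show hidden files and folders" for the current user (1 = show, 2 = hide).
# Assumption: this is the standard Explorer setting location, not named in the post.
Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name Hidden -Value 1 -Type DWord
Write-Output 'Done. Reboot and confirm no svchost.exe runs under your account.'
```

Stop the process before deleting the folder, as the script does; Windows will not delete an executable that is still running. Plug in and clean every USB drive that touched the machine, otherwise the next insertion re-infects it.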
If everything went well you have successfully removed the worm from your system. Reboot, then confirm that no svchost.exe is running under your account and that C:\heap41a has not reappeared; if it has, a USB drive you reinserted is still infected.
TIP: To protect your drives from such attacks in future, you can also read our post on how to protect your computer from viruses on pen drives.