Tuesday, August 07, 2007
HATE MOZILLA BUT USE IE OR ELSE…
Yesterday, my friend Shyam was having a very difficult time accessing Orkut and YouTube, and he asked me to help him. So I thought I should help him remove the infection from his PC (even though I was not so sure that I could manage it!). I went to his home along with Vishnu after finishing the horrible test in our tuition class.
Even though he had scanned his computer with AVG 7.5, it didn't show any infection. Hmm, strange.
I right-clicked and opened the USB drive and found there was no content. A custom Autoplay action appears only if an Autorun.inf file is present in the root of the drive, so an "empty" drive that still offers one is a giveaway that hidden files are not being shown.
He wanted to check his scraps, so he ran my beloved browser Firefox. It opened, and within a couple of seconds a message box popped up which said “I DNT HATE MOZILLA BUT USE IE OR ELSE…”, and the header read “USE INTERNET EXPLORER YOU DOPE.” I was like, what? It also terminated Firefox :-( . This is when I remembered the Autoplay option on the USB drive. I had to open Internet Explorer and Google this text, and found the worm's name is w32.USBWorm (it was now obvious). Shhhhhhhh... Nor could I find any information on how to remove it. I decided to try to remove this worm myself.
I tried opening Orkut, and bang, another surprise. This is the message it popped up: “ORKUT IS BANNED, Orkut is banned you fool, The administrators didnt write this program guess who did??” Now this was pissing me off. I had no other option but to remove this worm from his system. I pressed Ctrl+Alt+Del and found nothing suspicious there.
Let's see what this worm does
It runs an exe file named MicrosoftPowerpoint.exe, which is located on the USB disk. The autorun.inf launches this file when the drive is double-clicked. (Shyam, you don't need to do this unless you completely format your USB stick.) Once this program runs, you are infected. It stops Explorer from showing hidden files and folders, keeps its process running in memory, makes the worm start with Windows, and pops up those annoying messages. This worm doesn't destroy any system files; it just infects other USB drives and spreads to new hosts. (This information is from Google.)
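Before double-clicking an unknown stick, it helps to see what its autorun.inf would launch without actually launching it. The script below is an added example, not part of the original post and not the worm's own code; it assumes a Windows host with PowerShell 3 or later, and the drive letters and file names are whatever is actually plugged in. It reads the [autorun] section (open=, shellexecute= and shell\<verb>\command= entries), resolves each target to a file on the drive, and reports whether that file exists and carries the Hidden attribute, which is what makes a drive like Shyam's look empty.

```powershell
# Added example (not from the original post). Lists, without executing anything,
# what the autorun.inf on each removable drive would run.
# Assumes Windows with PowerShell 3+; drive letters/file names are whatever is inserted.

function Get-AutorunTarget {
    param([Parameter(Mandatory = $true)][string]$DriveRoot)   # e.g. 'E:\'

    $inf = Join-Path $DriveRoot 'autorun.inf'
    # -Force: the worm marks its files Hidden/System, which Get-Item otherwise skips
    $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $null }

    $info = [ordered]@{
        Drive         = $DriveRoot
        InfAttributes = $item.Attributes.ToString()
        Open          = $null      # [autorun] open=...         (double-click / AutoPlay)
        ShellExecute  = $null      # [autorun] shellexecute=...
        ShellCommands = @()        # shell\<verb>\command=...   (context-menu verbs)
        Targets       = @()
    }

    # Only the [autorun] section matters; ignore others such as [DeviceInstall].
    $inAutorun = $false
    foreach ($line in [System.IO.File]::ReadAllLines($inf)) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inAutorun -or $t -eq '' -or $t.StartsWith(';')) { continue }

        if     ($t -match '^open\s*=\s*(.+)$')                    { $info.Open = $Matches[1] }
        elseif ($t -match '^shellexecute\s*=\s*(.+)$')            { $info.ShellExecute = $Matches[1] }
        elseif ($t -match '^shell\\[^\\=]+\\command\s*=\s*(.+)$') { $info.ShellCommands += $Matches[1] }
    }

    # Resolve each launch command to a file on the drive and note whether it is hidden.
    foreach ($cmd in @($info.Open, $info.ShellExecute) + $info.ShellCommands) {
        if (-not $cmd) { continue }
        $exe    = ($cmd -split '\s+')[0].Trim('"')
        $f      = Get-Item -LiteralPath (Join-Path $DriveRoot $exe) -Force -ErrorAction SilentlyContinue
        $hidden = $false
        if ($f) { $hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden) }
        $info.Targets += [pscustomobject]@{ Command = $cmd; Exists = [bool]$f; Hidden = $hidden }
    }
    [pscustomobject]$info
}

# Walk every removable drive (Win32_LogicalDisk DriveType 2) and report.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    $r = Get-AutorunTarget -DriveRoot $root
    if (-not $r) { Write-Host "$root : no autorun.inf"; return }
    Write-Host "$root : autorun.inf ($($r.InfAttributes))"
    $r.Targets | Format-Table -AutoSize | Out-Host
}
```

A stick carrying this worm would show an autorun.inf with Hidden (and usually System) attributes and an open= target such as MicrosoftPowerpoint.exe that exists but is hidden. Nothing here executes the target; the script only reads the file and stats the path.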
It's time to KO the worm
I went through all the processes and found that svchost.exe was the one responsible. Task Manager helped me a lot here: one svchost.exe was running from the location C:\heap41a. The genuine svchost.exe runs from C:\Windows\System32, so an svchost.exe anywhere else is an impostor. So this is where the worm resides; deleting the folder should do the job. But it was not so easy: when I terminated this svchost.exe from the process list, it started again.
Now I searched for the folder C:\heap41a, but it was hidden.
I went to Tools > Folder Options, selected "Show hidden files and folders" and pressed OK. I refreshed C:\ only to find that it still wouldn't show any hidden folders. I went back to Tools > Folder Options and found the setting had been reset. So how do I see the contents? I went to Windows Search, chose "search hidden files and folders" in the advanced options, and gave svchost.exe as the search keyword. Bang, it found it. I opened the folder to find that this file was not alone; the other files in the folder were [offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt and std.txt.
These are the script lines responsible for the hidden-folder problem you faced earlier. They read the CheckedValue under the SHOWALL registry key and, whenever it is not already 2, write 2 back, which is why the "Show hidden files and folders" setting never sticks:
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2
To rectify this, go to Start Menu > Run and type regedit. In the Registry Editor browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and set the CheckedValue entry (a DWORD) back to 1 from 2. Now you can change the settings in Folder Options again. Next, end the worm's svchost.exe (the one running from C:\heap41a, not the genuine one in System32), because Windows will not let you delete a folder whose executable is still running. Then delete the folder C:\heap41a and clear the worm's start-with-Windows entries from the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
With that, the infection is removed. Before you are done, make sure you format the USB drive so it doesn't infect other systems too. (You had better do it from another system, but only one with Autoplay disabled, or inserting the stick will infect that one as well.)
All the best, Shyam. Until a removal tool is out for this worm, you can follow this method to remove w32.USBWorm. I hope you got it all...
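The whole clean-up above, as an added example that is not the post's own procedure and not a vendor tool. It is meant to be run from an elevated PowerShell prompt on the infected machine. The indicators come from the post (the folder C:\heap41a, an impostor svchost.exe inside it, SHOWALL\CheckedValue forced to 2); the Run/RunOnce keys it checks for the start-with-Windows entry are my assumption, since the post does not name the exact key, and the retry loop is there because the post reports the process respawning after a single kill.

```powershell
# Added example, not the post's own procedure. Run from an elevated PowerShell prompt.
# Indicators from the post: C:\heap41a, impostor svchost.exe, SHOWALL\CheckedValue = 2.
# ASSUMPTION: the worm's start-up entry lives in one of the standard Run/RunOnce keys.

$WormDir  = 'C:\heap41a'
$ShowAll  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Impostor test: the genuine svchost.exe lives in %SystemRoot%\System32. Anything else
# named svchost.exe is not Windows. Processes whose Path cannot be read are left alone.
function Get-ImpostorSvchost {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and -not $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase) }
}

# 1. Remove persistence first, so a killed process has nothing to bring it back at next logon.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # provider metadata, not registry values
        if ("$($p.Value)" -like '*heap41a*') {
            Write-Host "Removing $key\$($p.Name) = $($p.Value)"
            Remove-ItemProperty -Path $key -Name $p.Name
        }
    }
}

# 2. Kill the impostor and delete its folder. The post saw the process respawn after one
#    kill, so retry a few times instead of assuming a single Stop-Process is enough.
for ($i = 0; $i -lt 5 -and (Test-Path -LiteralPath $WormDir); $i++) {
    Get-ImpostorSvchost | ForEach-Object {
        Write-Host "Stopping PID $($_.Id) ($($_.Path))"
        Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Milliseconds 500
    # -Force overrides the Hidden/System/ReadOnly attributes the worm set on the folder.
    Remove-Item -LiteralPath $WormDir -Recurse -Force -ErrorAction SilentlyContinue
}
if (Test-Path -LiteralPath $WormDir) { Write-Warning "$WormDir still present; something still holds it open" }

# 3. Undo the registry tampering: CheckedValue back to 1 (its default; 2 means 'do not
#    show'), then switch this user's Explorer to show hidden files so the fix is visible.
Set-ItemProperty -Path $ShowAll  -Name CheckedValue -Value 1 -Type DWord
Set-ItemProperty -Path $Advanced -Name Hidden       -Value 1 -Type DWord
Get-ItemProperty -Path $ShowAll | Select-Object CheckedValue, UncheckedValue, DefaultValue

# 4. Verify: no svchost.exe should be running from outside System32 any more.
if (Get-ImpostorSvchost) { Write-Warning 'An svchost.exe outside System32 is still running' }
else { Write-Host 'No impostor svchost.exe running' }
```

The order matters: persistence goes first so a respawned process has nothing to restart from at the next logon, the folder cannot be removed while its svchost.exe is running, and the registry values are restored last so the hidden-folder check at the end is meaningful. The USB stick itself is still formatted by hand as the post says; this script only touches the PC.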
2 comments:
Well well well... This is a really cool post, man... You did a great job...
God Bless America
and God bless u... lolz
Cool post da... it really helped me...