Kartikey Sapra
The W32.USB worm, also known as Heap41a, periodically attempts to copy itself to removable drives and USB keys. The worm will attempt to create a hidden file Autorun.inf on the removable drive and copy itself to the removable drive as MicrosoftPowerPoint.exe. It will monitor internet browser activity and display the following messages:
  • “USE INTERNET EXPLORER YOU DOPE, I DNT HATE MOZILLA BUT USE IE OR ELSE…”
  • “Orkut is BANNED you fool, The adminstrators didn’t write this program guess who did??”
Removal Procedure:
1. Press CTRL+ALT+DEL to open Windows Task Manager and go to the Processes tab
2. Find the Image Name svchost.exe that is running under the current Username (Login Name)
3. Click End Process at bottom right of the Windows Task Manager to kill the running process. When prompted with a warning, press Yes
4. Repeat and find other svchost.exe processes in the same status. Do not end svchost.exe processes running as SYSTEM, Local Service or Network Service. They are processes necessary for running Windows.
5. Close Windows Task Manager when done
6. Open My Computer
7. In the address bar, type C:\heap41a and press Enter. This is a hidden folder and not visible by simply browsing.
8. Delete all the files including the folder
9. Go to Start > Run and type Regedit
10. Go to the Menu > Edit > Find
11. Search for “heap41a”. You will get a result similar to “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”
12. Select and delete the registry string. Click Yes if it prompts you to delete the registry entries.
13. Exit registry editor.
Cleaning the USB Drive
1. Before inserting the USB Drive, disable autorun to prevent the virus from infecting your computer again.
How to Disable Autorun for the USB Drive (Windows XP):
a. Open Windows Explorer or press the Windows + “e” key.
b. Right-click the drive of the USB Drive. Then select Properties. Drive Properties will appear.
c. Select the AutoPlay tab.
d. Choose Select an Action to Perform
e. At the bottom of the selection, click Take no Action, then click Apply.
f. Click OK to exit Drive Properties.
2. Insert USB Drive and scan with an updated AntiVirus Software
3. Look for autorun.inf and autorun.exe and delete them
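The check in step 3, as an added example (not part of the original post): a Python script that lists the file names this page mentions in a drive root and reports which programs the drive's autorun.inf would launch. The function names and the sample autorun.inf contents are constructed for illustration; the worm's real autorun.inf may differ.

```python
import os
import tempfile

# Keys in the [autorun] section that name a program Windows may launch.
LAUNCH_KEYS = ("open", "shellexecute")
# File names this page associates with the worm on removable drives.
PAGE_INDICATORS = {"autorun.inf", "autorun.exe", "microsoftpowerpoint.exe"}

def parse_autorun(text):
    """Return the commands an autorun.inf would launch (keys are case-insensitive)."""
    commands, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # Also catch context-menu verbs such as shell\open\command.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value)
    return commands

def scan_drive_root(root):
    """List indicator files in the drive root and what autorun.inf would start."""
    report = {"indicators": [], "launches": []}
    # os.listdir also returns files carrying the Hidden attribute on Windows.
    for name in sorted(os.listdir(root)):
        if name.lower() in PAGE_INDICATORS:
            report["indicators"].append(name)
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                report["launches"] = parse_autorun(fh.read())
    return report

def demo():
    """Build a constructed drive root in a temp directory and scan it."""
    sample = ("; constructed sample, not taken from a real infection\n[AutoRun]\n"
              "Open=MicrosoftPowerPoint.exe\nshell\\open\\Command=MicrosoftPowerPoint.exe\n"
              "icon=folder.ico\n")
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("Autorun.inf", sample), ("MicrosoftPowerPoint.exe", ""), ("notes.txt", "")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_drive_root(root)

if __name__ == "__main__":
    print(demo())
```

To check a real drive, call scan_drive_root with the drive's root path (for example "E:\\") after autorun has been disabled as in step 1.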
Restoring View of Hidden Files and Folders (Optional)
1. Go to Start > Regedit
2. Navigate to the following registry entry and modify the value
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value: DWORD “NoFolderOptions”, change from 1 to 0