For the heck of it

Monday, August 06, 2007

How I Kicked a Virus on its Butt, When it Said "I DNT HATE MOZILLA BUT USE IE OR ELSE..."

I got home from work yesterday and switched on my laptop. I wanted to check a few mails and so connected to the Internet. I double-clicked on the Firefox icon on my desktop to open my favourite web browser. Firefox opened for a second and then closed abruptly, displaying a message in my face, which said "I DNT HATE MOZILLA BUT USE IE OR ELSE...".

And it just had an OK button. I tried again, and the same thing happened twice, but this time with different messages - "Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!" and "YouTube is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!"

So this was a serious issue. I opened IE and immediately Googled out a solution to this problem. It turns out that this virus called w32.USBWorm, spreads through USB flash drives. I remember plugging my roommate's USB drive into my laptop, because he wanted me to copy some of its contents on my laptop. Apparently, he wasn't able to browse through the USB drive's contents simply because when he double-clicked on the USB drive in My Computer, nothing happened. I tried opening the USB drive on my laptop and the same thing happened.

My antivirus (AVG) was unable to detect the virus. I am told that most antiviruses don't detect it. So, you will need to manually remove the virus from your PC. The following steps will help you to remove w32.USBworm completely from your system. First you need to see all the running processes on your system, for that you need to press Alt+Ctrl+Del. This will launch 'Task Manager' then click on Process tab to see all the running processes. Then you need to manually search for 'svchost.exe' (you will find many but you need to carefully select the one which is having 'User Name' as your Windows login name).

After finding the process, right click on the process and click 'End Process Tree', and then click on OK. This will kill the running virus on your system. To remove the worm completely from your computer, you need to remove Registry keys written by the worm

Press "Window key" + "r" or go to Start-->Run, then type "regedit" (without quotes).

You need to navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\
Explorer\Advanced\ Folder\Hidden\SHOWALL, checkedvalue" And reset the “CheckedValue” key back to 1. This is to show all the hidden files.

Then navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\
policies\Explorer\Run " and delete the "winlogon" key. --- This will stop the worm installing at the start up.

Now you need to search for the worm which is located on your hard disk. For that you need to use the windows search and search for svchost.exe in your hard disk drives. Delete the file, which looks like the one below:

Also, once you are done, you might want to format the USB drive to reuse it. I for one, will always scan everything I plug into my laptop hereon, before opening them!

Labels: ,


  • thanks chris......finally i removed this nice n cool worm from my pc...
    good description.....

    if u can..just add a line to this solution that while searching "svchost.exe"/go to advanced options/click on 'search hidden files'tag.....because this file is hidden and one cannot find it will be helpful for many ppl....

    thanks again...../

    By Blogger vimal, at 9/22/2007 10:54 PM  

Post a Comment

<< Home