problem wid firefox n orkut

Status
Not open for further replies.

vish786

"The Gentleman"
charangk said:
can someone please post(attach) the screenshot of registry entry of the following.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
screenshot of unaffected registry.

*images6.theimagehosting.com/first.43d.th.JPG
*images6.theimagehosting.com/second.31a.th.JPG
 

RCuber

The Mighty Unkel!!!
Staff member
Thanks vish for the screenshot. I cannot see an explorer entry in my system. can anyone please post the affected registry entry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run is enough for me. :)
 

vish786

"The Gentleman"
charangk said:
Thanks vish for the screenshot. I cannot see an explorer entry in my system. can anyone please post the affected registry entry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run is enough for me. :)

PS: Attached the zipped screenshot file for my reference will remove it later.
shot of affected registry.

*images6.theimagehosting.com/affected.th.JPG

just delete the run entry on the left side. the " run " entry is added by virus.
 

RCuber

The Mighty Unkel!!!
Staff member
^^^ thanks :) .. for those guys wondering why im asking this ... you must have guessed it .. im trying to write a fix for that.. only registry part is left :p .. but I wonder if I can finish it :(
 

bugsome

Broken In
Lol..just got it infected..Good work buddy..Hope u will use ur skills for better purposes...Can anybody give me the virus...i deleted it..now i want to play tricks on my friend..Can any body give it in a safe way..?
 

mind021

Broken In
hey thnx frnds..
even i now know 2 solve d problem..actually long time back i did it..
d soln i found was..
delete folder named C:\heap41a n all its content
 

Gigacore

Dreamweaver
@ fannedman thanks for creating it and solution to fix it :D

^ lol... is this powerful than u :D
 

mind021

Broken In
hey vish786 thnx man 4 giving d soln
i hadnt seen it earlier..
hope it wld work..
now i m free of it..
wld try it when i c next time in some1's system..
thnx bro
 

vish786

"The Gentleman"
thx to virus creator, i just gave a little more detail by giving shots.
anyways ur always welcome. ;)
 

mind021

Broken In
hey vish786..
how do u paste d screen shots here
help me out..
i hv problem wid a virus/bug here..
*www.thinkdigit.com/forum/showthread.php?t=67249

n i think without showing d screenshot its difficult 2 explain n understand
 

RCuber

The Mighty Unkel!!!
Staff member
I wanted to create a patch for this virus but could not complete it. Today I found a patch for this which was created by Sarath Lakshman.

Here is the screenshot
*img413.imageshack.us/img413/4733/orkutfixzl5.jpg

You can read more about this here

Direct Link for Removal Tool (ZIP)
 

mind021

Broken In
hey thnx charan...

hey guys..got another problem..
plz check out dis link n answer me dere..

*www.thinkdigit.com/forum/showthread.php?t=67249
 
wow, that virus was one hell of a thing. My school's CS instructor promised me some free marks if I block orkut. Any way of recreating this virus for other sites ?
 

thewhizgeek

Broken In
hey this works ! i got from a blog !!! should be of some use !!



Some guys here are really pissed off by a message that popped up each time they tried to access orkut, youtube or even myspace through their browsers. These guys started asking “if the Orkut is banned?” or “is Youtube banned?” and other such types of questions on forums, discussion boards, yahoo answers, etc. Now, is orkut really banned?
The pop-up message looks something like “Orkut is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!” or something like “Youtube is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!” Technically, this message is caused by a computer worm called W32.USBWorm (or a few variants of the same). This worm mostly spreads from one computer to another when you insert a USB drive, like a pen drive, a flash drive or even a cell phone memory card.
Now, how can you remove this worm?
This Orkut or Youtube worm generally places itself in a hidden folder named heap41a in your C drive (or your Windows drive). You can directly access this folder by typing C:\heap41a into your Run command box. You will see a variety of files, including Svchost, Script1, Reproduce, etc.
To remove the worm, select all these files (except one file named Svchost); and delete them (Shift + Del). Now go to your registry editor (Run > regedit) and Go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > Explorer > Run. On the right hand side, you should see winlogon key value set. Right click on it and delete it. (Note: In some computers, you may find the same at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run).
Now, restart your computer. Once you have restarted, go to Run and type C:\heap41a. You will see the svchost file. If you see any other files, select all and delete them. Remove it from the recycle bin as well (Ctrl + Del).
Now, open your browser and log on to www.orkut.com or www.youtube.com. Voila! you got it right!
Note: The same USB worm also causes a peculiar firefox problem. When you try to install a new version of firefox or when you try to open it up, you will get an error message something like “I DNT HATE MOZILLA BUT USE IE OR ELSE…“. This may be called a “Use Internet Explorer you dope” problem. So, you have just solved this problem as well. Enjoy.
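
A read-only check for the indicators named in the post above (the C:\heap41a folder, the two Run keys and the winlogon value), as an added PowerShell example that is not part of the quoted blog post or of the removal tool mentioned earlier in the thread. It only reports and deletes nothing; the function name Get-RunKeyFindings is made up for this example, and the script assumes the worm folder sits on the system drive.

```powershell
# Added example: audit only, nothing is changed or deleted.
# Assumption: the worm folder is <system drive>\heap41a, as the post describes.
$wormDir = Join-Path $env:SystemDrive 'heap41a'

# The two registry locations named in the thread.
$policyRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$plainRun  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunKeyFindings {
    # Hypothetical helper: returns Run-key values that match the thread's indicators.
    param([string[]]$KeyPaths, [string]$SuspectDir)
    foreach ($key in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $reasons = @()
            if ($name -ieq 'winlogon') { $reasons += 'value named winlogon' }
            if ($data.IndexOf($SuspectDir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $reasons += "data points into $SuspectDir"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key = $key; Name = $name; Data = $data
                    Reason = $reasons -join '; '
                }
            }
        }
    }
}

# 1. Folder check (-Force so hidden files are listed too).
if (Test-Path -LiteralPath $wormDir) {
    "Folder present: $wormDir"
    Get-ChildItem -LiteralPath $wormDir -Force |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
} else { "Folder not present: $wormDir" }

# 2. The policies Run key itself: the thread reports it as added by the worm,
#    but Group Policy can also create it, so review its values before acting.
if (Test-Path -LiteralPath $policyRun) { "Key exists: $policyRun" }

# 3. Values matching the indicators in either Run key.
$findings = @(Get-RunKeyFindings -KeyPaths $policyRun, $plainRun -SuspectDir $wormDir)
if ($findings.Count -gt 0) { $findings | Format-List }
else { 'No matching Run values found.' }
```

Run it from an elevated prompt before and after cleanup; a clean result is no folder, no winlogon value and no Run data pointing into the folder.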
 

mind021

Broken In
wow, that virus was one hell of a thing. My school's CS instructor promised me some free marks if I block orkut. Any way of recreating this virus for other sites ?


its not difficult friend...as thewhizgeek in his last post has given the blog...dere r certain text files in C:\heap41a folder. check in which file d script is written..i think its script.txt file...i dont remember now as i had done dis long back.
in that file u search for orkut.com n replace it with the site u want to block..like if u want to block google.com replace orkut.com with google.com
this is easiest so i told it
better copy n paste the whole function with replacing orkut.com with google.com....it would be similar to writing another function.

after this just restart your computer...google.com would also be blocked this time.
 

mind021

Broken In
hey friends
nowadays my computer is regularly being attacked by a new variant of this virus....it starts a process named wdfmgr.exe
also realplay.exe and realesched.exe are started with it.
though these two are harmless(actually they are our real one player and sound control respectively)

but with wdfmgr.exe sometimes cmd.exe gets started and certain code starts running...which i have not been able to read as it gets over too quickly
as far as i have analysed it...the code creates two files ntldr.exe and autorun.inf in each and every drive of the hard disk
still i am not sure about it
is anyone else too attacked by similar thing???
 

MenTaLLyMenTaL

Broken In
@fannedman

Hey thats a really great piece of handiwork!

I'm from Pune and I found this virus in my mom's pendrive AND in my college Internet Lab. After researching a bit, I found the files c:\heap41a and took it home for inspection. Later i found out it was all done using a simple, legal software autohotkey and winrar. Marvelling at the brainwork, I searched the net for heap41a and found your post and was totally surprised to find it right here on thinkdigit!! LOL i'm an instant fan of urs now.

And you don't deserve any punishment. It wasn't ur intention to spread this around the world like a virus, but only to prank some of hostelites. Its fun!
If u make something like this again, you might want to set a condition for reproducing the offspring based on a limiting Date.

Nice work. Reading this thread also gave me a lot of laughter and enjoyment.
 