Many people are facing a common problem, where Orkut.com, YouTube.com and Firefox are blocked in their systems and they get following error with a scary laughing sound:
ORKUT IS BANNED
Orkut is banned you fool, The administrators didnt write this program guess who did??
MUHAHAHA!!
Following is a screenshot of the message:
So here I'm posting a detailed procedure to solve this problem.
It happens because of "Heap41a / win32.USBworm" which spreads through USB pen drives and removable storage devices. I'll tell you a simple method to remove the virus:
1. Open "Task Manager" and go to "Processes" tab.
2. Look for services with name "svchost.exe". There will be many services with the same name. Most of them will have "SYSTEM", "LOCAL SERVICE" OR "NETWORK SERVICE" as User Name but you have to look for "svchost.exe" service which has your currently logged in username as User Name.
3. You'll get approx. 2 services with the name "svchost.exe" which has your Windows username. End Task them by pressing <Delete> key or by selecting them and clicking on "End Process" button. It'll confirm the action, accept it.
4. Now open "regedit" from RUN and go to following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Policies\Explorer\Run
And look for a key in right-side pane with the name "Winlogon" which will have "heap41a\svchost.exe" in its value field. If you find this key, delete it.
5. Now go to following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\explorer\Advanced\Folder\Hidden\SHOWALL
And in right-side pane, change value of "CheckedValue" to 1
6. Now enable "Show Hidden Files/Folders" option in "Tools -> Folder Options" in My Computer.
7. Right-click on Start button and select "Open". Now open "Programs" folder, here you'll see a folder "Startup". Open it and if you get a hidden file there, delete it. If its not there, then close it.
8. At last open "My Computer" and open C: drive. Disable "Hide Protected System files" option in "Tools -> Folder Options". You'll see a folder "heap41a" in C: drive. Delete it.
That's it. After doing all this, restart your system and you'll get rid of the virus.
PS: Don't forget to format your pen drive or removable storage media which caused this virus infection because it would still contain the virus. If you don't want to format it, then delete following 2 files from pen drive:
microsoftpowerpoint.exe
autorun.inf
This article was posted by VG in following section: Troubleshooting, Windows 7, Windows Vista, Windows XP.
If you enjoyed this article, subscribe to our RSS feed or free newsletter to get all new articles directly in your Inbox. Also check out our popular articles and archive to read other interesting articles.
Manan
thanx for putting it up here now i wont have to search everytime a friend calls up
Arnab
Hey, one of my frnd had this prob too... But I's not affected by the worm so I was not able to know about it. Thanx for the tut. But one question was ur PC too affected by it? unless how u come to know about the soln?
VG
^^ bcoz I have fixed so many systems infected with the same virus. :P
krishna
when we type of youtube web site name
he creat a message youtube IS BANNED, orkut is banned you fool The administrators didnt write this program guess who did?? r r MUHAHAHA!!
karthik
thanks a lot..........i have the same problem........ i am doing the the method which u have specified as "manual method" for weeks......thanks for a permanant solution......
Pushpakarthi
Thanks
Prasad
Hi,
The solution is worked alot . Long back i'm not able to logon to Youtube & Orkut. & :!:
Now this helped me a lot and now i'm able to logon.
Thanks a lot,
Prasad
Teejay
thanks a lot dude...many of ma frnds were facin this prob....great work dude!
Entermediate
hi, Vishal,, tnx for d above info i finally gt rid of d worm but gt anther prob hir..can't open my drive D: it display " can't find script file "D:FS6519.dll.vbs", how cn i fix it..tnx a lot
VG
^^ Enable "Show Hidden files" option and disable "Hide Protected system files" option in "Folder Options" and then look for "Autorun.ini" file in D:\ drive. If you find it, delete it.