Sun 30 Sep 2007
Orkut is banned you fool, The administrators didnt write the program guess who did? MUHAHAHA
Posted by Rahul under Orkut

I was pissed off when I saw this alert message repeatedly after I tried opening Orkut in my IE. Yes, there was a WORM attack on my laptop.

Later I came to know that this was caused by a worm that spreads through USB drive devices.
So, here is how I cleaned it up! (Definitely not on my own, but from Yahoo Answers and fellow bloggers. Herewith, I am giving a simplified, kinda mixed solution from several sites that worked well for me!)
- I, being provoked by my level-headed 3_years_IT_experience (yup!! Yesterday, September 6th 2007, I successfully stepped into the 4th year of my computer engineering career), intelligently(??!!) switched off the JavaScript alerts in my browser, thinking that it would be a temporary solution so that I could look for a permanent clean-up. But it did not work.
- My setup is Win XP with IE7. For users who have browsers without tabs, you will have to copy this solution out into a text editor before trying it, since the browser gets closed automatically after the alert message pops up. For people with IE7 / Mozilla / Netscape 8, the browser will ask whether to close them all or not if you have multiple tabs open. You may answer ‘no’ to keep the browser open. But the alert will still show up once in a while.
- Go to the Task Manager -> Processes -> sort them by ‘Image Name’ -> delete (end) all the ‘svchost.exe’ entries that have your user name under ‘User Name’. DO NOT delete the other ‘svchost.exe’ entries that have ‘SYSTEM’, ‘LOCAL SERVICE’ or ‘NETWORK SERVICE’ as the user name.
- Start -> Run -> C:\heap41a - this is a hidden folder. There will be some 8 visible files. Delete all the files in this folder.
- If you are not able to view/access this folder, then Start -> Run -> regedit. In the Registry Editor, browse to the entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, and if you have the “Checked all” key, reset it back to 1 from 2. Now you can change the setting in the folder options to view hidden files.
- Now delete the folder C:\heap41a and clear all the entries that say heap41a from the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run.
The worm should be gone by now. Autoplaying the USB drive caused this worm to get onto the computer reading it. Make sure to format the USB drive before using it again. The name of this worm is ‘w32.USBWorm’.
The worm shows its alert when we try to work with Mozilla or browse the Orkut and YouTube sites.
You can find a more elaborate explanation with code of the worm here - http://www.jeba.in/posts/w32usbworm-lets-remove-this-worm-manually/
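The Task Manager and Run-key checks from the steps above can also be done on saved command output. This is an added example, not code from the original post or the linked write-up: it reads the output of `tasklist /v /fo csv` and of `reg query` on the policies\Explorer\Run key, and reports svchost.exe rows owned by an ordinary user and Run values whose data points into heap41a. The sample output, the account LAPTOP\user1 and the value names are constructed.

```python
import csv
import io
import re

SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
MARKER = "heap41a"  # folder name given in the post
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_\w+)\s+(.*)$")

def user_svchosts(tasklist_csv):
    """(PID, user) for svchost.exe rows not owned by a service account."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv.strip())):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        account = row["User Name"].split("\\")[-1].upper()
        # tasklist prints N/A when it cannot read the owner; not a finding.
        if account not in SERVICE_ACCOUNTS and account != "N/A":
            hits.append((int(row["PID"]), row["User Name"]))
    return hits

def run_values_with_marker(reg_query_text):
    """Names of Run values whose data mentions the heap41a folder."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)  # key-name lines are not indented
        if m and MARKER in m.group(3).lower():
            hits.append(m.group(1))
    return hits

# Constructed sample output (host, user and value names are made up).
SAMPLE_TASKLIST = r'''
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","884","Console","0","4,512 K","Running","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","1020","Console","0","3,980 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"svchost.exe","2316","Console","0","2,104 K","Running","LAPTOP\user1","0:00:07","N/A"
"explorer.exe","1712","Console","0","18,240 K","Running","LAPTOP\user1","0:00:12","N/A"
'''
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    constructed_entry    REG_SZ    C:\heap41a\placeholder.exe
    Other Tool    REG_SZ    C:\Program Files\Tool\tool.exe
'''

if __name__ == "__main__":
    print("svchost.exe under a user account:", user_svchosts(SAMPLE_TASKLIST))
    print("Run values pointing into heap41a:", run_values_with_marker(SAMPLE_REG))
```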