To my DDS classmates, someone's thumb drive in our class is actually infected with a worm. To be exact, it's a W32/Forbot-J spyware worm, which allows others to access the computer; the worm itself steals information, reduces system security and installs itself in the Windows registry.
I've put up the solutions to remove it below for those who are affected. Hope it helps!
[Thanks to Cipson Thomas from Bangalore, India for the solution.. it worked mate!]
No need to format the USB pen drive: delete the autorun.inf file and any folder whose name ends with .exe on the pen drive.
Press Alt+Ctrl+Del --> you can see 'Task Manager' --> click on the Processes tab --> locate 'SVCHOST.EXE' (you will see many SVCHOST.EXE entries, but select the one whose 'User Name' is the same as your Windows login name) --> click the End Process button.
Now proceed with one of the following:
Way 1
Open Task Manager by holding Ctrl + Alt + Del and click on the Processes tab.
- Ignore the warning messages and end the svchost.exe process running under your own user name.
- Navigate to C:\Heap41a and delete the contents of the folder.
Way 2
Start Menu > Run > type regedit and press the Enter key.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Reset CheckedValue back to 1 from 2 (to do that, right-click CheckedValue > Modify > Value data, enter 1 and click OK).
Go to C:\heap41a and delete this folder. If there is a folder called test.exe on your desktop, delete that too.
-----------------------------------------------------------
Once you're done with the steps above, proceed with the next step below.
Moving on ...
The next step is to remove the worm completely from your computer. To do that you need to remove the registry keys written by the worm; this stops the worm from installing itself again at start-up.
1. Press "Windows key" + "r" or go to Start-->Run, then type "regedit" (without quotes).
2. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" and reset the "CheckedValue" key back to 1. This is to show all the hidden files.
3. Then navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" and delete the "winlogon" key.
These are a few screenshots on how to do it ..
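As an added example (not from the original post or from Cipson's instructions), here is a PowerShell script that checks for the indicators named above (the SHOWALL CheckedValue, the winlogon autostart value under policies\Explorer\Run, the C:\heap41a folder, and autorun.inf or .exe-named folders on removable drives) and, when run with -Fix, reverts them. It assumes the artefacts sit exactly where the post says; the svchost.exe step is still done in Task Manager as described.

```powershell
# Added example, not from the original post. Audits the indicators the post
# names and optionally reverts them. Run from an elevated PowerShell prompt.
# Assumption: paths/values are exactly those given in the post.
param([switch]$Fix)

$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$heapDir = 'C:\heap41a'
$findings = @()

# 1. CheckedValue should be 1 (show hidden files); the post says the worm sets it to 2.
if (Test-Path $showAll) {
    $cv = (Get-ItemProperty -Path $showAll -Name CheckedValue -ErrorAction SilentlyContinue).CheckedValue
    if ($cv -ne 1) {
        $findings += "SHOWALL CheckedValue is '$cv' (expected 1)"
        if ($Fix) { Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord }
    }
}

# 2. A 'winlogon' value under policies\Explorer\Run is the autostart the post removes.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -ne $run.winlogon) {
        $findings += "Autostart value policies\Explorer\Run\winlogon -> $($run.winlogon)"
        if ($Fix) { Remove-ItemProperty -Path $runKey -Name winlogon }
    }
}

# 3. The dropped folder on the system drive (-Force so hidden items are counted).
if (Test-Path $heapDir) {
    $count = (Get-ChildItem -Path $heapDir -Force | Measure-Object).Count
    $findings += "Folder $heapDir exists ($count items)"
    if ($Fix) { Remove-Item -Path $heapDir -Recurse -Force }
}

# 4. autorun.inf and folders named *.exe on every removable drive (DriveType 2).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path $inf) {
        $findings += "autorun.inf on removable drive $root"
        if ($Fix) { Remove-Item -Path $inf -Force }
    }
    Get-ChildItem -Path $root -Directory -Force -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Folder named like an executable: $($_.FullName)"
        if ($Fix) { Remove-Item -Path $_.FullName -Recurse -Force }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' } else { $findings }
```

Run it once without -Fix to see what it would touch, then again with -Fix to apply the same changes the manual steps make.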
SO IF YOU THINK THIS IS JUST A PURE WASTE OF TIME! [LIKE I DID], FIND THE PERSON WHO IS SPREADING THIS AND CONFISCATE THE THUMB DRIVE.