# problem wid firefox n orkut



## mind021 (Jul 3, 2007)

heloo frnds..
i face a small problem..
actually whenever i try 2 open firefox 4 browsing it doesnt open..
i get a msg "I DO NOT HATE MOZILLA..BUT USE IE"
even when i try 2 open orkut in IE..it says
"U FOOL..ORKUT IS BLOCKED"
den another msg comes "DIS PROGRAM IS NOT WRITTEN BY ADMIN..GUESS WHO HAS DONE IT"

plz do help me finding me a soln

hey..isnt any1 here able 2 solve my problem??


----------



## Vishal Gupta (Jul 3, 2007)

ur system is infected by virus/spyware. Download HijackThis from *www.hijackthis.de/ and scan ur computer with it. Then post the contents of log file here.


----------



## spironox (Jul 3, 2007)

virus problem/ some script running by some program or say some files


----------



## mind021 (Jul 3, 2007)

Vishal Gupta said:
			
		

> ur system is infected by virus/spyware. Download HijackThis from *www.hijackthis.de/ and scan ur computer with it. Then post the contents of log file here.




hey i hv already found d way 2 rectify it...
u just tell me d way how 2 block a process(from ctrl+alt+del) using registry editing or by any other way
i already tried using msconfig in "run" but is nt coming dere



			
spironox said:
			
		

> virus problem/ some script running by some program or say some files




yaa..whenever i start d comp i find a process named as svchost.exe wid username as dat of which i login in windows is dere..
if i end dis process den orkut n firefox both function properly


----------



## shivendrashukla (Jul 3, 2007)

The virus must have blocked this also. Try it in safe mode.


----------



## mind021 (Jul 3, 2007)

shivendrashukla said:
			
		

> The virus must have blocked this also. Try it in safe mode.




well i think its a bug..n it not blocked anything else..other dan firefox n orkut..dose also work if i end d process name svchost.exe wid username as dat of login name
i dont know how 2 block d process without use of msconfig...4om where i m nt able 2
also i dont know how 2 do registry editing


----------



## Garbage (Jul 3, 2007)

mind021 said:
			
		

> i dont know how 2 block d process without use of msconfig...4om where i m nt able 2
> also i dont know how 2 do registry editing



For editing services without using msconfig -


> Go to Control Panel --> Administrative Tools --> Services


----------



## vrnoormd (Jul 5, 2007)

Please Show the Thread and solve your Problem

*www.thinkdigit.com/forum/showthread.php?t=55966


----------



## zyberboy (Jul 5, 2007)

one of my friend got infected with the same virus...i suspect the source of this virus is from india,this virus can only transfers through usb storage.Its runs two scripts in memory both named as svhost.exe.The interesting  part is some months ago not even a single antivrus was able to detect it . Yeah this virus is so simple but vry effective...and it also plays a sound file to  make u scare
Hope by this time  u may have rectified it, hav u? so i am not posting the method


----------



## spironox (Jul 5, 2007)

dear do one thing if u dont get the start up working well then use the msconfig 

start->run->msconfig .... services (tick the hide microsft services) and see if there is any alien stuff there .. other wise just head to start up and disable all unknown programs ...

press apply

it will ask for restart --well do it 

and see if the problem is still there or not (trial and error basis works well with Msconfig well so its time to tweak)


----------



## mind021 (Jul 10, 2007)

ax3 said:
			
		

> last option ........ da a CLEAN FORMAT of C drive ............
> 
> will definately solve ur problem ........ & henceforth bware of files u download from unknown sites or users .........



well...it didnt solve d problem


----------



## zyberboy (Jul 10, 2007)

^^hav u solved the problem??


----------



## RCuber (Jul 10, 2007)

*us.mcafee.com/virusInfo/default.asp?id=description&virus_k=142280

*www.sophos.com/virusinfo/analyses/w32ahkheapa.html


----------



## fannedman (Jul 11, 2007)

REALLY SORRY MAN, that was my handiwork  
DONT DO ANYTHING CRAZY LIKE FORMATTING YOUR DRIVE

I blocked mozilla coz i couldnt read the edit fields in it through autohotkey, so forced the user to use ie or opera only.

If its not detected by the antivirus
Run the task manager,in processes tab you'll see two processes svchost.exe running under your user name, end them. 
then go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
delete winlogon key

you better leave the status key, coz i made the virus first check this key, if present it'll not install

then go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
here set the checked value to 1

AND IF you are not administrator, the virus couldnt access the registry, so i created startup shortcuts in startmenu. you'll see an invisible icon in the startup menu of start menu, delete it

DO ALL THIS AFTER YOU END THE TWO PROCESSES otherwise they'll be RESTORED every 10 seconds

After all this go to folder options uncheck hide protected files
you'll see C:\heap41a folder, delete it and you'll see microsoftpowerpoint.exe in your pen drives along with autorun.inf , delete them

AND please tell me where you found this, bangalore right  
_ sorry for what i have caused, had no idea _


----------



## zyberboy (Jul 12, 2007)

^^^^^^^
OMG!!!!   you  r the creator of that virus!!, hey one of my friend got infected in june  here in kerala,he called me and finally i was able to delete the virus, it is now everywhere here ,ur virus is now competing with other virus like boot.exe in cyber cafes here....lolz,i dont believe this man r u the real guy?? where did u got tat laughing mp3. My friends little brother got frightened hearing that.
Do u know that virus is spreading into other countries becoz no Antivirus was able to detect that virus wen it was first found,His computer was running avast which failed to detect it then i terminated svhost.exe to get rid of it,then i copied the files and scanned with every AV's like kasperksy,Avira but none was able to detect it(i know this is due to "autohotkey" which is a known script maker). 
Its signatures is now being added in Av's (including kaspersky,nod32,avast etc).I read its source code its install script is long,what made u to write this virus just to ban orkut and YT??.How much time spend on this??,i guess u started its work in february isn't?.
Furstration for people,but i have to say amazing work,particularly how that "reproduce+offspring script works"


----------



## mind021 (Jul 12, 2007)

hey man its really a gr8 piece of work
as others hv specified it is not detected by any antivirus..
by d way i got d temporary soln d first day itself...n i m weak in registry editing so cant get d permanent soln..

but thnx 4 telling me it..

n yaa 1 more thing..in my comp i was not able 2 open any browser other dan IE..
how come u opened opera
n yaa..also svchost.exe didnt regenerate itself unltill i restarted d comp...so each i started d comp i had 2 end d process...n yaa..no unknown service i found in msconfig

n yaa..i wld surely try out d registry editing way 2day...hope u r correct


----------



## shri (Jul 12, 2007)

fannedman said:
			
		

> REALLY SORRY MAN, that was my handiwork



If you are really the creator of this orkut virus then I guess you would know this by now-You have caused a hell of a lot of problems to a heck of a lot of people. 
You should have posted the solution to this a lot earlier.


----------



## fannedman (Jul 12, 2007)

cyberboy_kerala said:
			
		

> ^^^^^^^
> OMG!!!!   you  r the creator of that virus!!, hey one of my friend got infected in june  here in kerala,he called me and finally i was able to delete the virus, it is now everywhere here ,ur virus is now competing with other virus like boot.exe in cyber cafes here....lolz,i dont believe this man r u the real guy?? where did u got tat laughing mp3. My friends little brother got frightened hearing that.
> Do u know that virus is spreading into other countries becoz no Antivirus was able to detect that virus wen it was first found,His computer was running avast which failed to detect it then i terminated svhost.exe to get rid of it,then i copied the files and scanned with every AV's like kasperksy,Avira but none was able to detect it(i know this is due to "autohotkey" which is a known script maker).
> Its signatures is now being added in Av's (including kaspersky,nod32,avast etc).I read its source code its install script is long,what made u to write this virus just to ban orkut and YT??.How much time spend on this??,i guess u started its work in february isn't?.
> Furstration for people,but i have to say amazing work,particularly how that "reproduce+offspring script works"



WTH! kerala!!! man its spreading because many antiviruses didnt have its signature.

one more caveat , its a simple winrar sfx archive, i used resource hacker to extract the folder and invisible icon from shell32.dll

And the laughter sound is from *mortal kombat 4 setup*

and comon dude it cannot be spreading to other countries, unless you take there an infected pen drive from here

There was some misunderstanding between me and our college admin about the usage of orkut,its a long story, so in retribution i created this mess, i just didnt know it will blow up like this!!


----------



## zyberboy (Jul 13, 2007)

fannedman said:
			
		

> and comon dude it cannot be spreading to other countries, unless you take there an infected pen drive from here


Somewhere i read tat it is being shared in P2P,i think i read this in some blog or something.

Autohotkey guys r angry with you..lol, their reputation is taken a hit becoz ter r some virus in wild written with it, Now Anti virus are detecting useful autohotkey script as virus. what do u think?.


----------



## fannedman (Jul 15, 2007)

cyberboy_kerala said:
			
		

> Somewhere i read tat it is being shared in P2P,i think i read this in some blog or something.
> 
> Autohotkey guys r angry with you..lol, their reputation is taken a hit becoz ter r some virus in wild written with it, Now Anti virus are detecting useful autohotkey script as virus. what do u think?.



Yeah i know, i feel sorry for that. But i think the exe is excluded from detection, only install.txt and autorun.inf are detected


----------



## hard_rock (Jul 15, 2007)

Well...Boy..You have invaded the whole hostel's computers here in shimoga.. Those dumb guys dont know how to operate USB.. Spreaded like hell. Usually I scan all files which are foreign to my PC. But someday during project work, it was urgent so dint scanned and after sometime when I opened Opera..Bang!!! Orkut banned.. I told so many many bad words to the creator  that day.. And it was you?? (Who knows..) But all that CURSE goes to you...


----------



## a_k_s_h_a_y (Jul 23, 2007)

i think that guy is frm my college....PESIT....that virus is all over our college comps....Orkut is banned in our college.......and i also remember that all hostel PCs being infected and the creator of it helping them  in hostel to sort the mess


----------



## navjotjsingh (Aug 2, 2007)

BTW can somebody mail me the virus? I would really love to try on my sister who is constantly hooked to orkut!


----------



## aryayush (Aug 2, 2007)

Why are you guys applauding and encouraging the virus creator! This is insane.


----------



## kumarmohit (Aug 2, 2007)

Why are you bothered, isnt the Mac Virus Free!


----------



## aryayush (Aug 2, 2007)

Yes, it is but where does that figure into this conversation!


----------



## spironox (Aug 2, 2007)

if he says that he is the creator then.... buddy go underground and erase yourself from net god knows some freaks might file a cyber case and u might be enjoying some days.years.or centuries behind the jail (get off asap) for the problem caused by your research (so called)  

just try to understand what u did was a mistake and dont aks for forgivenss as people will not listen all they need is some one to blame and that is u ! idiotically u confessed in too .. now what will happen is just a wait and watch act !


let me ref the indian cyber laws and let u know (but i am not sure about the diff public ,gov,institutional rules/law/policies)


----------



## RCuber (Aug 2, 2007)

^^ What if he appologises and give a removal tool for that virus?


----------



## spironox (Aug 2, 2007)

very few chances i think .. only if he doesnt sells them and give them out as a preventive tool rather than removal tool

base line is he should give the removal tool in form of a preventive tool and that too free of cost and also accept no responsibility for the function-ability of the tool

thus he can save his skin in that process otherwise some weirdo will cash on him i am sure about that


----------



## kumarmohit (Aug 2, 2007)

spironox said:
			
		

> if he says that he is the creator then.... buddy go underground and erase yourself from net god knows some freaks might file a cyber case and u might be enjoying some days.years.or centuries behind the jail (get off asap) for the problem caused by your research (so called)
> 
> just try to understand what u did was a mistake and dont aks for forgivenss as people will not listen all they need is some one to blame and that is u ! idiotically u confessed in too .. now what will happen is just a wait and watch act !
> 
> ...



In India!!! nah, it will take a decade for Indian Courts and law to understand what a computer is supposed to work like. Take it from me the implementation of cyber laws is pathetic in India, *Pathetic*. They do not bother about piracy which has let loose all hell elsewhere in the world. *I am not justifying fannedman's act, nor am I saying he should do it again.* I am commenting on the chances of any conviction considering the present awareness of cyber law in legal circles.


----------



## praka123 (Aug 2, 2007)

he should provide removal tool hosted somewhere(share it in p2p).but first does his virus got a name?


----------



## clifford (Aug 2, 2007)

fannedman said:
			
		

> Yeah i know, i feel sorry for that. But i think the exe is excluded from detection, only install.txt and autorun.inf are detected


 
Hey Fannedman,

Well is was effected with ur great brains......I got so sfrustrated that i logged myself out from a cyber cafe......Well but i really liked ur virus...as i changes 3 anti virus 1) nortan 2) AVG 3 Antivira anit virus but could not get ur script detected...... well i used the same pen drive that i used at the cyber n voila even my Pc got infected...so i sat down starting thinking how to disable ur virus....well when i entered ur link the virus got activated....wen i did i just cliked CTRL ALT DEL and found ur program then just went n did End task...there u go ur virus was no where any more to hunt me...LOL

Well hats off to u if u r the real writer of this script......

I loved the experience......

clifford


----------



## vish786 (Aug 2, 2007)

fannedman said:
			
		

> Yeah i know, i feel sorry for that. But i think the exe is excluded from detection, only install.txt and autorun.inf are detected



if ur the creator... honestly then i feel like kicking ur A$$... just now i did a fresh windows xp installation in my office... and inserted pen drive.... and ur virus is already into it.   . it has avast and still virus is running in background... i cant even see my hidden folders in GUI by changing the settings... just tell me ur address and i'm coming to bang u


----------



## navjotjsingh (Aug 2, 2007)

Don't bang his head..instead read his post of how to remove the virus.


----------



## thecreativeboy (Aug 2, 2007)

hi,
   this is the problem bcoz of the win32 virus.you can go to the task manager and delete the svchost.exe.then delete the heap31a(folder or file) in the c:windows.and in other places.it will cure ur problem.


----------



## vish786 (Aug 2, 2007)

thecreativeboy said:
			
		

> hi,
> this is the problem bcoz of the win32 virus.you can go to the task manager and delete the svchost.exe.then delete the heap31a(folder or file) in the c:windows.and in other places.it will cure ur problem.



i know tat man.


----------



## RCuber (Aug 2, 2007)

can someone please post(attach) the screenshot of registery entry of the following.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL


----------



## aryayush (Aug 2, 2007)

clifford said:
			
		

> Hey Fannedman,
> 
> Well is was effected with ur great brains......I got so sfrustrated that i logged myself out from a cyber cafe......Well but i really liked ur virus...as i changes 3 anti virus 1) nortan 2) AVG 3 Antivira anit virus but could not get ur script detected...... well i used the same pen drive that i used at the cyber n voila even my Pc got infected...so i sat down starting thinking how to disable ur virus....well when i entered ur link the virus got activated....wen i did i just cliked CTRL ALT DEL and found ur program then just went n did End task...there u go ur virus was no where any more to hunt me...LOL
> 
> ...


If someone uses their excellent coding skills to create malware, it is a practice that should be strongly discouraged, not lauded. This is so silly.


----------



## vish786 (Aug 2, 2007)

aryayush said:
			
		

> If someone uses their excellent coding skills to create malware, it is a practice that should be strongly discouraged, not lauded. This is so silly.



exactly... instead of creatin a malware he should hav done something better using is skills (if he has one)... he's lika a villian after creatin malware . after all creatin a malware does not help anyone... it just creates probs.


----------



## spironox (Aug 2, 2007)

any how i said what i know rest is upto so called the creator of the script ...he can go public  heheh 


regards
nixon


----------



## vish786 (Aug 2, 2007)

charangk said:
			
		

> can someone please post(attach) the screenshot of registery entry of the following.
> 
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
> 
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL


screenshot of unaffected registry.

*images6.theimagehosting.com/first.43d.th.JPG
*images6.theimagehosting.com/second.31a.th.JPG


----------



## RCuber (Aug 2, 2007)

Thanks vish for the screenshot. I cannot see a explorer entry in my system. can anyone please post the affected registry entry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run is enough for me.


----------



## vish786 (Aug 2, 2007)

charangk said:
			
		

> Thanks vish for the screenshot. I cannot see a explorer entry in my system. can anyone please post the affected registry entry. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run is enough for me.
> 
> PS: Attached the zipped screenshot file for my reference will remove it later.


shot of affected registry.

*images6.theimagehosting.com/affected.th.JPG

just delete the run entry on the the left side. the " run " entry is added by virus.


----------



## RCuber (Aug 2, 2007)

^^^ thanks  .. for those guys wondering why im asking this ... you must have guessed it .. im trying to write a fix for that.. only registry part is left  .. but I wonder if I can finish it


----------



## bugsome (Aug 6, 2007)

Lol..just got it infected..Good work buddy..Hope u will use ur skills foe better purposes...Can anybody give me the virus...i deleted it..now i want to play tricks on my friend..Can any body give it in a safe way..?


----------



## mind021 (Aug 28, 2007)

hey thnx frnds..
even i now know 2 solve d problem..actually long time back i did it..
d soln i found was..
delete folder named C:\heap41a n alll its content


----------



## Gigacore (Sep 2, 2007)

@ fannedman thanks for creating it and solution to fix it 

^ lol... is this powerful than u


----------



## mind021 (Sep 3, 2007)

hey vish786 thnx man 4 giving d soln
i hadnt seen it earlier..
hope it wld work..
now i m free of it..
wld try it when i c next time in some1's system..
thnx bro


----------



## vish786 (Sep 3, 2007)

thx to virus creator, i just gave a little more detail my giving shots.
anyways ur always welcome.


----------



## mind021 (Sep 4, 2007)

hey vish786..
how do u paste d screen shots here
help me out..
i hv problem wid a virus/bug here..
*www.thinkdigit.com/forum/showthread.php?t=67249

n i think without showing d screenshot its difficult 2 explain n understand


----------



## vish786 (Sep 4, 2007)

follow what choto cheeta said in second post of that thread.


----------



## mind021 (Sep 5, 2007)

oh yaa..
actually when i had posted here..it wasnt replied dere..
thnx bro


----------



## RCuber (Sep 5, 2007)

I wanted to create a patch for this virus but could not complete it. Today I found a patch for this which was created by Sarath Lakshman. 

Here is the screenshot 
*img413.imageshack.us/img413/4733/orkutfixzl5.jpg

You can read more about this here

Direct Link for Removal Tool (ZIP)


----------



## mind021 (Sep 6, 2007)

hey thnx charan...

hey guys..got another problem..
plz check out dis link n answer me dere..

*www.thinkdigit.com/forum/showthread.php?t=67249


----------



## MetalheadGautham (Jan 28, 2008)

wow, that virus was one hell of a thing. My school's CS instructor promised me some free marks if I block orkut. Any way of recreating this virus for other sites ?


----------



## thewhizgeek (Jan 30, 2008)

hey this works ! i got from a blog !!! should be of some use !!



Some guys here are really pissed off by a message that popped up each time they tried to access *orkut*, youtube or even myspace through their browsers. These guys started asking “if the *Orkut* is banned?” or “is Youtube banned?” and other such types of questions on forums, discussion boards, yahoo answers, etc. Now, is *orkut* really banned?
 The pop up message which exactly looks something like “*Orkut is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!*” or something like “*Youtube is banned you fool, The administrators didn’t write this program guess who did?? MUHAHAHA!!*” Technically, this message is caused by a computer worm called W32.USBWorm (or a few variants of the same). This worm mostly spread from one computer to another when you insert a USB drive, like a pen drive, a flash drive or even a cell phone memory card. 
*Now, how can you remove this worm? *
 This *Orkut* or Youtube worm generally places itself in a hidden folder named *heap41a* in your C drive (or your Windows drive). You can directly access this folder by typing *C:\heap41a* into your *Run* command box. You will see a variety of files, including Svchost, Script1, Reproduce, etc. 
 To remove the worm, select all these files (except one file named *Svchost*); and delete them (Shift + Del). Now go to your registry editor (*Run > regedit*) and Go to *HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > policies > Explorer > Run*. On the right hand side, you should see *winlogon* key value set. Right click on it and *delete it*. (Note: In some computers, you may find the same at HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run). 
 Now, restart your computer. Once you have restarted, go to *Run* and type *C:\heap41a*. You will see the svchost file. If you see any other files, select all and *delete them*. Remove it from the recycle bin as well (*Ctrl + Del*).
 Now, open your browser and log on to www.orkut.com or www.youtube.com. Voila! you got it right!
 Note: The same USB worm also causes a peculiar firefox problem. When you try to install a new version of firefox or when you try to open it up, you will get an error message something like “*I DNT HATE MOZILLA BUT USE IE OR ELSE…*“. This maybe called a “Use Internet Explorer you dope” problem. So, you have just solved this problem as well. Enjoy.


----------
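The removal steps fannedman posted and the blog write-up quoted by thewhizgeek name the same artifacts. As an added example (not code from the thread, nor the removal tool linked earlier), this read-only PowerShell script checks a machine for them; it assumes PowerShell 3 or later and that the "checked value" in the post is the `CheckedValue` registry value. Variable names are the example's own.

```powershell
# Read-only check for the artifacts named in this thread. It deletes nothing.
# Key paths, value names, folder and file names come from the posts;
# variable names are this example's own.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. "winlogon" autostart value: policy Run key (fannedman's post) or the plain
#    Run key (the quoted blog says some machines have it there instead).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'winlogon')) {
        $findings.Add("Run value 'winlogon' in $key = $($props.winlogon)")
    }
}

# 2. Hidden-files switch: the post says to set this back to 1.
#    Assumption: "checked value" in the post is the CheckedValue registry value.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -LiteralPath $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $checked -and $checked -ne 1) {
    $findings.Add("SHOWALL CheckedValue is $checked (expected 1)")
}

# 3. Drop folder. Test-Path sees it even while Explorer hides it.
if (Test-Path -LiteralPath 'C:\heap41a') {
    $findings.Add('Folder C:\heap41a exists')
}

# 4. Removable drives (DriveType 2): the carrier pair named in the post.
#    An autorun.inf on its own is not conclusive, so it is reported with the exe.
foreach ($d in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    $exe = "$($d.DeviceID)\microsoftpowerpoint.exe"
    $inf = "$($d.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $exe) {
        $findings.Add("$exe present (autorun.inf present: $(Test-Path -LiteralPath $inf))")
    }
}

# 5. svchost.exe owned by the logged-in user and running from outside the
#    system directories. Current Windows runs genuine per-user svchost.exe
#    instances from System32, so ownership alone is not a finding.
$genuine = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'") {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($owner -and $owner.User -eq $env:USERNAME -and $p.ExecutablePath -and
        $p.ExecutablePath -notin $genuine) {
        $findings.Add("svchost.exe PID $($p.ProcessId) as $($owner.User): $($p.ExecutablePath)")
    }
}

# 6. Startup folder: the post mentions a shortcut with an invisible icon but
#    gives no file name, so every entry is listed for manual review.
$startup = [Environment]::GetFolderPath('Startup')
$entries = @(Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue)

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' } else { $findings }
"Startup folder entries to review ($startup):"
$entries | Select-Object -ExpandProperty Name
```

If it reports findings, keep to the order given in the thread: end the two processes first, then remove the registry value and the files.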



## mind021 (Feb 27, 2008)

MetalheadGautham said:


> wow, that virus was one hell of a thing. My school's CS instructor promised me some free marks if I block orkut. Any way of recreating this virus for other sites ?




its not difficult friend...as thewhizgeek in his last post has given the blog...dere r certain text files in *C:\heap41a* folder. check in which file d script is written..i think its *script.txt* file...i dont remember now as i had done dis long back.
in that file u search for *orkut.com* n replace it with the site u want to block..like if u want to block google.com replace *orkut.com* with *google.com*
this is easiest so i told it
better copy n paste the whole function with replacing orkut.com with google.com....it would be similar to writing another function.

after this just restart your computer...google.com would also be blocked this time.


----------



## mind021 (Apr 21, 2008)

hey friends
nowadays my computer is regularly being attacked by a new variant of this virus....it starts a process named wdfmgr.exe
also realplay.exe and realesched.exe are started with it.
though these two are harmless(actually they are our real one player and sound control respectively)

but with wdfmgr.exe sometimes cmd.exe gets started and certain code starts running...which i have not been able to read as it gets over too quickly
as far as i have analysed it...the code creates two files ntldr.exe and autorun.inf in each and every drive of the hard disk
still i am not sure about it
is anyone else too attacked by similar thing???


----------



## MenTaLLyMenTaL (Aug 24, 2009)

@fannedman

Hey thats a really great piece of handiwork!

I'm from Pune and I found this _virus_ in my mom's pendrive AND in my college Internet Lab. After researching a bit, I found the files c:\heap41a and took it home for inspection. Later i found out it was all done using a simple, legal software autohotkey and winrar. Marvelling at the brainwork, I searched the net for heap41a and found your post and was totally surprised to find it right here on thinkdigit!! LOL i'm an instant fan of urs now.

And you don't deserve any punishment. It wasn't ur intention to spread this around the world like a virus, but only to prank some of hostelites. Its fun! 
If u make something like this again, you might want to set a condition for reproducing the offspring based on a limiting Date.

Nice work. Reading this thread also gave me a lot of laughter and enjoyment.


----------



## piyush.ml20 (Aug 27, 2009)

can nybody mail me this virus on piyush.ml20@rediff.com plz.


----------



## cyberxtremer (Sep 1, 2009)

This is a very old virus which many people used to get affected from at that time. I have helped a lot of my friends in cleaning the virus. Sad I don't even remember the virus name now


----------

