Nitin, a colleague of mine was facing a very odd problem. Whenever he typed orkut.com in his browser, an alert came up displaying this message..

It was an very unusual problem and since i had never experienced it. I Googled around to find a huge list of websites which were providing tips for removing this virus. I came across this post by Sumeet and found a simple solution for this problem.

» The Virus

The name of the virus is W32/AHKHeap. It spreads rapidly through use of USB (pen) drives. This virus creates a folder named HEAP in C drive of your system. The virus will even make a entry into your registry so that it can run every time the system is started . The worm spreads via removable drives. Infection starts either with manual execution of the binary or by navigating to folders containing infected files whereby the autorun.inf files can cause auto-execution.

» Instructions – Removing the ‘Foolish Orkut’ Virus

• Go to your task manager by pressing ctrl + alt + del and navigate to the process tab
• Now look for svchost.exe
• You might find more than one of them . In order to recognize the real culprit, look for those who have user name as your login name of computer.
• Select and choose end process option.
• This will temporarily disable the virus.

» Permanent Solution

• Go to Start and choose the run command
• Type C:\heap41a and hit enter.
• It is a hidden folder, and is not visible by default. Delete all the files in this folder (ctrl + a) and then (Shift + del)
• Now go to Start and choose the Run command again

• Type Regedit and Hit Enter. This will open the registry editor.
• Press ctrl + f to open the search box and find “heap41a”
• You will get something like – “[winlogon] C:\heap41a\svchost.exe” and “C:\heap(some number)\std.txt”
• Select both of these results and delete
• Close the registry editor . This will remove the virus completely.

» Notes