29 May 2007

I DNT HATE MOZILLA BUT USE IE OR ELSE


W32.USBWorm spreads through USB drives. It prevents the user from using Firefox and shows a message that reads, "I DNT HATE MOZILLA BUT USE IE OR ELSE..." The message header reads, "USE INTERNET EXPLORER YOU DOPE." Firefox is then forcibly closed. The worm also blocks the "Orkut" and "YouTube" sites.

Solutions

First format the USB drive that carries the virus (you may lose your data).
Update: No need to format the USB pen drive. Delete the autorun.inf file and any folder whose name ends with .exe on the pen drive.

Press Alt+Ctrl+Del to open 'Task Manager' --> click on the Processes tab --> locate 'SVCHOST.EXE' (you will see many SVCHOST.EXE entries; select the one whose 'User Name' is the same as your Windows login name) --> click the End Process button.

Now proceed as follows.


Way 1

Open Task Manager by holding Ctrl + Alt + Del and click on the Processes tab.

- Ignore the warning messages and stop the SVCHOST.EXE process running under your Windows login name.

- Navigate to C:\heap41a and delete the contents of the folder.


Way 2

Start Menu > Run > type regedit and press the Enter key.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
and reset CheckedValue back to 1 from 2 (to do that, right-click CheckedValue > Modify > Value data >

Beware of using USB pen drives, especially in browsing centers. Found some browsing centers in Bangalore too.

Go to C:\heap41a and delete this folder. If there is a folder called test.exe on your desktop, delete that too.

Clear all the entries called heap41a from this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

Update: Don't uninstall Firefox. Some people are experiencing issues with the OS after uninstalling Firefox on an infected machine. If you uninstall Firefox instead of removing the virus, the system will refuse to boot in normal or safe mode.

For further reference check out here

Warning: Try this at your own risk.
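
The pen-drive indicators this post names (an autorun.inf file and folders whose names end in .exe) and the heap41a folder can be checked read-only before anything is deleted. The script below is an added example, not part of the original post; the sample drive layout and its file names are constructed, and the launch keys it looks for (open, shellexecute, shell\...\command) are standard autorun.inf keys rather than something the post describes.

```python
import os
import re
import sys
import tempfile

# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$", re.IGNORECASE)


def read_autorun_targets(path):
    """Return (key, command) pairs from an autorun.inf that launch a program."""
    with open(path, "rb") as fh:
        raw = fh.read()
    # The file is ANSI or UTF-16 with a BOM; latin-1 decoding cannot fail.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("latin-1")
    targets = []
    for line in text.splitlines():
        match = LAUNCH_RE.match(line)
        if match:
            targets.append((match.group(1).lower(), match.group(2).strip()))
    return targets


def scan_drive(root):
    """Report the pen-drive indicators from the post without changing anything."""
    report = {"autorun_inf": None, "autorun_targets": [], "exe_folders": []}
    with os.scandir(root) as entries:  # also returns hidden/system entries
        for entry in entries:
            name = entry.name.lower()
            is_dir = entry.is_dir(follow_symlinks=False)
            if name == "autorun.inf":
                # A folder with this name is reported but has nothing to parse.
                report["autorun_inf"] = "folder" if is_dir else "file"
                if not is_dir:
                    report["autorun_targets"] = read_autorun_targets(entry.path)
            elif name.endswith(".exe") and is_dir:
                report["exe_folders"].append(entry.name)
    report["exe_folders"].sort()
    return report


def host_folder_present(system_root, folder="heap41a"):
    """True if the folder the post names exists directly under system_root."""
    with os.scandir(system_root) as entries:
        return any(e.name.lower() == folder and e.is_dir() for e in entries)


def build_sample_drive(root):
    """Constructed sample layout for the demo; all names are made up."""
    os.mkdir(os.path.join(root, "holiday.exe"))   # folder posing as a program
    os.mkdir(os.path.join(root, "documents"))
    with open(os.path.join(root, "setup.exe"), "wb") as fh:  # a file, not a folder
        fh.write(b"MZ")
    with open(os.path.join(root, "AUTORUN.INF"), "wb") as fh:
        fh.write("[autorun]\r\nicon=drive.ico\r\nopen=holiday.exe\\run.exe\r\n"
                 "shell\\open\\command=holiday.exe\\run.exe\r\n".encode("utf-16"))
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Pass the drive root, e.g. the pen drive's letter or mount point.
        print(scan_drive(sys.argv[1]))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            print(scan_drive(build_sample_drive(tmp)))
```

Run it with the pen drive's root as the only argument; with no argument it scans the constructed sample layout.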

118 comments:

  1. dude... thanks for ur comment.

    but in way 2 also i think you will need to terminate the svchost process first otherwise..

    it wont stop...

  2. Rajavanya, Thanks for pointing out this. Updated in the post

  3. hi,
    i am experiencin the same virus attack..but to add to my distress my laptop says 'Task Manager has been disabled by administrator' or 'registry editor has been disabled by administrator' ..now whadda i do??
    pls help.
    keerthy

  4. Hi keerthy
    You have to contact your administrator to do this for you

  5. "registry editor has been disabled by administrator" give a search in google and it is showing lot of solution how to fix this issue. or check out what Microsoft says http://support.microsoft.com/kb/555480

  6. Boot up in safe mode, and search under C:\ (root drive) for a system folder called heap81 or something. This contains the script files containing the text messages that you see. The folder also contains a copy of svchost.exe

    Delete the folder and contents.

    Reboot normally.

    This worked for me.

  7. reg editor done.. thanks a lot..
    but i dont see any heap41a in my c drive..

  8. heap41a is a hidden folder and not visible by default. In the address bar, type C:\heap41a and press enter.
    Hope you can see that now

  9. or Go to windows explorer > Menu> Tools >Folder Options..> View>Show hidden files and folders ->select that, it will show all the hidden folders

  10. tried viewin thru hidden file option..not working..
    tried searchin..that too dint show any results.

  11. hey..thanks,
    worked some how or the other (tried thru run window)..
    problem solved.. thanks a lot man.

  12. That is fine.. i can use firefox now.. But the hidden files in system cannot be seen.. how to solve this issue

  13. Anonymous, June 12, 2007

    Newbies can look at this site which has got some gifs and screen shots to
    remove the worm.
    w32.USBWorm-remove.html

  14. Anonymous, June 14, 2007

    hi , i also had the same problem of "I DNT HATE MOZILLA...." and "ORKUT IS BANNED..." but after deleting the folder heap41a and after making changes in registry (i,e "HKEY_LOCAL_MACHINE->software->microsoft->windows->current version->explorer->advanced->folder->hidden->showall->CheckedValue" to 1 instead of the 0)......
    after making these changes i am facing a new problem in "shutting down my Laptop"....
    it is taking too much time to shut down and it is not shutting down properly....
    Please help me dudes...

  15. Hi , Anonymous
    It's clearly said that if the registry value is 2 then make it to 1 . You did like 0 to 1 which you should not do. Be serious if you play around with registry.

  16. Anonymous, June 19, 2007

    hey ppl hi

    i had the same problem the only one thing i did was system restore u ppl can try tat. mine is solved.its the most simple solution.

  17. Anonymous, June 20, 2007

    Thanks, works great

  18. Thanks for the info. I was facing the same problem. By the looks of the content of the folder, it looked like a simple program and not a virus. Just a Virus-like program. Didnt harm the PC. On running svchost.exe, it created a text file. Apparently this nifty script (virus?) has been created using AutoHotKey (http://www.autohotkey.com/)!! So this guys not a geek, or a computer wizard, but just some poor old jobless guy. I pity him.

  19. Thanks to some great documentation on the web, I have managed to rid my system of the worm. But try as I did, I couldn't delete the autorun.inf from my pen drive. Every time I undertake a data transaction via the pen drive, my registry gets altered so that i cant see the hidden files anymore. I tried changing the registry value too. But, contrary to written documentation the value was 0 initially and not 2. Can anyone help me to rid the worm from my drive forever? I tried formatting, that doesnt help. My pen drive is a U3 Cruzer make, if that helps.

  20. Thanks a lot....Using slide show i got corrected...

    Mallesh.J

  21. Dear cipson,

    I have a serious problem and I hope you can help me out to which I will be eternally grateful.

    There are two PCs in our home. My GF's comp and mine. My GF's comp is connected to the net while mine isn't. My GF's comp has just got infected with the "I DNT HATE MOZILLA BUT USE IE OR ELSE" virus. So we uninstalled FF through safe mode.

    Now her comp just wont boot!!! Either through safe mode or normal, it cannot boot.

    So here I am connecting to the net from my comp (her connection), hoping you can help us with our plea. What are we supposed to do? We cannot even go to the HKEY registry etc because her comp cannot boot.

    Sincerely yours,

    Kima and Hmai.

  22. Hi illusionaire,

    This is an odd problem and looks serious. Instead of uninstalling the FireFox, you should have to follow the procedure mentioned in my blog. Try to repair your computer with the OS CDs.

    Note to others : If you are a victim of this virus, DONT uninstall the FireFox, instead just remove the virus . Else you may also end up with what illusionaire is facing now.

  23. Thanx Clipsen. Yes I now know I shouldn't have uninstalled FF. That's what everybody seems to tell me in all the Forums I've posted.

    Anyway, I was hoping I could add one more point regarding this virus.

    During my research, I read that McAfee can clean this virus while AVG can't. That explained the reason why my GF's PC crashed while mine didnt, because a friend of ours came and connected her i-Pod to BOTH our PCs last night but only my GF's PC was infected. My GF use AVG while I use McAfee.

    When our friend first connected her i-Pod to my PC (McAfee) USB drive my PC hanged, so she connected to my GF's PC (AVG) where it didnt hang. I guess my PC hanged because my McAfee tried to block the virus or something like that.

    Hope that helps a bit.

  24. hey there,
    thanks a lot,

    your suggestion helped me out.

    ankit.

  25. hey ,

    now whenever i reboot the error reappears,

    i go thr' the way2 again, it solves the problem but only for that session,
    again when i switch off and start the comp. the virus reappears,

    but now heap41a the file which i had deleted in first place does not reappear.

    any suggestions,


    ankit.

  26. That was a reliever...thanz a lot!

  27. thaanz a lt dude...dat was a reliever...such a strange worm!....

  28. hi thanks a lot. can open firefox now but for some reason my firefox can only go to the polish version of youtube (I think) (cuz its http://pl.youtube.com). cant access the english version. If u know a way to fix tht pls let me know . thank you. Surya

  29. Surya
    Just clear your browser history and content may solve your problem

  30. Yuppp.Thanks a lot man :)

  31. hi,
    i have a problem. i wont able to find out c:/Heap41a . its also not available in hidden file. so, what to do.... plz help me..

  32. It might be hidden
    Open Windows Explorer > Menu > Tools > Folder Options > View >

    select "show hidden files and folders" and try.

  33. hi i tried doing all the above .. but for me it does not work..
    i just cant see the folder heap41a..
    i followed both method 1 and
    method 2.. also changed the instruction to ' show hidden files' but i still cant see the folder..
    but when i try to do it via command prompt.. i can enter the directory heap41a .. and see the file using dir command..
    i tried 'del' it says access denied..

    so what should i do..
    when going via the task manger.. on doing end file.. the worm open more svchost.exe..

    kindly help

  34. How to get rid of this virus from my Pen drive ? please help..

  35. hi im having this orkut banned problem, i tried both the ways mentioned but none worked as no task manager is responding n no regedit file opens from start menu>run. neither my laptop is going into safe mode. i had tried for restoration of system but the virus folder keeps on coming up its c:\heap41a\reproduced.txt
    kindly help

  36. >>How to get rid of this virus from my Pen drive ?

    TO prevent to spread this virus, format the pen drive. Transfer ONLY your important data before doing this

  37. ANKIT

    Are you using the same pen drive again in your computer ? Format the pen drive, else whenever you connect the pen drive the virus will appear again and again.

  38. yogi

    Check out you have the admin rights to do it

  39. >>no task manager is responding n no regedit file opens from start menu>run

    Check out you have the administrator rights in your computer. Still if you cannot open the task manager, looks like the problem is something else with your computer.

  40. Way1 works Perfectly!!!! Thanks a TOn!

  41. thanks a lot man
    it helped me

  42. Hi Yogi

    >i just cant see the folder heap41a..

    when you open the folder in your explorer, type in "C:\heap41a". immediately it is opened.

    >but when i try to do it via command prompt.. i can enter the directory heap41a .. and see the file using dir command..
    >i tried 'del' it says access denied..

    first you end the "svchost.exe" process, with the same username as the one you have used to log in with. then it can be deleted.

  43. Hi Rajesh
    Thanks for helping who has the 'heap' problem

  44. Dear all,
    Thanx for such a useful info. I tried ur method but couldn't locate the heap41 a folder. I tried both da methods, e.g. hidden folder option and by typing the address in explore..
    Could u plz suggest me any oder way

    Thanx

  45. Himanshu Bhardwaj, August 29, 2007

    Hey SHylock ... just copy and paste: C:/Heap41a in the run command and the folder will appear ....

  46. Thanks bro it really helped me. thanks again.

  47. hey thanks a lot man...worked fine..

  48. hi,

    Thanks so much it helped me a lot,
    in my PC i am using Pen drives a lot. Is there any possibility of repeating this problem

  49. hey guys thanx for the research u have done
    it really helped
    thnx a lot

  50. Thanx a lot dude....
    it works

  51. Dudes... Thanks a lot..Really...I really dint know what to do when that came and it wasnt even my computer... Thanks a lot. I learnt a lesson.. never use a third guys flash drive unless U know him/her quite well!!! BEcause if that happens U can shout at them!!!

  52. Fantastic post. Concise and complete. I have linked to your post and copied the "Solution" to my blog at http://6by13.blogspot.com/

    If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!

  53. Hi All,

    The blog was really helpful.

    Thanks a lot...

  54. @Swapz, @Loganathan Happy to hear that you removed the virus with out any issues.

    @Swapz, >>If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!

    No at all. Share the information and let others get help to solve the issue. Thanks for linking me in your site

  55. thanks alot! it worked! =)

  56. Thank you very much !!!!!!!!
    I love you !!!!!!!
    Muahahahahahaha!!!!!!!!!!!

  57. Hi Great help...

    But there is a small variation.. in my system checked value was set to 0 (not 2). then I've changed that to 1. and it is working..

    Thank you very much...

    Siva
    www.bluebizit.com

  58. thanks cipson.,
    facing the same w32.usbworm problem ,but solved by ur comment .thanks
    -------------- gdhakad

  59. hey,Thanks Boss..
    Very Nice......

  60. Hi there.
    Sharm here. This blog here has been a great help. I was attacked as well. It is true that the Heap file is hidden, and the best way to locate it is to cut and paste the link onto the address bar.
    Thanks again!

  61. ow thankyou....thankyou very much.....

  62. hey guys.. i really wished i came here without doing anything..
    I just recently discovered the problem and have actually deleted firefox (dumb me.. i know but i'm pretty bad at computers).. I need help tho.. i stopped svchost thingy and deleted heap41... however, i didn't regedit... so how? gahhh!!

  63. anyawys... i just took ur advice.. eventhough i uninstalled ff.. :(( i hope it works..

  64. Hey Thank you.. It worked like a charm for me.

  65. it's really work on my pc dude! thank you very much!!! pheww!

  66. Thanks for the help with this "dnt hate mozilla" worm...

    I've followed some of your suggestions, but can not delete one of the .exe files from my pen drive. All the others deleting fine, but this one says I "don't have authority" or something like that.

    Any "forced delete" command?

    Thanks!!!
    Paul (California Math/Science teacher here in Bangalore for 5 month teacher exchange at a KV)

  67. Dude, thank u SOOOOOOOOOOOOOOOO much for that, it helped me to get rid of that dumb virus!!! It was reallly useful!!! And thanx to that, i could get rid of the virus before it caused much damage. U rock man!!

  68. Happy to hear that @ Anna, Braxis, Siva, ganesh, tiger, Sharm, Kxin, Anonymous guys solved the issues.

    @ Karen & Paul Amstutz , Welcome to Bangalore and hope you settled well here. For removing the files, double click on my computer> select the pen drive: check the drive name of pen drive like F: E: (choose it correctly)

    Now follow the procedure
    Start> Run > type CMD > press enter key
    A cmd window (black & white appear)
    there type E: (assume your pen drive is E:)

    Now you reach E prompt and type format E:
    E:\>Format E:
    Press Y once it asked.
    It will format the entire pen drive.

    Make sure you have backup of important files

  69. Thanks for advice...
    But I can NOT delete all the .exe files on the pen drive?!
    One last .exe always says something like "no access" or "you don't have privilege to access this file."

    How do I force delete this file?

  70. Ooops... sorry Cipson for repeating my question!

    I had an old "saved as" version of your blog, and didn't see your response to us!

    Thanks, I'll give it a try!

    -Paul

  71. cheers so much for this blog thingy...hadn't a notion what was happening to my computer, but then i saw this.
    i think its all fixed so thanks again

    :D

  72. Thanks dude, your advice worked a treat!

  73. thnx a tonne!! it wrked fr me ...back to scrappin ppl cheers

  74. Thanks, it worked for me.

  75. dear cipson and all
    iam sriram
    this query is not related to the PC WORM.
    this is another .
    my windows search option is not working . i think i may have deleted some important file which is the base for the search option.
    so can u help me out.

  76. sriram , put the windows OS CD select repair option, It will fix the problem

  78. Hi,
    i'm using a pc in a cyber cafe. This PC had the same problem whenever i run Mozilla. After reading solution in this page i told the cc owner to remove the worm. he told me he can do that but doing it everyday is kinda....... So is there any solution to prevent from future infection ?

  80. thanx dude..ur blog was great help! was frustrated trying to rid my comp of this sick virus! IE can be exhausting 2 use once u've gotten used to firefox!

    thanks so much! God bless ya!

  81. Hi,
    I experienced the same worm. The procedure you mentioned really works.Thanx a lot.

    Raj

  82. i think microsoft wrote this, LOL!

  83. removal tool for this virus is available @ http://tec-updates.blogspot.com/2007/07/remove-heap41a-win32usbworm-worm.html

  84. Youve been very helpful, thank you

  85. i have created a remover for the same virus
    http://prashobms.blogspot.com/2007/12/orkut-is-banned-you-fool-administrators.html
    just visit my blog and download the tool. It can heal and revert back ur registry.
    Thanks

  86. Hey Guys.
    im not getting any Taskbar to end process.
    and also unable to open registry from RUN.
    on doing experiments found svchost.exe in c drive but unable to delete that file

    please help me out to solve this problem

  87. ooohh.. Thanks a lot guys..! Actually i was affected by this damn virus.. it came with my pen drive after taking some files from school!! I was scared ! But i deleted all the contents of heap41a.. Did everything! The problem is solved now...Thank you very much... Good bless you...

  88. Thanks for your comments

  89. Okay..will keep in touch with you guys.. You ppl are a great support to each and every one who uses a computer... Keep up this good work

  90. Thanks I searched for the file in C:/ and removed it- it worked

  91. i C:/Heap41a -just found and deleted it- it worked-Thanks

  92. 1)Go to Task Manager (Press Ctrl+Alt+Del)
    2)Goto Processes Tab
    3)End all processes with the name svchost.exe (only those with your user name to its right)
    4)Note that you shouldn't end the system process svchost.exe(the SYSTEM process)
    5)Goto Start>Run
    6)Type in regedit and click OK
    7)Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and on the right pane doubleclick CheckedValue and change it back to 1
    8)Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and delete the winlogon key on the right pane
    9)Now close regedit and search your computer for a file named svchost.exe (enable Search hidden files and folders)
    10)You will see a file with a green H icon in the search result(There will be another svchost.exe file in system32. Ignore it.Its a system file.)
    11)Open that file location and delete the folder that contained this file.
    13)Now the virus is gone.

  93. hi cipson

    when i use mozilla to access certain sites (see example below)the page closes at once...just like that. do u know what could be wrong??

    www.emirates.com
    www.arcelormittal.com

    sibhu

  94. Thanks so much for the solution:))

  95. Simple way to delete all viruses like these kind is to use a linux pc, plug in the USB drive , u will see all the files n worms ... delete it safely because .exe files doesnt have any impact on linux. CHEERS
    binnyjeshan.co.nr

  96. thanks much! my little cousin was about to cry! :)

  97. Michael Julius, March 05, 2008

    Thanks a lot, dude. it worked just fine.

  98. hey cipson i have deleted all the files of heap41a but only svchost is left. in my task manager there are many is such as svchost.exe username-local services,network service,system,network service,system. dude which one to delete?

  99. hi DJ
    "Press Alt+Ctrl+Del --> you can see 'Task Manager' --> click on Process tab --> Locate 'SVCHOST.EXE' (will see many SVCHOST.EXE, but select the one having 'User Name' same as your Windows login name). --> Click End Process button"

    Has to select the one with the windows user name which u logged in

  100. Thanks a lot..I am able to work with Mozilla now..Thanks for your help..Gayatri

  101. Hi..
    Thanks a lot friend, it was easy and the way that you give is the easiest way to remove this intruder..
    Nice job..

  102. auto78900, July 07, 2008

    please can you tell me how I delete
    the Virus off my USB stick ?

    I have not yet infected my home PC.

    So Im a bit worried putting my usb stick in it.

    When I delete all 3 files ,10 seconds they come back again.
    What caution can I take that the usb stick does not infect my pc ,before I put my USB stick in ?????

  103. hi.
    i think instead of deleting the files from your USB stick. it's better to format your USB stick.
    this will completely erase your virus from that..

  104. No , I can not reformat the stick because I have important data on them.

    Also I tried using that removal program ,all it does is display "please relogin or restart your computer" after I pressed remove, it then just goes in a loop. Why should you have to restart your computer ? I just want those 3 files removed off my sticks !

  107. auto78900, July 08, 2008

    No I can not delete with reformat

    I have important data on that usb.

    I also tried the removal program,but it does nothing ,just goes in a loop ,after message "restart your pc" and its still there.

  108. i dont see any heaps folder..

    help me guys

  109. Thanks for the help guys.
    I followed the first method and it's working. Haven't restarted my PC but I can access everything (FF, Orkut, Youtube)

    Great work guys......thanks once again

  110. Hi all, Thanks for your comments

  111. I caught this in Paris from a public wireless outlet (accessed from Eurostar). I got it off my laptop by reverting to an earlier configuration (XP pro). But it had spread to my 4gb key, and reformatting this didn't remove the virus: I assumed it had, and in this way infected my desktop. That refused to revert to an earlier configuration. Eventually I cured both desktop and key by downloading a paid version of Spyware Doctor.

  112. Thanks a lot. Its working

  113. This was a really helpful post and I was able to remove the entire virus. Thanks a lot.

    The only problem was that the actual folder "heap41a" is not being deleted. I changed the registry entry and its showing other folders and not this one.

    I managed to delete the contents of the folder by going to the address bar and typing the address as suggested and deleted the files inside "heap41a" but wasn't able to delete the actual folder.

    I suppose its not really a problem, but it'd be nice if I could actually find the folder and delete that too.

    Anyway, thanks a lot for all the details mentioned up here.
