29 May 2007


W32.USBWorm spreads through USB drives. It prevents the user from using Firefox and shows a message which reads, "I DNT HATE MOZILLA BUT USE IE OR ELSE..." The message header reads, "USE INTERNET EXPLORER YOU DOPE." Firefox is then closed by force. It also blocks the "Orkut" and "YouTube" sites.


First format the USB drive that carries the virus (your data may be lost).
Update: No need to format the USB pen drive; delete the autorun.inf file and any folder whose name ends with .exe on the pen drive.

Press Alt+Ctrl+Del --> you can see 'Task Manager' --> click on Process tab --> Locate 'SVCHOST.EXE' (will see many SVCHOST.EXE, but select the one having 'User Name' same as your Windows login name). --> Click End Process button

Now proceed as follows:

Way 1

Open Task Manager by holding Ctrl + Alt + Del and click on the Processes tab.

- Ignore the warning messages and end the svchost.exe process that runs under your own user name.

- Navigate to C:/Heap41a and delete the contents of the folder.

Way 2

Start Menu > Run > type regedit and press the Enter key

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Reset CheckedValue back to 1 from 2 (to do that, right-click CheckedValue > Modify > Value data >

Beware of using a USB pen drive, especially in browsing centers. Found in some browsing centers in Bangalore too.

Go to C:\heap41a and delete this folder. If there is a folder called test.exe on your desktop, delete that too.

Clear all the entries called heap41a from this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
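
An added example, not part of the original post: a Python script that audits a text export of the registry (the .reg file written by regedit's Export or `reg export`) for the two registry changes described in Way 2, a `CheckedValue` other than 1 under `SHOWALL` and any entry mentioning heap41a under `policies\Explorer` or its subkeys. The sample export is constructed; the `Run` subkey and the `winlogon` value name in it are taken from a reader's comment further down this page.

```python
import re
import sys
from pathlib import Path

# Key paths as given in the post.
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
POLICY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\policies\Explorer")
MARKER = "heap41a"

# Matches "Name"=dword:0000000X and "Name"="string data" lines of a .reg file.
VALUE_RE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"='
    r'(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<string>(?:[^"\\]|\\.)*)")$')

# Constructed sample export of an affected machine (not captured from a real system).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe"
"""


def parse_reg_export(text):
    """Map each key path to {value name: data} for dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue  # header, blank line, or a value type this audit ignores
        name, dword, string = match.group("name", "dword", "string")
        if dword is not None:
            current[name] = int(dword, 16)
        else:
            current[name] = re.sub(r"\\(.)", r"\1", string)  # undo .reg escaping
    return keys


def audit(text):
    """Return (kind, key, detail) tuples for the changes the post describes."""
    findings = []
    policy = POLICY_KEY.lower()
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == SHOWALL_KEY.lower():
            checked = {n.lower(): v for n, v in values.items()}.get("checkedvalue")
            if checked != 1:  # the post says the value should be 1
                findings.append(("hidden-files-setting", key, checked))
        if k == policy or k.startswith(policy + "\\"):
            for name, data in values.items():
                if MARKER in f"{name} {data}".lower():
                    findings.append(("heap41a-entry", key, name))
    return findings


def load_export(path):
    """Version 5.00 .reg exports are UTF-16 text with a byte-order mark."""
    return Path(path).read_text(encoding="utf-16")


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for kind, key, detail in audit(text):
        print(f"{kind}: {key} -> {detail!r}")
```
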

i dont hate mozilla

Update: Don't uninstall Firefox. Some people are experiencing issues with the OS after uninstalling Firefox on an infected machine. If you uninstall Firefox instead of removing the virus, the system will refuse to boot in normal or safe mode.

For further reference check out here

Warning : Try out this at your own risk
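
An added example, not part of the original post: a Python script that inspects the top level of a mounted pen drive for the two things the update above says to delete, an autorun.inf file and any folder whose name ends with .exe, and lists the programs the autorun.inf would launch. The sample drive layout and every file name in it other than autorun.inf are constructed for the demonstration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Constructed sample autorun.inf; the folder and file names in it are made up.
SAMPLE_AUTORUN = (b"; constructed sample\r\n"
                  b"[AutoRun]\r\n"
                  b"open=sample.exe\\launcher.exe\r\n"
                  b"shell\\open\\command = sample.exe\\launcher.exe\r\n"
                  b"icon=drive.ico\r\n")


def parse_autorun(text):
    """Return the launch targets named in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue  # tolerate comments and junk lines
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all start a program.
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def scan_drive(root):
    """Inspect the drive's top level; only autorun.inf is read, nothing is run."""
    findings = {"autorun_inf": None, "launch_targets": [],
                "exe_named_dirs": [], "linked_targets": []}
    for entry in sorted(Path(root).iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            findings["autorun_inf"] = entry.name
            text = entry.read_bytes().decode("latin-1")
            findings["launch_targets"] = parse_autorun(text)
        elif name.endswith(".exe") and entry.is_dir():
            # The post names *folders* ending in .exe, so plain files are skipped.
            findings["exe_named_dirs"].append(entry.name)
    flagged = {d.lower() for d in findings["exe_named_dirs"]}
    for target in findings["launch_targets"]:
        first = re.split(r"[\\/]", target.strip('"'))[0].lower()
        if first in flagged:  # autorun.inf points into a flagged folder
            findings["linked_targets"].append(target)
    return findings


def build_sample_drive(root):
    """Create a constructed drive layout for the demonstration."""
    root = Path(root)
    (root / "photos").mkdir()
    (root / "photos" / "trip.jpg").write_bytes(b"\xff\xd8")
    (root / "sample.exe").mkdir()  # a folder, despite the .exe name
    (root / "sample.exe" / "placeholder.txt").write_text("constructed")
    (root / "AUTORUN.INF").write_bytes(SAMPLE_AUTORUN)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_drive(sys.argv[1]))
    else:
        with tempfile.TemporaryDirectory() as demo:
            build_sample_drive(demo)
            print(scan_drive(demo))
```

Pass the drive's mount point as the first argument, on a machine that does not act on autorun.inf (the Linux PC suggested in a comment below is one option).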


  1. dude... thanks for ur comment.

    but in way 2 also i think you will need to terminate the svchost process first otherwise..

    it wont stop...

  2. Rajavanya, Thanks for pointing out this. Updated in the post

  3. hi,
    i am experiencin the same virus attack..but to add to my distress my laptop says 'Task Manager has been disabled by administrator' or 'registry editor has been disabled by administrator' ..now whadda i do??
    pls help.

  4. Hi keerthy
    You have to contact to your administrator to do this for you

  5. "registry editor has been disabled by administrator" give a search in google and it is showing lot of solution how to fix this issue. or check out what Microsoft says http://support.microsoft.com/kb/555480

  6. Boot up in safe mode, and search under C:\ (root drive) for a system folder called heap81 or something. This contains the script files containing the text messages that you see. The folder also contains a copy of svchost.exe

    Delete the folder and contents.

    Reboot normally.

    This worked for me.

  7. reg editor done.. thanks a lot..
    but i dont see any heap41a in my c drive..

  8. heap41a is a hidden folder and not visible by default. In the address bar, type C:\heap41a and press enter.
    Hope you can see that now

  9. or Go to windows explorer > Menu> Tools >Folder Options..> View>Show hidden files and folders ->select that, it will show all the hidden folders

  10. tried viewin thru hidden file option..not working..
    tried searchin..that too dint show any results.

  11. hey..thanks,
    worked some how or the other (tried thru run window)..
    problem solved.. thanks a lot man.

  12. That is fine.. i can use firefox now.. But the hidden files in system cannot be seen.. how to solve this issue

  13. Anonymous, June 12, 2007

    Newbies can look at this site which has got some gifs and screen shots to
    remove the worm.

  14. Anonymous, June 14, 2007

    hi , i also had the same problem of "I DNT HATE MOZILLA...." and "ORKUT IS BANNED..." but after deleting the folder heap41a and after making changes in registry (i,e "HKEY_LOCAL_MACHINE->software->microsoft->windows->current
    version->explorer->advanced->folder->hidden->showall->CheckedValue" to 1 instead of the 0)......
    after making these changes i am facing a new problem in "shutting down my Laptop"....
    it is taking too much time to shut down and it is not shutting down properly....
    Please help me dudes...

  15. Hi , Anonymous
    It's clearly said that if the registry value is 2 then make it to 1. You did like 0 to 1 which you should not do. Be serious if you play around with registry.

  16. Anonymous, June 19, 2007

    hey ppl hi

    i had the same problem the only one thing i did was system restore u ppl can try tat. mine is solved.its the most simple solution.

  17. Anonymous, June 20, 2007

    Thanks, works great

  18. Thanks for the info. I was facing the same problem. By the looks of the content of the folder, it looked like a simple program and not a virus. Just a Virus-like program. Didnt harm the PC. On running svchost.exe, it created a text file. Apparently this nifty script (virus?) has been created using AutoHotKey (http://www.autohotkey.com/)!! So this guys not a geek, or a computer wizard, but just some poor old jobless guy. I pity him.

  19. Thanks to some great documentation on the web, I have managed to rid my system off the worm. But try as I did, I couldn't delete the autorun.inf from my pen drive. Every time I undertake a data transaction via the pen drive, my registry gets altered so that i cant see the hidden files anymore. I tried changing the registry value too. But, contrary to written documentation the value was 0 initially and not 2. Can anyone help me to rid the worm from my drive forever? I tried formatting, that doesnt help. My pen drive is a U3 Cruzer make, if that helps.

  20. Thanks a lot....Using slide show i got corrected...


  21. Dear cipson,

    I have a serious problem and I hope you can help me out to which I will be eternally grateful.

    There are two PCs in our home. My GF's comp and mine. My GF's comp is connected to the net while mine isn't. My GF's comp has just got infected with the "I DNT HATE MOZILLA BUT USE IE OR ELSE" virus. So we uninstalled FF through safe mode.

    Now her comp just wont boot!!! Either through safe mode or normal, it cannot boot.

    So here I am connecting to the net from my comp (her connection), hoping you can help us with our plea. What are we supposed to do? We cannot even go to the HKEY registry etc because her comp cannot boot.

    Sincerely yours,

    Kima and Hmai.

  22. Hi illusionaire,

    This is an odd problem and looks serious. Instead of uninstalling Firefox, you should have followed the procedure mentioned in my blog. Try to repair your computer with the OS CDs.

    Note to others: If you are a victim of this virus, DON'T uninstall Firefox; instead, just remove the virus. Else you may also end up with what illusionaire is facing now.

  23. Thanx Clipsen. Yes I now know I shouldn't have uninstalled FF. That's what everybody seems to tell me in all the Forums I've posted.

    Anyway, I was hoping I could add one more point regarding this virus.

    During my research, I read that McAfee can clean this virus while AVG can't. That explained the reason why my GF's PC crashed while mine didnt, because a friend of ours came and connected her i-Pod to BOTH our PCs last night but only my GF's PC was infected. My GF use AVG while I use McAfee.

    When our friend first connected her i-Pod to my PC (McAfee) USB drive my PC hanged, so she connected to my GF's PC (AVG) where it didnt hang. I guess my PC hanged because my McAfee tried to block the virus or something like that.

    Hope that helps a bit.

  24. hey there,
    thanks a lot,

    your suggestion helped me out.


  25. hey ,

    now whenever i reboot the error reappears,

    i go thr' the way2 again, it solves the problem but only for that session,
    again when i switch off and start the comp. the virus reappears,

    but now heap41a the file which i had deleted in first place does not reappear.

    any suggestions,


  26. That was a reliever...thanz a lot!

  27. thaanz a lt dude...dat was a reliever...such a strange worm!....

  28. hi thanks a lot.can open firefox now but for some reason my firefox can only go to the polish version of youtube(ithink) (cuz its http://pl.youtube.com). cant access the english version. If u know a way to fix tht pls let me know . thank you. Surya

  29. Surya
    Just clear your browser history and content may solve your problem

  30. Yuppp.Thanks a lot man :)

  31. hi,
    i have a problem. i wont able to find out c:/Heap41a . its also not available in hiden file. so, what to do.... plz help me..

  32. It might be hidden
    Open Windows Explorer > Menu > Tools > Folder Options > View >

    select "show hidden files and folders" and try.

  33. hi i tried doing all the above .. but for me it does not work..
    i just cant see the folder heap41a..
    i followed both method 1 and
    method 2.. also changed the instruction to ' show hidden files' but i still cant see the folder..
    but when i try to do it via command prompt.. i can enter the directory heap41a .. and see the file using dir command..
    i tried 'del' it says access denied..

    so what should i do..
    when going via the task manger.. on doing end file.. the worm open more svchost.exe..

    kindly help

  34. How to get rid of this virus from my Pen drive ? please help..

  35. hi im having this orkut banned problem, i tried both the ways mentioned but none worked as no task manager is responding n no regedit file opens from start menu>run. niether my laptop is going into safe mode. i had tried for restoration of system but the virus folder keeps on coming up its c:\heap41a\reproduced.txt
    kindly help

  36. >>How to get rid of this virus from my Pen drive ?

    TO prevent to spread this virus, format the pen drive. Transfer ONLY your important data before doing this

  37. ANKIT

    Are you using the same pen drive again in your computer? Format the pen drive, else whenever you connect the pen drive the virus will appear again and again.

  38. yogi

    Check out you have the admin rights to do it

  39. >>no task manager is responding n no regedit file opens from start menu>run

    Check out you have the administrator rights in your computer. Still if you cannot open the task manager, looks like the problem is something else with your computer.

  40. Way1 works Perfectly!!!! Thanks a TOn!

  41. thanks a lot man
    it helped me

  42. Hi Yogi

    >i just cant see the folder >heap41a..

    when you open the folder in your explorer, type in "C:\heap41a". immediately it is opened.

    >but when i try to do it via >command prompt.. i can enter the >directory heap41a .. and see the >file using dir command..
    >i tried 'del' it says access >denied..

    first you end the "svchost.exe" process, with the same username as the one you have used to log in with. then it can be deleted.

  43. Hi Rajesh
    Thanks for helping who has the 'heap' problem

  44. Dear all,
    Thanx for such a useful info. I tried ur method but couldn't locate the heap41 a folder. I tried both da methods, e.g. hidden folder option and by typing the address in explore..
    Could u plz suggest me any oder way


  45. Himanshu Bhardwaj, August 29, 2007

    Hey SHylock ... just copy and paste: C:/Heap41a in the run command and the folder will appear ....

  46. Thanks bro it really helped me. thanks again.

  47. hey thanks a lot man...worked fine..

  48. hi,

    Thanks so much it helped me a lot,
    in my PC i am using Pen drives a lot. Is there any possibility of repeating this problem

  49. hey guys thanx for the research u have done
    it really helped
    thnx a lot

  50. Thanx a lot dude....
    it works

  51. Dudes... Thanks a lot..Really...I really dint know what to do when that came and it wasnt even my computer... Thanks a lot. I learnt a lesson.. never use a third guys flash drive unless U know him/her quite well!!! Because if that happens U can shout at them!!!

  52. Fantastic post. Concise and complete. I have linked to your post and copied the "Solution" to my blog at http://6by13.blogspot.com/

    If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!

  53. Hi All,

    The blog was really helpful.

    Thanks a lot...

  54. @Swapz, @Loganathan Happy to hear that you removed the virus with out any issues.

    @Swapz, >>If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!

    No at all. Share the information and let others get help to solve the issue. Thanks for linking me in your site

  55. thanks alot! it worked! =)

  56. Thank you very much !!!!!!!!
    I love you !!!!!!!

  57. Hi Great help...

    But there is a small variation.. in my system checked value was set to 0 (not 2). then I've changed that to 1. and it is working..

    Thank you very much...


  58. thanks cipson.,
    facing the same w32.usbworm problem ,but solved by ur comment .thanks
    -------------- gdhakad

  59. hey,Thanks Boss..
    Very Nice......

  60. Hi there.
    Sharm here. This blog here has been a great help. I was attacked as well. It is true that the Heap file is hidden, and the best way to locate it is to cut and paste the link onto the address bar.
    Thanks again!

  61. ow thankyou....thankyou very much.....

  62. hey guys.. i really wished i came here without doing anything..
    I just recently discovered the problem and have actually deleted firefox (dumb me.. i know but i'm pretty bad at computers).. I need help tho.. i stopped svchost thingy and deleted heap41... however, i didn't regedit... so how? gahhh!!

  63. anyawys... i just took ur advice.. eventhough i uninstalled ff.. :(( i hope it works..

  64. Hey Thank you.. It worked like a charm for me.

  65. it's really work on my pc dude! thank you very much!!! pheww!

  66. Thanks for the help with this "dnt hate mozilla" worm...

    I've followed some of your suggestions, but can not delete one of the .exe files from my pen drive. All the others deleting fine, but this one says I "don't have authority" or something like that.

    Any "forced delete" command?

    Paul (California Math/Science teacher here in Bangalore for 5 month teacher exchange at a KV)

  67. Dude, thank u SOOOOOOOOOOOOOOOO much for that, it helped me to get rid of that dumb virus!!! It was reallly useful!!! And thanx to that, i could get rid of the virus before it caused much damage. U rock man!!

  68. Happy to hear that @ Anna, Braxis, Siva, ganesh, tiger, Sharm, Kxin, Anonymous guys solved the issues.

    @ Karen & Paul Amstutz , Welcome to Bangalore and hope you settled well here. For removing the files, double click on my computer> select the pen drive: check the drive name of pen drive like F: E: (choose it correctly)

    Now follow the procedure
    Start> Run > type CMD > press enter key
    A cmd window (black & white appear)
    there type E: (assume your pen drive is E:)

    Now you reach E prompt and type format E:
    E:\>Format E:
    Press Y once it asked.
    It will format the entire pen drive.

    Make sure you have backup of important files

  69. Thanks for advice...
    But I can NOT delete all the .exe files on the pen drive?!
    One last .exe always says something like "no access" or "you don't have privilege to access this file."

    How do I force delete this file?

  70. Ooops... sorry Cipson for repeating my question!

    I had an old "saved as" version of your blog, and didn't see your response to us!

    Thanks, I'll give it a try!


  71. cheers so much for this blog thingy...hadn't a notion what was happening to my computer, but then i saw this.
    i think its all fixed so thanks again


  72. Thanks dude, your advice worked a treat!

  73. thnx a tonne!! it wrked fr me ...back to scrappin ppl cheers

  74. Thanks, It worked for me. Smile.

  75. dear cipson and all
    iam sriram
    this query is not related to . the the PC WORM.
    this is another .
    my windows search option is not working . i think i may have deleted some important file which is the base for the search option.
    so can u help me out.

  76. sriram, put in the Windows OS CD and select the repair option. It will fix the problem

  78. Hi,
    i'm using a pc in a cyber cafe. This PC had the same problem whenever i run Mozilla. After reading solution in this page i told the cc owner to remove the worm. he told me he can do that but doing it everyday is kinda....... So is there any solution to prevent from future infection ?

  80. thanx dude..ur blog was great help! was frustrated trying to rid my comp of this sick virus! IE can be exhausting 2 use once u've gotten used to firefox!

    thanks so much! God bless ya!

  81. Hi,
    I experienced the same worm. The procedure you mentioned really works.Thanx a lot.


  82. i think microsoft wrote this, LOL!

  83. removal tool for this virus is available @ http://tec-updates.blogspot.com/2007/07/remove-heap41a-win32usbworm-worm.html

  84. Youve been very helpful, thank you

  85. i have created a remover for the same virus
    just visit my blog and download the tool. It can heal and revert back ur registry.

  86. Hey Guys.
    im not getting any Taskbar to end process.
    and also unable to open registry from RUN.
    on doing experiments found svchost.exe in c drive but unable to delete that file

    please help me out to solve this problem

  87. ooohh.. Thanks a lot guys..! Actually i was effected by this damn virus.. it came with my pen drive after thaking some files from school!! I was scared ! But i deleted all the contents of heap41a.. Did everything! The problem is solved now...Thank you very much... Good bless you...

  88. Thanks for your comments

  89. Okay..will keep in touch with you guys.. You ppl are a great support to each and very one who uses a computer... Keep up this good work

  90. Thanks I searched for the file in C:/ and removed it- it worked

  91. i C:/Heap41a -just found and deleted it- it worked-Thanks

  92. 1)Go to Task Manager (Press Ctrl+Alt+Del)
    2)Goto Processes Tab
    3)End all processes with the name svchost.exe (only those with your user name to its right)
    4)Note that you shouldn't end the system process svchost.exe(the SYSTEM process)
    5)Goto Start>Run
    6)Type in regedit and click OK
    7)Navigate to HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ Folder\Hidden\SHOWALL and on the right pane doubleclick CheckedValue and change it back to 1
    8)Now navigate to HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and delete the winlogon key on the right pane
    9)Now close regedit and search your computer for a file named svchost.exe (enable Search hidden files and folders)
    10)You will see a file with a green H icon in the search result(There will be another svchost.exe file in system32. Ignore it.Its a system file.)
    11)Open that file location and delete the folder that contained this file.
    13)Now the virus is gone.

  93. hi cipson

    when i use mozilla to access certain sites (see example below)the page closes at once...just like that. do u know what could be wrong??



  94. Thanks so much for the solution:))

  95. Simple way to delete all viruses like these kind is to use a linux pc, plug in the USB drive , u will see all the files n worms ... delete it safely because .exe files doesnt have any impact on linux. CHEERS

  96. thanks much! my little cousin was about to cry! :)

  97. Michael Julius, March 05, 2008

    Thanks a lot, dude. it worked just fine.

  98. hey cipson i have deleted all the files of heap41a but only svchost is left. in my task manager there are many such as svchost.exe username-local services,network service,system,network service,system. dude which one to delete?

  99. hi DJ
    "Press Alt+Ctrl+Del --> you can see 'Task Manager' --> click on Process tab --> Locate 'SVCHOST.EXE' (will see many SVCHOST.EXE, but select the one having 'User Name' same as your Windows login name). --> Click End Process button"

    Has to select the one with the windows user name which u logged in

  100. Thanks a lot..I am able to work with Mozilla now..Thanks for your help..Gayatri

  101. Hi..
    Thanks a lot friend, it was easy and the way that you give is the easiest way to remove this intruder..
    Nice job..

  102. auto78900, July 07, 2008

    please can you tell me how I delete
    the Virus off my USB stick ?

    I have not yet infected my home PC.

    So Im a bit worried putting my usb stick in it.

    When I delete all 3 files ,10 seconds they come back again.
    What caution can I take that the usb stick does not infect my pc ,before I put my USB stick in ?????

  103. hi.
    i think instead of deleting the files from your USB stick. it's better to format your USB stick.
    this will completely erase your virus from that..

  104. No , I can not reformat the stick because I have important data on them.

    Also I tried using that removal program ,all it does is display "please relogin or restart your computer" after I pressed remove, it then just goes in a loop. Why should you have to restart your computer ? I just want those 3 files removed off my sticks !

  107. auto78900, July 08, 2008

    No I can not delete with reformat

    I have important data on that usb.

    I also tried the removal program,but it does nothing ,just goes in a loop ,after message "restart your pc" and its still there.

  108. i dont see any heaps folder..

    help me guys

  109. Thanks for the help guys.
    I followed the first method and it's working. Haven't restarted my PC but I can access everything (FF, Orkut, Youtube)

    Great work guys......thanks once again

  110. Hi all, Thanks for your comments

  111. I caught this in Paris from a public wireless outlet (accessed from Eurostar). I got it off my laptop by reverting to an earlier configuration (XP pro). But it had spread to my 4gb key, and reformatting this didn't remove the virus: I assumed it had, and in this way infected my desktop. That refused to revert to an earlier configuration. Eventually I cured both desktop and key by downloading a paid version of Spyware Doctor.

  112. Thanks a lot. Its working

  113. This was a really helpful post and I was able to remove the entire virus. Thanks a lot.

    The only problem was that the actual folder "heap41a" is not being deleted. I changed the registry entry and its showing other folders and not this one.

    I managed to delete the contents of the folder by going to the address bar and typing the address as suggested and deleted the files inside "heap41a" but wasn't able to delete the actual folder.

    I suppose its not really a problem, but it'd be nice if I could actually find the folder and delete that too.

    Anyway, thanks a lot for all the details mentioned up here.