Solutions
First, format the USB drive that carries the virus (you may lose your data).
Update: There is no need to format the USB pen drive. Delete the autorun.inf file and any folder whose name ends with .exe on the pen drive.
Press Alt+Ctrl+Del to bring up Task Manager --> click on the Processes tab --> locate 'SVCHOST.EXE' (you will see many SVCHOST.EXE entries; select the one whose 'User Name' is the same as your Windows login name) --> click the End Process button.
Now proceed as follows.
Way 1
- Open Task Manager by holding Ctrl + Alt + Del and click on the Processes tab.
- Ignore the warning messages and stop the svchost.exe process that runs under the user name you are logged in with.
- Navigate to C:\heap41a and delete the contents of the folder.
Way 2
Start Menu > Run > type regedit and press the Enter key.
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Reset CheckedValue back to 1 from 2 (to do that, right-click CheckedValue > Modify > Value data >
Beware of using a USB pen drive, especially in a browsing center. Found some browsing centers in Bangalore too.
Go to C:\heap41a and delete this folder. If there is a folder called test.exe on your desktop, delete that too.
Clear all entries called heap41a from this registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
W32.USBWorm
i dont hate mozilla
Update: Don't uninstall Firefox. Some people are experiencing issues with the OS after uninstalling Firefox once infected with the virus. If you uninstall it instead of removing the virus, the system will refuse to boot in normal / safe mode.
For further reference check out here
Warning: Try this at your own risk.
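The check from the update above (an autorun.inf file and any folder whose name ends with .exe on the pen drive), as an added example that is not part of the original post: a read-only Python scan of a drive root, which can be run from a machine that does not act on autorun.inf. The function names and the sample tree are constructed for illustration and are not the worm's real files.

```python
"""Read-only scan of a USB drive root for the two indicators named in the post:
an autorun.inf file and any folder whose name ends with .exe."""
import sys
import tempfile
from pathlib import Path

# autorun.inf keys that make Windows start a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return (key, target) pairs from the [autorun] section that launch a program."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command adds a right-click/double-click action.
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append((key, value))
    return targets


def scan_drive(root):
    """List what to review on the drive; nothing is deleted or modified."""
    report = {"autorun_present": False, "autorun_targets": [], "exe_named_folders": []}
    for entry in sorted(Path(root).iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if entry.is_file() and name == "autorun.inf":
            report["autorun_present"] = True
            # latin-1 decodes any byte sequence, so odd encodings cannot crash the scan.
            report["autorun_targets"] = parse_autorun(entry.read_text(encoding="latin-1"))
        elif entry.is_dir() and name.endswith(".exe"):
            report["exe_named_folders"].append(entry.name)
    return report


def build_sample_drive():
    """Constructed sample tree standing in for a pen drive (not the real worm's files)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "autorun.inf").write_text(
        "; constructed sample\n[AutoRun]\nopen=photos.exe\\start.exe\nicon=drive.ico\n"
    )
    (root / "photos.exe").mkdir()      # a folder, despite the .exe suffix
    (root / "documents").mkdir()
    (root / "notes.txt").write_text("ordinary file\n")
    return root


if __name__ == "__main__":
    # Pass the drive root (e.g. E:\ or a Linux mount point); defaults to the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    result = scan_drive(target)
    print("autorun.inf present:", result["autorun_present"])
    for key, value in result["autorun_targets"]:
        print(f"  launches via {key}: {value}")
    for folder in result["exe_named_folders"]:
        print("  folder named like a program:", folder)
```

The scan only reports; deleting the listed items remains the manual step described in the post.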
dude... thanks for ur comment.
but in way 2 also i think you will need to terminate the svchost process first otherwise..
it wont stop...
Rajavanya, Thanks for pointing out this. Updated in the post
hi,
i am experiencin the same virus attack..but to add to my distress my laptop says 'Task Manager has been disabled by administrator' or 'registry editor has been disabled by administrator' ..now whadda i do??
pls help.
keerthy
Hi keerthy
You have to contact your administrator to do this for you
but i am the administrator..
"registry editor has been disabled by administrator" give a search in google and it is showing lot of solution how to fix this issue. or check out what Microsoft says http://support.microsoft.com/kb/555480
Boot up in safe mode, and search under C:\ (root drive) for a system folder called heap81 or something. This contains the script files containing the text messages that you see. The folder also contains a copy of svchost.exe
Delete the folder and contents.
Reboot normally.
This worked for me.
reg editor done.. thanks a lot..
but i dont see any heap41a in my c drive..
heap41a is a hidden folder and not visible by default. In the address bar, type C:\heap41a and press enter.
Hope you can see that now
or Go to windows explorer > Menu> Tools >Folder Options..> View>Show hidden files and folders ->select that, it will show all the hidden folders
tried viewin thru hidden file option..not working..
tried searchin..that too dint show any results.
hey..thanks,
worked some how or the other (tried thru run window)..
problem solved.. thanks a lot man.
That is fine.. i can use firefox now.. But the hidden files in system cannot be seen.. how to solve this issue
Newbies can look at this site which has got some gifs and screen shots to remove the worm.
w32.USBWorm-remove.html
hi , i also had the same problem of "I DNT HATE MOZILLA...." and "ORKUT IS BANNED..." but after deleting the folder heap41a and after making changes in registry (i,e "HKEY_LOCAL_MACHINE->software->microsoft->windows->current version->explorer->advanced->folder->hidden->showall->CheckedValue" to 1 instead of the 0)......
after making these changes i am facing a new problem in "shutting down my Laptop"....
it is taking too much time to shut down and it is not shutting down properly....
Please help me dudes...
Hi , Anonymous
It's clearly said that if the registry value is 2 then make it to 1 . You did like 0 to 1 which you should not do. Be serious if you play around with registry.
hey ppl hi
i had the same problem the only one thing i did was system restore u ppl can try tat. mine is solved.its the most simple solution.
Thanks, works great
Thanks for the info. I was facing the same problem. By the looks of the content of the folder, it looked like a simple program and not a virus. Just a Virus-like program. Didnt harm the PC. On running svchost.exe, it created a text file. Apparently this nifty script (virus?) has been created using AutoHotKey (http://www.autohotkey.com/)!! So this guys not a geek, or a computer wizard, but just some poor old jobless guy. I pity him.
Thanks to some great documentation on the web, I have managed to rid my system off the worm. But try as I did, I couldn't delete the autorun.inf from my pen drive. Every time I undertake a data transaction via the pen drive, my registry gets altered so that i cant see the hidden files anymore. I tried changing the registry value too. But, contrary to written documentation the value was 0 initially and not 2. Can anyone help me to rid the worm from my drive forever? I tried formatting, that doesnt help. My pen drive is a U3 Cruzer make, if that helps.
Thanks a lot....Using slide show i got corrected...
Mallesh.J
Dear cipson,
I have a serious problem and I hope you can help me out to which I will be eternally grateful.
There are two PCs in our home. My GF's comp and mine. My GF's comp is connected to the net while mine isn't. My GF's comp has just got infected with the "I DNT HATE MOZILLA BUT USE IE OR ELSE" virus. So we uninstalled FF through safe mode.
Now her comp just wont boot!!! Either through safe mode or normal, it cannot boot.
So here I am connecting to the net from my comp (her connection), hoping you can help us with our plea. What are we supposed to do? We cannot even go to the HKEY registry etc because her comp cannot boot.
Sincerely yours,
Kima and Hmai.
Hi illusionaire,
This is an odd problem and looks serious. Instead of uninstalling the FireFox, you should have to follow the procedure mentioned in my blog. Try to repair your computer with the OS CDs.
Note to others : If you are a victim of this virus, DONT uninstall the FireFox, instead of just remove the virus . Else you may also end up with what illusionaire is facing now.
Thanx Clipsen. Yes I now know I shouldn't have uninstalled FF. That's what everybody seems to tell me in all the Forums I've posted.
Anyway, I was hoping I could add one more point regarding this virus.
During my research, I read that McAfee can clean this virus while AVG can't. That explained the reason why my GF's PC crashed while mine didnt, because a friend of ours came and connected her i-Pod to BOTH our PCs last night but only my GF's PC was infected. My GF use AVG while I use McAfee.
When our friend first connected her i-Pod to my PC (McAfee) USB drive my PC hanged, so she connected to my GF's PC (AVG) where it didnt hang. I guess my PC hanged because my McAfee tried to block the virus or something like that.
Hope that helps a bit.
hey there,
thanks a lot,
your suggestion helped me out.
ankit.
hey ,
now whenever i reboot the error reappears,
i go thr' the way2 again, it solves the problem but only for that session,
again when i switch off and start the comp. the virus reappears,
but now heap41a the file which i had deleted in first place does not reappear.
any suggestions,
ankit.
That was a reliever...thanz a lot!
thaanz a lt dude...dat was a reliever...such a strange worm!....
hi thanks a lot.can open firefox now but for some reason my firefox can only go to the polish version of youtube(ithink) (cuz its http://pl.youtube.com). cant access the english version. If u know a way to fix tht pls let me know . thank you. Surya
Surya
Just clear your browser history and content may solve your problem
Yuppp.Thanks a lot man :)
hi,
i have a problem. i wont able to find out c:/Heap41a . its also not available in hiden file. so, what to do.... plz help me..
It might be hidden
Open Windows Explorer > Menu > Tools > Folder Options > View >
select "show hidden files and folders" and try.
hi i tried doing all the above .. but for me it does not work..
i just cant see the folder heap41a..
i followed both method 1 and
method 2.. also changed the instruction to ' show hidden files' but i still cant see the folder..
but when i try to do it via command prompt.. i can enter the directory heap41a .. and see the file using dir command..
i tried 'del' it says access denied..
so what should i do..
when going via the task manger.. on doing end file.. the worm open more svchost.exe..
kindly help
thank u guru
How to get rid of this virus from my Pen drive ? please help..
hi im having this orkut banned problem, i tried both the ways mentioned but none worked as no task manager is responding n no regedit file opens from start menu>run. neither my laptop is going into safe mode. i had tried for restoration of system but the virus folder keeps on coming up its c:\heap41a\reproduced.txt
kindly help
>>How to get rid of this virus from my Pen drive ?
To prevent to spread this virus, format the pen drive. Transfer ONLY your important data before doing this
ANKIT
Are you using the same pen drive again in your computer ? Format the pen drive, else when ever you connect the pen drive the virus will appear again and again.
yogi
Check out you have the admin rights to do it
>>no task manager is responding n no regedit file opens from start menu>run
Check out you have the administrator rights in your computer. Still if you cannot open the task manager, looks like the problem is something else with your computer.
Way1 works Perfectly!!!! Thanks a TOn!
thanks a lot man
it helped me
Hi Yogi
>i just cant see the folder heap41a..
when you open the folder in your explorer, type in "C:\heap41a". immediately it is opened.
>but when i try to do it via command prompt.. i can enter the directory heap41a .. and see the file using dir command..
>i tried 'del' it says access denied..
first you end the "svchost.exe" process, with the same username as the one you have used to log in with. then it can be deleted.
Hi Rajesh
Thanks for helping who has the 'heap' problem
Dear all,
Thanx for such a useful info. I tried ur method but couldn't locate the heap41 a folder. I tried both da methods, e.g. hidden folder option nad by typing the address in explore..
Could u plz suggest me any oder way
Thanx
Hey SHylock ... just copy and paste: C:/Heap41a in the run command and the folder will appear ....
Thanks bro it really helped me. thanks again.
hey thanks a lot man...worked fine..
hi,
Thanks so much it helped me a lot,
in my PC i am using Pen drives a lot. Is there any possibility of repeating this problem
hey guys thanx for the research u have done
it really helped
thnx a lot
Thanx a lot dude....
it works
Dudes... Thanks a lot..Really...I really dint know what to do when that came and it wasnt even my computr... Thanks a lot. I learnt a lesson.. nevger use a third guys flash drive unless U know him/her quite well!!! BEcause if that happens U can shout at them!!!
Fantastic post. Concise and complete. I have linked to your post and copied the "Solution" to my blog at http://6by13.blogspot.com/
If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!
Hi All,
The blog was really helpful.
Thanks a lot...
@Swapz, @Loganathan Happy to hear that you removed the virus with out any issues.
@Swapz, >>If you would like me to remove the copied text, please lemme know as a comment to my post. Thanks!
No at all. Share the information and let others get help to solve the issue. Thanks for linking me in your site
thanks alot! it worked! =)
Thank you very much !!!!!!!!
I love you !!!!!!!
Muahahahahahaha!!!!!!!!!!!
Hi Great help...
But there is a small variation.. in my system checked value was set to 0 (not 2). then I've changed that to 1. and it is working..
Thank you very much...
Siva
www.bluebizit.com
Thanks! It worked for me...
thanks cipson.,
facing the same w32.usbworm problem ,but solved by ur comment .thanks
-------------- gdhakad
hey,Thanks Boss..
Very Nice......
Hi there.
Sharm here. This blog here has been a great help. I was attacked as well. It is true that the Heap file is hidden, and the best way to locate it is to cut and paste the link onto the address bar.
Thanks again!
ow thankyou....thankyou very much.....
hey guys.. i really wished i came here without doing anything..
I just recently discovered the problem and have actually deleted firefox (dumb me.. i know but i'm pretty bad at computers).. I need help tho.. i stopped svchost thingy and deleted heap41... however, i didn't regedit... so how? gahhh!!
anyawys... i just took ur advice.. eventhough i uninstalled ff.. :(( i hope it works..
Hey Thank you.. It worked like a charm for me.
it's really work on my pc dude! thank you very much!!! pheww!
Thanks for the help with this "dnt hate mozilla" worm...
I've followed some of your suggestions, but can not delete one of the .exe files from my pen drive. All the others deleting fine, but this one says I "don't have authority" or something like that.
Any "forced delete" command?
Thanks!!!
Paul (California Math/Science teacher here in Bangalore for 5 month teacher exchange at a KV)
Dude, thank u SOOOOOOOOOOOOOOOO much for that, it helped me to get rid of that dumb virus!!! It was reallly useful!!! And thanx to that, i could get rid of the virus before it caused much damage. U rock man!!
Happy to hear that @ Anna, Braxis, Siva, ganesh, tiger, Sharm, Kxin, Anonymous guys solved the issues.
@ Karen & Paul Amstutz , Welcome to Bangalore and hope you settled well here. For removing the files, double click on my computer> select the pen drive: check the drive name of pen drive like F: E: (choose it correctly)
Now follow the procedure
Start> Run > type CMD > press enter key
A cmd window (black & white appear)
there type E: (assume your pen drive is E:)
Now you reach E prompt and type format E:
E:\>Format E:
Press Y once it asked.
It will format the entire pen drive.
Make sure you have backup of important files
Thanks for advice...
But I can NOT delete all the .exe files on the pen drive?!
One last .exe always says something like "no access" or "you don't have priviledge to access this file."
How do I force delete this file?
Ooops... sorry Cipson for repeating my question!
I had an old "saved as" version of your blog, and didn't see your response to us!
Thanks, I'll give it a try!
-Paul
cheers so much for this blog thingy...hadn't a notion what was happening to my computer, but then i saw this.
i think its all fixed so thanks again
:D
Thanks dude, your advice worked a treat!
thnx a tonne!! it wrked fr me ...back to scrappin ppl cheers
Thanks, It worked for me. Smile.
dear cipson and all
iam sriram
this query is not related to . the the PC WORM.
this is another .
my windows search option is not working . i think i may have deleted some important file which is the base for the search option.
so can u help me out.
sriram , put the windows OS CD select repair option, It will fix the problem
Hi,
i'm using a pc in a cyber cafe. This PC had the same problem whenever i run Mozilla. After reading solution in this page i told the cc owner to remove the worm. he told me he can do that but doing it everyday is kinda....... So is there any solution to prevent from future infection ?
thanx dude..ur blog was great help! was frustrated trying to rid my comp of this sick virus! IE can be exhausting 2 use once u've gotten used to firefox!
thanks so much! God bless ya!
Hi,
I experienced the same worm. The procedure you mentioned really works.Thanx a lot.
Raj
i think microsoft wrote this, LOL!
removal tool for this virus is available @ http://tec-updates.blogspot.com/2007/07/remove-heap41a-win32usbworm-worm.html
Youve been very helpful, thank you
i have created a remover for the same virus
http://prashobms.blogspot.com/2007/12/orkut-is-banned-you-fool-administrators.html
just visit my blog and download the tool. It can heal and revert back ur registry.
Thanks
Hey Guys.
im not getting any Taskbar to end process.
and also unable to open registry from RUN.
on doing expriments found svchost.exe in c drive but unable to delete that file
please help me out to solve this problem
Clipson, thanks a lot
ooohh.. Thanks a lot guys..! Actually i was effected by this damn virus.. it came with my pen drive after thaking some files from school!! I was scared ! But i deleted all the contents of heap41a.. Did everything! The problem is solved now...Thank you very much... Good bless you...
Thanks for your comments
Okay..will keep in touch with you guys.. You ppl are a great support to each and very one who uses a computer... Keep up this good work
Thanks I searched for the file in C:/ and removed it- it worked
i C:/Heap41a -just found and deleted it- it worked-Thanks
1)Go to Task Manager (Press Ctrl+Alt+Del)
2)Goto Processes Tab
3)End all processes with the name svchost.exe (only those with your user name to its right)
4)Note that you shouldn't end the system process svchost.exe(the SYSTEM process)
5)Goto Start>Run
6)Type in regedit and click OK
7)Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL and on the right pane doubleclick CheckedValue and change it back to 1
8)Now navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and delete the winlogon key on the right pane
9)Now close regedit and search your computer for a file named svchost.exe (enable Search hidden files and folders)
10)You will see a file with a green H icon in the search result(There will be another svchost.exe file in system32. Ignore it.Its a system file.)
11)Open that file location and delete the folder that contained this file.
13)Now the virus is gone.
hi cipson
when i use mozilla to access certain sites (see example below)the page closes at once...just like that. do u know what could be wrong??
www.emirates.com
www.arcelormittal.com
sibhu
Thanks so much for the solution:))
Simple way to delete all viruses like these kind is to use a linux pc, plug in the USB drive , u will see all the files n worms ... delete it safely because .exe files doesnt have any impact on linux. CHEERS
binnyjeshan.co.nr
thanks much! my little cousin was about to cry! :)
Thanks a lot, dude. it worked just fine.
hey cipson i have deleted all the files of heap41a but only svchostt is left. in my taskk manager there are many is such as svchost.exe username-local services,network service,system,network service,system. dude which one to delete?
hi DJ
"Press Alt+Ctrl+Del --> you can see 'Task Manager' --> click on Process tab --> Locate 'SVCHOST.EXE' (will see many SVCHOST.EXE, but select the one having 'User Name' same as your Windows login name). --> Click End Process button"
Has to select the one with the windows user name which u logged in
Thanks a lot..I am able to work with Mozilla now..Thanks for your help..Gayatri
Hi..
Thanks a lot friend, its was easy and the way that you give is the easiest way to remove this intruder..
Nice job..
please can you tell me how I delete
the Virus off my USB stick ?
I have not yet infected my home PC.
So Im a bit worried putting my usb stick in it.
When I delete all 3 files ,10 seconds they come back again.
What caution can I take that the usb stick does not infect my pc ,before I put my USB stick in ?????
hi.
i think instead of deleting the files from your USB stick. it's better to format your USB stick.
this will completely erase your virus from that..
No , I can not reformat the stick because I have important data on them.
Also I tried using that removal program ,all it does is display "please relogin or restart your computer" after I pressed remove, it then just goes in a loop. Why should you have to restart your computer ? I just want those 3 files removed off my sticks !
No I can not delete with reformat
I have important data on that usb.
I also tried the removal program,but it does nothing ,just goes in a loop ,after message "restart your pc" and its still there.
i dont see any heaps folder..
help me guys
Thanks for the help guys.
I followed the first method and it's working. Haven't restarted my PC but I can access everything (FF, Orkut, Youtube)
Great work guys......thanks once again
Hi all, Thanks for your comments
I caught this in Paris from a public wireless outlet (accessed from Eurostar). I got it off my laptop by reverting to an earlier configuration (XP pro). But it had spread to my 4gb key, and reformatting this didn't remove the virus: I assumed it had, and in this way infected my desktop. That refused to revert to an earlier configuration. Eventually I cured both desktop and key by downloading a paid version of Spyware Doctor.
Thanks a lot. Its working
This was a really helpful post and I was able to remove the entire virus. Thanks a lot.
The only problem was that the actual folder "heap41a" is not being deleted. I changed the registry entry and its showing other folders and not this one.
I managed to delete the contents of the folder by going to the address bar and typing the address as suggested and deleted the files inside "heap41a" but wasn't able to delete the actual folder.
I suppose its not really a problem, but it'd be nice if I could actually find the folder and delete that too.
Anyway, thanks a lot for all the details mentioned up here.
cool