Remove W32.USB Worm (Heap41a)
W32.USB Worm or Heap41a attempts to periodically copy itself to removable drives and USB keys. The worm also tries to create a hidden file Autorun.inf on removable drive. Additionally, W32.USB will drop its own malicious file called MicrosoftPowerPoint.exe to any detected removable drive. It will monitor Internet browser activities and display the following messages:
- “USE INTERNET EXPLORER YOU DOPE, I DON’T HATE MOZILLA BUT USE IE OR ELSE…”
- “Orkut is BANNED you fool. The administrators didn’t write this program guess who did??”
Removal Procedure:
1. Press CTRL+ALT+DEL to open Windows Task Manager and go to the Processes tab
2. Find the Image Name svchost.exe that is running under the current Username (Login Name)
End malicious process from Task Manager
3. Click End Process at bottom right of the Windows Task Manager to kill the running process. When prompted with a warning, press Yes
4. Repeat and find other svchost.exe in the same status. Do not end svchost.exe with SYSTEM, Local Service or Network Service. They are process necessary in running Windows.
5. Close Windows Task Manager when done
6. Open My Computer
7. In the address bar, type C:\heap41a and press Enter. This is a hidden folder and not visible by simply browsing.
8. Delete all the files including the folder
9. Go to Start > Run and type Regedit
10. Go to the Menu > Edit > Find
11. Search for “heap41a”. You will have a results similar to “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”
12. Select and Delete the registry string. Click Yes if it prompts you to delete the registry entries.
13. Exit registry editor.
How to Clean the USB Drive
1. Before inserting the USB Drive please disable autorun to prevent the virus from infecting your computer again.
How to Disable USB Drive to autorun (Windows XP):
a. Click on Start > Run. Alternatively, you can use [Windows Key]+[R] on your keyboard.
b. Type Gpedit.msc in the box. Click OK or press Enter on keyboard.
c. It will prompt for Administrator password. Please continue by providing the password and click on Continue.
d. Local Group Policy Editor will open.
e. Go to Computer Configuration, click on Administrative Templates, click on Windows Components and then click on Autoplay Policies.
f. Click Enabled.
g. Select specific drive on Turn off Autoplay to disable Autorun on that drive.
2. Insert USB Drive and scan with updated AntiVirus Software
3. Look for autorun.inf and autorun.exe and delete themRestoring View of Hidden Files and Folders (Optional)
1. Go to Start > Regedit
2. Navigate to the following registry entry and modify the value.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] Value: DWORD “NoFolderOptions” from 1 change to 0.
Nishant
Nov 12, 2007 @ 14:22:47
Thanks!!
It worked for me.
Cheers!
abdul hafiz b. ibrahim
Nov 14, 2007 @ 13:47:08
tq very2 much now i can watch youtube again. hehehe. i like to say tq in my national language ” terima kasih yang tidak terhingga diucapkan semoga anda berjaya didalam hidup anda, terima kasih “
hakeem
Nov 18, 2007 @ 15:39:41
thank you so much…
harrisvisa
Nov 18, 2007 @ 20:00:31
i remove the worm.
But i can’t view the hide files.I use the above procedure any one known tell me
Thank you admin
Brijesh
Nov 19, 2007 @ 16:28:13
it worked. thanks.
Sunny
Nov 22, 2007 @ 13:25:45
Thanks it worked fine. there is another one C3645EE0.DLL which i am suspecting bc it is affecting my runing processes like services.exe csrss.exe spoolsv.exe etc any help?
The trojan is Backdoor.win32.Agent.ahj on Kaspersky.
Any help will be appreciated
Said
Nov 27, 2007 @ 05:37:53
I could not even open my task manger. It seems that “TaskManager has been disabled by your administrator”.
Although i am the administrator!
Any help would be appreciated.
Dilip Manivala
Dec 04, 2007 @ 12:24:30
I was so shocked to hear some one laugh and say that “ORKUT IS BANNED…”. Now i am a much relieved person.
Thanks a lot….
Regards,
Dilip
Yamuna
Dec 06, 2007 @ 11:38:49
Thanks a ton!!!!! I couldn’t open orkut and youtube 4 so long becuz of this! Its perfectly fine now!
Sajeh Mohan
Dec 09, 2007 @ 03:11:53
thank you so much…
hendra
Dec 12, 2007 @ 03:28:38
PCku kena virus heap41a samapi heng g bisa dibuka.kapan hari udah tak coba cara tersebut tapi masih tetep.sbnrnya sudah bisa tinggal nilangin run .exe nya.
Yunus
Dec 20, 2007 @ 18:58:01
GR8 It works… Cheers!!!
Abdul Bari
Dec 21, 2007 @ 10:40:14
Hi,
Thanks for the instructions given by u in removing the heap41a.
My system is infected by some worm and i am unable to do many activities such as writing a CD or using any of the thumb drive. Whenever i am connecting any thumb drive, it is working for that time only after removing the thumb drive they are getting crashed. please if u have any idea about this threat let me know.
Shiva
Dec 24, 2007 @ 22:04:07
It goodly Worked yaar I’m very happy by do this now I can open orkut THANKS plz send any virus information on my Email shiva_uparkar@rediffmail.com
Once again thank’s & I’m waiting other new virus who infect my pc After closed Any app window get close there looks only backgroun of pc now what i do
Red Devil
Jan 02, 2008 @ 16:02:44
Thanx for the info ,.. but .. it is not working … autorun.inf and two other files infected with viruses are not getting deleted .. It says ” Cannot read from Source file or from disk ” … Help me solve the problem …
sunny
Jan 02, 2008 @ 16:35:25
yea I remove Heap41a, thanks but i cannot view hidden files.
it resets after applying.
any one with info? Thanks
webmaster
Jan 03, 2008 @ 10:12:02
Sunny. Please see this link to Enable Show Hidden Files and Folders
bhargav -good looking rascal
Jan 07, 2008 @ 09:42:44
coool man i was fed up
bhargav -good looking rascal
Jan 07, 2008 @ 09:43:17
gr8 it worked man
P.Sardar
Jan 12, 2008 @ 13:26:23
But in my computer the Task Manager has become inactive. Can the same be activated? How? Plz. help.
GS
Jan 14, 2008 @ 05:18:58
Great stuff, worked exactly as described. I can now use Firefox again. Thanks a lot
webmaster
Jan 14, 2008 @ 08:58:48
To PSardar, visit the link to enable Task Manager: http://www.precisesecurity.com/tools-resources/troubleshooting/how-to-enable-windows-task-manager/
Raja Iyer
Jan 23, 2008 @ 05:01:55
to successfully view hidden files / folders again after removal of the worm you need to get the ‘hidden.reg’ which is a registry entry file. Getthe values written in the system registry.
Or you need to get a prog named RRT which allows you to control the file / folder views on the machine.
Raja
be4truth
Jan 24, 2008 @ 06:22:42
This worked for me. Thx for the posting.
vartika
Jan 25, 2008 @ 09:25:53
thanx it worked
it releaved me
it was headache for me
Viral
Jan 30, 2008 @ 09:22:15
I got orkut virus problem…
but thanks a lot.. i got solution & when next time i will get this problem .. i wll apply this…hope my prob will get solve…
Thanks a lot again
vijay
Feb 17, 2008 @ 07:46:31
i got it!
its working
thx
robin
Mar 16, 2008 @ 00:47:47
to view hidden files you have to perfom the above mentioned steps and also unhide it manually frm folder view options
Draco
Mar 23, 2008 @ 02:22:24
Thanx it worked.
rana
Mar 31, 2008 @ 17:57:27
thank you very much..
it work realy good..
i used lots of antivirus..
but i can’t..
thanks again.
kahar
Apr 09, 2008 @ 03:25:09
now i can watch Fernando Torres song on youtube hapily ever after…
thanks mate
Luis_Brasil
Apr 18, 2008 @ 13:24:39
Thks a lot. It have solved my problem. Great Stuff.
The Problem was: “USE INTERNET EXPLORER YOU DOPE, I DNT HATE MOZILLA BUT USE IE OR ELSE…”
Problem: Fixed.
Rahul
Apr 29, 2008 @ 08:07:06
Thankx a Ton Sir….. i really greatful to you…orkut is my love and you helped me to gat it back…thanx man..
ggz
May 15, 2008 @ 19:44:29
Even my task manager is blocked…
it says “sorry: sam”
Cant find dat registry in regedit…
cant delete svchost…
doesnt seem to be workin for me….
ny solution in sight…??? :o
same with me
May 16, 2008 @ 20:05:12
same with me :-(
Dipen
Jun 08, 2008 @ 09:18:14
Hi…Thanks very much…it really worked….
pulkit
Jun 17, 2008 @ 18:16:43
i have the same problem. when i follow this procedure its seaches it and remover its also but when i restart my computer i happens again…what to do
ERWIN
Jun 20, 2008 @ 13:07:22
sscvhost it sbnrnya virus tau ap? soal nya d tmpt ku sering komputer muncul itu akhr2 ini, sblm nya g prnh, klu mmg virus, gmana sih mngatasinya?
Bikramjit Singh
Jun 30, 2008 @ 06:02:31
In my case the problem is a bit severe
Neither i’m able to open Task manager (by any mean) nor the regedit is getting opened.
Even the folder options isn’t available.
If anybody have solution of my problem then plz let me know
pulkit
Jul 01, 2008 @ 18:11:18
pls solve my problem..
Banti Agrawal
Jul 05, 2008 @ 11:44:29
Thanks a ton…
this worked for me also.
please keep on posting your helps, this was very useful and learning information
Thanks Again, Banti
Zeeshan Khan
Aug 20, 2008 @ 04:34:27
thanks buddy u did the job very well thank u very much
Urvil
Aug 23, 2008 @ 05:12:41
it didnt work for me…:((
everytime i press ctrl + alt +del….it sez “windows task manager has been blocked by your admin”
and everytime i try to run regedit…it sayz “edit your registry later you fool ! “
Teruterubozu
Aug 31, 2008 @ 17:11:14
Cannot delete or Vault “MicrosoftPowerPoint.exe” fr my USB & PC after scan ?? How ??
samantha
Sep 05, 2008 @ 16:29:24
Thanks so much. I got the “youtube is Banned muahaha” and nobody could help me until i found this page and now i can watch youtube until im blue in the face !!!!! lol
thanks a million
xxxxxxxxxxxxx
T O JOSE
Oct 07, 2008 @ 11:06:59
GR8. It solved.
nathik
Oct 11, 2008 @ 01:36:58
hey it worked but iam unable to change the folder option
help
Oct 11, 2008 @ 12:48:13
i am not able to open task manager itself…please help soon…
please help me
Oct 11, 2008 @ 20:48:06
i can’t clear my threats because it doesn’t reconize my email address…………please help!!!!!!!!
Spencer
Oct 15, 2008 @ 12:43:46
Even my task manager is blocked…
it says “sorry: sam”
Cant find dat registry in regedit…
cant delete svchost…
doesnt seem to be workin for me….
ny solution in sight…???
mr_byeng
Oct 24, 2008 @ 03:59:48
the same problem with nathik (i think?!?)
i cannot change the hidden file attribute.
and i cannot delete the folder heap41a in c:
still checking if there are any problems left, as of now everything looks fine.
thanks for the help!
Subrata
Oct 30, 2008 @ 06:50:57
Thanks a lot………………….
alfa
Nov 15, 2008 @ 20:46:56
really help full………………….i love u …..:)
thankssssssssssss a lot…
JowyAnderson
Nov 27, 2008 @ 06:33:07
This method is awesome !!!! It works !!!!! Thanks a lot !!!!
varun
Dec 10, 2008 @ 18:54:36
Its working!!Thank U very much.
Selwyn
Dec 12, 2008 @ 09:54:03
I thank u 4 making me aware of heap41a. I deleted it though, Task Manager closes within few minutes I open it, and also cannot open registry editor. If I open it says “registory editor has been disabled by your administrator” . Please help me with this.
Thank you.
Rahul Pawar
Feb 24, 2009 @ 05:55:53
hey it is a really helpful mechanism ..and now finally my computer is back to normal
ankur
Aug 18, 2009 @ 07:25:23
thanx. my problem has been solved
Antonio
Sep 03, 2009 @ 13:14:02
Thanks !!!!
Dharmesh
Oct 05, 2009 @ 21:36:39
Thanx a ton dudeu just made my day.. i tries so much of S**t today but nothing worked.. u rock…….
Joe C.
Feb 20, 2010 @ 02:26:24
Thanks it worked immediately for me!!!!
sly
Nov 25, 2010 @ 00:06:25
There is something wrong with m USB. When I try to open it, It said Please insert a disk drive into drive G:. When I looked into properties it said I have 0 used space and 0 free space