Remove W32.USB Worm (Heap41a)

By: webmaster | Under: Threat Removal

21 Oct

W32.USB Worm or Heap41a attempts to periodically copy itself to removable drives and USB keys. The worm will attempt to create a hidden file Autorun.inf on the removeable drive and copy itself to the removeable drive as MicrosoftPowerPoint.exe. It will monitor internet brwser activities and display the following messages:

“USE INTERNET EXPLORER YOU DOPE, I DNT HATE MOZILLA BUT USE IE OR ELSE…”
“Orkut is BANNED you fool, The adminstrators didn’t write this program guess who did??”

Removal Procedure:

1. Press CTRL+ALT+DEL to open Windows Task Manager and go to the Processes tab
2. Find the Image Name svchost.exe that is running under the current Username (Login Name)

3. Click End Process at bottom right of the Windows Task Manager to kill the running process. When prompted with a warning, press Yes
4. Repeat and find other svchost.exe in the same status. Do not end svchost.exe with SYSTEM, Local Service or Network Service. They are process necessary in running Windows.

5. Close Windows Task Manager when done
6. Open My Computer
7. In the address bar, type C:\heap41a and press Enter. This is a hidden folder and not visible by simply browsing.
8. Delete all the files including the folder

9. Go to Start > Run and type Regedit
10. Go to the Menu > Edit > Find
11. Search for “heap41a”. You will have a results similar to “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”
12. Select and Delete the registry string. click Yes if it prompts you to delete the registry entries.
13. Exit registry editor.

Cleaning the USB Drive
1. Before inserting the USB Drive please disable autorun to prevent the virus from infecting your computer again.

How to Disable USB Drive to autorun (Windows XP):
a. Open Windows Explorer or press the Windows + “e” key.
b. Right-click the drive of the USB Drive. Then select Properties. Drive Properties will appear.
c. Select the AutoPlay tab.
d. Choose Select an Action to Perform
e. At the bottom of the selection, click Take no Action, then click Apply.
f. Click OK to exit Drive Properties.

2. Insert USB Drive and scan with an updated AntiVirus Software
3. Look for autorun.inf and autorun.exe and delete them

Restoring View of Hidden Files and Folders (Optional)
1. Go to Start > Regedit
2. Navigate to the following registry entry and modify the value
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value: DWORD “NoFolderOptions” from 1 change to 0

60 Responses for "Remove W32.USB Worm (Heap41a)"

Nishant November 12th, 2007 at 2:22 pm 1
Thanks!!
It worked for me.
Cheers!
abdul hafiz b. ibrahim November 14th, 2007 at 1:47 pm 2
tq very2 much now i can watch youtube again. hehehe. i like to say tq in my national language ” terima kasih yang tidak terhingga diucapkan semoga anda berjaya didalam hidup anda, terima kasih “
hakeem November 18th, 2007 at 3:39 pm 3
thank you so much…
harrisvisa November 18th, 2007 at 8:00 pm 4
i remove the worm.
But i can’t view the hide files.I use the above procedure any one known tell me

Thank you admin
Brijesh November 19th, 2007 at 4:28 pm 5
it worked. thanks.
Sunny November 22nd, 2007 at 1:25 pm 6
Thanks it worked fine. there is another one C3645EE0.DLL which i am suspecting bc it is affecting my runing processes like services.exe csrss.exe spoolsv.exe etc any help?
The trojan is Backdoor.win32.Agent.ahj on Kaspersky.

Any help will be appreciated
Said November 27th, 2007 at 5:37 am 7
I could not even open my task manger. It seems that “TaskManager has been disabled by your administrator”.
Although i am the administrator!

Any help would be appreciated.
Dilip Manivala December 4th, 2007 at 12:24 pm 8
I was so shocked to hear some one laugh and say that “ORKUT IS BANNED…”. Now i am a much relieved person.

Thanks a lot….

Regards,
Dilip
Yamuna December 6th, 2007 at 11:38 am 9
Thanks a ton!!!!! I couldn’t open orkut and youtube 4 so long becuz of this! Its perfectly fine now!
Sajeh Mohan December 9th, 2007 at 3:11 am 10
thank you so much…
hendra December 12th, 2007 at 3:28 am 11
PCku kena virus heap41a samapi heng g bisa dibuka.kapan hari udah tak coba cara tersebut tapi masih tetep.sbnrnya sudah bisa tinggal nilangin run .exe nya.
Yunus December 20th, 2007 at 6:58 pm 12
GR8 It works… Cheers!!!
Abdul Bari December 21st, 2007 at 10:40 am 13
Hi,

Thanks for the instructions given by u in removing the heap41a.

My system is infected by some worm and i am unable to do many activities such as writing a CD or using any of the thumb drive. Whenever i am connecting any thumb drive, it is working for that time only after removing the thumb drive they are getting crashed. please if u have any idea about this threat let me know.
Shiva December 24th, 2007 at 10:04 pm 14
It goodly Worked yaar I’m very happy by do this now I can open orkut THANKS plz send any virus information on my Email shiva_uparkar@rediffmail.com
Once again thank’s & I’m waiting other new virus who infect my pc After closed Any app window get close there looks only backgroun of pc now what i do
Red Devil January 2nd, 2008 at 4:02 pm 15
Thanx for the info ,.. but .. it is not working … autorun.inf and two other files infected with viruses are not getting deleted .. It says ” Cannot read from Source file or from disk ” … Help me solve the problem …
sunny January 2nd, 2008 at 4:35 pm 16
yea I remove Heap41a, thanks but i cannot view hidden files.
it resets after applying.
any one with info? Thanks
webmaster January 3rd, 2008 at 10:12 am 17
Sunny. Please see this link to Enable Show Hidden Files and Folders
bhargav -good looking rascal January 7th, 2008 at 9:42 am 18
coool man i was fed up
bhargav -good looking rascal January 7th, 2008 at 9:43 am 19
gr8 it worked man
P.Sardar January 12th, 2008 at 1:26 pm 20
But in my computer the Task Manager has become inactive. Can the same be activated? How? Plz. help.
GS January 14th, 2008 at 5:18 am 21
Great stuff, worked exactly as described. I can now use Firefox again. Thanks a lot
webmaster January 14th, 2008 at 8:58 am 22
To PSardar, visit the link to enable Task Manager: http://www.precisesecurity.com/tools-resources/troubleshooting/how-to-enable-windows-task-manager/
Raja Iyer January 23rd, 2008 at 5:01 am 23
to successfully view hidden files / folders again after removal of the worm you need to get the ‘hidden.reg’ which is a registry entry file. Getthe values written in the system registry.
Or you need to get a prog named RRT which allows you to control the file / folder views on the machine.
Raja
be4truth January 24th, 2008 at 6:22 am 24
This worked for me. Thx for the posting.
vartika January 25th, 2008 at 9:25 am 25
thanx it worked
it releaved me
it was headache for me
Viral January 30th, 2008 at 9:22 am 26
I got orkut virus problem…
but thanks a lot.. i got solution & when next time i will get this problem .. i wll apply this…hope my prob will get solve…
Thanks a lot again
vijay February 17th, 2008 at 7:46 am 27
i got it!
its working
thx
robin March 16th, 2008 at 12:47 am 28
to view hidden files you have to perfom the above mentioned steps and also unhide it manually frm folder view options
Draco March 23rd, 2008 at 2:22 am 29
Thanx it worked.
rana March 31st, 2008 at 5:57 pm 30
thank you very much..
it work realy good..
i used lots of antivirus..
but i can’t..
thanks again.
kahar April 9th, 2008 at 3:25 am 31
now i can watch Fernando Torres song on youtube hapily ever after…
thanks mate
Luis_Brasil April 18th, 2008 at 1:24 pm 32
Thks a lot. It have solved my problem. Great Stuff.

The Problem was: “USE INTERNET EXPLORER YOU DOPE, I DNT HATE MOZILLA BUT USE IE OR ELSE…”

Problem: Fixed.
Rahul April 29th, 2008 at 8:07 am 33
Thankx a Ton Sir….. i really greatful to you…orkut is my love and you helped me to gat it back…thanx man..
ggz May 15th, 2008 at 7:44 pm 34
Even my task manager is blocked…
it says “sorry: sam”

Cant find dat registry in regedit…

cant delete svchost…

doesnt seem to be workin for me….
ny solution in sight…???
same with me May 16th, 2008 at 8:05 pm 35
same with me
Dipen June 8th, 2008 at 9:18 am 36
Hi…Thanks very much…it really worked….
pulkit June 17th, 2008 at 6:16 pm 37
i have the same problem. when i follow this procedure its seaches it and remover its also but when i restart my computer i happens again…what to do
ERWIN June 20th, 2008 at 1:07 pm 38
sscvhost it sbnrnya virus tau ap? soal nya d tmpt ku sering komputer muncul itu akhr2 ini, sblm nya g prnh, klu mmg virus, gmana sih mngatasinya?
Bikramjit Singh June 30th, 2008 at 6:02 am 39
In my case the problem is a bit severe
Neither i’m able to open Task manager (by any mean) nor the regedit is getting opened.
Even the folder options isn’t available.
If anybody have solution of my problem then plz let me know
pulkit July 1st, 2008 at 6:11 pm 40
pls solve my problem..
Banti Agrawal July 5th, 2008 at 11:44 am 41
Thanks a ton…

this worked for me also.

please keep on posting your helps, this was very useful and learning information

Thanks Again, Banti
Zeeshan Khan August 20th, 2008 at 4:34 am 42
thanks buddy u did the job very well thank u very much
Urvil August 23rd, 2008 at 5:12 am 43
it didnt work for me…:((
everytime i press ctrl + alt +del….it sez “windows task manager has been blocked by your admin”
and everytime i try to run regedit…it sayz “edit your registry later you fool ! “
Teruterubozu August 31st, 2008 at 5:11 pm 44
Cannot delete or Vault “MicrosoftPowerPoint.exe” fr my USB & PC after scan ?? How ??
samantha September 5th, 2008 at 4:29 pm 45
Thanks so much. I got the “youtube is Banned muahaha” and nobody could help me until i found this page and now i can watch youtube until im blue in the face !!!!! lol

thanks a million
xxxxxxxxxxxxx
T O JOSE October 7th, 2008 at 11:06 am 46
GR8. It solved.
nathik October 11th, 2008 at 1:36 am 47
hey it worked but iam unable to change the folder option
help October 11th, 2008 at 12:48 pm 48
i am not able to open task manager itself…please help soon…
please help me October 11th, 2008 at 8:48 pm 49
i can’t clear my threats because it doesn’t reconize my email address…………please help!!!!!!!!
Spencer October 15th, 2008 at 12:43 pm 50
Even my task manager is blocked…
it says “sorry: sam”

Cant find dat registry in regedit…

cant delete svchost…

doesnt seem to be workin for me….
ny solution in sight…???
mr_byeng October 24th, 2008 at 3:59 am 51
the same problem with nathik (i think?!?)
i cannot change the hidden file attribute.
and i cannot delete the folder heap41a in c:

still checking if there are any problems left, as of now everything looks fine.

thanks for the help!
Subrata October 30th, 2008 at 6:50 am 52
Thanks a lot………………….
alfa November 15th, 2008 at 8:46 pm 53
really help full………………….i love u …..:)
thankssssssssssss a lot…
JowyAnderson November 27th, 2008 at 6:33 am 54
This method is awesome !!!! It works !!!!! Thanks a lot !!!!
varun December 10th, 2008 at 6:54 pm 55
Its working!!Thank U very much.
Selwyn December 12th, 2008 at 9:54 am 56
I thank u 4 making me aware of heap41a. I deleted it though, Task Manager closes within few minutes I open it, and also cannot open registry editor. If I open it says “registory editor has been disabled by your administrator” . Please help me with this.

Thank you.
Rahul Pawar February 24th, 2009 at 5:55 am 57
hey it is a really helpful mechanism ..and now finally my computer is back to normal
ankur August 18th, 2009 at 7:25 am 58
thanx. my problem has been solved
Antonio September 3rd, 2009 at 1:14 pm 59
Thanks !!!!
Dharmesh October 5th, 2009 at 9:36 pm 60
Thanx a ton dudeu just made my day.. i tries so much of S**t today but nothing worked.. u rock…….