Archive for February, 2008

I DNT HATE MOZILLA! ORKUT IS BANNED!!

My friend asked me why, although he is the only user on his computer and his account has administrative rights, he is not able to open Orkut, and it says Orkut is banned. Another friend had told me that he is not able to use Mozilla Firefox and it asks him to use Internet Explorer. I just told them it must be some virus, but really didn’t care much about that. But none of the antivirus software could detect or remove this malware.

My friend had given me a pen drive. I remembered it while browsing the net in Firefox. When I put it in my PC and double-clicked it, it didn’t open. I knew at once: I had activated a virus. But I didn’t have any idea about the kind of virus that might have come to my PC, until I switched back to Firefox. Immediately a message box was displayed: “I DNT HATE MOZILLA BUT USE IE OR ELSE…” with the title “USE INTERNET EXPLORER U DOPE”. I remembered the experiences of my friends. I tried to locate the virus by running the Task Manager, but there were no suspicious entries there. I had to bow to the owner of the virus. I used Internet Explorer to search about it. The first entry in Google took me to the Mozilla Forum page, and after going through some pages, I came to know that the same virus also displayed another message when you opened Orkut: “Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!” with the title “ORKUT IS BANNED”. A similar message was displayed for YouTube also. So I went through all the posts, and finally found a solution given here:

  1. Press CTRL+ALT+DEL and go to the processes tab
  2. Look for svchost.exe under the image name. There will be many but look for the ones which have your username under the username
  3. Press DEL to kill these files. It will give you a warning, Press Yes
  4. Repeat for more svchost.exe files with your username and repeat. Do not kill svchost.exe with system, local service or network service!
  5. Now open My Computer
  6. In the address bar, type C:\heap41a and press enter. It is a hidden folder, and is not visible by default.
  7. Delete all the files here
  8. Now go to Start –> Run and type Regedit
  9. Go to the menu Edit –> Find
  10. Type “heap41a” here and press enter. You will get something like this “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”
  11. Select that and Press DEL. It will ask “Are you sure you want to delete this value?”, click Yes
  12. Now close the registry editor.

Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.
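The pen drive check from the last step, as an added example that is not part of the original post: it lists the launch entries in autorun.inf and every item in the drive root whose name ends with .exe, without opening or running anything. The function names and the sample drive contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

def autorun_commands(text):
    """Return (key, command) pairs in [autorun] that make Windows launch something."""
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if not in_autorun or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value.strip()))
    return found

def scan_drive_root(root):
    """List autorun.inf launch entries and root items whose name ends with .exe."""
    report = {"autorun": [], "exe_named": []}
    for entry in sorted(Path(root).iterdir()):
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            # latin-1 maps every byte, so a junk-padded file still decodes
            report["autorun"] = autorun_commands(entry.read_text(encoding="latin-1"))
        elif name.endswith(".exe"):
            report["exe_named"].append((entry.name, "folder" if entry.is_dir() else "file"))
    return report

def build_sample_drive(root):
    """Constructed stand-in for a pen drive root; not data from a real infection."""
    root = Path(root)
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=setup.exe\nshell\\open\\command=setup.exe\nicon=folder.ico\n")
    (root / "Photos.exe").mkdir()           # folder whose name ends with .exe
    (root / "setup.exe").write_bytes(b"")   # empty placeholder file
    (root / "report.doc").write_text("ordinary document")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, items in scan_drive_root(build_sample_drive(tmp)).items():
            print(kind, items)
```

Run it against the drive letter from a command prompt instead of double-clicking the drive in My Computer.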

If you can’t see a folder starting with “heap” or “heaps” or “heap41a” or “heaps64”, never mind… just try opening My Computer in “Explore” mode and type “C:/heap41a” or “C:/heaps64”, and it is very likely that the folder will be listed in the Explorer pane on the left. Just delete the folder and your PC is clean now.

UPDATE
It seems that they have named this malware W32.USBWorm, and according to my friend, Avast is able to detect and remove it. I hope the other antivirus software will also be able to remove it soon.

This virus is not responsible for disabling Folder Options in the Tools menu and not allowing hidden files to be shown. That is some other virus, and the solution is explained in the post Hidden Files Not Shown.

I DNT HATE MOZILLA BUT USE IE OR ELSE… using software

Want to know how? A consequence of using an infected USB. This virus is spreading through USB drives.

As Kalai points out:

“It’s a safe practice to press and hold the Shift button before inserting any USB drives to avoid the autorun feature from being activated. For newbies, hold the Shift button until any LED lights on the USB drive stop flashing. Then open My Computer and right click your drive which should be the last alphabet anyway. Use the open menu and check for any auto.inf files (it might be hidden) and delete it. Mind you, these files if any, have no business in the USB drive in the first place!”

OK, that’s all about prevention, which is better than cure. Now, if you are affected, never mind – you can get rid of this “amateur” virus within the next 2 minutes:

Thanks a lot to “learns” at Mozillazine forums. His/her solution worked for me.

Download this app from this page
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
direct link: http://download.sysinternals.com/Files/ProcessExplorer.zip

Extract it to a drive and run it.

Go to View -> Select Columns, select Image Path, and click OK.

In the column named “path” look for heaps64 or heaps41 or heaps.

Note down the path, and open the path in Explorer.

Now kill the process by right clicking -> Kill Process.

Delete the heaps folder.

If you are not able to delete it, download this: http://ccollomb.free.fr/unlocker/unlocker1.8.5.exe

Install it.

Now right click on the target folder (heaps***) -> Unlock -> Delete.

Update:
If you can’t see a folder starting with “heap” or “heaps” or “heap41a” or “heaps64”, never mind… just try opening My Computer in “Explore” mode and type “C:/heap41a” or “C:/heaps64”, and it is very likely that the folder will be listed in the Explorer pane on the left. Just delete the folder and your PC is clean now.
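The two process checks used in these posts (an svchost.exe listed under your own user name in Task Manager, and an image path under a heap folder in Process Explorer), as an added example that is not part of the original posts. The process rows are constructed sample data, the user "alice" is made up, and C:\Windows as the system directory is an assumption.

```python
from pathlib import PureWindowsPath

# Accounts the steps say to leave alone when they own an svchost.exe process.
SERVICE_ACCOUNTS = {"system", "local service", "network service"}
# Assumption: Windows is installed in C:\Windows.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def triage_svchost(processes):
    """Return (path, user, verdict) for every svchost.exe row that needs attention."""
    findings = []
    for image, user, path in processes:
        if image.lower() != "svchost.exe":
            continue
        folder = str(PureWindowsPath(path).parent).lower()
        if folder not in SYSTEM_DIRS:
            # Image path check (Process Explorer column): the strongest signal.
            findings.append((path, user, "suspicious: image outside system directory"))
        elif user.lower() not in SERVICE_ACCOUNTS:
            # User name check (Task Manager column): newer Windows versions also run
            # genuine per-user service hosts this way, so this alone is not proof.
            findings.append((path, user, "review: system image under a user account"))
    return findings

# Constructed sample rows: (image name, user name, image path).
SAMPLE = [
    ("svchost.exe", "SYSTEM", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", "NETWORK SERVICE", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", "alice", r"C:\heap41a\svchost.exe"),
    ("svchost.exe", "alice", r"C:\Windows\System32\svchost.exe"),
    ("firefox.exe", "alice", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for path, user, verdict in triage_svchost(SAMPLE):
        print(f"{verdict:45} {user:8} {path}")
```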

I DNT HATE MOZILLA BUT USE IE OR ELSE

W32.USBWorm spreads through USB drives. Prevents user from using Firefox, shows message which reads, “I DNT HATE MOZILLA BUT USE IE OR ELSE…” The message header reads, “USE INTERNET EXPLORER YOU DOPE.” Firefox is then closed by force. Also blocks “Orkut” and “YouTube” sites.

Solutions

First format the USB drive that carries the virus (you may lose your data).
Update: No need to format the USB pen drive; delete the autorun.inf file and any folder whose name ends with .exe on the pen drive.

Press Alt+Ctrl+Del –> you can see ‘Task Manager’ –> click on Process tab –> Locate ‘SVCHOST.EXE’ (will see many SVCHOST.EXE, but select the one having ‘User Name’ same as your Windows login name). –> Click End Process button

Now proceed with the following

Way 1

Open Task Manager by holding Ctrl + Alt + Del and click on the Processes tab.

- Ignore the warning messages and stop the svchost.exe process listed under your Windows login name.

- Navigate to C:/Heap41a and delete the contents of the folder.

Way 2

Start Menu > Run > type regedit and press the Enter key

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Reset CheckedValue back to 1 from 2 (to do that, right-click CheckedValue > Modify > Value data >

Beware of using USB pen drives, especially in browsing centers. Some browsing centers in Bangalore were found to be affected too.

Go to C:\heap41a and delete this folder. If there is a folder called test.exe on your desktop, delete that too.

Clear all the entries called heap41a from this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
Update: Don’t uninstall Firefox. Some people are experiencing issues with the OS after uninstalling Firefox on an infected machine. If you uninstall Firefox instead of removing the virus, the system will refuse to boot in normal or safe mode.

Top Ten Reasons Yours a Aquarius

Top Ten Reasons Yours a Virgo

Top Ten Reasons Yours a Pisces

Top Ten Reasons Yours a Taurus

Top Ten Reasons Yours a Scorpio

Top Ten Reasons Yours a Libra

Top Ten Reasons Yours a Gemini
