USBWorm: The Virus that prevents Firefox from running and hides all hidden files
June 20, 2007 Internet Browsers, Mozilla, News, Troubleshooting, Virus & Worms
I’ve recently encountered a severe Virus (or should we say, a Worm) called USBWorm. It doesn’t actually destroy any files or cause anything else to crash, but it does major damage to user activity.
First of all, let me tell you what happens when this worm has infected your system from any of your friends’ USB Flash Drives or USB Sticks.
- It hides all the hidden files in the System and won’t allow you to select Show hidden files and folders from the Tools -> Folder Options dialog.
- Whenever you try to run any Mozilla product, it closes the product shortly afterwards and shows a dialog with the Title: USE IE DOPE! and the Message: I DDNT HATE MOZILLA BUT USE IE OR ELSE…
- Whenever you try to browse the websites Orkut and YouTube (even from IE), your browser is closed immediately and this message is shown: Orkut is banned you fool. The Administrators didn’t write this program guess who did? Mahahahaa. It also plays an evil-sounding sound.
So, how do you remove this one? That’s the problem! No Internet Security or Antivirus product as of now either detects or removes this Worm from your system. So, I was very frustrated and searched Google for the Worm name and found nothing. At last, I tried this keyword: Virus prevents Mozilla and got the first hit, which explained to me all I needed to know about this Worm and its ways of removal. You can find that one here.
But the problem is that the fixing methods shown on the above site didn’t work perfectly well, so I’ve decided to provide you with the much more detailed way in which I’ve successfully eliminated this virus.
- Get HiJackThis! (it’s free)
- Run this Program and click on the Do the Scan only button, then immediately navigate to the list item that says “O4 – HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt”, check the box next to it and click on the Fix Checked button in the bottom-left corner. Don’t close the Dialog yet.
- Open Task Manager by right clicking on the Task Bar and choosing Task Manager or pressing Ctrl + Alt + Del.
- End the processes named svchost.exe that run under your computer user name (Please NOTE: end only the processes that show your computer user name, not the ones that show SYSTEM or NETWORK SERVICE)
- Go back to HiJackThis! and click on the Main Menu button in the bottom center. Then go through step 2 again.
- Now, close Task Manager and HiJackThis!. Go to Start -> Run and type: C:\Heap41a. Once inside this, delete all the contents of this folder with Shift + Delete button. (i.e. Don’t send them to Recycle Bin)
- If you get Access Denied in the above folder when you try to delete something, use the utility called Unlocker, which is available for free. After installing Unlocker, select the files and folders, right click on them and choose Unlocker. In the dialog that opens, select Delete as the action and click on the Unlock All button.
- After the folder is successfully deleted, restart your system and voila, this Problem is gone forever.
- Just be careful before inserting any USB Drives given by your friends, as none of your Antivirus products will detect it (as of now, I think BitDefender detects it, but it still can’t remove it).
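The masquerading pattern in the HijackThis entry above (an autorun value named winlogon that launches an svchost.exe sitting outside System32) can be picked out of a saved HijackThis log automatically. The Python sketch below is an added example, not code from the original post or from HijackThis; the sample log lines other than the quoted heap41a entry, the list of system process names and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Constructed HijackThis log excerpt; only the Policies\Explorer\Run line is from the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed short list of Windows processes whose genuine image lives in System32.
SYSTEM_IMAGES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "csrss.exe"}
SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\system32$")
O4_LINE = re.compile(r"^O4\s*[-\u2013]\s*(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
IMAGE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)', re.I)


def image_path(cmd):
    """Return the executable part of an autorun command line (quoted or unquoted)."""
    m = IMAGE.match(cmd.strip())
    return (m.group("q") or m.group("u")) if m else cmd.split()[0]


def suspicious_autoruns(log_text):
    """Return (key, value name, image, reasons) for O4 entries imitating system processes."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # not a registry autorun (O4) entry
        image = image_path(m.group("cmd"))
        folder = ntpath.normcase(ntpath.dirname(image))
        base = ntpath.basename(image).lower()
        name = m.group("name").lower()
        stem = name[:-4] if name.endswith(".exe") else name
        reasons = []
        if base in SYSTEM_IMAGES and not SYSTEM_DIR.match(folder):
            reasons.append(f"{base} outside System32")
        if stem + ".exe" in SYSTEM_IMAGES and stem + ".exe" != base:
            reasons.append(f"value name '{name}' imitates a system process")
        if reasons:
            findings.append((m.group("key").strip(), m.group("name"), image, reasons))
    return findings


if __name__ == "__main__":
    for key, name, image, reasons in suspicious_autoruns(SAMPLE_LOG):
        print(f"{key} [{name}] -> {image}: {'; '.join(reasons)}")
```

The same two checks apply to the Task Manager step: a genuine svchost.exe runs from System32, so a copy running from any other folder deserves a closer look.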
Edit [17th July 2007]
If you are still not able to view the hidden files and folders, please follow the method below to restore that functionality:
- Open Start Menu -> Run and type REGEDIT and press Enter
- In the Registry Editor, navigate to My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Change the keys CheckedValue and DefaultValue to 1 (Double click on them to Edit)
- Close the Registry Editor and Open Windows Explorer by pressing Windows Key + E
- Open Tools -> Folder Options and select View tab and check the Show all files and folders under Hidden files and folders option.
- You’re Done!
Let me know your comments and suggestions…
Comments (20)
Hi,
Thanx dude!
I didn’t find the
O4 – HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
line in HijackThis
Though remaining part was surely there,….done with it.
Still hidden files are not displayed…..
Hi SandeshG,
For showing the hidden files, you need to change a Registry key, I’ve modified my Post above with the change. For your information, here is the key you need to change.
Step 1: Open Registry Editor by Start -> Run -> REGEDIT
Step 2: Navigate to My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Step 3: Change the CheckedValue and DefaultValue to 1
Step 4: Close the Registry Editor and Open Windows Explorer by pressing Windows Key + E
Step 5: Open Tools -> Folder Options and select View tab and check the Show all files and folders under Hidden files and folders option.
Step 6: You’re Done!
Thanks…
Thanks man…. all’s working…!
Hi SandeshG,
I’m glad it helped you out. Please let the word spread so that many other people will benefit.
Thanks…
Recently I have been infected by my friend’s mobile.
Dear Sankaranand,
What do you mean by you’ve been recently affected by friend’s mobile? As far as I know, this Virus doesn’t spread through Mobiles. I guess your friend might’ve used the Extended Memory Card as a USB Drive and got this Virus loaded in that. In that case, you can use the same methods specified above to clear it.
Let me know whether you cleared it…
Thanks a lot
I had the same issue, and it’s solved
Mangal
Hi Mangal,
I’m glad it helped you out.
Thanks for visiting my Blog…
My system was suffering from virus/worm heap41a. I went through your blog and followed your solution and it was solved.
The only thing I would like to ask you is whether I have to click to hidden files again in Windows Explorer after solving the problem.
thank you very much
Dipen
Hi Dipen,
You have to make Hidden files show again to make sure your problem is solved. Once you’re able to see hidden files, you can safely turn them off if you wish.
Thanks…