Sanchit's Blog » Removing Viruses From Thumb Drives

Removing Viruses From Thumb Drives

You’ve probably come across Thumb Drive Viruses when you connect your thumb drive to a computer at work or at school.

These viruses copy themselves onto a thumb drive as soon as it is connected to an infected computer, and the second the drive is connected to any other computer, the virus spreads to that machine as well.

Since you may not be able to remove the virus from the infected computer (due to insufficient admin privileges, etc.), you can at least ensure that the virus on the thumb drive does not spread to another machine.

Suppose you’re not sure whether your thumb drive is infected and want to connect it to your computer without risking infection. To keep the virus from starting, hold Shift while inserting the thumb drive into the USB port. This prevents the AutoPlay function from being executed for the thumb drive, so the virus is not started when the thumb drive is inserted.

Now that you’ve connected your thumb drive, it’s time to check if it has a virus or not. Most Thumb drive viruses can be detected by using these 2 techniques:

1) Check Drive Icon:

Although the virus is an exe file, it uses the directory icon to fool users into clicking it.  Though not all viruses do this, it’s still worthwhile to check if the icons have been changed.

This is what an uninfected thumb drive looks like:

[Image: not_infected]

An infected thumb drive looks like this:

[Image: infected]

Now, if you want to access the files in this pen-drive, DO NOT DOUBLE-CLICK THE THUMB-DRIVE ICON as it starts AutoPlay and will execute the virus program.

[Image: donts]

Instead, right-click the icon and choose Explore OR click the Folders icon on the menu bar and select the thumb drive from the left pane as shown below:

[Image: dos2]

[Image: dos1]

Now it’s time to find the viruses and remove them. If you look at your directory contents it will look like this:

[Image: virus_before]

You won’t see any viruses because they are hidden. What’s worse, since they are also marked as system files, some anti-virus programs skip such files when scanning. This is the time to use the second technique.

2) The ATTRIB Test

Click Start->Run, type cmd and press Enter. Once you see the command prompt, type [USBDriveLetter]: and press Enter (E: in this example).

Now type attrib and press Enter. The output should look like this:

[Image: virus_check]

You’ll notice a few files with the SHR File attributes in this window. One of these files will be autorun.inf, which instructs the OS which applications to run when the thumb drive is inserted. The other files will be .exe, .vbs or .pif files and are usually the viruses that you are looking for.

To remove all file attributes type this command: attrib -s -h -r <filename.extension>

After you type this command for all the filenames set with SHR file attributes, type attrib again and observe the result:

[Image: after_attrib]

Cool, now open Windows Explorer and you’ll notice that the viruses are now visible.

[Image: virus_after]

The next part is simple: select all the viruses and delete them. You should also delete the autorun.inf file unless your thumb drive is made by SanDisk (SanDisk thumb drives depend on autorun.inf to start their own utility programs). If your thumb drive is manufactured by SanDisk, open the autorun.inf file and simply remove all lines that contain the virus filenames.

That’s all. Your Thumb Drive is no longer infected.

There’s something you should take care of, though. Many thumb drive viruses copy themselves into every directory on the thumb drive. If that’s the case, you will have to repeat the above steps for each folder, or use attrib -s -h -r /s *.* to unset the SHR attributes of all files on your thumb drive. You can then delete them individually.
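The triage described above (find the hidden+system files, then trim autorun.inf on a SanDisk drive) can be scripted against saved attrib output. This Python is an added example, not code from the original post; the attrib column layout it assumes, the helper names and all sample file names are constructed for illustration.

```python
import re

# File types the article names as the usual thumb-drive malware carriers.
SUSPECT_EXT = (".exe", ".vbs", ".pif")
# Assumed attrib layout: flag letters, padding, then a path with a drive letter.
LINE_RE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*)$")

def parse_attrib(output):
    """Return (flag set, path) pairs from the text printed by `attrib`."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append((set(m.group("flags").replace(" ", "")), m.group("path")))
    return entries

def triage(output):
    """Split hidden+system entries into autorun.inf files and suspect files."""
    autoruns, suspects = [], []
    for flags, path in parse_attrib(output):
        if not {"S", "H"} <= flags:
            continue  # visible or non-system files are out of scope here
        name = path.rsplit("\\", 1)[-1].lower()
        if name == "autorun.inf":
            autoruns.append(path)
        elif name.endswith(SUSPECT_EXT):
            suspects.append(path)
    return autoruns, suspects

def clean_autorun(inf_text, suspects):
    """Drop autorun.inf lines that name a suspect file (the SanDisk case)."""
    names = {p.rsplit("\\", 1)[-1].lower() for p in suspects}
    return "\n".join(ln for ln in inf_text.splitlines()
                     if not any(n in ln.lower() for n in names))

# Constructed sample of `attrib` output on drive E: (not taken from the article).
SAMPLE_ATTRIB = """\
A  SHR       E:\\autorun.inf
A  SHR       E:\\sample1.exe
A  SHR       E:\\Photos\\sample2.vbs
A   H        E:\\notes.exe
"""
# Constructed autorun.inf: one vendor line plus two injected entries.
SAMPLE_INF = "[autorun]\nopen=vendor_tool.exe\nshellexecute=sample1.exe\nshell\\open\\command=sample2.vbs"

if __name__ == "__main__":
    autoruns, suspects = triage(SAMPLE_ATTRIB)
    print("autorun.inf:", autoruns, "| suspect files:", suspects)
    print(clean_autorun(SAMPLE_INF, suspects))
```

The script only reads text; review the suspect list yourself before deleting anything, since legitimate files can also carry the S and H attributes.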

To play it safe, instead of relying on pressing Shift every time you insert your thumb drive, it is wiser to disable autorun for all removable drives so that autorun.inf is never executed when your thumb drive is inserted.

To do that in Windows XP, download a powertoy called TweakUI and disable autoplay for all removable devices as shown below:

[Image: tweakui]

Once that is done, you no longer have to press Shift to disable autorun every time you connect your thumb drive.

However, you will still need to use the attrib command to unset file attributes and delete the files manually.

You can also use Ninja PenDisk to do the same thing automatically but I suggest doing this on your own as Ninja Pendisk may not be able to detect and remove all viruses.

UPDATE:

Some “USB-Viruses” hide all directories on your thumb drive and replace them with exe files (i.e. the virus) having the same name.

In that case, change your attrib command to this:

attrib -s -h -r /s /d *.*

This will make all the hidden directories visible again.

  1. Laeh
    April 7th, 2009 at 20:59 | #1

    Hello,

    Thanks for the info. I wanna learn more about how to defend yourself from viruses… Where am I gonna start? How did you come up with this idea?
    I was able to protect our computer from a certain virus and I deleted it. Do you have other techniques? Please email me for more interesting sites.

  2. May 6th, 2009 at 08:12 | #2

    good info. thanks!

  3. October 3rd, 2009 at 19:19 | #3

    thanks for sharing.. :)

  4. May 25th, 2010 at 17:52 | #4

    Hey, hopefully someone can make use of this :)

    If you are having issues running virus scanners whilst your computer is turned on, try to start into ‘Safe Mode’.

    If you’re using a version of Windows, you’ll be able to do this. (Windows XP, Windows Vista & Windows 7)

    Safe Mode:
    Turn computer off
    Turn computer on whilst tapping F8. When prompted select ‘safe mode with networking’
    When prompted, click Yes & start into Windows as normal.

  5. mostyfriedman
    August 7th, 2010 at 23:34 | #5

    very nice read dude :)

  6. July 5th, 2011 at 06:03 | #6

    Being significantly pleased to reveal this web-site.I wanted up to credit must go throughout the the part of your in attentiveness of such ideal impute on!! Which i without-doubt delighted with each individual website minimal amount of trace from it and i partake individual book-marked so that it will interested in real bushy-tailed things the person writing.

  7. November 14th, 2011 at 10:35 | #7

    An intriguing discussion is worth comment. I’m confident which you just write regarding this topic, could possibly not be considered a taboo subject but typically persons are too small to communicate on such topics. To another. Cheers
