USB flash drive contents replaced with a single shortcut
I encountered a weird virus lately that has been infecting USB flash drives. It hides all your files inside an invisible folder and places a shortcut that seems to point to the flash drive itself.
If you check the target location of the shortcut, it points to rundll32.exe, which runs a file whose name starts with '~'. It seems to run the code inside the desktop.ini too. Suspicious, eh?
Enough with the talk. Let's proceed with the steps, assuming your tech-savviness is at least Level 1.
1. Open the command prompt. (If you can't even do this, srsly..)
2. Assuming that your target drive letter is L, type the following…
C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the previously invisible files along with the shortcut. Delete the malware's files (not your own folder), except the autorun.inf file, which is still in use.
4. Use Unlocker to determine which process is holding autorun.inf open.
5. Open Process Explorer and find that process. Press CTRL+L to show the lower (handles) pane and sort the 'Type' column. Scroll down to the 'File' type.
6. You should see autorun.inf among the handles held by that process. If you don't see it, you are looking at the wrong process. Right-click the row and select Close Handle.
7. autorun.inf should now be removable. Next we need to check whether a backdoor has already been dropped on the computer. Look again at the 'File' handles held by the process and search for something suspicious, typically found under C:\Users\your-username-here. Look for something like this.
8. Close that handle, just like you did for autorun.inf, then remove the file, and remove the one inside your drive too.
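As an added example (not the author's code; the post itself relies on attrib, Unlocker and Process Explorer rather than on any script), here is a Python triage script that checks a mounted drive for the indicators described above: items with the hidden and system attributes set, and .lnk shortcuts that launch rundll32.exe on a file whose name starts with '~' or that reference desktop.ini. It decodes the Shell Link (.lnk) binary format (MS-SHLLINK) directly instead of trusting what Explorer shows. The sample shortcut it builds is constructed for the check; the drive letter, target path and argument string in it are made up, not values from the post.

```python
"""Added triage script (not from the post): look for the USB-worm indicators it describes."""
import ntpath
import os
import struct
import sys

FILE_ATTRIBUTE_HIDDEN = 0x02   # Windows attribute bits as exposed by os.stat().st_file_attributes
FILE_ATTRIBUTE_SYSTEM = 0x04

# LinkFlags bits of the Shell Link (.lnk) binary format, MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the launch-relevant fields of a .lnk: the LinkInfo local base path (the
    real target) and the StringData strings (relative path, arguments, ...). The
    optional ID list is skipped by its size; ANSI strings are decoded as latin-1
    because the originating code page is unknown offline."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields, pos = {}, 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at base_off
            end = data.index(b"\x00", pos + base_off)
            fields["local_base_path"] = data[pos + base_off:end].decode("latin-1")
        pos += size
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields


def is_suspicious_lnk(fields: dict) -> bool:
    """The post's indicator: the shortcut launches rundll32.exe and hands it a file
    whose name starts with '~', or pulls in desktop.ini."""
    launcher = " ".join(fields.get(k, "") for k in ("local_base_path", "relative_path", "arguments")).lower()
    if "rundll32" not in launcher:
        return False
    args = fields.get("arguments", "")
    if "desktop.ini" in args.lower():
        return True
    # rundll32 takes "<dll-or-file>,<entrypoint>"; look at the file part of each token
    return any(ntpath.basename(tok.split(",")[0]).startswith("~") for tok in args.replace('"', " ").split())


def build_sample_lnk(local_base_path: str, arguments: str) -> bytes:
    """CONSTRUCTED sample, not a captured shortcut: a minimal .lnk with a LinkInfo block
    naming the target binary and a StringData COMMAND_LINE_ARGUMENTS field."""
    vol_id = struct.pack("<IIII", 0x11, 2, 0, 0x10) + b"\x00"  # size, DriveType=removable, serial, label offset, ""
    base = local_base_path.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(vol_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, 0x1C, base_off, 0, suffix_off) + vol_id + base + b"\x00"
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(76 - 24)
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def scan_removable_drive(root: str) -> list:
    """Walk a mounted drive and collect (path, reason) for hidden+system items and for
    shortcuts that match is_suspicious_lnk. st_file_attributes exists only on Windows,
    so the attribute check is silently skipped elsewhere."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            attrs = getattr(os.stat(path), "st_file_attributes", 0)
            if attrs & FILE_ATTRIBUTE_HIDDEN and attrs & FILE_ATTRIBUTE_SYSTEM:
                findings.append((path, "hidden+system attributes set"))
            if name.lower().endswith(".lnk"):
                try:
                    with open(path, "rb") as fh:
                        fields = parse_lnk(fh.read())
                except (OSError, ValueError):
                    continue
                if is_suspicious_lnk(fields):
                    findings.append((path, "shortcut runs rundll32 on: " + fields.get("arguments", "")))
    return findings


if __name__ == "__main__":
    for path, reason in scan_removable_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}: {path}")
```

Run it as `python triage.py L:\` on the affected drive; a hidden+system finding on your own folder is exactly what the attrib step undoes, while a flagged .lnk is the file to delete in step 3. The parser reads the LinkInfo local base path rather than the shortcut's display name, so a shortcut that looks like the drive but points at rundll32.exe is caught regardless of its icon or label.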
That's all for now. I just did this quick post since someone asked me on Twitter how to remove it.
@kapitanluffy hi there:) i had the same usb problem “usb flash drive contents replaced with a single shortcut” how did you fix it? 😀
— Miko H. Espiritu (@Okimbap) February 27, 2013
You don’t really expect me to fit this tutorial in just 140 characters do you?
So you can’t find the backdoor file? Here’s an update!
For those who cannot find the .pif file, note that the file I pointed out is the one I found on my own system. Judging from its name, it is random, which means the backdoor file (the .pif file I am referring to) may be named something other than mstuaespm.pif, may use another extension and may sit in a different folder. To find the backdoor you need to find the suspicious file that is being held open by the host process.
To help you identify the file, you may want to check its MD5 hash. Just search for a hashing tool online.
Here is the MD5 hash of the pif file I found
If your suspected file has the same hash, you have definitely caught the backdoor file. I suggest you check out my prior investigation on the Super User site, and the 'additional information' in the analysis of the .pif file I found here, which lists the different filenames used by the backdoor.
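The hash comparison above, as an added example rather than anything from the post: a Python script that hashes every file under a folder such as C:\Users\your-username-here in chunks and reports the ones whose MD5 is in a set of known-bad values, so the check works whatever name or extension the backdoor is using. The hash from the post is not reproduced here; KNOWN_BAD_MD5 holds a placeholder you replace with the value you are checking against, and the self-check plants a constructed file in a temporary folder to verify the matching end to end.

```python
"""Added example (not from the post): find files by known MD5 hash under a folder."""
import hashlib
import os
import sys
import tempfile

# Placeholder: the post's hash is not reproduced here. Replace with the lowercase hex
# MD5 you are checking against (one or more values).
KNOWN_BAD_MD5 = {"<md5-of-the-pif-file-from-the-post>"}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files never need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_matches(root: str, known: set) -> list:
    """Walk root and return (path, md5) for every file whose hash is in `known`.
    Files that cannot be read (locked, permission denied) are skipped, not fatal,
    because the backdoor may still be held open by its host process."""
    wanted = {h.lower() for h in known}
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def self_check() -> bool:
    """Constructed end-to-end check: plant a file with known content in a temporary
    folder and confirm find_matches locates it by hash alone, ignoring its name."""
    content = b"constructed sample content, not malware"
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "random-name.pif")
        with open(planted, "wb") as fh:
            fh.write(content)
        with open(os.path.join(tmp, "other.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        hits = find_matches(tmp, {md5_hex(content)})
        return hits == [(planted, md5_hex(content))]


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, digest in find_matches(start, KNOWN_BAD_MD5):
        print(f"{digest}  {path}")
```

MD5 is not collision resistant, but for recognising one specific known sample by content it is adequate, which is all the post uses it for; the matching is by file content only, so the different filenames listed in the Super User analysis do not matter.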
Since it is already detected by common antivirus software, you could just do a 'Full Scan' of your system if that is what you want. Still, I don't like antivirus; it hogs my already-slow laptop.