LebGeeks

Truepeace

Member

USB malware

my usb got infected when I plugged it in a laptop's shop, and all my files turned into shorcuts or 1 kb files.
Norton 360 cleaned the virus which was called "Bloodhound.VBS.5" plus I rescaned the usb with malwarebytes so I am sure it is now clean.

However, the files are all 1 KB files and I noticed that I have them in duplicate, the first part of them are 1 KB files like starting with ~$ "~$test.pptx" not working if I enter them, and the second part of them are shortcuts of the other files having the same name but if I click them they work.

I searched on the internet and found a solution suggesting checking "show hidden files & folders" and un-checking "Hide extension for known file type" and "Hide protected operating system files (recommended)" then searching for a hidden folder which should contain my files but the problem is I CAN'T find that folder that contains my files and I am sure they are there somewhere since I can open them all with their shortcuts.

I entered the properties of one of the shortcuts and in Target there was "C:\WINDOWS\system32\cmd.exe /c start 3.vbs&start Final" "final" "proposal.docx&exit"
Note that the vbs virus file was cleaned by my antivirus as I mentioned above.

Thanks for help.

Ra8

Member

Re: USB malware

It happened to me once, Show operating system files should do the trick... The files will appear on the root of your usb folder. Anyway try this command on the command line (in Windows) once you are at the root of your usb (when F:\ appears or whatever is the letter):

attrib -r -s -h /s /d

ironman

Member

Re: USB malware

try googling "iReset", you basically drag and drop the folders to it, and press reset. it will reset their attributes (what Ra8 posted but in a graphical interface)

Good luck.

Truepeace

Member

Re: USB malware

@Ra8 that's what a friend suggested me but I had this error: "Unable to change attribute - F:\Autorun.inf\lpt1.UsbFix"
because I had vaccinated my USB with USB Disk Security so it creates a folder with the name Autorun.inf with a file called lpt1.UsbFix inside of it and I don't know what do they do with the permissions of that folder but I think I can't delete it manually unless if I press in the software "Remove Vaccine" but if I do so I have an error "Please check if your usb is read only" since the vaccine was "lost" after the virus thing.

@ironman
I tried putting everything on the usb in the iReset software except the "Autorun.inf" folder but nothing changed when I resetted.
And I don't know if I had this problem before (since I had almost 45 files in my USB) but not all shortcuts are opening my files!! Some of them are opening some of them not, were they deleted?

Edit: All the shorcuts starting with ~$ are not opening (26 files!) and the ones without ~$ are opening.(14 files)
Please help :(
Edit: The usb is for my brother so I don't know which files are what, but is it possible that the 26 non working files were already non working 1 kb files starting ~$ ?

Last edited by Truepeace (March 7 2014)

ironman

Member

Re: USB malware

@Truepeace, do you have access to a Linux live CD or to a MAC? if yes, you'll have access to those files, copy them to your PC , format the USB stick, and copy them back.

Truepeace

Member

Re: USB malware

No I don't. I can maybe manage to ask some friends but can you explain for me why it should work?
I don't know if it may help, but someone on another forum suggested me to post a USBfix log http://tny.cz/e19e41a0

Last edited by Truepeace (March 8 2014)

ironman

Member

Re: USB malware

Because probably the malware won't be active there, and if its active, you will at least have the permission to move or copy your files.

Truepeace

Member

Re: USB malware

"the malware won't be active there" what do you mean by that, because I think my usb is clean, unless you mean that the effect of the virus won't appear.

NoReGreT

Member

Re: USB malware

go to a CMD prompt, go to your flash drive and run "dir /a" without quotes. If you find your folders there, then it's fine. If you don't, then they are deleted.