USB flash drive contents replaced with a single shortcut

I encountered a weird virus lately that has been infecting USB flash drives. It hides all your files inside an invisible folder and places a shortcut that seems to be pointing to the flash drive itself.

If you check the target location of the shortcut, it points to rundll32.exe which run a file with a name that starts with ‘~’. It seems to be running the code inside the desktop.ini too. Suspicious eh?

showing you the real contents of your flash drive. Ta Da!

 

Enough with the talk. Let’s proceed with the steps. Assuming your tech savvy-ness is at least Level 1.

1. open the command prompt. (If you can’t even do this, srsly..)

2. assuming that your target drive letter is L, type the following…

C:\> cd /d L:

L:\> attrib -s -h -a -r /s /d *.*

3. You should now see all the invisible files along with the shortcut. Delete them except the autorun.inf file.

4. Download Process Explorer by Sysinternals and Unlocker 1.9 by Collomb.

5. Use the Unlocker and determine the process that is using the autorun.inf

sorry for the image, imgur.com kills the quality. In the image, wuauclt.exe is using the autorun.inf

 

6. Open the Process Explorer and look for the process. Press CTRL+L and sort the ‘type’ column. Scroll down to the ‘file’ type.

Those green thingys? Well that’s just the virus trying to create a backdoor. neat right? :D

 

7. You should see the autorun.inf being used by the process. If you don’t see it, you are looking at the wrong process. Right click the row and select Close handle.

8. The autorun.inf should be removable already. Next we need to see if there is already a backdoor in our computer. Look again at the ‘files’ being used by the process and search something suspicious. Typically found in your C:\users\your-username-here. Look for something like this.

AppData\Local\Temp\mstuaespm.pif

9. Close the handle, just like what you did in autorun.inf then remove the file inside your drive.

That’s is all for now. I just did this quick post since someone asked me in twitter how to remove it.

You don’t really expect me to fit this tutorial in just 140 characters do you?

Here is my original question (investigation) at Stackoverflow

 

So you can’t find the backdoor file? Here’s an update!

For those who cannot find the pif file, take note that the file indicated is what I found in my system. Assuming from the name of the file itself, it is very random. This means that the backdoor file (the pif file I am referring to) might be named other than mstuaespm.pif. It might use other extensions and might be found in a different folder. To find the backdoor you need to find the suspicious file that is being used by the host process.

To help you find the file, you may want to check the MD5 hash of that file. Just go search for hashing tools online.

Here is the MD5 hash of the pif file I found

0ad45ef45df58feaca5b35765cc5db6e

If your suspected file has the same hash, it definitely means that you already caught the backdoor file. I suggest you check out my prior investigation on superuser site. Checkout the ‘additional information’ in the analysis of the pif file I found here. You will see below the different filenames used by the backdoor.

Since it has been detected by common antivirus softwares already, you might just do a ‘Full Scan’ of your system if that is what you want. Still, I don’t like antiviruses though. It hogs my already-slow laptop.

 

About kapitanluffy
the pirate geek

74 Comments on USB flash drive contents replaced with a single shortcut

  1. Hi! The unlocker for my case does not does not detect any locking handle. Any details as to how to proceed? Thank you very much!

    • It means no one is using the autorun.inf file which ‘might’ mean that your computer is not infected. Just delete the autorun.inf and retry inserting the flash drive. If you see the same files with the autorun.inf, your computer is infected

  2. PROBLEM SOLVED: USB – Shortcut link (is it a virus?)
    CUT your files from the shortcut link (the virus) and PASTE it on your original USB STORAGE device (on the same place where the shortcut was). Delete that shortcut link, safety remove the usb, and restart your computer. Then reinsert the usb. The link doesn’t show up again. :p weeeeeeee

    • I really wouldn’t recommend opening that link. If you bothered to check the ‘Target Location’ of that link, it is way too suspicious to call rundll32.exe just to open your flash drive. right?

  3. I followed everything here and was able to do it but when I reinsert my flashdrive, the same problem occurs again.

    • it means the backdoor (*.pif file) is not removed and still running.

      • I followed everything but still, when I reinsert my flash drive, the shortcut appears again. I have removed the *.pif file already. I even formatted my flash drive but the same thing happens.

        • it means the .pif file is not the backdoor. is the .pif file locking the autorun.inf file?

          • I don’ think so. Anyway, I’ve fixed it, well, my antivirus did. I saw the same problem posted on their website so I thought they have a solution for it. So, I updated my antivirus, backed up my files, ran a full scan, and restarted my computer. It found, I think three .pif files which Process Explorer only found one (I just did what you have posted above).

            Thanks by the way!

  4. When I close the handle, an error is pooping out hich says, “Closing handle requires administrative rights”. what shud i do? pls help…

  5. Josiah Diaz // March 6, 2013 at 5:15 am // Reply

    What if my autorun does not work? unlocker says it doesn't find anything… thanks! please help

    • what do you mean it doesn’t work? if it doesn’t find anything delete it. it means (maybe) that your computer is not infected

    • David Kawa?ko // July 7, 2013 at 4:40 pm // Reply

      I had the same problem, next day I tried it and it worked, maybe just restart Your computer? (I did this)

  6. Hi there, what if the process tree of the virus is in svchost.exe? does that mean that my computer is the one who has the virus?

  7. really helpful

  8. Macky Sagales // March 10, 2013 at 11:07 am // Reply

    I already encounter this virus.. srsly..

  9. I can’t see any “green thingys” on my process explorer. What should I do?

  10. Hey, Thanks for this post.
    I’m having a problem locating this backdoor .pif file. I followed everything up to step 8. After that I couldn’t locate the .pif file. Will you help me?

  11. I cant locate the .pif file.Proces Explorrer doesnt show any .pif files,and temp folder doesnt contain any of these files.But after reinserting flash drive,it is infected again. :(

  12. @lufi this is a win sality virus :) that embed on auto run and hide all folders and subfolders and make read only, and it duplicates also the folder and make.exe files :P

  13. what do i do if my computer is infected?

  14. i know that my computer is infected and i cant find those green thingys .i already searched the processes that uses the autorun.inf file and came up with nothing,…i followed your instructions carefully and i missed nothing for sure…what can be the alternative fix besides scanning the whole system??my hard drives are full and it will take too long to scan for those stupid viruses/worms.

    • You don’t need to scan your whole filesystem. Try scanning the important parts like the temp folder and the windows directory.

  15. hello lufi man…checked the update ..doesn’t help ….done the whole thing on the tutorial…but every time a memory stick would be plugged…the whole thing starts up all over again..only a shortcut would be found upon opening the flash drive..

    I think that the virus is in my PC..but when i check out the rest of the tutorial on checking the virus on drive C..i found no such .pif file tried it many times…

    i am using the latest avast…but running all the scan results to 0 threats found..
    if you have another way to remove the damn virus..pls. post..thanks in advance….

  16. Thanks for your help

  17. Use “virus total” online to find out if the suspicious file on your hard drive used by the process is the backdoor file. Mine is not a pif file but a cmd file with a different file name and it got a 29/46 detection ratio. Anti virus program sucks. XD

  18. hey guys i have the same problem.. can anyone suggest me a good anti virus that can deal with the said virus? the instruction is a bit tricky for me because i am not good in dealing with things like this

  19. Hello there. Basically I founded out how to lock and disable this kind of virus to execute again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit as I’m working for IT/Administrator for my company. Where customers working with my companies computers they don’t know that this kind of shortcut execute virus command line.. And I don’t have time for every single one to explain why and how.. So I Sit down and start searching for it how to disable forever. First thing how you can detect if virus is running. Open task manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe)

    1. Kill running process svchost.exe *32 for 64-Bit Windows 7
    2. Kill running process wuauclt.exe for 32-Bit Windows 7
    3. Kill All running process’s DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7
    4. Open C:\ and if you can find there Temp folder open it.
    5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
    6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC
    7. What you can do.
    —– 1. Leave it.
    —– 2. Right click on TrustedInstaller.exe and then choose Properties
    —– 3. Click on Security Tab and then Click on Edit button.
    —– 4. Next Click on Administrators Group And Check all Deny check boxes
    —– 5. Do the same for Users Group
    —– 6. Then Apply and OK
    —– 7. Restart your PC
    8. You are ready to use your PC to check if your PC is protected Plug in your USB and your folders and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus again…

    So best of luck and hope I helped someone :)

    Best regards awp3le..

  20. Hello there. Basically I founded out how to lock and disable this kind of virus to execute again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit as I’m working for IT/Administrator for my company. Where customers working with my companies computers they don’t know that this kind of shortcut execute virus command line.. And I don’t have time for every single one to explain why and how.. So I Sit down and start searching for it how to disable forever. First thing how you can detect if virus is running. Open task manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe).

    1. Kill running process svchost.exe *32 for 64-Bit Windows 7.
    2. Kill running process wuauclt.exe for 32-Bit Windows 7.
    3. Kill All running process’s DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7.
    4. Open C: and if you can find there Temp folder open it.
    5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
    6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC.
    7. What you can do.
    —– 1. Leave it.
    —– 2. Right click on TrustedInstaller.exe and then choose Properties.
    —– 3. Click on Security Tab and then Click on Edit button.
    —– 4. Next Click on Administrators Group And Check all Deny check boxes.
    —– 5. Do the same for Users Group.
    —– 6. Then Apply and OK.
    —– 7. Restart your PC.
    8. You are ready to use your PC to check if your PC is protected Plug in your USB and your folders and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus again….

    So best of luck and hope I helped someone.

    Best regards awp3le..

    • Is this TrustedInstaller.exe the same as the one used by Windows Module Installer? If not the same, and it is something relating to the virus, why don't we just delete it?

      • because. If in my case customer run that usb shortcut command again then trustedinstaller regenerates again. and no it is not the same one win. up. use another one. More update for it. TrustedInstalled creates new folder For now TMP .. I. coded Tool that puts Instaler in blockand do not alow for executing it. I will post my app if some one ask.

    • Hi! I have an problem with this and I can't change permissions, can you help me? Please :)

      • For now it is good method to use 30 days kaspersky trial. It detect this kinds of thing but also there is problem, with hidden files in USB as Hidden exe or whatever, kaspersky is not detecting it, till you make it visible.. I did program a small tool for WIN8 WIN7/32-63 you can fix your USB after that Kaspersky do rest of the job. If you need it, PM me..

  21. Wow, that's , its really helpful, now heading to finding the hide process.

  22. cool! Thanks for the info :)

  23. Ernesto Fabián Rodríguez Coimbra // April 30, 2013 at 3:24 pm // Reply

    Thank you so much for this investigation, you're right about the.pif in my case I found a.scr file in the temp directory, removed and all's good now.

  24. Has anyone lost any files from this virus? I seem to have lost the first folder on my USB stick. I double clicked the shortcut, got to my contents, everything else seems to be there. So I most likely picked this up from an infected computer? Does formatting the USB solve the problem? I don’t have the ability to follow the steps (only have access at computer cafes) and I just want to try to avoid the bad computer. Is it infected as soon as you put it in an affected computer? Thanks for all the help.

  25. Just use Comand Line, paste that attrib line, delete schorcut and .exe file, scan with AVAST your PC, restart PC and your’re ready to go :).

  26. This method didn’t help me. Event after deleting all the files. Got serious autorun virus. AVIRA can’t find it. All 4 USB pens are infected. Tried all anti-autorunvirus programs. Not a single could solve it.

  27. I Just got i simple method to remove this nasty virus.

  28. First you just download Malwarebytes Anti-Malware. It free. Then you run that software. Next, you just quick scan your computer by using that software. It will detect all this nasty virus that cause this kind of shortcut. Then, you delete the virus and restart your computer. Done. Hope it is useful.Thanx

  29. how much damage can it does to win 8?

  30. Jad Harmoush // June 15, 2013 at 7:16 pm // Reply

    I repaired it using unlocker. I just do what u did and then I open unlocker for the usb, kill all processes and remove the files. easy ;)

  31. help please. I got up to step 6 but when I click close handle it says "closing handle needs administrative rights".

  32. I got it now. the unlocker is all that I need. thank you so much for this post. this autorun virus is really annoying me for the past couple of days. I tried lots of how-to videos from youtube but nothing worked. thank you so much! God bless you.

  33. Rahman Noor // July 14, 2013 at 5:15 pm // Reply

    Thank u Lufi. i was stuck with this virus fore two days, Thanks to your post , I followed the process accordingly and gor rid of this freaky virus, thank you very much

  34. Bilzzzzzzzzzz..... // July 18, 2013 at 5:20 am // Reply

    Thanks….
    It works…

  35. MarviJoi DiMagna-oNg // July 19, 2013 at 1:29 pm // Reply

    SOmebody help me… I was able to found the "autorun.inf" thingy but the when I tried to do the next step or the "close handle" one…. It says it requires administrative rights.. what to do? It really sucks me whenever I format my usb then it's empty then when I insert it again, the shortcut is still visible.. sucks… >.< please DM me.. really need help.

  36. Hey Guys, there is an application that I’ve just created for removing virus from your PC and USB.
    Note: Run the application as administrator.
    Note: The application only works on Windows 8 64bit, Windows 7 32&64bit and windows XP SP3.

  37. Fiqh as_Sabil // August 20, 2013 at 12:33 pm // Reply

    alhamdulillah…. it’s WORKS..!!!

  38. same problem with me

  39. I don't have autorun file I have file with this name "tmxnftcqgr" and the unlocker can't find a process run it what should I do?

  40. Run your Process Explorer. Go to FILE and click on 'Show Details for all Processes'. I had the same problem and this worked for me. :)

  41. Thanks for this post! Worked for me. The backdoor file was on mine was .exe.. Thanks again!

  42. This Technique Perfectly Worked For me.

    1.open the command prompt via administrative priviledges.

    2. assuming that your target drive letter is L, type the following…

    C:> cd /d L:

    L:> attrib -s -h -a -r /s /d *.*
    3. You should now see all the invisible files along with the shortcut.Delete all the files and folders including autorun.inf file and vbscript files except your folders which are transparent, becoz those are your data.

    4.Goto folder options(for windows user) and select show hidden files and uncheck two options just below it which are "Hide extentions for known file types" and "Hide Protected Operating system files".

    5.Now Goto C:usersyour-username-hereAppDataLocalTemp

    6.Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file which is the damn cause for generating shortcuts).Just Delete all the .vbs files in temp folder and you are good to go.

    It Seriously worked for me,you should give a try to it.
    May God Bless You ALL

    Regards
    Usman Raza

  43. This Technique Perfectly Worked For me.

    1.open the command prompt via administrative priviledges.

    2. assuming that your target drive letter is L, type the following…

    C:> cd /d L:

    L:> attrib -s -h -a -r /s /d *.*
    3. You should now see all the invisible files along with the shortcut.Delete all the files and folders including autorun.inf file and vbscript files except your folders which are transparent, becoz those are your data.

    4.Goto folder options(for windows user) and select show hidden files and uncheck two options just below it which are "Hide extentions for known file types" and "Hide Protected Operating system files".

    5.Now Goto C:usersyour-username-hereAppDataLocalTemp

    6.Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file which is the damn cause for generating shortcuts).Just Delete all the .vbs files in temp folder and you are good to go.

    It Seriously worked for me,you should give a try to it.
    May God Bless You ALL

    Regards
    Usman Raza

  44. i follow your step but i dont have autorun.inf on my usb but is a <brysswhwbt.vbs > . Here is a pic http://oi39.tinypic.com/2aik30w.jpg ,

  45. Alba,

    I ve seen your posted pic,no problem if you dont find autorun.inf file .Its just becoz of that vbscript file.Your goal should be delete this vbs file from your system, not just from your removeable media.

    Just Delete All your shortcuts and files like Sthumbsdb, Sthumbsdb.tdb, and that vbscript file too.
    Remeber one thing Dont Refresh in your flash drive after deleting all these stuff.

    Now continue step 5 and 6.

    Cheers.
    Waiting for your next reply

  46. Zulfiqar Tariq // October 8, 2013 at 5:32 pm // Reply

    great solution <3 finally got rid of this

  47. Saleem Hassan // October 15, 2013 at 4:37 pm // Reply

    Hy guys install avast antivirus and scan your full system your problem removed thanks
    03022234075 contact me for more help

Leave a Reply

%d bloggers like this:
Your Digital Turf
Host your website at Your Digital Turf!
Only for 3.99$ with free domain