usb flash drive contents replaced with a single shortcut _ the captain's log.pdf

3/20/2014 USB flash drive contents replaced with a single shortcut | The Captain's Log

http://blog.piratelufi.com/2013/02/usb-flash-drive-contents-replaced-with-a-single-shortcut/ 1/15

By kapitanluffy pirata (hayme) | February 27, 2013 74 Comments

The Captain's Log logging our internet journeys one blog at a t ime

USB flash drive contents replaced with a singleshortcut

I encountered a weird virus lately that has been infecting USB flash drives. It hides all your files inside an

invisible folder and places a shortcut that seems to be pointing to the flash drive itself.

If you check the target location of the shortcut, it points to rundll32.exe which run a file with a name that

starts with ~. It seems to be running the code inside the desktop.ini too. Suspicious eh?



showing you the real c ontents of your flash drive. Ta Da!

Enough with the talk. Lets proceed with the steps. Assuming your tech savvy-ness is at least Level 1.

1. open the command prompt. (If you cant even do this, srsly..)

2. assuming that your target drive letter is L, type the following

C:\> cd /d L:

L:\> attrib -s -h -a -r /s /d *.*



3. You should now see all the invisible files along with the shortcut. Delete them except the autorun.inf

file.

4. Download Process Explorer by Sysinternals and Unlocker 1.9 by Collomb.

5. Use the Unlocker and determine the process that is using the autorun.inf

sorry for the image, imgur.c om kills the quality. In the image, wuauc lt .exe is using the autorun.inf

6. Open the Process Explorer and look for the process. Press CTRL+L and sort the type column. Scroll

down to the file type.



Those green thingys? Well thats just the virus trying to c reate a bac kdoor. neat right? :D

7. You should see the autorun.inf being used by the process. If you dont see it, you are looking at the

wrong process. Right click the row and select Close handle.

8. The autorun.inf should be removable already. Next we need to see if there is already a backdoor in our

computer. Look again at the files being used by the process and search something suspicious. Typically

found in your C:\users\your-username-here. Look for something like this.

AppData\Local\Temp\mstuaespm.pif



9. Close the handle, just like what you did in autorun.inf then remove the file inside your drive.

Thats is all for now. I just did this quick post since someone asked me in twitter how to remove it.

@kapitanluffy hi there:) i had the same usb problem usb flash drive contents replaced with a

single shortcut how did you fix it?

Miko H. Espiritu (@Okimbap) February 27, 2013

You dont really expect me to fit this tutorial in just 140 characters do you?

Here is my original question (investigation) at Stackoverflow

So you cant find the backdoor file? Heres an update!

For those who cannot find the pif file, take note that the file indicated is what I found in my system.

Assuming from the name of the file itself, it is very random. This means that the backdoor file (the pif file I

am referring to) might be named other than mstuaespm.pif. It might use other extensions and might be

found in a different folder. To find the backdoor you need to find the suspicious file that is being used by

the host process.

To help you find the file, you may want to check the MD5 hash of that file. Just go search for hashing

tools online.

Here is the MD5 hash of the pif file I found

0ad45ef45df58feaca5b35765cc5db6e

If your suspected file has the same hash, it definitely means that you already caught the backdoor file. I

suggest you check out my prior investigation on superuser site. Checkout the additional information in

the analysis of the pif file I found here. You will see below the different filenames used by the backdoor.

Since it has been detected by common antivirus softwares already, you might just do a Full Scan of your

system if that is what you want. Still, I dont like antiviruses though. It hogs my already-slow laptop.



Share Love:

Google+ kapitanluffy pirata (hayme)

Like this: Like

Be the f irst to like this.

Category: Tutorials Tags: backdoor , flash drive , shortcut , stackoverflow, usb , virus

About kapitanluffy pirata (hayme)

the pirate geek

View all posts by kapitanluffy pirata (hayme)

74 Comments The Captain's Log Login

Sort by Best Share

Join the discussion

Reply

Amir Muhammad Mousavi 8 months ago

Hey Guys, there is an application that I've just created for removing virus from your PC

and USB.

Note: Run the application as administrator.

Note: The application only works on Windows 8 64bit, Windows 7 32&64bit and windows

XP SP3.

8

Usman Raza 6 months ago

This Technique Perfectly Worked For me.

1.open the command prompt via administrative priviledges.


Favorite

Share

115 people like this. Be the f irst of your friends.Like

Facebook 115 Twitter 4 Google LinkedIn Reddit StumbleUpon Digg Tumblr

Pinterest Pocket



Reply

C:> cd /d L:

L:> attrib -s -h -a -r /s /d *.*

3. You should now see all the invisible files along with the shortcut.Delete all the files and

folders including autorun.inf file and vbscript files except your folders which are

transparent, becoz those are your data.

4.Goto folder options(for windows user) and select show hidden files and uncheck two

options just below it which are "Hide extentions for known file types" and "Hide Protected

Operating system files".

5.Now Goto C:usersyour-username-hereAppDataLocalTemp

6.Inside the Temp Folder search for the files which have extension .vbs (this is bloody

vbscript file which is the damn cause for generating shortcuts).Just Delete all the .vbs files

in temp folder and you are good to go.

It Seriously worked for me,you should give a try to it.

May God Bless You ALL

Regards

Usman Raza

2

Reply

Anonymous 6 months ago

i follow your step but i dont have autorun.inf on my usb but is a . Here

is a pic http://oi39.tinypic.com/2aik30... ,

1

Reply

Fiqh as_Sabil 7 months ago

alhamdulillah.... it's WORKS..!!!

1

Reply

Saleem Hassan 5 months ago

Hy guys install avast antivirus and scan your full system your problem removed thanks

03022234075 contact me for more help

Reply

Zulfiqar Tariq 5 months ago

great solution



Reply

I ve seen your posted pic,no problem if you dont find autorun.inf file .Its just becoz of that

vbscript file.Your goal should be delete this vbs file from your system, not just from your

removeable media.

Just Delete All your shortcuts and files like Sthumbsdb, Sthumbsdb.tdb, and that vbscript

file too.

Remeber one thing Dont Refresh in your flash drive after deleting all these stuff.

Now continue step 5 and 6.

Cheers.

Waiting for your next reply

Reply

Usman Raza 6 months ago

This Technique Perfectly Worked For me.

1.open the command prompt via administrative priviledges.


C:> cd /d L:

L:> attrib -s -h -a -r /s /d *.*

3. You should now see all the invisible files along with the shortcut.Delete all the files and

folders including autorun.inf file and vbscript files except your folders which are

transparent, becoz those are your data.

4.Goto folder options(for windows user) and select show hidden files and uncheck two

options just below it which are "Hide extentions for known file types" and "Hide Protected

Operating system files".

5.Now Goto C:usersyour-username-hereAppDataLocalTemp

6.Inside the Temp Folder search for the files which have extension .vbs (this is bloody

vbscript file which is the damn cause for generating shortcuts).Just Delete all the .vbs files

in temp folder and you are good to go.

It Seriously worked for me,you should give a try to it.

May God Bless You ALL

Regards

Usman Raza

Vieira Villareal 6 months ago

Thanks for this post! Worked for me. The backdoor file was on mine was .exe.. Thanks

Share

Share



Reply

Thanks for this post! Worked for me. The backdoor file was on mine was .exe.. Thanks

again!

Reply

Vieira Villareal 6 months ago

Run your Process Explorer. Go to FILE and click on 'Show Details for all

Processes'. I had the same problem and this worked for me. :)

Reply

Mahmoud Eljammali 6 months ago

I don't have autorun file I have file with this name "tmxnftcqgr" and the unlocker

can't find a process run it what should I do?

Reply

???? ????? 6 months ago

same problem with me

Reply

MarviJoi DiMagna-oNg 8 months ago

SOmebody help me... I was able to found the "autorun.inf" thingy but the when I tried to do

the next step or the "close handle" one.... It says it requires administrative rights.. what to

do? It really sucks me whenever I format my usb then it's empty then when I insert it

again, the shortcut is still visible.. sucks... >.< please DM me.. really need help.

Reply

Bilzzzzzzzzzz..... 8 months ago

Thanks....

It works...

Reply

Rahman Noor 8 months ago

Thank u Lufi. i was stuck with this virus fore two days, Thanks to your post , I followed the

process accordingly and gor rid of this freaky virus, thank you very much

Reply

Maimai Rea Conde 9 months ago

I got it now. the unlocker is all that I need. thank you so much for this post. this autorun

virus is really annoying me for the past couple of days. I tried lots of how-to videos from

youtube but nothing worked. thank you so much! God bless you.

Maimai Rea Conde 9 months ago

help please. I got up to step 6 but when I click close handle it says "closing handle needs

administrative rights".

Share

Share

Share

Share

Share

Share

Share

Share



Reply

Reply

Jad Harmoush 9 months ago

I repaired it using unlocker. I just do what u did and then I open unlocker for the usb, kill all

processes and remove the files. easy ;)

Reply

dnylpz 9 months ago

how much damage can it does to win 8?

Reply

HK 10 months ago

First you just download Malwarebytes Anti-Malware. It free. Then you run that software.

Next, you just quick scan your computer by using that software. It will detect all this nasty

virus that cause this kind of shortcut. Then, you delete the virus and restart your computer.

Done. Hope it is useful.Thanx

Reply

HK 10 months ago

I Just got i simple method to remove this nasty virus.

Reply

kandis 10 months ago

This method didn't help me. Event after deleting all the files. Got serious autorun virus.

AVIRA can't find it. All 4 USB pens are infected. Tried all anti-autorunvirus programs. Not a

single could solve it.

Reply

kandis 10 months ago

Just use Comand Line, paste that attrib line, delete schorcut and .exe file, scan with

AVAST your PC, restart PC and your're ready to go :).

Reply

John 11 months ago

Has anyone lost any files from this virus? I seem to have lost the first folder on my USB

stick. I double clicked the shortcut, got to my contents, everything else seems to be there.

So I most likely picked this up from an infected computer? Does formatting the USB solve

the problem? I don't have the ability to follow the steps (only have access at computer

cafes) and I just want to try to avoid the bad computer. Is it infected as soon as you put it

in an affected computer? Thanks for all the help.

Ernesto Fabin Rodrguez Coimb 11 months ago

Thank you so much for this investigation, you're right about the.pif in my case I found

Share

Share

Share

Share

Share

Share

Share

Share



Reply

Thank you so much for this investigation, you're right about the.pif in my case I found

a.scr file in the temp directory, removed and all's good now.

Reply

busha 11 months ago

cool! Thanks for the info :)

Reply

Seno Paul 11 months ago

Wow, that's , its really helpful, now heading to finding the hide process.

Reply

George Cecis 11 months ago

see more

Hello there. Basically I founded out how to lock and disable this kind of virus to execute

again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit

as Im working for IT/Administrator for my company. Where customers working with my

companies computers they dont know that this kind of shortcut execute virus command

line.. And I dont have time for every single one to explain why and how.. So I Sit down and

start searching for it how to disable forever. First thing how you can detect if virus is

running. Open task manager. If you are using 64-Bit Win-7 then you have to look for

(svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and

for 64-Bit and 32-Bit (DllHost.exe).

1. Kill running process svchost.exe *32 for 64-Bit Windows 7.

2. Kill running process wuauclt.exe for 32-Bit Windows 7.

3. Kill All running processs DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7.

4. Open C: and if you can find there Temp folder open it.

5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files

and folders.

6. IF you can find application by name TrustedInstaller.exe then you 100% have infected

PC.

Reply

Alexandru Ivan 9 months ago George Cecis

Hi! I have an problem with this and I can't change permissions, can you help

me? Please :)

awp3le 9 months ago Alexandru Ivan

For now it is good method to use 30 days kaspersky trial. It detect this

kinds of thing but also there is problem, with hidden files in USB as Hidden

exe or whatever, kaspersky is not detecting it, till you make it visible.. I did

program a small tool for WIN8 WIN7/32-63 you can fix your USB after that

Share

Share

Share

Share

Share



Reply

program a small tool for WIN8 WIN7/32-63 you can fix your USB after that

Kaspersky do rest of the job. If you need it, PM me..

Reply

Chuong Pham 11 months ago George Cecis

Is this TrustedInstaller.exe the same as the one used by Windows Module

Installer? If not the same, and it is something relating to the virus, why don't

we just delete it?

Reply

awp3le 11 months ago Chuong Pham

because. If in my case customer run that usb shortcut command again

then trustedinstaller regenerates again. and no it is not the same one win.

up. use another one. More update for it. TrustedInstalled creates new folder

For now TMP .. I. coded Tool that puts Instaler in blockand do not alow for

executing it. I will post my app if some one ask.

Reply

awp3le 11 months ago

see more

Hello there. Basically I founded out how to lock and disable this kind of virus to execute

again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit

as I'm working for IT/Administrator for my company. Where customers working with my

companies computers they don't know that this kind of shortcut execute virus command

line.. And I don't have time for every single one to explain why and how.. So I Sit down and

start searching for it how to disable forever. First thing how you can detect if virus is

running. Open task manager. If you are using 64-Bit Win-7 then you have to look for

(svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and

for 64-Bit and 32-Bit (DllHost.exe)

1. Kill running process svchost.exe *32 for 64-Bit Windows 7

2. Kill running process wuauclt.exe for 32-Bit Windows 7

3. Kill All running process's DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7

4. Open C:\ and if you can find there Temp folder open it.

5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files

and folders.

6. IF you can find application by name TrustedInstaller.exe then you 100% have infected

PC

marlcarlo 11 months ago

hey guys i have the same problem.. can anyone suggest me a good anti virus that can

deal with the said virus? the instruction is a bit tricky for me because i am not good in

Share

Share

Share

Share



Reply

dealing with things like this

Reply

Pol a year ago

Use "virus total" online to find out if the suspicious file on your hard drive used by the

process is the backdoor file. Mine is not a pif file but a cmd file with a different file name

and it got a 29/46 detection ratio. Anti virus program sucks. XD

Reply

AmirD a year ago

Thanks for your help

Reply

reagan a year ago

hello lufi man...checked the update ..doesn't help ....done the whole thing on the

tutorial...but every time a memory stick would be plugged...the whole thing starts up all

over again..only a shortcut would be found upon opening the flash drive..

I think that the virus is in my PC..but when i check out the rest of the tutorial on checking

the virus on drive C..i found no such .pif file tried it many times...

i am using the latest avast...but running all the scan results to 0 threats found..

if you have another way to remove the damn virus..pls. post..thanks in advance....

Reply

rensis a year ago

i know that my computer is infected and i cant find those green thingys .i already searched

the processes that uses the autorun.inf file and came up with nothing,...i followed your

instructions carefully and i missed nothing for sure...what can be the alternative fix besides

scanning the whole system??my hard drives are full and it will take too long to scan for

those stupid viruses/worms.

Reply

lufi a year ago rensis

You don't need to scan your whole filesystem. Try scanning the important parts like

the temp folder and the windows directory.

Reply

brian a year ago

what do i do if my computer is infected?

Jham Ash a year ago

@lufi this is a win sality virus :) that embed on auto run and hide all folders and subfolders

Share

Share

Share

Share

Share

Share

Share



Reply

and make read only, and it duplicates also the folder and make.exe files :P

Reply

lufi a year ago Jham Ash

Isn't that the old school virus for XP? where you insert the USb .open it in explorer

and voila it would become koko crunch?

Reply

Zolo a year ago Jham Ash

and this comment is helpful how?

Reply

Frost a year ago

I cant locate the .pif file.Proces Explorrer doesnt show any .pif files,and temp folder doesnt

contain any of these files.But after reinserting flash drive,it is infected again. :(

Reply

lufi a year ago Frost

Check out the update mr frost :D

Reply

janlancer (@janlancer) a year ago

Hey, Thanks for this post.

I'm having a problem locating this backdoor .pif file. I followed everything up to step 8. After

that I couldn't locate the .pif file. Will you help me?

Reply

reagan a year ago janlancer (@janlancer)

hello im having problem locating the .pif file ..if there is no such file in my pc..then

why ,everytime i insert a flash drive the same thing happens?

Reply

lufi a year ago reagan

check out the update reagan :D

Reply

lufi a year ago janlancer (@janlancer)

it might just mean that you don't have the backdoor

Reply

a12 a year ago

I can't see any "green thingys" on my process explorer. What should I do?

Share

Share

Share

Share

Share

Share

Share

Share

Share

Share



Iconic One Theme | Powered by Wordpress

Load more comments

Need beta invites for the next little thing

called Koding?

3 comments 6 months ago

Tahmid Can You send me an Invitation

[email protected]

automatically kill windows processes

with Crash Me


Amoi Bien oo nga wlang kamalay malay.

Isohunt shuts down. Initiating self

destruct


kapitanluffy That can do, but I think RIAA

will focus on the people who are organizing

them instead of tracking all the users.

The Pursuit of Happyness Why is

Happiness mispelled?


Jude Anthony Suangco asteeg! at

rakenrowl! :))

ALSO ON THE CAPTAIN'S LOG WHAT'S THIS?

Subscribe Add Disqus to your site

usb flash drive contents replaced with a single shortcut _ the captain's log.pdf

Documents