8/4/2015

USB flash drive contents replaced with a single shortcut - The Captain's Log

The Captain's Log


USB flash drive contents replaced with a single shortcut

27 Feb, 2013 in Tutorials tagged backdoor / flash drive / shortcut / stackoverflow / usb / virus by kapitanluffy

I encountered a weird virus lately that has been infecting USB flash drives. It hides all your files
inside an invisible folder and places a shortcut that seems to point to the flash drive itself.
If you check the target location of the shortcut, it points to rundll32.exe, which runs a file with a
name that starts with ~. It seems to be running the code inside the desktop.ini too. Suspicious,
eh?

showing you the real contents of your flash drive. Ta Da!

Enough with the talk. Let's proceed with the steps, assuming your tech savvy-ness is at least
Level 1.
1. Open the command prompt. (If you can't even do this, srsly..)
2. Assuming that your target drive letter is L, type the following:

C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete them except the
autorun.inf file.
4. Download Process Explorer by Sysinternals and Unlocker 1.9 by Collomb.
5. Use the Unlocker and determine the process that is using the autorun.inf

Sorry for the image, imgur.com kills the quality. In the image, wuauclt.exe is using the autorun.inf.

6. Open the Process Explorer and look for the process. Press CTRL+L and sort the type column.
Scroll down to the file type.


Those green thingys? Well, that's just the virus trying to create a backdoor. Neat, right? :D

7. You should see the autorun.inf being used by the process. If you don't see it, you are looking at
the wrong process. Right-click the row and select Close handle.
8. The autorun.inf should be removable now. Next we need to see if there is already a
backdoor in our computer. Look again at the files being used by the process and search for
something suspicious. It is typically found in your C:\users\your-username-here. Look for something
like this.

AppData\Local\Temp\mstuaespm.pif
9. Close the handle, just like what you did with autorun.inf, then remove the file inside your drive.
That's all for now. I just did this quick post since someone asked me on Twitter how to remove
it.

OiCAciD (@Okimbap)

@kapitanluffy hi there :) i had the same usb problem "usb flash drive contents replaced with a single shortcut" how did you fix it? :D
10:19 PM 27 Feb 2013

You don't really expect me to fit this tutorial in just 140 characters, do you?

Here is my original question (investigation) at Stackoverflow

So you can't find the backdoor file? Here's an update!


For those who cannot find the pif file, take note that the file indicated is what I found in my
system. Judging from the name of the file itself, it is very random. This means that the
backdoor file (the pif file I am referring to) might be named something other than mstuaespm.pif. It might
use other extensions and might be found in a different folder. To find the backdoor you need to
find the suspicious file that is being used by the host process.
To help you identify the file, you may want to check the MD5 hash of that file. Just go search for
hashing tools online.
Here is the MD5 hash of the pif file I found:

0ad45ef45df58feaca5b35765cc5db6e
If your suspected file has the same hash, it definitely means that you have caught the
backdoor file. I suggest you check out my prior investigation on superuser site. Check out the
additional information in the analysis of the pif file I found here. You will see below the different
filenames used by the backdoor.
Since it is already detected by common antivirus software, you might just do a Full Scan
of your system if that is what you want. Still, I don't like antiviruses though. They hog my already-slow laptop.
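
Added example, not part of the original post: a Python sketch of the two checks described above, listing the symptoms in the drive root (the shortcut, autorun.inf, desktop.ini, ~-prefixed files) and hashing candidate files in a folder such as Temp against the MD5 given in the update. The function names, the extension list (collected from the post and its comments) and the demo files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# MD5 of the .pif file, exactly as published in the post.
KNOWN_BACKDOOR_MD5 = "0ad45ef45df58feaca5b35765cc5db6e"
# Extensions the post and its commenters report for the dropped file.
CANDIDATE_EXTS = {".pif", ".scr", ".cmd", ".vbs", ".exe"}
# Files the post describes in the root of an affected drive.
ROOT_MARKERS = {"autorun.inf", "desktop.ini"}
# Windows attribute bits that "attrib -s -h" clears.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
# Hidden+system folders that Windows itself creates on a drive.
BENIGN_FOLDERS = {"system volume information", "$recycle.bin"}


def md5_of(path, chunk=1 << 20):
    """Return the hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_backdoor(folder, known_md5=KNOWN_BACKDOOR_MD5):
    """Hash candidate files under folder (for example %TEMP%).

    Returns (matches, unverified). A file in `unverified` is NOT cleared:
    the post notes that name and extension vary, and any changed byte
    changes the hash, so those files still need a scanner or manual review.
    """
    matches, unverified = [], []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CANDIDATE_EXTS:
                continue
            path = os.path.join(root, name)
            try:
                digest = md5_of(path)
            except OSError:
                # Locked by a running process: report it, do not skip it.
                unverified.append((path, "unreadable"))
                continue
            if digest == known_md5.lower():
                matches.append((path, digest))
            else:
                unverified.append((path, digest))
    return matches, unverified


def triage_drive_root(drive_root):
    """Report the symptoms the post describes in the top level of a drive."""
    findings = []
    with os.scandir(drive_root) as entries:
        for entry in entries:
            name, lower = entry.name, entry.name.lower()
            # st_file_attributes exists only on Windows; elsewhere this is 0.
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden_system = (attrs & FILE_ATTRIBUTE_HIDDEN) and (attrs & FILE_ATTRIBUTE_SYSTEM)
            if entry.is_dir(follow_symlinks=False):
                if hidden_system and lower not in BENIGN_FOLDERS:
                    findings.append(("hidden-system-folder", name))
            elif lower.endswith(".lnk"):
                findings.append(("shortcut", name))
            elif lower in ROOT_MARKERS:
                findings.append(("marker", name))
            elif name.startswith("~"):
                findings.append(("tilde-file", name))
    return sorted(findings)


def demo():
    """Run both checks on a constructed tree (stand-in files, not samples)."""
    with tempfile.TemporaryDirectory() as top:
        drive, temp = os.path.join(top, "drive"), os.path.join(top, "Temp")
        os.makedirs(drive)
        os.makedirs(temp)
        for name in ("drive.lnk", "autorun.inf", "desktop.ini", "~constructed.tmp", "notes.txt"):
            open(os.path.join(drive, name), "wb").close()
        payload = b"constructed stand-in for the dropped file"
        for name, data in (("mstuaespm.pif", payload), ("other.scr", b"different"), ("readme.txt", b"text")):
            with open(os.path.join(temp, name), "wb") as fh:
                fh.write(data)
        # Constructed data cannot match the real hash, so match on its own MD5.
        stand_in = hashlib.md5(payload).hexdigest()
        matches, unverified = scan_for_backdoor(temp, known_md5=stand_in)
        real_matches, _ = scan_for_backdoor(temp)
        names = lambda pairs: [os.path.basename(p) for p, _ in pairs]
        return triage_drive_root(drive), names(matches), names(unverified), real_matches


if __name__ == "__main__":
    for part in demo():
        print(part)
```

On a real machine, call `triage_drive_root("L:\\")` and `scan_for_backdoor(os.environ["TEMP"])` from an elevated prompt so that locked files show up as "unreadable" rather than raising.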

84 thoughts on USB flash drive contents replaced with a single shortcut
Dom

February 28, 2013 at 9:53 pm

Hi! The unlocker for my case does not detect any locking handle. Any
details as to how to proceed? Thank you very much!

lufi

Post author

March 1, 2013 at 9:22 pm

It means no one is using the autorun.inf file, which might mean that your
computer is not infected. Just delete the autorun.inf and retry inserting the
flash drive. If you see the same files with the autorun.inf, your computer is infected.

Dom

March 1, 2013 at 11:37 pm

My antivirus program seemed to have detected the problem and
deleted the worm on its own. Thanks a lot for your help!

edison uy

March 2, 2013 at 10:31 pm

which antivirus did you use?

lufi

Post author

March 3, 2013 at 9:00 pm

I don't use an antivirus. It hogs my memory

Joel Junior

March 2, 2013 at 1:33 pm

PROBLEM SOLVED: USB Shortcut link (is it a virus?)
CUT your files from the shortcut link (the virus) and PASTE it on your original USB
STORAGE device (on the same place where the shortcut was). Delete that shortcut link, safely
remove the usb, and restart your computer. Then reinsert the usb. The link doesn't show up again.
:p weeeeeeee

lufi

Post author

March 3, 2013 at 9:01 pm

I really wouldn't recommend opening that link. If you bothered to
check the Target Location of that link, it is way too suspicious to call
rundll32.exe just to open your flash drive. right?

Mariel

March 5, 2013 at 4:27 am

I followed everything here and was able to do it but when I reinsert my flashdrive,
the same problem occurs again.

lufi

Post author

March 6, 2013 at 6:41 am

it means the backdoor (*.pif file) is not removed and still running.

flash

March 10, 2013 at 1:11 am

I followed everything but still, when I reinsert my flash drive, the
shortcut appears again. I have removed the *.pif file already. I even
formatted my flash drive but the same thing happens.

lufi

Post author

March 10, 2013 at 8:10 am

it means the .pif file is not the backdoor. is the .pif file locking the
autorun.inf file?

flash

March 10, 2013 at 7:41 pm

I don't think so. Anyway, I've fixed it, well, my antivirus did. I
saw the same problem posted on their website so I thought
they have a solution for it. So, I updated my antivirus, backed up my files,
ran a full scan, and restarted my computer. It found, I think three .pif files
which Process Explorer only found one (I just did what you have posted
above).
Thanks by the way!

Essirahc

March 5, 2013 at 3:22 pm

When I close the handle, an error is popping out which says, "Closing handle
requires administrative rights." what should i do? pls help

lufi

Post author

March 6, 2013 at 6:40 am

run the process explorer as administrator

Josiah Diaz

March 6, 2013 at 5:15 am

What if my autorun does not work? unlocker says it doesn't find anything
thanks! please help

lufi

Post author

March 6, 2013 at 7:01 pm

what do you mean it doesn't work? if it doesn't find anything delete it. it
means (maybe) that your computer is not infected

David Kawa?ko

July 7, 2013 at 4:40 pm

I had the same problem, next day I tried it and it worked, maybe just restart
Your computer? (I did this)

Jeff

March 7, 2013 at 1:38 am

Hi there, what if the process tree of the virus is in svchost.exe? does that mean
that my computer is the one who has the virus?

lufi

Post author

March 7, 2013 at 6:33 am

yes, if it doesn't have sub processes try ending it. don't worry if
your computer crashes though.

Jim

March 28, 2013 at 4:53 am

Mine is indeed on the tree of svchost.exe and it has a ton of sub
processes. what do i do?

lufi

Post author

April 6, 2013 at 8:12 am

99% it is not the process you are looking for.

t23

March 8, 2013 at 3:51 am

really helpful

Macky Sagales

March 10, 2013 at 11:07 am

I already encounter this virus.. srsly..

a12

March 15, 2013 at 10:54 am

I can't see any green thingys on my process explorer. What should I do?

lufi

Post author

March 17, 2013 at 6:33 am

you might not have the backdoor too. since it indicates that the backdoor is
connecting to the internet

janlancer (@janlancer)

March 16, 2013 at 2:02 pm

Hey, Thanks for this post.
I'm having a problem locating this backdoor .pif file. I followed everything up to step 8. After that I
couldn't locate the .pif file. Will you help me?

lufi

Post author

March 17, 2013 at 6:32 am

it might just mean that you don't have the backdoor

reagan

March 18, 2013 at 7:36 am

hello, I'm having a problem locating the .pif file.. if there is no such file in my
pc.. then why, every time i insert a flash drive, the same thing happens?

lufi

Post author

March 18, 2013 at 11:29 pm

check out the update reagan

Frost

March 18, 2013 at 10:05 pm

I can't locate the .pif file. Process Explorer doesn't show any .pif files, and temp
folder doesn't contain any of these files. But after reinserting flash drive, it is
infected again.

lufi

Post author

March 18, 2013 at 11:30 pm

Check out the update mr frost

Jham Ash

March 18, 2013 at 3:46 pm

@lufi this is a win sality virus that embeds on auto run and hides all
folders and subfolders and makes them read only, and it also duplicates the
folder and makes .exe files

Zolo

March 20, 2013 at 11:57 am

and this comment is helpful how?

lufi

Post author

March 22, 2013 at 8:12 am

Isn't that the old school virus for XP? where you insert the USB, open it in
explorer and voila it would become koko crunch?

brian

March 19, 2013 at 11:31 pm

what do i do if my computer is infected?

rensis

March 21, 2013 at 9:39 pm

i know that my computer is infected and i can't find those green thingys. i already
searched the processes that use the autorun.inf file and came up with nothing, i
followed your instructions carefully and i missed nothing for sure.. what can be the alternative fix
besides scanning the whole system?? my hard drives are full and it will take too long to scan for
those stupid viruses/worms.

lufi

Post author

March 22, 2013 at 8:11 am

You don't need to scan your whole filesystem. Try scanning the important
parts like the temp folder and the windows directory.

reagan
March 22, 2013 at 11:11 am

hello lufi man.. checked the update.. doesn't help. done the whole
thing on the tutorial.. but every time a memory stick would be plugged.. the whole
thing starts up all over again.. only a shortcut would be found upon opening the
flash drive..
I think that the virus is in my PC.. but when i check out the rest of the tutorial on checking the virus
on drive C.. i found no such .pif file.. tried it many times
i am using the latest avast.. but running all the scan results to 0 threats found..
if you have another way to remove the damn virus.. pls. post.. thanks in advance.

AmirD

April 4, 2013 at 8:54 pm

Thanks for your help

Pol

April 5, 2013 at 10:43 pm

Use virus total online to find out if the suspicious file on your hard drive used by
the process is the backdoor file. Mine is not a pif file but a cmd file with a different
file name and it got a 29/46 detection ratio. Anti virus program sucks. XD

marlcarlo

April 12, 2013 at 5:58 am

hey guys i have the same problem.. can anyone suggest me a good anti virus that
can deal with the said virus? the instruction is a bit tricky for me because i am not
good in dealing with things like this

awp3le

April 13, 2013 at 5:42 pm

Hello there. Basically I found out how to lock and disable this kind of virus to
execute again even if you run that shortcut.. I know just for windows 7 32-Bit and
windows 7 64-Bit as I'm working for IT/Administrator for my company. Where customers working
with my company's computers they don't know that this kind of shortcut execute virus command
line.. And I don't have time for every single one to explain why and how.. So I sat down and started
searching for how to disable it forever. First thing, how you can detect if virus is running. Open task
manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32), if you are using
32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe)
1. Kill running process svchost.exe *32 for 64-Bit Windows 7
2. Kill running process wuauclt.exe for 32-Bit Windows 7
3. Kill all running processes DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7
4. Open C:\ and if you can find there Temp folder open it.
5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC
7. What you can do.
   1. Leave it.
   2. Right click on TrustedInstaller.exe and then choose Properties
   3. Click on Security Tab and then Click on Edit button.
   4. Next Click on Administrators Group And Check all Deny check boxes
   5. Do the same for Users Group
   6. Then Apply and OK
   7. Restart your PC
   8. You are ready to use your PC. To check if your PC is protected, plug in your USB and your folders
      and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with
      files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus
      again
So best of luck and hope I helped someone
Best regards awp3le..

George Cecis

April 13, 2013 at 11:36 am

Hello there. Basically I found out how to lock and disable this kind of virus to
execute again even if you run that shortcut.. I know just for windows 7 32-Bit and
windows 7 64-Bit as I'm working for IT/Administrator for my company. Where customers working
with my company's computers they don't know that this kind of shortcut execute virus command
line.. And I don't have time for every single one to explain why and how.. So I sat down and started
searching for how to disable it forever. First thing, how you can detect if virus is running. Open task
manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32), if you are using
32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe).
1. Kill running process svchost.exe *32 for 64-Bit Windows 7.
2. Kill running process wuauclt.exe for 32-Bit Windows 7.
3. Kill all running processes DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7.
4. Open C: and if you can find there Temp folder open it.
5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC.
7. What you can do.
   1. Leave it.
   2. Right click on TrustedInstaller.exe and then choose Properties.
   3. Click on Security Tab and then Click on Edit button.
   4. Next Click on Administrators Group And Check all Deny check boxes.
   5. Do the same for Users Group.
   6. Then Apply and OK.
   7. Restart your PC.
   8. You are ready to use your PC. To check if your PC is protected, plug in your USB and your folders
      and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with
      files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus
      again.
So best of luck and hope I helped someone.
Best regards awp3le..

Chuong Pham

April 17, 2013 at 9:45 am

Is this TrustedInstaller.exe the same as the one used by Windows Module
Installer? If not the same, and it is something relating to the virus, why don't
we just delete it?

awp3le

April 18, 2013 at 2:22 pm

because. If in my case customer run that usb shortcut command again
then trustedinstaller regenerates again. and no it is not the same one
win. up. use another one. More update for it. TrustedInstaller creates new folder For
now TMP .. I. coded Tool that puts Installer in block and do not allow for executing it. I
will post my app if someone ask.

Alexandru Ivan

June 15, 2013 at 3:42 pm

Hi! I have a problem with this and I can't change permissions, can you help
me? Please

awp3le

June 18, 2013 at 3:24 pm

For now it is good method to use 30 days kaspersky trial. It detects this kind of thing
but also there is problem, with hidden files in USB as Hidden exe or whatever,
kaspersky is not detecting it, till you make it visible.. I did program a small tool for WIN8
WIN7/32-63 you can fix your USB after that Kaspersky do rest of the job. If you need it,
PM me..

Seno Paul

April 13, 2013 at 11:44 am

Wow, that's , its really helpful, now heading to finding the hide process.

busha

April 30, 2013 at 7:58 am

cool! Thanks for the info

Ernesto Fabin Rodrguez Coimbra

April 30, 2013 at 3:24 pm

Thank you so much for this investigation, you're right about the .pif, in my case I
found a .scr file in the temp directory, removed and all's good now.

John

May 6, 2013 at 12:21 am

Has anyone lost any files from this virus? I seem to have lost the first folder on my
USB stick. I double clicked the shortcut, got to my contents, everything else seems
to be there. So I most likely picked this up from an infected computer? Does formatting the USB
solve the problem? I don't have the ability to follow the steps (only have access at computer cafes)
and I just want to try to avoid the bad computer. Is it infected as soon as you put it in an affected
computer? Thanks for all the help.

kandis

May 11, 2013 at 12:13 am

Just use Command Line, paste that attrib line, delete shortcut and .exe file, scan
with AVAST your PC, restart PC and you're ready to go :).

kandis

June 1, 2013 at 3:02 am

This method didn't help me. Even after deleting all the files. Got serious autorun
virus. AVIRA can't find it. All 4 USB pens are infected. Tried all anti-autorun virus
programs. Not a single one could solve it.

HK

June 8, 2013 at 4:09 am

I just got a simple method to remove this nasty virus.

HK

June 8, 2013 at 4:12 am

First you just download Malwarebytes Anti-Malware. It's free. Then you run that
software. Next, you just quick scan your computer by using that software. It will
detect all this nasty virus that cause this kind of shortcut. Then, you delete the virus and restart
your computer. Done. Hope it is useful. Thanx

dnylpz

June 11, 2013 at 12:56 pm

how much damage can it do to win 8?

Jad Harmoush

June 15, 2013 at 7:16 pm

I repaired it using unlocker. I just do what u did and then I open unlocker for the
usb, kill all processes and remove the files. easy

Maimai Rea Conde

July 6, 2013 at 3:10 pm

help please. I got up to step 6 but when I click close handle it says "closing handle
needs administrative rights".

Maimai Rea Conde

July 6, 2013 at 3:40 pm

I got it now. the unlocker is all that I need. thank you so much for this post. this
autorun virus is really annoying me for the past couple of days. I tried lots of how-to videos from youtube but nothing worked. thank you so much! God bless you.

Rahman Noor

July 14, 2013 at 5:15 pm

Thank u Lufi. i was stuck with this virus for two days. Thanks to your post, I
followed the process accordingly and got rid of this freaky virus, thank you very
much

Bilzzzzzzzzzz.....

July 18, 2013 at 5:20 am

Thanks.
It works

MarviJoi DiMagna-oNg

July 19, 2013 at 1:29 pm

Somebody help me.. I was able to find the "autorun.inf" thingy but then when I
tried to do the next step or the "close handle" one, it says it requires
administrative rights.. what to do? It really sucks me whenever I format my usb then it's empty then
when I insert it again, the shortcut is still visible.. sucks >.< please DM me.. really need help.

Amir Muhammad Mousavi

July 21, 2013 at 1:27 pm

Hey Guys, there is an application that I've just created for removing virus from
your PC and USB.
Note: Run the application as administrator.
Note: The application only works on Windows 8 64bit, Windows 7 32&64bit and windows XP SP3.

Fiqh as_Sabil

August 20, 2013 at 12:33 pm

alhamdulillah. its WORKS..!!!

???? ?????

September 7, 2013 at 8:16 pm

same problem with me

Mahmoud Eljammali

September 9, 2013 at 7:32 pm

I don't have autorun file I have file with this name "tmxnftcqgr" and the unlocker
can't find a process run it what should I do?

Vieira Villareal

September 23, 2013 at 7:00 am

Run your Process Explorer. Go to FILE and click on 'Show Details for all Processes'.
I had the same problem and this worked for me.

Vieira Villareal

September 23, 2013 at 7:00 am

Thanks for this post! Worked for me. The backdoor file on mine was .exe..
Thanks again!

Usman Raza

October 1, 2013 at 7:35 pm

This Technique Perfectly Worked For me.
1. Open the command prompt via administrative privileges.
2. Assuming that your target drive letter is L, type the following

C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete all the files and folders
including autorun.inf file and vbscript files except your folders which are transparent, becoz those
are your data.
4. Go to folder options (for windows user) and select show hidden files and uncheck two options just
below it which are "Hide extensions for known file types" and "Hide Protected Operating system
files".
5. Now go to C:\users\your-username-here\AppData\Local\Temp
6. Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file
which is the damn cause for generating shortcuts). Just Delete all the .vbs files in temp folder and
you are good to go.
It Seriously worked for me, you should give a try to it.
May God Bless You ALL
Regards
Usman Raza

Usman Raza

October 1, 2013 at 7:41 pm

This Technique Perfectly Worked For me.
1. Open the command prompt via administrative privileges.
2. Assuming that your target drive letter is L, type the following

C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete all the files and folders
including autorun.inf file and vbscript files except your folders which are transparent, becoz those
are your data.
4. Go to folder options (for windows user) and select show hidden files and uncheck two options just
below it which are "Hide extensions for known file types" and "Hide Protected Operating system
files".
5. Now go to C:\users\your-username-here\AppData\Local\Temp
6. Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file
which is the damn cause for generating shortcuts). Just Delete all the .vbs files in temp folder and
you are good to go.
It Seriously worked for me, you should give a try to it.
May God Bless You ALL
Regards
Usman Raza

Anonymous

October 1, 2013 at 10:41 pm

i follow your step but i don't have autorun.inf on my usb but is a <brysswhwbt.vbs>.
Here is a pic http://oi39.tinypic.com/2aik30w.jpg

Usman Raza

October 2, 2013 at 4:08 am

Alba,
I've seen your posted pic, no problem if you don't find autorun.inf file. It's just
becoz of that vbscript file. Your goal should be to delete this vbs file from your system, not just from
your removable media.
Just Delete All your shortcuts and files like Sthumbsdb, Sthumbsdb.tdb, and that vbscript file too.
Remember one thing: Don't Refresh in your flash drive after deleting all these stuff.
Now continue step 5 and 6.
Cheers.
Waiting for your next reply

Zulfiqar Tariq

October 8, 2013 at 5:32 pm

great solution <3 finally got rid of this

Saleem Hassan

October 15, 2013 at 4:37 pm

Hy guys install avast antivirus and scan your full system your problem removed
thanks
03022234075 contact me for more help

Joey

April 20, 2015 at 6:14 pm

how to fix this on windows 8?

rchrdshmbng

May 15, 2015 at 4:30 am

Hello Lufi. I didn't find the autorun.inf. After I enter command prompt there were
just the shortcut to rundll32 and the transparent folder which contains my file. I
cannot continue to step 5 and the rest. What to do next? Thanks in advance.

rg2796

May 20, 2015 at 8:15 pm

ran the command to show the files
but it is not detecting autorun.inf as running probably because it seems to no
longer be on the usb
Now that I once again have access to my files is there anything else I need to worry about?

Denise

May 22, 2015 at 3:02 am

Hi! In my case, I don't have the autorun.inf but instead, a desktop.ini shows up. I
tried using Unlocker on it but it does not detect any locking handle. I
also tried formatting my flash drive but whenever I plug it again and add files to it, a shortcut is still
created. Am running on Windows 8. What to do?

TeodorM

June 26, 2015 at 4:52 pm

Hello there. I cannot find any autorun.inf file. What should we do?

kapitanluffy

Post author

June 27, 2015 at 2:03 pm

It means it won't run when you insert the drive but that does not guarantee
that there aren't any viruses in your flash drive.

TeodorM

June 27, 2015 at 2:47 pm

I formatted the drive, then insert it for the first time. Then I put one file in, remove
the drive and then insert it again, and there it is, the shortcut again. When I
complete step 2, there is one folder with no name with my file and 3 more, desktop.ini, one file that
is the path of the shortcut *.DDD. That is all there is. the virus is still in the PC i presume.

kapitanluffy

Post author

June 29, 2015 at 1:55 am

Yes, you must look for it in the PC. Once you inserted the drive, if you can't
safely remove it, check out the process locking it and you can go from
there.

TeodorM

July 1, 2015 at 4:06 pm

Actually when i try to safely remove it the drive disappears from the computer
but the icon that is showing on the right bottom corner is still showing like it is not
removed. But how can i find the process that is doing that, when the drive is no longer in the file
explorer?

TeodorM

July 1, 2015 at 4:16 pm

When I use the unlocker on the whole drive it said that there are four
processes. The CMD which I used to unhide my file, an Explorer and a
msiexec.exe file in c:\Windows\SysWOW64 folder. I found somewhere that I can change the
owner of this folder but it messed up everything and I returned to original settings. I'm not
sure that this process is locking it or this is how it should be with the flashdrives
