usb flash drive contents replaced with a single shortcut - the captain's log
8/4/2015 USB flash drive contents replaced with a single shortcut The Captain's Log
http://blog.piratelufi.com/2013/02/usbflashdrivecontentsreplacedwithasingleshortcut/ 1/26
USB flash drive contents replaced with a single shortcut 27 Feb, 2013 in Tutorials tagged backdoor / flash drive / shortcut / stackoverflow / usb / virus by kapitanluffy
I encountered a weird virus lately that has been infecting USB flash drives. It hides all your files inside an invisible folder and places a shortcut that seems to be pointing to the flash drive itself.
If you check the target location of the shortcut, it points to rundll32.exe, which runs a file with a name that starts with ‘~’. It seems to be running the code inside the desktop.ini too. Suspicious, eh?
showing you the real contents of your flash drive. Ta Da!
Enough with the talk. Let’s proceed with the steps, assuming your tech savvy-ness is at least Level 1.
1. open the command prompt. (If you can’t even do this, srsly..)
2. assuming that your target drive letter is L, type the following…
C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete them except the autorun.inf file.
4. Download Process Explorer by Sysinternals and Unlocker 1.9 by Collomb.
5. Use the Unlocker and determine the process that is using the autorun.inf
sorry for the image, imgur.com kills the quality. In the image, wuauclt.exe is using the autorun.inf
6. Open the Process Explorer and look for the process. Press CTRL+L and sort the ‘type’ column. Scroll down to the ‘file’ type.
Those green thingys? Well that’s just the virus trying to create a backdoor. neat right? :D
7. You should see the autorun.inf being used by the process. If you don’t see it, you are looking at the wrong process. Right click the row and select Close handle.
8. The autorun.inf should be removable already. Next we need to see if there is already a backdoor in our computer. Look again at the ‘files’ being used by the process and search for something suspicious. It is typically found in your C:\users\your-username-here. Look for something like this.
AppData\Local\Temp\mstuaespm.pif
9. Close the handle, just like what you did in autorun.inf then remove the file inside your drive.
That’s all for now. I just did this quick post since someone asked me on Twitter how to remove it.
@kapitanluffy hi there:) i had the same usb problem "usb flash drive contents replaced with a single shortcut" how did you fix it? :D
OiC AciD @Okimbap, 10:19 PM 27 Feb 2013
You don’t really expect me to fit this tutorial in just 140 characters do you?
Here is my original question (investigation) at Stackoverflow
So you can’t find the backdoor file? Here’s an update!
For those who cannot find the pif file, take note that the file indicated is what I found in my system. Judging from the name of the file itself, it is very random. This means that the backdoor file (the pif file I am referring to) might be named other than mstuaespm.pif. It might use other extensions and might be found in a different folder. To find the backdoor you need to find the suspicious file that is being used by the host process.
To help you find the file, you may want to check the MD5 hash of that file. Just go search for hashing tools online.
Here is the MD5 hash of the pif file I found
0ad45ef45df58feaca5b35765cc5db6e
If your suspected file has the same hash, it definitely means that you already caught the backdoor file. I suggest you check out my prior investigation on the superuser site. Check out the ‘additional information’ in the analysis of the pif file I found here. You will see below the different filenames used by the backdoor.
Since it has been detected by common antivirus software already, you might just do a ‘Full Scan’ of your system if that is what you want. Still, I don’t like antiviruses though. They hog my already-slow laptop.
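The hash check from the update above, as an added example (not code from the original post): a Python script that hashes every file under a folder and reports any file whose MD5 equals the value published in the post, whatever its name or extension. The function names and the extension list (collected from the post and the comments on it) are assumptions of this example.

```python
import hashlib
import os
import sys
import tempfile

# MD5 of the .pif file the author found; the value is taken from the post.
# MD5 is used here only because that is the identifier the post published.
KNOWN_MD5 = {"0ad45ef45df58feaca5b35765cc5db6e"}

# Extensions reported for the dropped file in the post and its comments.
# Only a hint: the post stresses that the name and extension vary.
REPORTED_EXTENSIONS = {".pif", ".scr", ".cmd", ".vbs", ".exe"}


def md5_of(path, chunk_size=1 << 20):
    """Return the hex MD5 of a file, reading it in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root, known_md5=KNOWN_MD5, extensions=REPORTED_EXTENSIONS):
    """Walk root and sort files into three lists.

    matches    - MD5 is in known_md5, regardless of file name
    candidates - reported extension, but the hash is not a known one
    unreadable - could not be opened (for example, locked by a process)
    """
    known = {value.lower() for value in known_md5}
    report = {"matches": [], "candidates": [], "unreadable": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                file_hash = md5_of(path)
            except OSError as err:
                # A file held open by the host process may refuse to open;
                # keep a record of it, since that deserves a closer look.
                report["unreadable"].append((path, str(err)))
                continue
            if file_hash in known:
                report["matches"].append((path, file_hash))
            elif os.path.splitext(name)[1].lower() in extensions:
                report["candidates"].append((path, file_hash))
    return report


def main(argv):
    # Default to the current user's temp folder, where the post found its file.
    root = argv[1] if len(argv) > 1 else tempfile.gettempdir()
    report = triage(root)
    for label in ("matches", "candidates", "unreadable"):
        for path, detail in report[label]:
            print(f"{label:<11} {detail}  {path}")
    return 1 if report["matches"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hash match only identifies this one sample; files listed as candidates still have to be checked by hand or with a scanner.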
84 thoughts on “USB flash drive contents replaced with a single shortcut”
Dom
February 28, 2013 at 9:53 pm
Hi! The unlocker for my case does not detect any locking handle. Any details as to how to proceed? Thank you very much!
lufi Post author
March 1, 2013 at 9:22 pm
It means no one is using the autorun.inf file which ‘might’ mean that your computer is not infected. Just delete the autorun.inf and retry inserting the flash drive. If you see the same files with the autorun.inf, your computer is infected
Dom
March 1, 2013 at 11:37 pm
My antivirus program seemed to have detected the problem and deleted the worm on its own. Thanks a lot for your help!
edison uy
March 2, 2013 at 10:31 pm
which antivirus did you use?
lufi Post author
March 3, 2013 at 9:00 pm
I don’t use an antivirus. it hogs my memory
Joel Junior
March 2, 2013 at 1:33 pm
PROBLEM SOLVED: USB – Shortcut link (is it a virus?)
CUT your files from the shortcut link (the virus) and PASTE it on your original USB STORAGE device (on the same place where the shortcut was). Delete that shortcut link, safety remove the usb, and restart your computer. Then reinsert the usb. The link doesn’t show up again. :p weeeeeeee
lufi Post author
March 3, 2013 at 9:01 pm
I really wouldn’t recommend opening that link. If you bothered to check the ‘Target Location’ of that link, it is way too suspicious to call rundll32.exe just to open your flash drive. right?
Mariel
March 5, 2013 at 4:27 am
I followed everything here and was able to do it but when I reinsert my flashdrive, the same problem occurs again.
lufi Post author
March 6, 2013 at 6:41 am
it means the backdoor (*.pif file) is not removed and still running.
flash
March 10, 2013 at 1:11 am
I followed everything but still, when I reinsert my flash drive, the shortcut appears again. I have removed the *.pif file already. I even formatted my flash drive but the same thing happens.
lufi Post author
March 10, 2013 at 8:10 am
it means the .pif file is not the backdoor. is the .pif file locking the autorun.inf file?
flash
March 10, 2013 at 7:41 pm
I don’t think so. Anyway, I’ve fixed it, well, my antivirus did. I saw the same problem posted on their website so I thought they have a solution for it. So, I updated my antivirus, backed up my files, ran a full scan, and restarted my computer. It found, I think three .pif files which Process Explorer only found one (I just did what you have posted above).
Thanks by the way!
Essirahc
March 5, 2013 at 3:22 pm
When I close the handle, an error is popping out which says, “Closing handle requires administrative rights”. what shud i do? pls help…
lufi Post author
March 6, 2013 at 6:40 am
run the process explorer as administrator
Josiah Diaz
March 6, 2013 at 5:15 am
What if my autorun does not work? unlocker says it doesn't find anything…thanks! please help
lufi Post author
March 6, 2013 at 7:01 pm
what do you mean it doesn’t work? if it doesn’t find anything delete it. it means (maybe) that your computer is not infected
David Kawa?ko
July 7, 2013 at 4:40 pm
I had the same problem, next day I tried it and it worked, maybe just restart Your computer? (I did this)
Jeff
March 7, 2013 at 1:38 am
Hi there, what if the process tree of the virus is in svchost.exe? does that mean that my computer is the one who has the virus?
lufi Post author
March 7, 2013 at 6:33 am
yes, if it doesnt have sub processes try ending it. don’t worry if your computer crashes though.
Jim
March 28, 2013 at 4:53 am
Mine is indeed on the tree of svchost.exe and it has a ton of subprocesses. what do i do?
lufi Post author
April 6, 2013 at 8:12 am
99% it is not the process you are looking for.
t23
March 8, 2013 at 3:51 am
really helpful
Macky Sagales
March 10, 2013 at 11:07 am
I already encounter this virus.. srsly..
a12
March 15, 2013 at 10:54 am
I can’t see any “green thingys” on my process explorer. What should I do?
lufi Post author
March 17, 2013 at 6:33 am
you might not have the backdoor too. since it indicates that the backdoor is connecting to the internet
janlancer (@janlancer)
March 16, 2013 at 2:02 pm
Hey, Thanks for this post.
I’m having a problem locating this backdoor .pif file. I followed everything up to step 8. After that I couldn’t locate the .pif file. Will you help me?
lufi Post author
March 17, 2013 at 6:32 am
it might just mean that you don’t have the backdoor
reagan
March 18, 2013 at 7:36 am
hello im having problem locating the .pif file ..if there is no such file in my pc..then why, everytime i insert a flash drive the same thing happens?
lufi Post author
March 18, 2013 at 11:29 pm
check out the update reagan
Frost
March 18, 2013 at 10:05 pm
I cant locate the .pif file. Process Explorer doesnt show any .pif files, and temp folder doesnt contain any of these files. But after reinserting flash drive, it is infected again.
lufi Post author
March 18, 2013 at 11:30 pm
Check out the update mr frost
Jham Ash
March 18, 2013 at 3:46 pm
@lufi this is a win sality virus that embed on auto run and hide all folders and subfolders and make read only, and it duplicates also the
folder and make .exe files
Zolo
March 20, 2013 at 11:57 am
and this comment is helpful how?
lufi Post author
March 22, 2013 at 8:12 am
Isn’t that the old school virus for XP? where you insert the USB. open it in explorer and voila it would become koko crunch?
brian
March 19, 2013 at 11:31 pm
what do i do if my computer is infected?
rensis
March 21, 2013 at 9:39 pm
i know that my computer is infected and i cant find those green thingys. i already searched the processes that uses the autorun.inf file and came up with nothing,…i followed your instructions carefully and i missed nothing for sure…what can be the alternative fix besides scanning the whole system?? my hard drives are full and it will take too long to scan for those stupid viruses/worms.
lufi Post author
March 22, 2013 at 8:11 am
You don’t need to scan your whole filesystem. Try scanning the important parts like the temp folder and the windows directory.
reagan
March 22, 2013 at 11:11 am
hello lufi man…checked the update ..doesn’t help ….done the whole thing on the tutorial…but every time a memory stick would be plugged…the whole
thing starts up all over again..only a shortcut would be found upon opening the flash drive..
I think that the virus is in my PC..but when i check out the rest of the tutorial on checking the virus on drive C..i found no such .pif file tried it many times…
i am using the latest avast…but running all the scan results to 0 threats found..if you have another way to remove the damn virus..pls. post..thanks in advance….
AmirD
April 4, 2013 at 8:54 pm
Thanks for your help
Pol
April 5, 2013 at 10:43 pm
Use “virus total” online to find out if the suspicious file on your hard drive used by the process is the backdoor file. Mine is not a pif file but a cmd file with a different file name and it got a 29/46 detection ratio. Anti virus program sucks. XD
marlcarlo
April 12, 2013 at 5:58 am
hey guys i have the same problem.. can anyone suggest me a good anti virus that can deal with the said virus? the instruction is a bit tricky for me because i am not good in dealing with things like this
awp3le
April 13, 2013 at 5:42 pm
Hello there. Basically I found out how to lock and disable this kind of virus to execute again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit as I’m working for IT/Administrator for my company. Where customers working with my companies computers they don’t know that this kind of shortcut execute virus command line.. And I don’t have time for every single one to explain why and how.. So I Sit down and start searching for it how to disable forever. First thing how you can detect if virus is running. Open task manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe)
1. Kill running process svchost.exe *32 for 64-Bit Windows 7
2. Kill running process wuauclt.exe for 32-Bit Windows 7
3. Kill All running process’s DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7
4. Open C:\ and if you can find there Temp folder open it.
5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC
7. What you can do.
—– 1. Leave it.
—– 2. Right click on TrustedInstaller.exe and then choose Properties
—– 3. Click on Security Tab and then Click on Edit button.
—– 4. Next Click on Administrators Group And Check all Deny check boxes
—– 5. Do the same for Users Group
—– 6. Then Apply and OK
—– 7. Restart your PC
8. You are ready to use your PC to check if your PC is protected Plug in your USB and your folders and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus again…
So best of luck and hope I helped someone
Best regards awp3le..
George Cecis
April 13, 2013 at 11:36 am
Hello there. Basically I found out how to lock and disable this kind of virus to execute again even if you run that shortcut.. I know just for windows 7 32-Bit and windows 7 64-Bit as I’m working for IT/Administrator for my company. Where customers working with my companies computers they don’t know that this kind of shortcut execute virus command line.. And I don’t have time for every single one to explain why and how.. So I Sit down and start searching for it how to disable forever. First thing how you can detect if virus is running. Open task manager. If you are using 64-Bit Win-7 then you have to look for (svchost.exe *32) if you are using 32-Bit Win-7 then you have to look for (wuauclt.exe) and for 64-Bit and 32-Bit (DllHost.exe).
1. Kill running process svchost.exe *32 for 64-Bit Windows 7.
2. Kill running process wuauclt.exe for 32-Bit Windows 7.
3. Kill All running process’s DllHost.exe for 32-Bit Windows 7 and 64-Bit Windows 7.
4. Open C:\ and if you can find there Temp folder open it.
5. USE FOLDER AND SEARCH OPTIONS to show all hidden and system protected files and folders.
6. IF you can find application by name TrustedInstaller.exe then you 100% have infected PC.
7. What you can do.
—– 1. Leave it.
—– 2. Right click on TrustedInstaller.exe and then choose Properties.
—– 3. Click on Security Tab and then Click on Edit button.
—– 4. Next Click on Administrators Group And Check all Deny check boxes.
—– 5. Do the same for Users Group.
—– 6. Then Apply and OK.
—– 7. Restart your PC.
8. You are ready to use your PC to check if your PC is protected Plug in your USB and your folders and files do not turn anymore to one single shortcut. Even if you still have Old infected USB with files you 100% can execute that shortcut because we blocked TrustedInstaller.exe to run virus again….
So best of luck and hope I helped someone.
Best regards awp3le..
Chuong Pham
April 17, 2013 at 9:45 am
Is this TrustedInstaller.exe the same as the one used by Windows Module Installer? If not the same, and it is something relating to the virus, why don't we just delete it?
awp3le
April 18, 2013 at 2:22 pm
because. If in my case customer run that usb shortcut command again then trustedinstaller regenerates again. and no it is not the same one win. up. use another one. More update for it. TrustedInstalled creates new folder For now TMP .. I. coded Tool that puts Installer in block and do not allow for executing it. I will post my app if some one ask.
Alexandru Ivan
June 15, 2013 at 3:42 pm
Hi! I have an problem with this and I can't change permissions, can you help me? Please
awp3le
June 18, 2013 at 3:24 pm
For now it is good method to use 30 days kaspersky trial. It detect this kinds of thing but also there is problem, with hidden files in USB as Hidden exe or whatever, kaspersky is not detecting it, till you make it visible.. I did program a small tool for WIN8
WIN7/32-63 you can fix your USB after that Kaspersky do rest of the job. If you need it, PM me..
Seno Paul
April 13, 2013 at 11:44 am
Wow, that's, its really helpful, now heading to finding the hide process.
busha
April 30, 2013 at 7:58 am
cool! Thanks for the info
Ernesto Fabián Rodríguez Coimbra
April 30, 2013 at 3:24 pm
Thank you so much for this investigation, you're right about the .pif in my case I found a .scr file in the temp directory, removed and all's good now.
John
May 6, 2013 at 12:21 am
Has anyone lost any files from this virus? I seem to have lost the first folder on my USB stick. I double clicked the shortcut, got to my contents, everything else seems to be there. So I most likely picked this up from an infected computer? Does formatting the USB solve the problem? I don’t have the ability to follow the steps (only have access at computer cafes) and I just want to try to avoid the bad computer. Is it infected as soon as you put it in an affected computer? Thanks for all the help.
kandis
May 11, 2013 at 12:13 am
Just use Command Line, paste that attrib line, delete shortcut and .exe file, scan with AVAST your PC, restart PC and you’re ready to go :).
kandis
June 1, 2013 at 3:02 am
This method didn’t help me. Even after deleting all the files. Got serious autorun virus. AVIRA can’t find it. All 4 USB pens are infected. Tried all anti-autorun virus programs. Not a single could solve it.
HK
June 8, 2013 at 4:09 am
I just got a simple method to remove this nasty virus.
HK
June 8, 2013 at 4:12 am
First you just download Malwarebytes Anti-Malware. It free. Then you run that software. Next, you just quick scan your computer by using that software. It will detect all this nasty virus that cause this kind of shortcut. Then, you delete the virus and restart your computer. Done. Hope it is useful. Thanx
dnylpz
June 11, 2013 at 12:56 pm
how much damage can it do to win 8?
Jad Harmoush
June 15, 2013 at 7:16 pm
I repaired it using unlocker. I just do what u did and then I open unlocker for the usb, kill all processes and remove the files. easy
Maimai Rea Conde
July 6, 2013 at 3:10 pm
help please. I got up to step 6 but when I click close handle it says "closing handle needs administrative rights".
Maimai Rea Conde
July 6, 2013 at 3:40 pm
I got it now. the unlocker is all that I need. thank you so much for this post. this autorun virus is really annoying me for the past couple of days. I tried lots of how-to videos from youtube but nothing worked. thank you so much! God bless you.
Rahman Noor
July 14, 2013 at 5:15 pm
Thank u Lufi. i was stuck with this virus for two days, Thanks to your post, I followed the process accordingly and got rid of this freaky virus, thank you very much
Bilzzzzzzzzzz.....
July 18, 2013 at 5:20 am
Thanks….It works…
MarviJoi DiMagna-oNg
July 19, 2013 at 1:29 pm
Somebody help me… I was able to found the "autorun.inf" thingy but the when I tried to do the next step or the "close handle" one…. It says it requires administrative rights.. what to do? It really sucks me whenever I format my usb then it's empty then when I insert it again, the shortcut is still visible.. sucks… >.< please DM me.. really need help.
Amir Muhammad Mousavi
July 21, 2013 at 1:27 pm
Hey Guys, there is an application that I’ve just created for removing virus from your PC and USB.
Note: Run the application as administrator.
Note: The application only works on Windows 8 64bit, Windows 7 32&64bit and windows XP SP3.
Fiqh as_Sabil
August 20, 2013 at 12:33 pm
alhamdulillah…. it’s WORKS..!!!
???? ?????
September 7, 2013 at 8:16 pm
same problem with me
Mahmoud Eljammali
September 9, 2013 at 7:32 pm
I don't have autorun file I have file with this name "tmxnftcqgr" and the unlocker can't find a process run it what should I do?
Vieira Villareal
September 23, 2013 at 7:00 am
Run your Process Explorer. Go to FILE and click on 'Show Details for all Processes'. I had the same problem and this worked for me.
Vieira Villareal
September 23, 2013 at 7:00 am
Thanks for this post! Worked for me. The backdoor file was on mine was .exe.. Thanks again!
Usman Raza
October 1, 2013 at 7:35 pm
This Technique Perfectly Worked For me.
1. open the command prompt via administrative privileges.
2. assuming that your target drive letter is L, type the following…
C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete all the files and folders including autorun.inf file and vbscript files except your folders which are transparent, becoz those are your data.
4. Goto folder options (for windows user) and select show hidden files and uncheck two options just below it which are "Hide extensions for known file types" and "Hide Protected Operating system files".
5. Now Goto C:\users\your-username-here\AppData\Local\Temp
6. Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file which is the damn cause for generating shortcuts). Just Delete all the .vbs files in temp folder and you are good to go.
It Seriously worked for me, you should give a try to it. May God Bless You ALL
Regards
Usman Raza
Usman Raza
October 1, 2013 at 7:41 pm
This Technique Perfectly Worked For me.
1. open the command prompt via administrative privileges.
2. assuming that your target drive letter is L, type the following…
C:\> cd /d L:
L:\> attrib -s -h -a -r /s /d *.*
3. You should now see all the invisible files along with the shortcut. Delete all the files and folders including autorun.inf file and vbscript files except your folders which are transparent, becoz those are your data.
4. Goto folder options (for windows user) and select show hidden files and uncheck two options just below it which are "Hide extensions for known file types" and "Hide Protected Operating system files".
5. Now Goto C:\users\your-username-here\AppData\Local\Temp
6. Inside the Temp Folder search for the files which have extension .vbs (this is bloody vbscript file which is the damn cause for generating shortcuts). Just Delete all the .vbs files in temp folder and you are good to go.
It Seriously worked for me, you should give a try to it. May God Bless You ALL
Regards
Usman Raza
Reply ↓AnonymousOctober 1, 2013 at 10:41 pm
i follow your step but i dont have autorun.inf on my usb but is a <brysswhwbt.vbs> . Here is a pic http://oi39.tinypic.com/2aik30w.jpg ,
Reply ↓Usman RazaOctober 2, 2013 at 4:08 am
Alba,
I ve seen your posted pic,no problem if you dont find autorun.inf file .Its justbecoz of that vbscript file.Your goal should be delete this vbs file from your system, not just fromyour removeable media.
Just Delete All your shortcuts and files like Sthumbsdb, Sthumbsdb.tdb, and that vbscript file too.Remeber one thing Dont Refresh in your flash drive after deleting all these stuff.
Now continue step 5 and 6.
Cheers.Waiting for your next reply
Reply ↓Zulfiqar TariqOctober 8, 2013 at 5:32 pm
great solution <3 finally got rid of this
Reply ↓Saleem HassanOctober 15, 2013 at 4:37 pm
Hy guys install avast antivirus and scan your full system your problem removedthanks
03022234075 contact me for more help
Joey, April 20, 2015 at 6:14 pm
How to fix this on Windows 8?
rchrdshmbng, May 15, 2015 at 4:30 am
Hello Lufi. I didn't find the autorun.inf. After I entered the command prompt there were just the shortcut to rundll32 and the transparent folder which contains my file. I cannot continue to step 5 and the rest. What to do next? Thanks in advance.
rg2796, May 20, 2015 at 8:15 pm
Ran the command to show the files, but it is not detecting autorun.inf as running… probably because it seems to no longer be on the USB. Now that I once again have access to my files, is there anything else I need to worry about?
Denise, May 22, 2015 at 3:02 am
Hi! In my case, I don't have the autorun.inf but instead, a 'desktop.ini' shows up. I tried using Unlocker on it but it does not detect any locking handle. I also tried formatting my flash drive but whenever I plug it in again and add files to it, a shortcut is still created. Am running on Windows 8. What to do?
TeodorM, June 26, 2015 at 4:52 pm
Hello there. I cannot find any autorun.inf file. What should we do?
kapitanluffy (Post author), June 27, 2015 at 2:03 pm
It means it won't run when you insert the drive, but that does not guarantee that there aren't any viruses in your flash drive.
TeodorM, June 27, 2015 at 2:47 pm
I formatted the drive, then inserted it for the first time. Then I put one file in, removed the drive and then inserted it again, and there it is, the shortcut again. When I complete step 2, there is one folder with no name with my file and 3 more, desktop.ini, one file that is the path of the shortcut *.DDD. That is all there is. The virus is still in the PC, I presume.
kapitanluffy (Post author), June 29, 2015 at 1:55 am
Yes, you must look for it in the PC. Once you have inserted the drive, if you can't "safely" remove it, check out the process locking it and you can go from there.
TeodorM, July 1, 2015 at 4:06 pm
Actually, when I try to "safely" remove it, the drive disappears from the computer but the icon that is showing in the bottom right corner is still showing like it is not removed. But how can I find the process that is doing that, when the drive is no longer in the file explorer?
TeodorM, July 1, 2015 at 4:16 pm
When I use Unlocker on the whole drive, it said that there are four processes. The CMD which I used to unhide my file, an Explorer and a msiexec.exe file in the c:\Windows\SysWOW64 folder. I found somewhere that I can change the owner of this folder, but it messed up everything and I returned to the original settings. I'm not sure whether this process is locking it or this is how it should be with flash drives.