USB drive gets infected every time I plug it into my laptop

1

Whenever I plug my USB flash drive into my laptop running Windows XP, an AutoRun.inf file gets created inside it. A hidden folder called "Cache", which uses the Recycle Bin icon, also gets created.

The AutoRun.inf file cannot be opened in Windows. Both the AutoRun.inf file and the "Cache" folder cannot be deleted.

I opened the AutoRun.inf file using Ubuntu. I saw that it is trying to run a file Cache\TMP983.exe.

I ran all the anti-spyware, anti-malware, anti-virus and USB autorun eater tools, but to no avail.

How do I fix this?

ashwnacharya

Posted 2009-10-23T09:44:19.663

Reputation: 512

Jeff is right, reinstall the OS; it's the root cause. But also remember to sanitize your USB drive too. Good luck. – GeneQ – 2009-10-23T10:22:07.607

Answers

5

For unknown viruses and stuff I use sysinternals.

With Process Explorer, try to find a strange process (or a process that has a handle on the EXE file in the Cache folder). With Autoruns, look at everything that is starting automatically. Remove suspicious entries.

Be careful, before removing anything. Google it, it might be needed. You can wreck your system this way. Advantage of this is that you also might find that you have some kind of program running that has this behaviour, and all you might have to do is uninstall it.

Hope this helps.

KeesDijk

Posted 2009-10-23T09:44:19.663

Reputation: 176

Process Explorer also lets you add columns to show the Image Path, which makes it easier to identify executables running from suspicious locations (anywhere in Documents and Settings, Temp or Recycler). Unfortunately doesn't help so much with DLLs or other items not directly executed. – fencepost – 2010-03-15T21:10:18.680

Awesome! Autoruns helped me find the registry key that was running a program at startup. It was executing an exe in C:\recycler. Deleted the registry key, somehow deleted the exe and an INI file. Problem solved! – ashwnacharya – 2009-10-23T15:32:44.037

Okay, but keep looking! Sometimes there still is a process running that might recreate it. At least do a reboot and check. Nice I could help. – KeesDijk – 2009-10-23T18:35:31.060

5

Sadly, I recommend that you back up your data files, reformat, and reinstall Windows XP.

Clearly you're infected, because the USB drive is getting files written on it from Windows XP upon insertion.

If you've run a lot of security / anti-virus tools and can't detect anything, I think it's safest to format the machine and start fresh.

Jeff Atwood

Posted 2009-10-23T09:44:19.663

Reputation: 22 108

I'd go so far as to say even if something found it, still reinstall. Once infected, I wouldn't trust the system again. – Zurahn – 2010-03-15T23:54:37.380

I agree with @Jeff and @Zurahn. – Alex – 2010-03-16T00:20:01.097

4

Before giving up and reformatting and reinstalling Windows, here are some more options:

  1. Google for "antivirus online scan" and use a couple of the best-known ones to scan the computer (each takes some hours to complete).
    Some that I like are Trend Micro House Call and Kaspersky Labs Free Virus Scan.
    Please note that they might require you to use Internet Explorer as your browser.

  2. Use a rescue live-CD virus scanner: I like best Avira AntiVir Rescue System because it gets updated several times a day and so the download CD is up-to-date.

I once had an infection problem, and I ran quite a few scans before I found the one that succeeded in finding the virus.

You're lucky in the sense that it's quite easy for you to verify if the virus was really eradicated.

harrymc

Posted 2009-10-23T09:44:19.663

Reputation: 306 093

1

There's always the option of going nuclear on the bad guys. Have you tried to reformat your USB flash drive from within Ubuntu? That should kill off the annoying things hiding in your boot sector.

Before proceeding copy all the data from the drive to somewhere on your Ubuntu and sanitize it using something like Clam AV.

To format your USB device, at the Linux command prompt type:

Step 1.

fdisk -l

The command above will show you a list of devices.

Assuming your USB drive is sda1, you'll need to unmount the flash disk, so:

Step 2.

umount /dev/sda1

Once done, enter the following command to format the flash device to FAT32:

Step 3.

mkdosfs -F 32 -I /dev/sda1

I doubt anything can survive this. ;-)

But if it still persists, use this as a last resort:

dd if=/dev/zero of=/dev/sda bs=512 count=1   # /dev/sda = the whole USB device whose partition sda1 is assumed above

It will destroy the partition table of your device ... completely. Mutually assured destruction. Sweet.

Now repeat steps 1-3 and the bad guys will be gone forever.

GeneQ

Posted 2009-10-23T09:44:19.663

Reputation: 4 581

But isn't the problem that Windows XP is infected, not the flash drive itself? That's what is copying over, from XP to the flash drive. – Jeff Atwood – 2009-10-23T10:03:24.493

Reinstalling XP is a must. But often if you don't sanitize the flash drive it will reinfect your pristine XP. I've seen some nasty home-grown stuff which resides within the MBR and that two mainstream AVs can't remove. – GeneQ – 2009-10-23T10:11:04.633
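A way to see from Linux what the drive's autorun.inf would launch, and to fingerprint that file before the drive is wiped, as the question and the answer above both work from Ubuntu. This is an added example, not part of any post on this page; the function names, the mount point and the sample drive contents are constructed for illustration, and launch targets are assumed to be space-free paths relative to the drive root.

```shell
#!/usr/bin/env bash
# Added example: list what an autorun.inf would launch, without running it.

# Print the value of every launch key (open, shellexecute, shell\<verb>\command).
autorun_targets() {
    local root=$1 inf
    # FAT names are case-insensitive: match AutoRun.inf, AUTORUN.INF, ...
    inf=$(find "$root" -maxdepth 1 -type f -iname 'autorun.inf' | head -n 1)
    [ -n "$inf" ] || return 1
    # Strip CRs from the CRLF line endings, then turn \ separators into /.
    tr -d '\r' < "$inf" | awk -F= '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == "open" || key == "shellexecute" || key ~ /^shell\\.*\\command$/ {
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val)
            gsub(/\\/, "/", val)
            print val
        }'
}

# One line per distinct target: path, present/missing, SHA-256 of the file.
autorun_report() {
    local root=$1 target exe
    autorun_targets "$root" | sort -u | while IFS= read -r target; do
        exe=${target%% *}   # assumption: no spaces in the path; drop arguments
        if [ -f "$root/$exe" ]; then
            printf '%s\tpresent\t%s\n' "$exe" \
                "$(sha256sum "$root/$exe" | cut -d' ' -f1)"
        else
            printf '%s\tmissing\t-\n' "$exe"
        fi
    done
}

# Constructed sample laid out like the drive in the question (harmless files).
make_sample_drive() {
    local d
    d=$(mktemp -d)
    mkdir "$d/Cache"
    printf 'placeholder, not a real executable' > "$d/Cache/TMP983.exe"
    printf '[autorun]\r\nopen=Cache\\TMP983.exe\r\nicon=Cache\\x.ico\r\nshell\\open\\command=Cache\\TMP983.exe\r\n' \
        > "$d/AutoRun.inf"
    echo "$d"
}

# Usage: ./autorun_report.sh /media/usb   (mount point is an assumption)
if [ -n "${1:-}" ]; then autorun_report "$1"; fi
```

Mounting the drive read-only before running the report keeps the evidence unchanged.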

0

An application called UsbFix, as generic as it might sound, seems to find, clean and restore USB devices messed up by some USB or shortcut viruses which aren't detected by normal antivirus applications like Avast.

David d C e Freitas

Posted 2009-10-23T09:44:19.663

Reputation: 3 498

0

BleepingComputer has some great resources and several volunteers who can help you identify and remove any infections.

MalwareBytes' Anti-Malware and Microsoft Security Essentials are some good tools for detecting/removing spyware.

Trend Micro's HijackThis will create a report that can be used to identify spyware that's actively running.

SDfix is a lower-level tool that helped me nuke some very persistent malware a while back.

rob

Posted 2009-10-23T09:44:19.663

Reputation: 13 188