Probably you're one of those who have had this frustrating experience. More frustrating is, some one suggested that you reformat your USB disk to get rid of the virus... (along with your very important files!)
In my experience reformat is always the last recourse in dealing with viruses and malwares! The best solution is understand how these viruses behave. (One of these days I'll explain why reformatting a disk is a BAD way -- if not the worst -- of dealing with viruses)
Most of the viruses (or to be precise Malwares) these days are commonly transferred by inserting your USB disk into an infected computer thus infecting your USB disk and making it a carrier of the malware. Then you insert your USB disk to your computer opened it the usual way then Congratulations! You have just successfully infected your computer!
Is there a way to prevent this? Yes of course.
How does this happen? First I would like to refer you to my previous post http://tekbytes.blogspot.com/2010/04/my-usb-has-autorun-virus-what-should-i.html. It should give you some explanation how the Autorun feature of Windows was exploited and some of the preventive measures.
Now how to handle these malwares. Note: The following steps is not 100% guaranteed to work but so far it works with me and this is only tested in Windows XP so far. I'm not sure if this will work on Vista or Windows 7
First of all, let's assume that the malware is already active and now in the memory of your computer.
- Press CTRL-ALT-Delete to bring the Windows Task Manager.
- Click the Processes tab.
- In my own observation a clean explorer.exe will show in all small letters take only a small amount of memory, if very few or no program is running. If a malware is active, then you will probably see it as Explorer.exe. Now this could be a sign that your system is already infected!
- Select the explorer.exe
- Click -> End Process. Your desktop will go blank temporarily and your Task Bar will disappear. (Don't panic! It's part of the process)
- In the Task Manager, click File -> New Task (Run)
- On the input box type 'c:' This will bring the explorer back again. But it should be all in small letters this time. Usually the memory resident part of the malware is already eliminated (Unless it uses the svchost.exe or rundll to keep it in the memory).
- Now click the Start button of your desktop, and click Run. (Or you can do this from the Task Manager also.)
- Type CMD then press the Enter key. The MS-DOS window will appear (Yes the black one with white text on it)
- On the prompt, type the letter of the USB disk, followed by a colon. Ex G:. (upper case or lower case will do.
Usually the malware is hidden and the autorun.inf is hidden as well that you can not see it on your USB drive window. (PLEASE don't open your USB drive using the explorer at this point, or else you will have to go back to step 3!)
- Type dir /ah - this will give you a list of all hidden files and folders in your USB disk.
If necessary make a list of these hidden files, you need to change their attributes to un-hide and delete them.
- Now type attrib -h -s -r autorun.inf (Assuming that autorun.inf is also hidden). attrib is a command that changes the attributes of a file. -h -s -r removes the hidden, system, and read-only attributes respectively.
Repeat this step with the other hidden files, which I would assume the malwares (unless it was you who hid those files). The command is attrib -h -s -r (name of the file. extension).
Usuall malware files have .vbs or .exe extension.
- You can delete them one by one by typing del (name of the file. extension).
Ex: del autorun.if
(There's a short cut but I'm afraid you might delete a valid file accidentally)
- Or after deleting autorun.inf you can open the windows explorer but make sure you right click your USB disk and click explore.
You should be able to see files that were hidden and you can delete them now.
Caution! DO NOT DOUBLE CLICK any of these files.
- Unmount or safely remove your USB disk and insert it again.
Have a safer computing!