remove shortcut virus from USB?


6 replies to this topic

#1 mak123

mak123

    Linux Motivator

  • 705 posts
  • Joined: 01-April 10
  • Location: At World's end

Posted 19 November 2010 - 18:46

Hi,
when I insert a pen drive and open it through AutoPlay, it shows shortcut files... :unsure:
How do I remove the virus? Otherwise I am ready to format the pen drive, but I am unable to format it.....


#2 Singh400

Singh400

    Neowinian Senior

  • 5,839 posts
  • Joined: 02-February 10

Posted 19 November 2010 - 19:24

Disable autoplay across the system, and then remove the infection.

#3 OP mak123

mak123

    Linux Motivator

  • 705 posts
  • Joined: 01-April 10
  • Location: At World's end

Posted 20 November 2010 - 05:01

how to remove....????

#4 Hum

Hum

    totally wAcKed

  • 61,785 posts
  • Joined: 05-October 03
  • Location: Odder Space
  • OS: Windows XP, 7

Posted 20 November 2010 - 12:59

^ Use an anti-virus program, such as AVG.

Or if you can identify the file from the list, simply Delete it.

#5 Lup0Solitari0

Lup0Solitari0

    Resident One Post Wonder

  • 1 posts
  • Joined: 17-August 11

Posted 17 August 2011 - 02:26

Solution for anyone facing the Autorun.inf virus which changes the attributes of folders on your USB device creating shortcuts to all folders located on the USB device.

This virus (secure32.exe) is launched through the autorun.inf file when a USB device is connected to your computer. The virus adds a line to the autorun.inf file, creates shortcuts of folders, changes the attributes of folders to hidden and also creates a random numbered folder on the USB (9584549). Within this random numbered folder you will find .exe files which are linked to the shortcuts of your original folders.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

***************************
*ORIGINAL AUTORUN.INF FILE*
***************************


[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1

***************************
*INFECTED AUTORUN.INF FILE*
***************************


[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
shellexecute=secure32.exe

/\/\/\/\/\/\
/\ INFO /\
/\/\/\/\/\/\


The line shellexecute=secure32.exe executes the virus when a USB Device is connected to the Computer. This line has been added to the Autorun.inf file by the virus by either editing the autorun.inf file or removing and creating a new version of the file.

****************************
*MY EDITED AUTORUN.INF FILE*
****************************


[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=F:\USB_Shortcu-Temp_Viri_Fix\USB_Shortcut_Temp_Viri_Fix.bat
action=Open folder to view files
UseAutoPlay=1

/\/\/\/\/\/\
/\ INFO /\
/\/\/\/\/\/\


The Line (shellexecute=F:\USB_Shortcu-Temp_Viri_Fix\USB_Shortcut_Temp_Viri_Fix.bat) located in my edited autorun.inf file was used to initiate the batch file I created to run through the process of Altering File and Folder Attributes, Delete the Virus file, Delete the Random Numbered Folder and Files and Delete and Replace the Autorun.inf file.


*****************************************************************
*BATCH FILE USED TO AUTOMATE ATTRIBUTE AND VIRUS REMOVAL PROCESS*
*****************************************************************


@ECHO OFF
color 0C
prompt LS:


ECHO *****************************
ECHO *Altering Folder Permissions*
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO *This May Take A While *
ECHO *Depending On The Amount Of *
ECHO *Hidden Folders On The USB *
ECHO *****************************

ECHO.
@ECHO OFF
attrib -h -r -s /s /d F:\*.*

ECHO.
ECHO **********************
ECHO *Deleting Autorun.inf*
ECHO **********************
@ECHO OFF
del F:\autorun.inf
del F:\secure32.exe

ECHO.
ECHO ****************************
ECHO *Copying Edited Autorun.inf*
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO * And *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO *Altering File Attributes *
ECHO ****************************
@ECHO OFF
copy F:\USB_Shortcu-Temp_Viri_Fix\autorun.inf F:\
attrib +r F:\autorun.inf

@ECHO OFF
start F:\

ECHO.

ECHO **********************************************
ECHO * Process Completed *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO *Delete Unwanted Shortcut Files From Your USB*
ECHO *And Folder 9584549 *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO * Brought To You By Lupo Solitario *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO * Thank You Come Again!!! *
ECHO **********************************************


ECHO @@@@ @@@@
ECHO @ @ @ @
ECHO @@@@ @@@@

ECHO @
ECHO @
ECHO @@@@
ECHO.
ECHO @ @
ECHO @ @
ECHO @@@@@@@@

ECHO.
pause

/\/\/\/\/\/\
/\ NOTE /\
/\/\/\/\/\/\


The batch file and autorun.inf option was a temp fix until I got antivirus software to completely remove the virus. When the batch file and option is used it removes the attributes (-r -h -s) added to the folder(s) by the virus and relates the virus and numbered folder but the virus is still hidden somewhere on the system. The batch file can be used after running Kaspersky Virus Removal Tool 2011 to change the file and folder permissions. The Shortcut folders will still need to be deleted manually and also maybe the Random Numbered folder created by the Virus.

If using the batch file, remember to change the drive letters to the letters corresponding to the USB Device letters. The lines that need to be changed:

attrib -h -r -s /s /d F:\*.*

del F:\autorun.inf

del F:\secure32.exe

copy F:\USB_Shortcu-Temp_Viri_Fix\autorun.inf F:\

attrib +r F:\autorun.inf

start F:\

The drive letter F:\ will need to be changed to the letter which corresponds to the USB device, if not the commands will not work. The batch file may take a while depending on the amount of File and Folders located on the USB Device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SHELLEXECUTE =

The SHELLEXECUTE command opens a document or starts an application. Mostly used to open documents automatically. If this command is used with a document, an associated program that can open the document will be automatically run. This command requires Windows ME/2000 or newer.

This is the method the secure32.exe virus uses to run when a USB device is connected to the computer. Editing or deleting the autorun.inf file from the USB does not help, as when the system is infected it will repeat the process when another USB device is connected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

****************************
* STEP 1 *
****************************
* GETTING RID OF THE VIRUS *
****************************


I have tried many different AntiMalware, Spyware and Antivirus Software to no avail, (This may also be due to the useless IT Technician at my company and the use of LAME USB Modems which meant all systems were not connected to the net to properly update antivirus and System Software). I finally tried Kaspersky Virus Removal Tool 2011 which detected the virus (secure32.exe) and also the .exe files created and stored in the Randomly Numbered folder.

(1) Download Kaspersky Virus Removal Tool 2011 (http://www.kaspersky...val-tool?form=1)
(2) Connect the infected USB device(s) to the system
(3) Run Kaspersky Virus Removal Tool 2011
(4) Go into the settings (gear wheel to the right of the program) and make sure the USB device(s) is/are selected from the list. I would recommend selecting Local C, My Computer, My Documents and any other drive on your system to make sure the virus is not hidden anywhere else on the system.
(5) Go back to Automatic Scan and perform a system scan (you will be prompted for an action on what to do when the virus is detected; some options may require the system to be restarted)
(6) When the scan has completed go to Step 2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

****************************
* STEP 2 *
****************************
*OPENING THE COMMAND PROMPT*
****************************


Opening the Command Prompt

OPTION 1

(1) Click on Start
(2) Run
(3) In the Run popup box type in cmd and press Enter

OR

OPTION 2

(1) Press the Windows Key + R
(2) In the Run popup box type in cmd and press Enter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

****************************
* STEP 3 *
****************************
*CHANGING FOLDER ATTRIBUTES*
****************************


When the Command Prompt has opened type in

attrib -r -s -h /s /d e:\*.*


That command will (attrib -r -s -d) remove the Hidden feature, Read only and System Attributes added to the file by the virus. The (/s) will process matching files in the current folder and subfolders and (/d) processes folders as well. The Letter e:\ refers to the USB device infected by the virus, change the letter e:\ to represent the drive letter of your infected USB device. The (*.*) option tells the system to apply the attribute to all files and folders located on the device.

/\/\/\/\/\/\
/\ INFO /\
/\/\/\/\/\/\


For help with Dos Commands type Help followed by the command name
E.G. help attrib

/\/\/\/\/\/\
/\ NOTE /\
/\/\/\/\/\/\


Once the attributes have been changed you will be able to view and access your original folders which were hidden. Once everything was done correctly you should now be free of the autorun.inf shortcut virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


***************************************************
*BATCH FILE USED TO AUTOMATE ATTRIBUTE CHANGE *
***************************************************
*BELOW THIS BATCH FILE ONLY CHANGES THE ATTRIBUTES*
***************************************************


@ECHO OFF
color 0C
prompt LS:


ECHO *****************************
ECHO *Altering Folder Permissions*
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO *This May Take A While *
ECHO *Depending On The Amount Of *
ECHO *Hidden Folders On The USB *
ECHO *****************************

ECHO.
@ECHO OFF
attrib -h -r -s /s /d F:\*.*

@ECHO OFF
start F:\

ECHO.

ECHO **********************************************
ECHO * Process Completed *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO *Delete Unwanted Shortcut Files From Your USB*
ECHo *And Folder 9584549 *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO * Brought To You By Lupo Solitario *
ECHO *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*
ECHO * Thank You Come Again!!! *
ECHO **********************************************


ECHO @@@@ @@@@
ECHO @ @ @ @
ECHO @@@@ @@@@

ECHO @
ECHO @
ECHO @@@@
ECHO.
ECHO @ @
ECHO @ @
ECHO @@@@@@@@

ECHO.
pause

DOWNLOAD LINKS

Batch File: http://www.filefacto...mp_Viri_Fix.rar

Kaspersky Virus Removal Tool: http://www.kaspersky...val-tool?form=1

<><><><><><><><><><><><><>
<> <><><><><><><><><><><>
<> GOOD LUCK LUPO SOLITARIO <>
<> <><><><><><><><><><><>
<><><><><><><><><><><><><>


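The autorun.inf comparison in post #5, turned into a check that can be run over the file's text before a drive is opened. This is an added example, not part of Lup0Solitari0's post or batch file; it goes slightly beyond the post by also flagging the `open` and `shell\<verb>\command` keys, and the function name and the third sample are constructed for illustration.

```python
# Added example: list the [autorun] entries that make Windows launch a program.
EXEC_KEYS = {"open", "shellexecute"}

# The two files quoted in post #5.
ORIGINAL = r"""[autorun]
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""
INFECTED = ORIGINAL + "shellexecute=secure32.exe\n"

# Constructed sample: mixed case, spaces around "=", a shell verb, and a
# look-alike key outside [autorun] that must not be reported.
CONSTRUCTED = r"""; constructed sample
[AutoRun]
ShellExecute = secure32.exe
shell\open\command=secure32.exe
[other]
open=ignored.txt
"""

def audit_autorun(text):
    """Return (key, value) pairs in [autorun] that start a program."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("infected", INFECTED),
                       ("constructed", CONSTRUCTED)):
        print(name, audit_autorun(text))
```

An empty result means the file only sets an icon and label; any finding names a program that would be started from the drive and should be inspected before the drive is opened.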

#6 +warwagon

warwagon

    Only you can prevent forest fires.

  • 25,696 posts
  • Joined: 30-November 01
  • Location: Iowa

Posted 17 August 2011 - 02:34

Boot off a Linux Live CD or BartPE CD and nuke it off the USB drive.

#7 babypp2

babypp2

    Neowinian

  • 4 posts
  • Joined: 13-August 11

Posted 17 August 2011 - 08:16

Use an anti-virus program, such as AVG.