Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Usb Memory Stick Infection -- Folders Hidden(?) And Unreachable


  • Please log in to reply
5 replies to this topic

#1 Billermo

Billermo

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 23 August 2007 - 12:05 AM

Today my memory stick was used by a co-worker to save some files from another computer. When it came back to me, it was obviously infected with some kind of virus.

I just ran McAfee Virus Scan on the memory stick and it did not find anything.

It is obvious that it missed it. Previously on the memory stick were a number of folders, and also some files not in folders on the top level. Those folders were all replaced using the same names as the folders with .exe files.

So if there was a folder before that was named "Photos", now instead there was a .EXE file with the name Photos.exe. I use Display Extensions, so it was immediately obvious to me the virus had replaced my folders with itself. All the file sizes of these .exe files were 230K. There were about 10 folders replaced this way.

Now in the past when a similar virus has infected my USB, all I needed to do was scan it with McAfee, which would kill the virus one file at a time, and then after that go to Explore, Tools, Folder Options, View, choose Show Hidden Files and Folders (the virus had selected Do Not Show Hidden Files and Folders). All the old folders, which had been hidden, would then reappear.

This time when I do that, the lost folders don't reappear.

My first reaction was that they had been deleted by the virus.

However, when I go to Explorer and right click on my USB memory stick drive (it shows up as drive E there), it shows 170mb used, 330 free on the memory stick. I only have about 3mb of files left on this memory stick after deleting all the .exe files. As a double-check, I also deleted everything else that was still left on the USB memory stick, so there should be nothing left, totally empty. Well, no. Now when I right-click on the USB in Windows Explorer, it shows 167mb used. I think that the files were hidden on the USB in some new way that is not just hidden folders. The virus may also have hidden itself in there , but that's just speculation.

Any ideas how to fix this ? Any help would be appreciated.

Ideally, I'd love to be able to recover my folders and files on the USB again. If that's impossible, at least I'd like to be able to clean the memory stick so I can use it again knowing it's safe (and not lose a third of its total space to permanently emtombed files!).

Thanks

Edited by Billermo, 23 August 2007 - 12:13 AM.


BC AdBot (Login to Remove)

 


m

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:19 PM

Posted 23 August 2007 - 07:21 AM

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • Wait until it has finished scanning and then exit the program.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Reboot your computer when done.
You can also download "ClamWin Portable", install it on your USB Flash Drive, update its definition files and perform a scan.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Billermo

Billermo
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 23 August 2007 - 10:32 AM

OK I just tried the Flash Disinfector but that did not work.

Earlier tonight at work, I looked at the USB stick at an office computer. That computer had ACDSee installed and there was a right click option to Explore using ACDSee -- I tried it. When I did, the old folders appeared inside the ACDSee Explorer window as being there. I tried to copy them onto the desktop, copy and paste -- and that worked to a point. I was able to copy them into a folder there on the desktop (named "USB" by me), and if I right click on that folder and choose Properties, it shows that it contains 167mb. But when I choose Explore in the right click option and open it, inside it appears there is NOTHING. So the virus has figured out a way to HIDE everything so that Windows can't display it, even though it is there, and so it appears to be empty. But at the same time, Windows knows the 167mb are there.

I'll try the ClamWin program but my hopes aren't high. No anti-virus program has been able to dent this thing so far. I've tried Flash Disinfector, McAfee and Free AVG, all fully updated.

By the way, since most of the files are Word documents, I just opened Word and tried to explore it using Word, but again, nothing shows up.

---------------------

I just finished scanning using ClamWin, and it did not find any infections. As it was scanning, I was able to watch it scanning all the old files I had on the USB stick, so they are all there. They're just not accessible to me. It may be that the virus is gone from the USB but the method it used to conceal the files is still intact.

Actually when I was infected by something similar previously, after the scan and removal of the virus from the USB stick, I still needed to go unhide all the folders the virus had hidden. So it looks to me like this virus did the same thing, but by some way other than just hiding the files using Hide Files/Folders.

Edited by Billermo, 23 August 2007 - 11:39 AM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:19 PM

Posted 25 August 2007 - 06:42 AM

From what you are describing, I'm not so sure your dealing with a flash drive infection. There does not appear to be evidence of the usual symptoms or the presence of Autorun.inf. Further, when a flash drive becomes infected, the Trojan normally infects a computer system when it is inserted and you don't seem to have that issue in this scenario.

May be time to consider Formatting a Flash Drive.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Billermo

Billermo
  • Topic Starter

  • Members
  • 110 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 31 August 2007 - 09:32 AM

Thanks for the help.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:19 PM

Posted 31 August 2007 - 09:37 AM

Your welcome and good luck. :thumbsup:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users