Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled.
Please insert your flash drive before we begin!
Reconfigure Windows XP to show hidden files, folders. Open My Computer, go to Tools > Folder Options and click on the View tab. Under Hidden Files and Folders: "Show hidden files and Folders", "Hide Protected operating system Files (recommended)", "Hide file extensions for known file types", and hit Apply > OK.
Open My Computer, right-click on your primary drive (DO NOT double-click), select "Explore", and search for any autorun.inf at the root. Repeat the search on all your drives (including your flash drive and any recent CDs you have used). If autorun.inf is present continue as follows:
Reboot your computer in "Safe Mode" or "Safe Mode With Command Prompt" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode With Command Prompt".
- Go to Start > Run and type: cmd
- Press OK.
- At the command prompt, type in your primary drive location, usually C:
- You may need to change the directory. If so type: cd \
- Hit Enter.
- Type: attrib -s -h -r -a autorun.inf
- Hit Enter.
- Type: dir
- Hit Enter. This will allow you to see and confirm the Autorun files.
- Type: del autorun.inf
- Hit Enter.
- Repeat the above commands for each drive on your computer.
- Exit the command prompt and reboot normally.
When done, remove the Startup RUN value by downloading and using Autoruns.
Please download MsnCleaner.zip and save to your Desktop. In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.
- Extract (unzip) the file to your desktop (click here if you're not sure how to do this), but DO NOT use it yet.
- Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
- Double-click MsnCleaner.exe to run the tool.
- Click the "Analyze" button.
- A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
- If it finds an infection, click the "Deleted" button.
- Reboot normally and post the contents of MsnCleaner.txt in your next reply.
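
A small triage helper for the manual check above, added here as an example and not part of the original post: before deleting an autorun.inf, it lists the commands in the file that Windows would launch and the files they reference, so those can be located on the same drive. The sample file contents and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample matching the chain described in the post (not a captured file).
SAMPLE = """\
; constructed sample
[AutoRun]
open=autorun.bat
shellexecute=wscript.exe autorun.vbs
label=USB
"""

# Extensions worth locating next to autorun.inf before anything is deleted.
EXECUTABLE_EXTS = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".exe", ".com", ".scr", ".pif")

def launch_entries(text):
    """Return (key, command) pairs in [autorun] that make Windows start a program."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        # open / shellexecute run on insertion; shell\<verb>\command runs from the drive's menu.
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            entries.append((key, value))
    return entries

def referenced_files(entries):
    """Executable or script names mentioned in the launch commands, in order, de-duplicated."""
    files = []
    for _key, command in entries:
        for token in re.findall(r'"[^"]+"|\S+', command):
            name = token.strip('"')
            if name.lower().endswith(EXECUTABLE_EXTS) and name not in files:
                files.append(name)
    return files

if __name__ == "__main__":  # optional argument: path to an autorun.inf
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    found = launch_entries(text)
    print(found, referenced_files(found))
```

Any file it reports that is also present in the drive root should be noted alongside the autorun.inf itself.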