Pendrive autorun viruses

Follow these tips to avoid infections from pendrives and also see tips on how to remove autorun based viruses.

  • Always scan the media before accessing its contents. Keep your antivirus up to date. If you find that the icon of media has been changed from default drive to a folder or something, that means you are carrying an infection in your drive.

  • Instead of auto running the device, click on explore, this avoids malicious code from being executed by mistake if it escapes anti virus data base. Upon right clicking on your media, if the there is autorun on top instead of open or when some unknown language being displayed, be certain you have a virus waiting to execute on double click.
  • Beware of suspicious looking files. Always uncheck the “hide extensions for known file types” option in folder options. This lets you keep an eye on suspicious stuff like a folder with “.exe” extension, a media file with “.avi.exe” extension etc. Same implies to New folders that pops out of nowhere. Usually virus files set themselves super hidden attributes to avoid being seen.

Note: Super hidden files means system files, i.e. those files that comes visible when you go to tools-folder options-view-and tick show hidden files and folders and untick hide operating system files. In DOS it is called SH attribute, SYSTEM HIDDEN or nick named super hidden.

After enabling show hidden, uncheck hide protected OS files and uncheck hide extension, delete all folders carrying a .exe extension. Also delete the COM, BAT files and recycler folder in the pendrive.

Note: Recycler folder is present on NTFS volumes and it is the space you allot to recycle bin for that drive. A recycler folder on your partitions is a system folder, which stores the files in your recycle bin. But we know when we delete the files from pendrives, they are permanently deleted, doesnt go to recycle bin, hence this means there is no system recycler folder on pendrive. Also, pendrives are usually formatted in FAT system, and in FAT, there is no recycler folder, its called RECYCLED there! Thus,  any recycler folder on a pendrive got a trojan inside it, which is usually run by autorun.inf files.

  • Keep track of files that you have on your pen drive/hard disk. Any new file with a suspicious extension should be avoided to be innocently checked.
  • There may arise an occasion when you see that opening your folders take a hell lot of time in your pendrive. Point to any folder and see its size. If a folder containing a movie shows a size of 300 Kb to 1 Mb, this means your pendrive and your PC is infected now. These kind of viruses when they enter our pendrive hides all folders available in it and set up their off springs which are .exe files but carry icon of a folder and names of your folder. When ever you double click these files, tricked that they are your folders, the code executes and then the virus takes you to the folder which is actually hidden to avoid suspicion.

Or there may be a lucky occasion that on scanning your pendrive before access, your antivirus detects a lot of infections and deletes them. But on opening your pendrive you find all your folders missing. They are actually super hidden now.

In case you find that your system isn’t showing you hidden files/ super hidden files, that means your system is in grip of an infection or an infection had made a malicious entry in system registry.

Firstly download Malwarebytes, install it and run a full scan. Then download the registry defaults tool and run it to restore registry defaults, this enables the disabled features. Restart to fix the issue.

But if you want to change back the attributes of the SH folders and files back to normal, it cant usually be done by file\folder properties. Use command prompt and attrib command to do that. Open a new cmd window and write & execute this command-

attrib -s -h -r X:\*.* /s /d

where X: is the drive letter of your removable media.

  • In case you end up executing a suspicious code, check in task manager if you got a new process running. It can stopped temporarily from there. But the damage to registry can’t be easily undone. Use application like process manager if you find your task manager has been disabled. Use kill box to delete the malicious file. In case you arent comfortable removing it manually, scan PC with Malwarebytes.
  • Always try to recognize processes in task manager from time to time, especially when you install new applications. This helps you identify foreign processes running in case of a virus infection. Enthusiasts can use the application InstallRite to keep eye on all files and registry entries copied by an application install. Half the job is done when you identify the virus in processes.
  • Create a folder AUTORUN.INF in all your drives and hide it for convenience. ( E.g. – create the folder just inside C: drive, another in D: drive etc.) This makes sure that malicious codes aren’t able to autorun themselves on double clicking the drives. Same case implies to your pendrives, create a folder of specified name and avoid malicious code execution.

Note: Many viruses that spread from flash drives use a mechanism of autorun to spread. They copy themselves to target drive and make a autorun.inf file having code that makes the virus execute whenever the drive is double clicked (note carefully, it’s a file not folder). If we have made a folder named AUTORUN.INF, already present in our drives, the autorun.inf file made by virus can’t be created, since a folder and a file can never have same name at same location. A file can replace a file, a folder can replace a folder, but a file can’t replace a folder. Hence, even though the virus copies itself to your pendrive/system drives, it isn’t executed even on double clicking the drive.

If your drives aren’t opening on double clicking or opens in a new window, there must be a super hidden autorun.inf file in your drive root. Search for it, delete it and restart. This fixes the problem. You can also use killbox to delete the autorun.inf files as shown below-

  • Ever annoyed by file not getting deleted, renamed, or pendrive being not safely removed with file in use error? The solution is- Unlocker. This little tool installs a explorer extension that comes visible when you right click on a file or drive. Unlocker displays all the processes using (or locking) the file/ folder/drive. This locking handle can prevent the file from being deleted or renamed or prevents the pendrive from being safely removed with drive/ file in use error. In that case, just right click on the object and click on unlock. A list of applications using the object is displayed. Click unlock all and proceed.
  • Keep an eye on applications registered at startup using the tool Autoruns. Find them in logon tab. If you ever feel you executed a malicious file, check the startup and delete the malicious file autorun entry ( remember to see the key too, since it points to address of malicious file, which too has to be deleted ).