TheMalwareMaster

Dear all,
I am dealing with an infected USB flash drive that needs cleaning up. A family member brought this flash drive home after it got infected with a worm on another Windows computer. The flash drive was inserted in my home system (I was not present at that time); however, it didn't get infected because the worm was stopped by Windows Defender: it detected a .lnk file and a .vbs script on the pendrive (I also had VoodooShield, which didn't report that any threat was blocked, and that machine is running a standard user account). I double-checked running processes, startup files and services (didn't notice anything suspicious) and ran Hitman Pro and Malwarebytes, and the system came up clean.
However, now I would like to safely restore the files on that pendrive. Unfortunately, I wrongly deleted the worm from the Windows Defender quarantine, so I don't know exactly what kind of malware it was, but, from the description provided, I understood that it's the typical worm that replaces each file with a shortcut to itself.
I don't have any Linux box available at the moment, so I need to clean the USB and restore the files by re-inserting the key in a Windows machine. I think the key is clean now; however, I don't want to risk an infection on the machine (I remember some of you guys mentioning software such as MCShield to prevent this).
Any suggestion of what to do?
How do I recover files?
Thanks in advance

Update: I read the Microsoft docs about worms: Worms
And I remembered that the name of the worm was Jenxcus.

davisd

Trying to disinfect already affected files may break them beyond recovery. Disable AutoPlay for all media and attached devices. See what's left and whether any important document information can be saved manually. The best option would be to format the USB and move on.

Raur

Just for anyone's info, MCShield hasn't been updated since 12 April 2014: Link

Care to share the commands used (Windows 7/Windows 10) to remove the USB hidden attributes via CMD prompt? Just for the benefit of those who are not yet familiar with CMD :giggle:

rockstarrocks

Just for anyone's info, MCShield hasn't been updated since 12 April 2014: Link

Care to share the commands used (Windows 7/Windows 10) to remove the USB hidden attributes via CMD prompt? Just for the benefit of those who are not yet familiar with CMD :giggle:
If I remember correctly, this is what I used back in the day:
Run cmd as admin
Code:
G:
rem remove the shortcuts the worm dropped in place of the real files
del *.lnk
rem clear the system, read-only and hidden attributes on the real files and folders
attrib -s -r -h *.* /s /d
Change G: to the drive letter of the USB drive.
PS: All of this is to be done after removing the malware from the USB.

TheMalwareMaster

Yeah, I noticed the latest MCShield database update was from 2016, but it basically worked and removed some residual .lnk files (maybe the worm was old). Just remove any .lnk file on your pendrive and you are OK. Then, the worm was already cleaned by Windows Defender, so there was not much work to do, and I had autorun and Windows Script Host disabled on that machine using a registry tweak.
Here you have a guide with all the steps
Do you know other alternatives? I will take a look at USBFix.
In any case, it's not recommended to insert the flash drive into a Windows computer again (if you aren't 100% sure that the worm was already cleaned by an AV), as it may get infected. Just use a Linux machine or a live ISO.
In my case, I was almost sure the infection was gone (as it was), but in any case I had autorun and Windows Script Host disabled, as well as VoodooShield real-time, MCShield and other second-opinion scanners in real time (Zemana and Malwarebytes), which were installed just to check the USB and then removed. So in case the malware was still present, there was no risk of infection (especially because autorun and Windows Script Host were disabled).

WinXPert

If your PC is clean, you can simply use ATTRIB on your USB drive.

At the CMD prompt, type (replace DRIVE: with the appropriate drive letter):

ATTRIB [DRIVE:] -S -H /S /D

If you have MCShield, enable "Always unhide items on flash drive".

360 TS would unhide folders and files if infections are detected.

If your PC is infected, that's a different story. You have to kill the malware first and disinfect before you clean your USB drive. Since you mentioned a VBS script, try to kill all wscript.exe processes first and delete their startup entries with a utility like System Explorer. If there is no wscript.exe running, look for any process with a random filename and the same icon as wscript.exe.
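An added example, not code from this thread or from any of the tools mentioned in it: a minimal Python parser for the .lnk (Shell Link) format, so the shortcuts left on the drive can be triaged from any OS before they are deleted with the commands above. It follows the MS-SHLLINK layout (fixed header, optional ID list and LinkInfo, then the StringData fields) and builds a constructed sample shortcut with made-up file names.

```python
import struct

# LinkFlags bits from the Shell Link Binary File Format (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
SCRIPT_HOSTS = ("wscript", "cscript", "cmd.exe", "powershell", ".vbs", ".js")

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a .lnk file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    pos = 0x4C                          # end of the fixed-size header
    if flags & HAS_ID_LIST:             # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:           # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"show_command": show_cmd}
    for bit, name in STRING_FIELDS:     # StringData blocks appear in this fixed order
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return out
def is_suspicious(info: dict) -> bool:
    """True if the shortcut runs a script host or hides its window (SW_SHOWMINNOACTIVE = 7)."""
    text = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    return any(h in text for h in SCRIPT_HOSTS) or info["show_command"] == 7
def build_lnk(relative_path: str, arguments: str, icon: str, show_cmd: int = 1) -> bytes:
    """Build a minimal Shell Link (no IDList/LinkInfo); only used for the constructed sample."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0)
    header += b"\0" * 24 + struct.pack("<IiIH", 0, 0, show_cmd, 0) + b"\0" * 10
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon))
    return header + body

# Constructed sample (made-up names): runs a VBS via wscript in a hidden window, then opens the real file.
SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe",
                   r'/c start wscript.exe //B "dropper.vbs" & start "" "report.docx"',
                   r"%SystemRoot%\System32\shell32.dll", show_cmd=7)
```

On a real drive, read each *.lnk with open(path, "rb") and pass the bytes to parse_lnk before running the del and attrib steps, so any shortcut whose arguments name a script or a hidden window gets a second look.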