USB transfers files to a "DEVICE" inside it and creates a shortcut to a drive

Jan 29, 2019
6
0
10
Hello all,

I plugged my USB drive today and all the files on it were missing, after enabling the hidden files view option I found out that they were moved to a invisible folder called "DEVICE" and also a shortcut to a "removable drive" was created. I suppose the drive got infected somehow, I've tried every tutorial and troubleshoot with no results (.BAT files, CMD Attributes, etc), formated the USB with Hard Disk Low Level Tool, run Avast, Avira and Windows defender and none found any virus on any drive on the computer. Hoping that someone can help, thanks in advance!
 

Ralston18

Titan
Moderator
At the print shop did you give the USB drive to anyone and let the drive go "out of sight"?

Or did you just plug the USB drive into a printer and print out some documents yourself?

Seems strange that any meaningful virus would reveal itself in such a manner; i.e., moving and hiding files inside of an invisible folder named "DEVICE". And leave all files still available and readable. Which is the situation - correct?

Because all of your scans did not find any viruses etc., my thought is that your USB may actually been the victim of some faulty or misguided software.

Difficult to know unless you create some expendable USB drive with no personal information on it, go back to the print shop, and see if the files get moved and hidden again.

Ask what software is being used to read and print the files.

Consider placing the USB in RO (Read Only) to determine what happens.

One way or another there should be some explanation about it all.




 

howtobeironic

Honorable
Jun 16, 2018
396
23
11,115
Sounds like the old "My Removable Drive" virus, had to deal with that a few times. Stubborn, but doesn't do much. It creates an hidden file with no name, plants a shortcut ("My Removable Drive(X:)"), an autorun pointing at it, and inside the folder, a few more randomly named files (supposedly payload). Shortcut points to svchost.exe though, once it runs it's really hard to disinfect, and will copy itself on every USB plugged in. To explain I can give an example of my school computers, %95 of them were infected by that, a full wipe was needed nonetheless. Strangely only old AV's pick that up.

I genuinely hope you did not open that shortcut nor you clicked "Open in Explorer" in autorun if you had one. If you did, I don't know how to remove it. I don't guarantee this is the same variation that didn't copy itself on the files, so I'll give you how I handled my variation Obviously this needs you to plug it in, so potentially unsafe.

1)First off go disable autorun, and never try this on a PC with important data.
2)Install USBDiskSecurity, this should let you open it safely (didn't experiment if safe open works)
3)Head to Folder Options, check "Show Hidden Files" and uncheck "Hide system files"
4)Hope for the best, plug it in.
5)Explore the drive, find the hidden folder.
6)Delete anything that isn't familiar, even though Windows warns you about it being a system file.
7)Copy your files off, do a scan.
8)Format the drive and see if it happens again.