Remove Virus From USB Flash Drive Using Command Prompt

Viruses are usually spread across multiple computers using USB Flash drives, external media, connected networks and the Internet. If a USB drive is infected with a virus, it will get activated when we open the USB drive on our computers.

This is because of the auto-run functionality in Windows. Windows looks for an autorun.inf file on the USB drive. The autorun.inf file contains information about which program to run when the USB flash drive is opened.

Viruses tend to add their own entries to the autorun.inf file and then execute automatically from there. The safest way to use USB flash drives without infecting your own system is to disable the Auto Run functionality of Windows.

To disable Auto Run functionality in Windows, do the following:

  1. Go to Run –> gpedit.msc. This will open the Group Policy Editor.
  2. Navigate to Computer Configuration –> Administrative Templates –> Windows Components –> AutoPlay Policies
  3. In the right hand pane, enable the “Turn off Autoplay” setting.

Autoplay group policy

This will prevent Windows from automatically using the autorun.inf file on the USB drive.

If your USB drive is already infected with a virus, you can safely delete the autorun.inf file and then scan the USB drive with an antivirus to make sure that the USB drive is clean from all malware.

Autorun.inf can be deleted in two ways. First by using Windows Explorer:

  1. Press Windows Key + E to open Windows Explorer. From the left hand tree, open the USB drive. This should not trigger the auto run functionality of USB.
  2. Now from the left hand content pane, delete the autorun.inf file. Make sure that you are showing hidden files from Folder Options as autorun.inf is usually a hidden file.

Secondly, you can also delete the infected autorun file from the command line.

  1. Go to Run –> cmd. This should open the command prompt.
  2. Type g: where g is the USB drive letter.
  3. Now run the following command: attrib -h -r -s -a *.*. This will remove the hidden, read-only, system and archive attributes from all the files.
  4. Type del autorun.inf. This will delete the autorun.inf file.

If you want to make sure that in addition to the autorun file, the virus is also removed from the USB drive, you will need to open the autorun.inf file in notepad and see which files and executables are triggered during autorun. Delete those executables and you will be safe from the wrath of USB viruses.
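Instead of reading the file by eye in Notepad, the entries that launch something can be listed with a short script. This is an added example, not part of the original article; the sample text is constructed, its file names are placeholders, and the function names are this example's own.

```python
# Constructed sample: mixed-case keys and junk ';' comments, a common way to
# obscure a malicious autorun.inf. All file names are placeholders.
SAMPLE = r"""[AutoRun]
;kjasd junk comment
oPen = payload_placeholder.exe /q
;more junk
sheLl\eXploRe\CommANd = "tools\helper placeholder.exe" -x
shELL\opeN\DEFault=1
ShellExecute=readme_placeholder.html
icon = drive.ico
[Other]
open = ignored.exe
"""

def is_launch_key(key):
    """True for open, shellexecute and shell\\<verb>\\command (any letter case)."""
    k = key.strip().lower()
    # Tolerant match so keys pasted with their backslashes lost are still caught.
    return k in ("open", "shellexecute") or (k.startswith("shell") and k.endswith("command"))

def target_of(command):
    """Return the file a command line points at, without its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""

def autorun_targets(text):
    """Map each launch key in the [autorun] section to the file it references."""
    targets, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            if is_launch_key(key):
                targets[key.strip().lower()] = target_of(value)
    return targets

if __name__ == "__main__":
    for key, target in autorun_targets(SAMPLE).items():
        print(f"{key} -> {target}")
```

Each file it reports is a candidate to check on the drive and delete along with autorun.inf; the script only reads text and never opens or runs the referenced files.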

I hope this will be useful for you. Do let me know whether it was useful for you or not.

35 Comments

  1. help me guys, i followed the instructions but virus are still there, and also autorun.inf is not recognized as internal or external command

    thank you

  2. [AutoRun]
    ;iarkvjlmIV gHcWGawbu
    ;
    oPen = qkem.exe

    ;TjqJb vxrtvCRWVq
    sheLleXploReCommANd = qkem.exe
    ;LNwjBmDiYcjfylHhnapLWEMBeM Rgwpu yefhTS
    shELLopeNDEFault=1
    ;
    SheLlOPencoMmAnd = qkem.exe
    ;RFRGC
    SHEllaUtoplaYCommAnd=qkem.exe
    ;TEatQ

  3. Olatunji Ridwan on

    Hi, pls this isn’t working for me, once I press atrrib -h-r-s-a *.* it responds with invalid switch. Thanks in anticipation to ur response

    • Attribute Command Parameters
      – means clears an attribute
      H means hidden file attribute
      S means system file attribute
      A means archive file attribute
      R means read-only file attribute
      /S means process matching current folder and all subfolders
      /D means process folders

    • R – R represents the “Read-only” attribute of a file or folder. Read-only means the file cannot be written or executed.
      H – H stands for the “Hidden” attribute.
      A – Similarly, A stands for “Archiving” which prepares a file for archiving.
      S – S attribute changes the selected files or folders into a system file from a user file by assigning the “System” attribute to that particular file.

  4. It worked for me..
    Just some sort of advice:
    You forgot to mention that “System Volume Information” folder can’t be deleted because it is part of the drive itself.. And it’s also super hidden like other infected files.. That’s the reason why you got an “Access Denied”..
    Another thing you guys should consider is running your command prompt as ADMINISTRATOR when executing DEL command or any other process like this.. In some ways, it’ll give you the privilege to execute the command you typed..

    • Because you didn’t open cmd as administrator these are the steps
      1. Press Windows key + X
      2. Select Command Prompt (Admin)
      Proceed from there with the commands.

  5. I followed the same step for removing autorun.inf from pendrive. But after running the command: attrib -h -r -s-a *.* it shows Access denied. What to do i have tried all ways to delete this virus but nothing has helped

  6. What you said i tried but the 1st one its 2nd point i couldn’t find then i tried the 2nd one its also not working cause it is connected with my java. Can plzz more explain the 1st one’s 2nd point.
