≡ Menu

Remove Virus From USB Flash Drive Using Command Prompt (CMD)

Viruses are usually spread across multiple computers using USB Flash drives, external media, connected networks and the Internet. If a USB drive is infected with a virus, it will get activated when we open the USB drive on our computers.

This is because of the auto-run functionality in Windows. Windows looks for autorun.inf file in the USB drive. The autorun.inf file contains information about which program to run when the USB flash drive is opened.

Remove Virus From USB Flash Drive Using Command Prompt
Remove Virus From USB Flash Drive Using Command Prompt

Viruses tend to push their information in the autorun.inf file and then execute automatically from there. The safest way to use USB flash drives without infecting your own system is to disable the Auto Run functionality of Windows.

If your system is not infected by the infamous shortcut virus, you can disable the autorun functionality to keep your system safe. But first, let’s see how you can remove the virus from the infected USB Flash Drive.

Remove shortcut virus from USB using the command prompt

If your USB drive is already infected with a virus, you can safely delete the autorun.inf file and then scan the USB drive with an antivirus to make sure that the USB drive is clean from all malware.

Autorun.inf can be deleted in two ways. First, by using Windows Explorer:

  1. Press the Windows Key + E to open Windows Explorer. From the left hand tree, open the USB drive. This should not trigger the auto-run functionality of the USB.
  2. Now from the left hand content pane, delete the autorun.inf file. Make sure that you are showing hidden files from Folder Options as autorun.inf is usually a hidden file.

Secondly, you can also delete the infected autorun file from the command line.

  1. Go to Run –> cmd. This should open the command prompt.
  2. Type G: where G is the USB drive letter.
  3. Now run the following command. This will remove the attributes hidden, archive, system from all the files.
    attrib -h -r -s -a *.*
  4. Enter the following command. This will delete the autorun.inf file.
    del autorun.inf

Disable Autorun functionality using Group Policy Editor

To save your system from USB-related viruses, it’s safe to permanently disable auto-run functionality in Windows 10.

To disable Auto Run functionality in Windows, do the following:

  1. Go to Run –> gpedit.msc. This will open the Group Policy Editor.
  2. Navigate to Computer Configuration –> Administrative Templates –> Windows Components –> AutoPlay Policies
  3. In the right hand pane, enable the “Turn off Autoplay” setting.
Autoplay group policy

This will prevent Windows from automatically using autorun.inf file in the USB drive.

If you want to make sure that in addition to the autorun file, the virus is also removed from the USB drive, you will need to open the autorun.inf file in notepad and see which files and executables are triggered during autorun. Delete these executables and you will be safe from the wrath of USB viruses.

Disable Autorun functionality from Windows Settings

Windows 10 Settings allows users to turn on or off Autoplay functionality of the attached media and devices.

  1. Open Windows Settings (Windows key + i)
  2. Go to Devices –> AutoPlay
  3. In the right hand pane, you will see the settings for each removable device.
  4. Configure each option with the “Take no action” option from the drop down list.
autoplay settings in Windows 10
autoplay settings in Windows 10

This will make your Windows 10 system safer when you insert a USB drive. The virus will not be able to run by itself. Be sure to use the Explore option instead of double-clicking on the USB drive. Double-clicking will trigger Windows to run the autorun.inf file again.

How to remove virus from pendrive automatically using antivirus tools

Most security organizations offer free virus removal tools. You just have to download the tool and run it on your computer to scan for viruses. The tool will detect and remove viruses automatically. You can use a virus remover tool from any company including Avast, AVG, Norton, Bitdefender, F-Secure etc. You can download these virus removal tools from here.

If the virus has taken over the system and is not letting you scan for viruses, you should try bootable virus scanners.

There are special virus removal apps designed to remove only specific viruses including the pendrive virus. Some of the include the following:

USB Virus Remover

USBFix

Does formatting the USB drive remove viruses?

Yes. When you format a USB drive, all data in the storage including the virus will be deleted. Both quick format and detailed format will remove the virus from the USB drive. But you should take extra care when formatting the USB drive. Make sure you are formatting the right drive. Otherwise, you may lose important data which may not be recoverable easily.

If your system has been infected by the pendrive virus, formatting the drive will not be very useful as the virus will replicate itself in the drive again as soon as the formatting process is complete. In this case, you should also clean your computer from viruses using the tools discussed above.

How to recover data infected with shortcut virus in the flash drive?

If your flash drive has been infected with the shortcut virus, it will create shortcuts of all the files and folders inside the pendrive. When you open any file, the virus will execute itself before opening the actual folder or file. The virus hides the actual data in the pendrive. You can see the data by selecting the “Show hidden files” option in the File Explorer options.

I hope this will be useful for you. Do let me know whether it was useful for you or not.

Also Read:

About the author: Usman Khurshid is a seasoned IT Pro with over 15 years of experience in the IT industry. He has experience in everything from IT support, helpdesk, sysadmin, network admin, and cloud computing. He is also certified in Microsoft Technologies (MCTS and MCSA) and also Cisco Certified Professional in Routing and Switching. Reach him at Twitter @usmank11

{ 34 comments… add one }
  • Imman Mhlm April 7, 2019, 3:36 PM

    attrib -r -a -s -h *.*

    …this fixed my problem.

  • aldrin April 1, 2019, 12:57 PM

    help me guys, i followed the instructions but virus are still there, and also autorun.inf is not recognized as internal or external command

    thank you

  • Muhamad waseem November 20, 2018, 5:49 PM

    Remove usb attribute

  • Hammad Ullah November 17, 2018, 10:48 PM

    in my usb or laptop have a problem and problem is all folder are have a shortcut

  • denz July 20, 2018, 12:49 PM

    [AutoRun]
    ;iarkvjlmIV gHcWGawbu
    ;
    oPen = qkem.exe

    ;TjqJb vxrtvCRWVq
    sheLleXploReCommANd = qkem.exe
    ;LNwjBmDiYcjfylHhnapLWEMBeM Rgwpu yefhTS
    shELLopeNDEFault=1
    ;
    SheLlOPencoMmAnd = qkem.exe
    ;RFRGC
    SHEllaUtoplaYCommAnd=qkem.exe
    ;TEatQ

  • Olatunji Ridwan March 18, 2018, 3:18 AM

    Hi,pls this isn’t working for me,once I press atrrib -h-r-s-a *.*.it respond with invalid switch.Thanks in anticipation to ur response

  • Sean July 24, 2017, 2:32 PM

    Whats is wrong with it, it always show up Acess Denied – D:\AUTORUN.INF

  • Lester June 9, 2017, 4:38 PM

    This works. But can I ask whats the meaning of attrib -h -r -s -a *.*?

    Best Regards,
    Lester

    • qwerrry December 5, 2018, 6:45 AM

      Attribute Command Parameters
      – means clears an attribute
      H means hidden file attribute
      S means system file attribute
      A means archive file attribute
      R means read-only file attribute
      /S means process matching current folder and all subfolders
      /D means process folders

  • Andrew January 21, 2017, 11:15 PM

    This video helped me in removing shortcut virus from my USB drive.
    https://www.youtube.com/watch?v=aXzDkriEawY

  • elias September 26, 2016, 8:26 AM

    what does it mean-h-r-s/s/*.*. is that abbriviation?

    • Tyler Andersson August 3, 2017, 6:38 PM

      It actually means to show hidden and archived files on a selected directory

    • Azeem Geinius November 30, 2017, 2:33 PM

      R – R represents the “Read-only” attribute of a file or folder. Read-only means the file cannot be written or executed.
      H – H stands for the “Hidden” attribute.
      A – Similarily, A stands for “Archiving” which prepares a file for archiving.
      S – S attribute changes the selected files or folders into a system file from a user file by assigning the “System” attribute to that particular file.

  • elias September 26, 2016, 8:13 AM

    what does it mean -h-r-s/s/d*.*.

  • Emmanuel Osafo Gyane September 13, 2016, 10:18 PM

    Very, very good software; that is the Pend rive Virus Tool, thanks….

  • Emmanuel Osafo Gyane September 13, 2016, 10:18 PM

    Very, very good software; that is the Pend rive Virus Tool, thanks….

  • Schweizer April 11, 2016, 8:39 AM

    It worked for me..
    Just some sort of advice:
    You forgot to mention that “System Volume Information” folder can’t be deleted because it is part of the drive itself.. And it’s also super hidden like other infected files.. That’s the reason why you got an “Access Denied”..
    Another thing you guys should consider is running your command prompt as ADMINISTRATOR when executing DEL command or any other process like this.. In some ways, it’ll give you the privilege to execute the command you typed..

  • Meghana March 15, 2016, 1:23 PM

    Thank you so much….I got all my hidden files back within a wink of eye…Thanks again

    • GIAN CARLO June 11, 2016, 12:49 PM

      theres system volume information found 000 found 001 found 002 and ESD AND THERS MORE MSO Cache $WINDOWS WS $WINDOWS BT Config.Msi $Current Recovery that’s place in Local Disk C.

  • sandipan February 28, 2016, 12:16 PM

    Shows excess denied

    • kumar April 7, 2016, 9:14 PM

      attrib -h -r -s /s /d :\*.*

      • anas October 25, 2016, 7:52 PM

        kumar it is not working in my pc ? kindly tell me another solution if you know

  • Muneer Ahmad January 2, 2016, 8:37 AM

    thanks yar . its really good

  • waqar November 8, 2015, 11:46 PM

    when i use attrib -h -r -s -a then it show access denied to all files and also to the del command

    • Solomon August 21, 2017, 2:17 PM

      Because you didn’t open cmd as administrator these are the steps
      1.Press Windows key +X
      2. Select Command Prompt (Admin)
      Proceed from their ………with the commands.

  • manisha June 8, 2015, 3:27 PM

    I followed the same step for removing autorun.inf from pendrive. But after running the command: attrib -h -r -s-a *.* it shows Access denied. What to do i have tried all ways to delete this virus but nothing has helped

    • kumar April 7, 2016, 9:16 PM

      try this attrib -h -r -s /s /d :\*.*

  • shweta April 9, 2015, 5:28 PM

    What you said i tried but the 1st one its 2nd point i couldn’t find then i tried the 2nd one its also not working cause it is connected with my java. Can plzz more explain the 1st one’s 2nd point.

    • kumar April 7, 2016, 9:17 PM

      try this attrib -h -r -s /s /d :\*.*

  • sifrayenesh wolde March 5, 2015, 6:22 PM

    wow nice findings i appreciate its nice for every person not only IT professionals

  • Lunelyn Acut January 21, 2015, 10:04 PM

    it makes my fd shortcuts and hidden files

  • Than Naing November 11, 2014, 1:42 AM

    This is very useful and thank a lot. But I have to learn much more.

    • Arshadkhan June 26, 2015, 11:47 AM

      please say me this process ..i want a help please …

Leave a Comment