Is this a virus? Shortcut pointing to rundll32.exe has "replaced" all my data

inf1nity

Golden Member
Mar 12, 2013
I have a pen drive, which had lots of files. I took it to a friend's PC. When I plugged it into his PC, the drive's content showed up, and I saw that all my files had been replaced by a shortcut that has the same name as my drive.

This shortcut points to this target:
Code:
C:\Windows\System32\rundll32.exe  \dichx2w.Hp5zF9.rlfkpjo.din.ns8DIYd.SpYdXGAQ.tyEJOeYv.inhxy,lqvpjoichbgafZI1

I need to launch that shortcut to see my files. The files are all still there, but they do not show up in the drive. Instead I get the aforementioned shortcut.

I brought it to my PC and scanned it. Norton reported that it was infected by Downloader.Dromedan (named as packeddromedan!gen17) by the AV. It said that the infection has been fixed and no further action is required.

I brought it to another computer and scanned it with avast free; it says that no threats were found.

However, the file structure is the same. That weird shortcut is still there. I really don't want to launch it as I do internet banking worth lakhs of rupees on my PC and I'm afraid that it might compromise my data.

Formatting the drive is an option; however, I don't want to lose my data.

What do I do?
 

SparkyJJO

Lifer
May 16, 2002
Delete the shortcut, then check to see if the files are just hidden (show hidden files in explorer).
 

Mushkins

Golden Member
Feb 11, 2013
Sounds like your friend's PC had a virus that propagated to the USB stick when you plugged it in.

Do you have a backup of the data? If so I would format the USB stick and restore from backup, I would not personally trust the data on that USB stick. If you don't have a backup, your best bet would be to boot into a Linux livecd and pull the files out of the weird shortcut then scan them with every AV and malware checker you possibly can. Even then there's no guarantee they're safe.

And then you plugged it into your PC, which is bad news. If you're that concerned about online banking, I would be formatting that PC and doing a clean reinstall as well.
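One way to read what the shortcut would run without launching it, for instance from the Linux live CD suggested above (an added example, not code from any poster in this thread). The `LOADERS` list, the `build_sample` helper with its minimal constructed link, and the script name in the usage comment are assumptions made for the demo.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class ID
STRINGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
           (0x20, "arguments"), (0x40, "icon_location")]
LOADERS = {"rundll32.exe"}  # the binary seen in this thread; extend as needed (assumption)

def parse_lnk(data):
    """Read the target and string fields as inert bytes; nothing is executed."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, out = 76, {}
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: the size field includes itself
        size, _, li_flags, _, base = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:  # local base path, NUL-terminated
            s = pos + base
            out["target"] = data[s:data.index(b"\0", s, pos + size)].decode("cp1252", "replace")
        pos += size
    wide = bool(flags & 0x80)  # IsUnicode: strings are UTF-16LE
    for bit, key in STRINGS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * (2 if wide else 1)
            raw = data[pos + 2:pos + 2 + n]
            out[key] = raw.decode("utf-16-le" if wide else "cp1252", "replace")
            pos += 2 + n
    return out

def is_suspicious(fields):
    """A link that runs a loader binary with arguments rather than opening a file."""
    target = fields.get("target") or fields.get("relative_path", "")
    name = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in LOADERS and bool(fields.get("arguments"))

def build_sample(target, args):
    """Constructed minimal link (header + LinkInfo + arguments) for the demo."""
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x02 | 0x20 | 0x80).ljust(76, b"\0")
    path = target.encode("cp1252") + b"\0"
    info = struct.pack("<7I", 28 + len(path), 28, 1, 0, 28, 0, 27 + len(path)) + path
    return header + info + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":  # usage: python3 lnk_inspect.py /mnt/usb/*.lnk
    import sys
    for path in sys.argv[1:]:
        fields = parse_lnk(open(path, "rb").read())
        print(path, "SUSPICIOUS" if is_suspicious(fields) else "ok", fields)
```

Mounting the drive read-only before running it keeps the inspection from changing anything on the stick.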
 

inf1nity

Golden Member
Mar 12, 2013
Well, how was I supposed to do anything with the drive without plugging into the PC? :(

I did some googling on this issue. Turns out this is not a new issue by any means. Many people have faced this issue. After "fixing" the drive with Norton, I scanned it with avast and MBAM. Both of them reported no problems.

I found this post on the internet. After reading it, I ran the command attrib with the specified switches, which resulted in the hidden folders being revealed. There was a folder with no name, which contained all my files, and two more files: a desktop.ini and one other file the name of which I can't recall at the moment.

I thought of copying the files back to my computer, but then I decided against it because I didn't want any viruses in the drive to get copied to my PC.

I have done a full format of the drive (losing some of the files in the process). Gonna run a few scans to see if the virus has entered the PC. Although I have autoplay disabled, you can never be too sure..

Any more advice for me...?
 

Bubbaleone

Golden Member
Nov 20, 2011
Unprotected flash drives are a major vector for malware propagation and the solution is to install a good "portable" AV on all your flash drives so your data's protected from infected PCs you have to plug into, and vice-versa. Here's an informative article on securing your flash drives using the excellent, open source (GPL), ClamWin portable antivirus: Open Source Anti-Virus for USB Flash Drives.


mikeymikec

Lifer
May 19, 2011
Bubbaleone said:
> Unprotected flash drives are a major vector for malware propagation and the solution is to install a good "portable" AV on all your flash drives so your data's protected from infected PCs you have to plug into, and vice-versa. Here's an informative article on securing your flash drives using the excellent, open source (GPL), ClamWin portable antivirus: Open Source Anti-Virus for USB Flash Drives.

I'm not sure (what you think) that's what that product is intended to do for you, considering that there's a potential for your flash drive to be infected soon after you've plugged it in (ie. a "portable AV" product is "just a bunch of files on a flash drive" just like the OP had), perhaps before you can spend ~45 minutes scanning the host PC before you can logically start working on it.

The solution you're suggesting is to protect additional PCs against the infection circulating amongst all the computers you use, but even then it's still an odd thing to suggest since surely all the PCs have anti-virus installed? Who would resort to a second AV product unless they think their first one has failed them?

The OP's memory stick was infected, but apparently not their main PC.
 

TeknoBug

Platinum Member
Oct 2, 2013
Oh wow, that's scary- I'd toss that stick and your clothes in a fire and take a long shower. :p

I'd hate the thought of my USB sticks getting infected, I use encrypted sticks to transfer sensitive documents rather than using the stupid cloud.