Is USB Flash Drive Infected?

[T-Ruth]

Sorry if this is the wrong forum to post this in.  This is my first time posting on these forums.

I was wondering if there's a way to confirm if a USB flash drive is free of viruses, malware, and/or ransomware?

I used this USB flash drive back on Feb. 23rd with a computer (Windows XP) that was a part of a network.  The server was infected with Ransomware and all the files on the shared network were encrypted on Feb. 25th.  Supposedly nobody used any of the computers on the network on the 25th, so I suspect that the infection happened earlier and activated the Ransomware at a later date (I don't know if this is even possible).

I always remove the flash drive from the computer when I'm not using it, however, since I don't know when exactly the infection occurred, I really don't know if it was infected or not.

The tech that was hired was unable to decrypt the files and couldn't contact the hacker to pay the ransom, so we ended up replacing the computer with Windows 10 and restoring some of the files from an older backup.

There are files I'd like to transfer from the flash drive to the new Windows 10 computer (Computer #1) and to an older spare computer running Windows XP (Computer #2), as the backup the tech used did not have copies of these files.

After avoiding the flash drive for weeks, I decided to test it out on Computer #1 (Apr. 3rd), since I thought Windows 10 would be more secure.  After plugging it in, there was a notification saying "There is a problem with this drive. Scan the drive now and fix it."  I ran Windows Defender and the scan detected "no threats" on the USB flash drive.  I also ran a full system scan and it was also clean.

Since then, I have been saving documents to the flash drive and opening files on it (always while using Computer #1), but I've refrained from copying the flash drive's files to Computers #1 and #2 because of a lingering fear of infection.  Every time I plug it in, I always get the same notification to scan & fix it, but every time I scan it with Windows Defender, no threats are ever found.

It's been over two weeks now since I've tried inserting the flash drive and nothing bad has happened to Computer #1 (or the rest of the network for that matter).  I've avoided using the flash drive on Computer #2, because I worry Windows XP will be more vulnerable or the infection will only effect XP but not 10.

 

Questions:

1) MAIN QUESTION:  Is the USB Flash Drive safe to use (free of Ransomware, Malware, Viruses, etc.)?

2) Does Ransomware usually wait a period of time before activating or take awhile to encrypt files?

3) Are Windows Defender and Avast Antivirus even capable of detecting Ransomware or am I wasting time running scans with them?

4) Have I made a big mistake by opening files on the flash drive with Computer #1, and spread malware on the network?

5) Does Ransomware even make copies of itself and spread like viruses do?

EDIT: Another thing I noticed is that the Flash Drive is supposed to have a size of 16 GB, but according to Windows Explorer, its total size is only 14.9 GB.  Is this just false advertisement of the product, or is something wrong with the flash drive?

 

Notes:
USB Flash Drive: SanDisk Cruzer Glide 16GB

Computer #1: Windows 10

Computer #2: Windows XP (Service Pack 3)

Windows Defender: Updates automatically (up to date) - for Computer #1

Avast Antivirus: Updates automatically (up to date) - for Computer #2

* The USB Flash Drive is usually plugged into a computer for 2 hours or less.  I very rarely leave it in for a long duration.

 

Thanks for your help,

T-Ruth

Edited April 19, 2018 by T-Ruth

[AdvancedSetup]

Hello @T-Ruth and

I would suggest scanning the USB drive using a Custom scan with Malwarebytes and tell it to scan for rootkits, inside archives, and all files.

Then also scan with the Kaspersky antivirus scanner.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats on the USB drive

Kaspersky Virus Removal Tool

Once those are done, you can also upload files to https://virustotal.com  to have the files scanned by many different vendors.

Thank you

Ron

 

[T-Ruth]

Quick question:

Would reformatting the USB Flash Drive completely remove any viruses, malware, ransomware, etc. that might be hiding in it?

Since I've scanned the flash drive with Windows Defender and no threats were detected, I was thinking about copying some of the important documents to the desktop of my Windows 10, and then reformatting the flash drive.

Would this work?

[AdvancedSetup]

Yes, it will work. Make sure you scan the files with https://virustotal.com first though, just in case since they came from a previously infected computer.

 

[T-Ruth]

I scanned all of the files on the flash drive with Windows Defender before moving them to a desktop folder on the Windows 10.  I also tried using VirusTotal like you suggested, but they have a file size limit, so I wasn't able to scan everything.  The files I could scan, were all clean though.

The flash drive was now empty (I have Windows Explorer set to show all hidden files and folders), but a Windows Defender scan result claims there were 8 items scanned.

I reformatted the flash drive to be on the safe side. Afterwards, I scanned the empty and reformatted flash drive again with Windows Defender. No threats were detected, however, according to the scan results there are 2 items on the flash drive. Whatever these 2 invisible files are, Windows Defender doesn't consider them to be a threat.

Questions:

1) Is it normal for an empty flash drive to still have invisible items in the scan results?

2) I selected "Quick Format" for formatting the flash drive. Is this less thorough? Should I have unchecked this option and performed a full format?

3) Even after formatting, the flash drive does not have 16GB of free space. According to Windows Explorer, the total size of the flash drive is 14.9GB. Is this normal?

 

Thanks,

 

T-Ruth

[AdvancedSetup]

Full format should be selected. Yes, it's normal for the size to be lower because of how the file system allocates the data. It takes up a certain amount of space for that and is very normal.

Often the System Restore can add hidden data to the drive. As long as you've done a full format on a clean computer it should be good.

 

[T-Ruth]

Okay, I've completed a full format.  Windows Defender still says there's 2 files on it for some reason.  Since the flash drive is really 14.8GB instead of the advertised 16GB, I'm guessing there's something in the flashdrive necessary for it to function, and that's probably what those 2 files are for.

Anyway, I went and individually scanned the files before moving them back onto the flash drive.  Interestingly, some files count as several files!  For example, a single JPG would normally count as 1 file, but a few counted as 2 files, and one even counted as 475,682 files.  The file size itself wasn't too big, but what they had in common were long names.  When I renamed the big "475,682" file to a shorter name, it dropped down to 2 files.

Also, different types of files would be counted differently.  PDF files usually counted as more than 1 file, as did some spreadsheets.

T-Ruth

Edited April 26, 2018 by T-Ruth

[AdvancedSetup]

Not sure what you mean by file counts. A file is a file regardless of size. If I have a 20GB file it is 1 file that is 20GB in size. Can you explain more what you mean or show me a screen shot please?

Thanks

Ron

 

[T-Ruth]

Let's say I do a custom scan of a picture called "Sample.JPG".  This would be one file, but the scan result would show "2 files scanned", despite the fact I was only scanning one item.

After scanning each file one at a time, I've noticed that it's usually the PDFs that tend to show up as having more "files" scanned than what I highlighted for scanning.

According to this thread, a file can actually contain other files.  That being said, I find it strange that an image file could contain another file inside it.

T-Ruth

[AdvancedSetup]

Ah... There are many different things going on as part of any scan. File or Object numbers can vary.

Aside from that issue, if you've now scanned with multiple av programs the computer should be safe at this time.

 

[T-Ruth]

Thanks!  I'm still nervous about trying out the flash drive, but I realize this is probably an irrational fear, after all the virus scans and reformatting.

Anyway, thanks for all your help!

T-Ruth

[AdvancedSetup]

You can run the following scans and post the logs and I'll review for you if you like.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[T-Ruth]

I'm pretty sure the USB Flash Drive is clean, I just have an annoying tendency to worry.  I'll keep the above information handy if something happens, and post the logs here.

Thanks again.

T-Ruth

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks