USB drive has a worm.

I have a Patriot XT 8gb thumb drive that is only used as Boost and has no other programs or files on it, so it was a bit surprising when my AV came on to tell me that it was cleaning a worm from this drive.
I tried to format it but i get the message "this file is in use" and after that "windows is unable to format this drive"
Is there any way i can force a format or do i have to throw it in the trash ??

the worm in question is "Win32/Delf.NFB" worm

 

Boot with a Linux Live CD (Puppy Linux a good choice). The live CD will run in ram only. Once booted to the desktop you will see the pc's drives in the bottom left hand corner.

Plug in your flash drive and a new icon [probably labelled sda1] will appear. The icon to the flash drive will look like a flash drive.

Then use Gparted, the Linux formating utility. Look for it in the 'Start Menu'. Once you have opened GParted, the GUI will be easy for you to navigate, it's like Partition Magic.

You may need to mount the drive [can't remember] this is done by clicking on it and the drive will have a little green spot next to it.

Once you have formated the stick [probably FAT32 but other choices available], you may need to unmount the drive prior to shut down and reboot.

To unmount drive, right click on it and select 'unmount' and the green dot will go away.

Whilst in Linux you could also have a look at the contents of your other partitions, just click on them and mount then. Just don't forget to unmount prior to powering off or rebooting.

I have given you the full 'blow by blow' but I am sure that this process has probably just escaped your attention.

Otherwise you could use the HP USB Disk Storage Format Tool, from windows. I am sure that it will also do the trick. Just search for it on the net, it's readily available. I use it especially for formatting stubborn ipods.

Alternatively, SwissKnife utility. Also very good.

If all the above options fail, which is extremely unlikely, BiNG will work. Just boot from floppy or CD, enable USB2 in the interface, plug the usb stick in and format away.

Good Luck

 

Well i managed to format it with Swissknife, it is now an empty drive but Eset is still flagging it as an infection.
Thanks for pointing me the right way, I had just forgotten how to do it.:confused

 

http://www.avira.com/en/threats/section/fulldetails/id_vir/4424/worm_autorun.edc.1.html

Looks like this is the little critter.

Avira description says:

Seems that it may [in part] live in the recycling bin...very odd....

I would guess that having formatted the flash drive it is hard to see how that infection could have survived.

Make all system files visible and then have a look at the contents of your Recycling bin. If all looks clear delete all contents.

Also delete all System Restore points and then run NOD32.

Good Luck

 

Ok i have tried all you suggested,
I do not believe it's in the PC but just in the drive because if i haul it out i don't get the flag but the moment i put it in it shows up on (J) which is the usb drive.

I am really baffled now as your link says it's win xp and i am running Vista Ultimate.

 

You could be right about the recycle bin, Risk - isn't Recycler-blah,blah a file with contents of the recycle bin?

http://www.latrobe.edu.au/health/cats/kbp/entry/64/

But I would have thought that the USB drive's recycle was stored on the drive... Does System Restore on the computer keep recycle info for removable drives?

 

Well system restore on XP does on disk drives [i think] but I can't remember if that is the case on flash drives. I think not.

Tend to turn off system restore most of the time as it's just a waste of time. Easier to just image.

I wasn't sure that flash drives could have the mbr's / partition tables zeroed / deleted but it must be possible if Halo says so and in which case I would try that.

I would also consider using the HP utility, it really does do a great job too.

Good Luck

 

@ David
Thank you the link you gave worked,
I must save that as i have used it before and forgotten about it.

 

For clarity the link and instructions you followed was

http://kurtsh.spaces.live.com/blog/cns!DA410C7F7E038D!1665.entry

Cheers

 

It was paragraph 2 but i spoke too soon i tried it in my other PC and it flagged it straight away, so it,s back to the drawing board.
It appears to have only been a temporary fix.

 

OK now i am getting worried !
I put a different flash drive in and am getting the same flag from my AV.
I have tried several and they all flag it the same, so out of curiosity i put 2 sticks in at the same time and the PC promptly crashed.
I am open to any suggestion.

 

Ok lets get this straight.

1. You applied the Halo fix and it worked at first.

2. You then tried the [original] Patriot XT 8gb thumb drive in another pc and it flagged the same warning message.

3. You tried other flash drives in the original pc but also got the same warning message.

I think that is correct

4. For clarity thumb drives other than the Patriot XT 8gb connected to other pcs ie not the one that gave the original message are fine?

Good Luck

 

Points 1,2 and 3 are correct, point 4 no.
I tried the Patriot in another PC running windows 7 also with Eset AV and it flagged the same info so i tried two other flash drives (not Patriot but Integral) in the original PC and they all flagged up the same "Win32/Delf.NFB worm" so i am not sure if i am getting a false positive as it is not slowing the PC down at all but just annoying me with this pop up from my AV.
I have looked through the system 32 files and can not see anything relating to this but i am a novice when it comes to system files and Dlls.
I have tried the suggestion from Halo again and it does not stop it.
The link by "chookers" (http://www.latrobe.edu.au/health/cats/kbp/entry/64/) will open the page but the download will not open so i don't know if that's a solution.

 

I borrowed a copy of Avanquest suite 9 from a friend unloaded my AV (eset) and loaded avanquest, all the flash drives that were flagging the worm showed nothing so i Can only assume the problem was Eset.

 

Hi David.
I still have the Avanquest loaded for the moment to evaluate it.
I find it needs to learn your habits in the beginning as it is always asking if each operation should be allowed.
The one thing i do dislike is the firewall because it really slowed down the internet connection as it checks every page you open, I know its the firewall because if i set it to allow everything the internet speed is back to normal.
I do rather like it other than that so i will give it a chance.

 

Bill, if you were referring to the link that starts \\healthserver7\ there are two reasons it won't work. The first is that the link is incorrectly written. It only includes \\healthserver7\pc-install\admin but should include all of this: \\healthserver7\pc-install\admin tools\autoruns\autoruns.exe which you may have figured out. The second and more important reason for most of us is that the link leads to a location on one of the university's own computers that can only be accessed from a computer attached to that network. The part that makes this clear is that it starts \\ instead of http://. They give links down at the bottom of the page that can be accessed from outside the uni - the autoruns link leads to Microsoft.

I mainly posted that link to to point out that Risk was probably on the right track and to toss in some more food for thought so never thought the links might need explaining. Sorry for the confusion!