
Briefly, I have phantom USB drives that showed up a week ago. Rolling back to a "clean" backup that was stored on a disconnected disk didn't solve the problem. I had that previously when I had a major malware infection problem. I would like to
(1) trace the executable/process/registry key that is responsible for emulating these USB drives
(2) Find the host of malware. Does it reside on a Clonezilla image? USB keyboard memory? Protected area of an HDD?

Here are some details:

I had a three-month-long atypical infection of my home computers. It would first reveal its presence by "ghost USB drives". The number of USB icons increased each time I plugged in and removed a USB drive. Was it counting infected drives? I don't know.
USB drives were plugged in and then ejected. These disks are not accessible, but the icons are still visible in "My Computer".


Malware would spread by USB drives (possibly USB keyboards) and home network. It penetrates immunodeficient Windows(r)(tm)(c) without a problem and ignores sandbox, antiviruses and firewall. Initially it would prevent antivirus software from running/installing. I tried removing it, but wasn't too successful. Eventually, during this struggle, the malware got modified/corrupted somehow. It would make the BIOS unbootable. Clearing CMOS (take out the battery for at least a day) helped to revive the BIOS, but reinfection would happen soon after. Eventually I moved to Linux, formatted all USB drives using GParted, password-protected the BIOS of each computer, etc. Recently I've installed Windows 10 on one of the computers. At first, everything went OK, but when I plugged in and ejected my formatted USB, I saw the ghost USB again.

Is it normal to see these ghost drives? How can I find out where the reference to this USB is stored, which module created it, etc.? How can I check if the suspicious USB drive is issuing any unusual commands on plug-in? Can files on a USB drive be hidden from Ubuntu if "show hidden files" is enabled?

I repeated the steps suggested here: "How to 'eject' non-existing USB drive from Windows 7 host?". The USBs indeed disappeared. I rebooted Windows. It said "installing updates". After the reboot all ghost USBs were back.

stepan wot

2 Answers


I talked to the motherboard manufacturer. Surprisingly they were nice enough to help (it took them an hour, but they fixed the problem).

They rebooted the computer in safe mode and uninstalled the drives. Attempts to uninstall drives in standard mode fail, but in safe mode it works. I don't know what the voodoo magic behind it is.

They seemed to do some other steps, but they didn't tell me what exactly they were doing. Now it is hard to say whether it was a glitch or a broken malware that they fully removed, or whether the malware hid itself. Personally, I would call it a success.

stepan wot
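The question asks where the reference to a ghost USB drive is stored and which module created it, and the answer above reports that uninstalling the non-present drives is what cleared the icons. The script below is an added example for this thread, not code from the question, the answer, or the motherboard vendor. It enumerates the USB storage devices Windows still remembers, separates attached ones from "ghosts", shows the registry record and last drive letter behind each ghost, lists the keyboards currently attached (so a stick that registers as an input device stands out), and optionally runs the same uninstall that Device Manager performs. It assumes Windows 10, Windows PowerShell 5.1 or later and an elevated prompt; the `pnputil /remove-device` switch needs Windows 10 version 2004 or later. The script name `ghost-usb.ps1` and the `-RemoveGhosts` switch are this example's own.

```powershell
<#
  Added example for this thread (not from the question or either answer).
  Reports USB storage devices Windows remembers but which are not attached,
  where each one is recorded, and optionally uninstalls them.
  Assumptions: Windows 10, Windows PowerShell 5.1+, elevated prompt;
  pnputil /remove-device exists on Windows 10 version 2004 and later.
#>
#Requires -RunAsAdministrator
param([switch]$RemoveGhosts)   # removal is opt-in; a plain run only reports

# 1. Every USB disk the PnP manager has ever installed. Without -PresentOnly,
#    Get-PnpDevice also returns detached devices; those are the "ghost" entries
#    Device Manager hides unless "Show hidden devices" is enabled.
$all     = @(Get-PnpDevice -Class DiskDrive | Where-Object InstanceId -like 'USBSTOR\*')
$present = @(Get-PnpDevice -Class DiskDrive -PresentOnly | Where-Object InstanceId -like 'USBSTOR\*')
$ghosts  = @($all | Where-Object { $_.InstanceId -notin $present.InstanceId })

"USB disks known: $($all.Count)   attached now: $($present.Count)   ghosts: $($ghosts.Count)"

# Serial portion of a USBSTOR instance ID, e.g.
#   USBSTOR\DISK&VEN_X&PROD_Y&REV_1.00\1234567890&0  ->  1234567890
function Get-UsbSerial([string]$InstanceId) {
    ($InstanceId -split '\\')[-1] -replace '&\d+$', ''
}

foreach ($dev in $ghosts) {
    "`n[ghost] $($dev.FriendlyName)"
    "  InstanceId  : $($dev.InstanceId)"
    "  Status      : $($dev.Status)"        # detached devices report 'Unknown'

    # 2. The registry record behind the Device Manager entry. Its 'Service'
    #    value names the driver that services it ('disk' for a normal USB disk);
    #    anything else here is what to investigate.
    $enumKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\$($dev.InstanceId)"
    if (Test-Path -LiteralPath $enumKey) {
        $p = Get-ItemProperty -LiteralPath $enumKey
        "  Registry    : $enumKey"
        "  Service     : $($p.Service)"
        "  Driver      : $($p.Driver)"
    }

    # 3. The drive letter Windows last assigned. MountedDevices stores USB
    #    volumes as UTF-16 device paths that contain the device serial.
    $serial = Get-UsbSerial $dev.InstanceId
    $md = Get-Item -LiteralPath 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $md.GetValueNames()) {
        if ($name -notlike '\DosDevices\*') { continue }
        $text = [System.Text.Encoding]::Unicode.GetString([byte[]]$md.GetValue($name))
        if ($serial -and $text -like "*$serial*") {
            "  Drive letter: $($name -replace '^\\DosDevices\\', '')"
        }
    }
}

# 4. Keyboards attached right now. A USB device that presents itself as a
#    keyboard appears here with an HID\VID_xxxx&PID_yyyy instance ID (a PS/2
#    keyboard shows under ACPI). Run this before and after plugging in a
#    suspect stick: a new entry means it registered as an input device.
"`nKeyboards attached now:"
Get-PnpDevice -Class Keyboard -PresentOnly |
    Select-Object FriendlyName, InstanceId | Format-Table -AutoSize

# 5. Optional cleanup: the same operation as "Uninstall device" in Device
#    Manager. The answer above reports this only succeeded from safe mode.
if ($RemoveGhosts) {
    foreach ($dev in $ghosts) {
        "Removing $($dev.InstanceId)"
        pnputil /remove-device "$($dev.InstanceId)"
    }
}
```

Run `.\ghost-usb.ps1` first to get the report, then `.\ghost-usb.ps1 -RemoveGhosts` (from safe mode, per the answer above) to uninstall the non-present entries. Because the `Enum` record is re-created whenever the same stick is plugged in again, a ghost that reappears after a device you own was connected is normal; one that returns without any device being attached, or whose `Service` value is not `disk`, is the case worth chasing.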

Not exactly answering the question, but I hope I may help some who were as confused as I was by "USB Drive (D:)" showing in my list of drives. On my Windows 10 Dell computer, this is the SD card slot "designation". Easily checked by inserting an SD card into your slot and seeing if it shows the SD contents. When the SD card is removed, the "extra" USB Drive disappears.

RoyinHB