
Check Your Computer for USB-based Viruses

Note: IF you had to update the Symantec AntiVirus (SAV) Virus Definitions File, you should reboot and then scan your hard drive(s) to detect and remove any viruses that may already exist on your computer. Full scans can take an hour or more. For instructions on how to scan, follow this link.

  1. Click on Start > Programs > Symantec Client Security > Symantec AntiVirus. (Or, RIGHT-click the gold shield in the system tray and then LEFT-click Open Symantec AntiVirus...)

  2. Click the plus (+) sign next to View Folder to expand the folder so you can view the Quarantine Folder.


    [Screenshot: viewquar]

  3. Highlight the Quarantine folder by LEFT-clicking on it. If your computer was hit by a virus, filenames will appear in the Quarantine section on the right. (The quarantine folder shown below is empty.) IT IS IMPORTANT TO STRESS THAT GETTING HIT BY A VIRUS IS NOT THE SAME AS GETTING A VIRUS. Read on to understand the difference.



    [Screenshot: origloc]

In the Quarantine Log, if SAV has found a virus in any of the following directories, listed in the “Original Location” column of the Quarantine section, you have been hit by the USB-based virus.

Any Drive Letter:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
Any Drive Letter:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033
Or Possibly
Any Drive Letter:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-10xx where 10xx is greater than 1012

[Since the virus is transmitted via Flash Drives, the Drive Letter will normally match the Drive Letter to which your Flash Drive is mapped, usually E:\ or F:\. SanDisk Flash Drives normally use two different drive letters which can help confuse matters.]

If the "Original Location" of the virus shows up on Drive Letter C:\ as in:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033
Or Possibly
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-10xx where 10xx is greater than 1012

This means that the virus migrated from your USB device and infected your local hard drive. If that is the case, there is a good chance your computer is still infected and will need to be cleaned manually. (If the virus ONLY shows up on drive letters associated with Flash Drives, in all likelihood, SAV stopped it from infecting your Hard Drive and you are safe.)
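The rule above can be applied mechanically to "Original Location" values copied out of the Quarantine section. The following is an added example, not part of the original page or of Symantec's software. It assumes "10xx" means a four-digit number starting with 10, that C: is the only local hard drive, and that the values are supplied as a plain list; the sample file names are constructed.

```python
import re

# SID prefix and the "10xx greater than 1012" rule are taken from the page.
PAGE_SID_PREFIX = "S-1-5-21-1482476501-1644491937-682003330"
_PATTERN = re.compile(
    r"^(?P<drive>[A-Za-z]):\\RECYCLER\\" + re.escape(PAGE_SID_PREFIX)
    + r"-(?P<rid>10\d{2})(?:\\|$)",
    re.IGNORECASE,
)

def classify(original_location):
    """Return 'local-drive', 'removable-drive' or 'no-match' for one value."""
    m = _PATTERN.match(original_location.strip())
    if not m or int(m.group("rid")) <= 1012:
        return "no-match"
    # Page's rule: C:\ means the virus reached the hard drive. Any other
    # letter is treated as the flash drive (assumption: C: is the only disk).
    return "local-drive" if m.group("drive").upper() == "C" else "removable-drive"

def triage(locations):
    """Reduce a list of Original Location values to the page's two outcomes."""
    results = {loc: classify(loc) for loc in locations}
    kinds = set(results.values())
    if "local-drive" in kinds:
        verdict = "hard drive likely infected: manual cleaning needed"
    elif "removable-drive" in kinds:
        verdict = "caught on flash drive only: SAV likely stopped it"
    else:
        verdict = "no USB-virus locations found"
    return verdict, results

# Constructed sample values (file names are made up), not from a real log.
SAMPLE = [
    r"E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sample.exe",
    r"F:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1033",
    r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1012\sample.exe",
    r"C:\Documents and Settings\user\report.doc",
]

if __name__ == "__main__":
    verdict, results = triage(SAMPLE)
    for loc, kind in results.items():
        print(f"{kind:16} {loc}")
    print(verdict)
```

A "no-match" result does not rule out infection: as the page notes, an infected computer may produce quarantined files whose original location is elsewhere.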

The USB-based virus family has been assigned MANY different names (see the "Risk" column above) too numerous to list here. IF your computer is infected, the USB-based virus MAY spawn virus filenames that do not have the original location mentioned above. If these keep reappearing after every computer REBOOT, it indicates that you are infected and will need to contact the Hunter Helpdesk for assistance in cleaning your Hard Disk of the HIDDEN virus files.


This page was last updated on December 2, 2008

Hunter College, Social Sciences Computing Lab
East Building, Room B118, 695 Park Avenue, New York, NY 10065
phone: 212-772-5605
email address: sscl@hunter.cuny.edu