We have covered Panda USB Vaccine in a previous article. Panda USB Vaccine can protect your USB disks against autorun viruses and malware, by creating a un-removable autorun.inf on the root folder of your USB disk. According to Panda Security, this can be removed only by formatting the USB disk. But there is a workaround.
The technique used by Panda USB Vaccine is that it modifies the file table, making the autorun.inf file inaccessible permanently. We will open the file table and edit it to make the autorun.inf file readable, writable and deletable. Here is the process :
- Download a copy of iBored – a free portable hex editor which can edit the disk sectors.
- Insert the Panda USB Vaccine protected USB key into USB port of your computer.
- Extract the contents of the iBored zip file to a folder. Right-click on iBored.exe and select Run as administrator. iBored must be run with administrator level access because it needs to access the disk sectors.
- iBored will show you a list of detected disks attached to your computer. Be careful to select the USB key. Click View to open the disk sector.
- Select the Raw tab by clicking on it as shown. The Raw tab shows the contents of the sector in raw and hex format.
- Press the key combination Ctrl + F to open the find dialog. You can also open the Find dialog by selecting BlockView → Find from the menubar. In the Find dialog, type AUTORUN INF and click Find button as shown :
- iBored will show and highlight the found string. The found hex values are highlighted in green. We have to edit the very next value to the found values. In this case, it is value 42 in hex (I have marked it with an arrow). This value can be different in your case (e.g., it may be 40).
- From the menubar select BlockView → Make Writable to be able to edit this block. You can also press the key combination Ctrl + Shift + M.
- Click on the value we want to edit and type 20. This would edit the value from 42 to 20.
- Click on the Save button to save the disk sector. Close iBored window.
- That’s it. Now autorun.inf file created by Panda USB Vaccine is accessible, readable, writable and deletable.
does this work for NTFS drives? I can’t seem to find the “AUTORUN INF” string on my panda-vaccinated USB extaernal HDD
(damn panda screwed up my drive without asking!)
Thank you!
will deleting that INF make my hard drive inaccessible or will it delete the contents of my external hard drive,as i have all my years of downloads in it !if i lose it,i will face some serious depression,so please reply as soon as possible.
If you have important data on your disk, then do not mess with it – keep the INF file. Or you can backup all of your data on some other disk first and then attempt to remove the INF file. Theoretically, the process described above should not affect any other file than the INF file.
well thanks for the warning,i’ll better backup everything before trying.
If you have Panda Pro, then it can remove the file itself 🙂
Hi Trisha. No, The “Panda USB Vaccine” cannot removing from windows.
From Linux distribution I could always remove, exception this rare “autorun.inf” that was super-strongly grabbed and hide on USB, even Linux that cannot.
But, normally that not happen.
Hey. How is that? I have an autorun.inf blocked and invisible in Kingston USB (NTFS file system). I think that was wrote by Panda AV pay software.
It is under “Disk” not under “Blockview.
I tried using iBored to undo the write-protection status of my Flash drive (done by using Panda USB vaccine).
But after i found the Hex, changed it to 20, and clicked enter, a message pops out with the text:
“Error while writing to \.PhysicalDrive1”
what does it mean? what can i do?
Perhaps you were not running iBored with administrator access.
If you face the error “Error while writing to \.PhysicalDrive1”, try to select the disk using “diskpart” and make it offline (eject the disk)
1. Run diskpart from command line
2. list disk
3. select disk 1 (1 is the usb drive)
4. offline disk
Now request write access from ibored. It works!
Save
5. online disk
6. exit
😀