
"Manual malware cleanup required: 'Troj/LnkRun-CU' at 'D:\D (5GB).lnk'"

Hello Labs,

we are receiving a lot of alerts like this one, "Manual malware cleanup required: 'Troj/LnkRun-CU' at 'D:\D (5GB).lnk'", when a user inserts a USB drive into a PC.

The alert is raised for every inserted USB drive and on every PC protected by "Intercept X Advanced".

I followed the document indicated in the alert message (https://www.sophos.com/kb/134586) but no luck.

Can you help me fix this behaviour?



    Hi Pino,

    This type of virus is very common with infected USB sticks. It typically starts with a user downloading pirated software or movies (but there are other ways): when the user runs the executable file it may work as expected, but in the background it is also installing a virus. This virus will typically look for executable files (.exe) on the machine and on removable drives and will either delete or hide them, replacing them with a shortcut link file (.lnk) that has the same name as the original file, and sometimes the same icon. When a user takes the USB stick and plugs it into a different machine it will look like all the files are still there, but in reality they are gone and you just have shortcuts in their place. This can trick the user into clicking on them, thinking they are the real file. The shortcut, when clicked, will then launch the virus on that new machine and repeat the process.

    This works very well as shortcut files don't display the .lnk extension, even if you have Windows set to show extensions, making it very hard to spot that it is a shortcut and not the original file.

    If you right click on one of the shortcuts and select properties, you will be able to see what file is actually executed when someone clicks on the shortcut. That file is the virus and needs to be located and removed. If you find that file and it isn't getting detected automatically please send a copy of it to samples@sophos.com. You may find that the file is no longer there and the virus has actually been removed, leaving only the .lnk files, which by themselves aren't actually malicious, but also aren't needed so should be removed. 

    The manual cleanup required message is likely due to the user ejecting the USB stick after the detections are reported, but before cleanup finishes. The best advice is to tell users that if they see those messages they should bring the USB stick to someone in IT where it will be wiped. You can then also acknowledge/clear any of the manual cleanup messages. You could also advise them to leave the USB in the machine until the cleanup complete messages pop up, but given you don't know what else might be on this infected USB it is probably safer to wipe the USB anyway.

    However, this isn't going to solve your problem, as you have a few issues here that are allowing this virus to remain on your network. Firstly, viruses like this are actually very old and very basic. It really doesn't matter that much which Anti-Virus software you use; almost all of them will have the ability to detect these viruses, as they really are that basic. The problem you have is that you will have unprotected machines that are infected, and users are plugging USB sticks into these, infecting them, and then plugging them into protected machines in your network, which then report the detections.

    This actually means the machines reporting the detections aren't your problem; it is the ones you don't know are infected that are causing this to continue. This could even be users' home computers. Find the unprotected machines and put Sophos on them; that will remove the virus and stop those machines from infecting others. Until you do that you will continue to get detections like this reported and USB sticks getting reinfected.

    Also make sure you haven't got any keygens or software cracks authorized in your exclusions; these are the type of tools that spread these viruses, as well as the pirated software they are used with.

    For reference, the purpose of these viruses, other than to spread, is typically either data theft, where they steal information about the user (usernames, passwords etc.), or to install other malware on the machine, for example a coin miner or a bot. None of this is good, so you should definitely identify the unprotected machines this issue is stemming from.
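The reply above describes a manual triage: open each shortcut's properties to see what it really launches, then find the hidden originals. The script below, added here as an example and not code from the thread or from Sophos, automates that across a whole removable drive. It reads each .lnk through the WScript.Shell COM object (which parses the file without running its target), flags shortcuts whose target is a script host or command interpreter rather than the document or folder they are named after, checks whether a hidden file or folder with the same name sits next to the shortcut, and lists every hidden/system file on the drive. The drive letter, the list of "suspicious" interpreters and the `-Unhide` switch are my assumptions; nothing here is a Sophos command.

```powershell
<#
  Added triage example (not from the thread or Sophos). Assumes a Windows host
  with PowerShell 5.1 or later and an attached removable drive. Everything is
  read-only unless -Unhide is given, and no shortcut target is ever executed.
  Usage:  .\Triage-LnkWorm.ps1 -DriveRoot 'D:\'           (report only)
          .\Triage-LnkWorm.ps1 -DriveRoot 'D:\' -Unhide   (also restore hidden files)
#>
param(
    [Parameter(Mandatory = $true)][string]$DriveRoot,   # e.g. 'D:\' (assumed)
    [switch]$Unhide                                     # clear Hidden/System on user files
)

$shell = New-Object -ComObject WScript.Shell

# Interpreters a document or folder shortcut on a USB stick has no business pointing at.
# This list is an assumption for the example, not a vendor signature.
$suspiciousHosts = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
                   'rundll32.exe', 'mshta.exe', 'regsvr32.exe'

$links = @(Get-ChildItem -Path $DriveRoot -Recurse -Force -File -Filter '*.lnk' -ErrorAction SilentlyContinue)
"== {0} shortcut(s) found under {1} ==" -f $links.Count, $DriveRoot
foreach ($lnk in $links) {
    $sc = $shell.CreateShortcut($lnk.FullName)   # parses the .lnk; does not launch it
    $targetName = if ($sc.TargetPath) { Split-Path -Leaf $sc.TargetPath } else { '' }
    $verdict = if ($suspiciousHosts -contains $targetName) { 'SUSPICIOUS' } else { 'ok' }

    # A worm shortcut reuses the name of the file or folder it replaced, and the
    # original is usually still there with the Hidden attribute set.
    $twin = Join-Path $lnk.DirectoryName $lnk.BaseName
    $twinHidden = (Test-Path -LiteralPath $twin) -and
        (((Get-Item -LiteralPath $twin -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0)

    [pscustomobject]@{
        Shortcut   = $lnk.FullName
        Target     = $sc.TargetPath
        Arguments  = $sc.Arguments      # the payload usually lives here (cmd /c start ...)
        Icon       = $sc.IconLocation   # worms borrow the original file's icon
        Verdict    = $verdict
        HiddenTwin = $twinHidden
    }
}

# Files the worm hid: anything Hidden or System, ignoring the volume's own housekeeping entries.
$hiddenMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
$hidden = @(Get-ChildItem -Path $DriveRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $hiddenMask) -ne 0) -and
        ($_.Name -notin 'desktop.ini', 'Thumbs.db') -and
        ($_.FullName -notlike '*\System Volume Information\*')
    })
"== {0} hidden/system file(s) ==" -f $hidden.Count
foreach ($f in $hidden) {
    $f.FullName
    if ($Unhide) {
        # Drop only Hidden and System; leave Archive/ReadOnly etc. untouched.
        $f.Attributes = [IO.FileAttributes](([int]$f.Attributes) -band (-bnot [int]$hiddenMask))
    }
}
```

Run it from a prompt on the machine the stick is plugged into, without opening the drive in Explorer first, and treat any `SUSPICIOUS` row as the file to locate and submit (the `Arguments` column is where the worm's real command usually sits; the Windows properties dialog shows only the first part of a long target string, so a script view is the more reliable one). Use `-Unhide` only after the shortcuts have been deleted and the drive has been scanned, and prefer the reply's advice of wiping the stick when you cannot account for everything on it.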