Get rid of the USB shortcut virus (RuntimeBroker)

No antivirus can detect this malware. It infects any USB drive connected to the computer, and when you plug an infected USB drive into your computer, it installs a component that can infect any other drive connected afterwards.

Fortunately, the files on the USB drives are still available via an annoying shortcut, so nothing has gone missing, but this is a virus, so it can open doors for other malware.

1) On the infected PC, make hidden and system files visible (tick the relevant checkboxes in the folder view options).
2) Locate your files on the infected USB drive and save them to the computer. Do not copy any other “strange” file such as “explorer.ps1” or any shortcut file (.lnk).

3) Format your infected USB drives using another PC running Windows XP or Linux (I have not tested Win 7, so I am not sure whether it can infect that OS).

4) On the infected PC, press Ctrl+Alt+Del and choose Task Manager.

5) In the list of active processes, look for “RuntimeBroker .exe” (there is a space between “r” and “.exe”) and kill it, or kill every instance you can find. To be safe, you can kill every RuntimeBroker process.

6) Go to the C:\windows folder, search for “RuntimeBroker .exe”, and delete it!

7) At this point, the virus no longer infects the USB drive but is still there. A reboot of the system will replace the file that was just deleted, so do not restart the machine.

8) Search for the folder “WinSoft Update Service”; it should be in C:\Programs or C:\Programs(x86). It contains a Python routine that the virus uses to rebuild the exe file.
Delete the entire “WinSoft Update Service” folder.

9) Now the virus is gone, and you can restart the machine. However, I suggest formatting the disk and reinstalling the operating system at the first opportunity.
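
The indicators from steps 2, 5, 6 and 8 can be checked in one pass before and after the cleanup. The script below is an added example, not part of the original instructions; it only reports and changes nothing. The `E:\` default for the USB drive is a placeholder, and the two Program Files environment variables are checked as an assumption about which directories step 8 means.

```powershell
# Added example: read-only check for the indicators named in the steps above.
# It only reports; it deletes and terminates nothing. Requires PowerShell 3.0+.
param(
    # Root of the USB drive to inspect. 'E:\' is a placeholder default.
    [string]$UsbRoot = 'E:\'
)

# Step 5: processes whose image name has a space before ".exe".
# The genuine Windows process is "RuntimeBroker.exe", without the space.
$procs = @(Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -eq 'RuntimeBroker .exe' })

# Step 6: the executable the page says sits in the Windows directory.
$exePath = Join-Path $env:windir 'RuntimeBroker .exe'
$exeFound = Test-Path -LiteralPath $exePath -PathType Leaf

# Step 8: the "WinSoft Update Service" folder. C:\Programs and C:\Programs(x86)
# are the page's paths; the Program Files variables are an added assumption.
$parents = @('C:\Programs', 'C:\Programs(x86)',
             $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
$folders = @(foreach ($p in $parents) {
    $candidate = Join-Path $p 'WinSoft Update Service'
    if (Test-Path -LiteralPath $candidate -PathType Container) { $candidate }
})

# Step 2: files on the USB drive that must not be copied to the PC.
# -Force lists hidden and system entries too (step 1).
$skip = @()
if (Test-Path -LiteralPath $UsbRoot) {
    $skip = @(Get-ChildItem -LiteralPath $UsbRoot -Force -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.lnk' -or $_.Name -eq 'explorer.ps1' })
}

"Processes named 'RuntimeBroker .exe': $($procs.Count)"
$procs | ForEach-Object { "  PID $($_.ProcessId)  $($_.ExecutablePath)" }
"File present at ${exePath}: $exeFound"
"'WinSoft Update Service' folders found: $($folders.Count)"
$folders | ForEach-Object { "  $_" }
"Shortcut/script files on ${UsbRoot} to leave behind: $($skip.Count)"
$skip | ForEach-Object { "  $($_.FullName)" }
```

All three counts at zero and the file check reporting `False` after step 8 means the items named in this procedure are no longer present.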