Attempting to remove U3 with Linux

A friend found a 2 GB SanDisk Cruzer left in a Walmart shopping cart. There wasn’t anything fun on it, but it did have an annoying auto-run program on it called U3.

I’m trying this method from a post at:


Peter wrote at 21 January, 2009 05:21…
So hopefully someone will find this useful. After lots of googling I found that there weren’t any instructions for removing U3 under linux. Truth be told, it’s really easy, but the solution is as obscure as it is easy.

1)Mount the U3 “cd” partition
2)Run Mount to find out the name of the device that U3 is on. It should be some thing like scd#, the important part is the number there.
2.5) Just to be sure you’ve got the right device check that /dev/sr# is a symlink to /dev/scd# that you just found.
3) Now that you know which device you’re looking for you can start the actual removal. cd to /sys/class/block/sr#/device/
4)In this directory is a file named delete, it’s write only by root, and if you write to it (I’ve only ever tried with “1″) the U3 partition will be removed. With root privileges ‘echo “1″ > delete’ removes it quite nicely.

Here was my results:

1) I just plugged it in, it automounted
2) jim@mickey:~$ mount
… /dev/sdb1 on /media/disk type vfat (rw,nosuid,nodev,shortname=mixed,uid=1000,utf8,umask=077)
2.5) jim@mickey:~$ ls -l /dev/sr0
lrwxrwxrwx 1 root root 4 2009-05-12 07:04 /dev/sr0 -> scd0
3) jim@mickey:~$ cd /sys/block/sr0/device/
jim@mickey:/sys/block/sr0/device$ ls -l delete
–w——- 1 root root 4096 2009-05-14 11:32 delete
jim@mickey:/sys/block/sr0/device$ sudo -i
root@mickey:~# cd /sys/block/sr0/device
root@mickey:/sys/block/sr0/device# echo “1″ > delete
root@mickey:/sys/block/sr0/device# exit

After all that, it didn’t appear to do anything. I must be missing a step. I plugged it into a Win2k machine, and the U3 launchpad came up. I removed the software using the uninstall feature of U3.

So I guess that was a bust, but I’ll have more drives in the future to try this with.



  1. captain said,

    December 14, 2011 at 9:34 pm

    Borrowing a windoze box to nuke this crap. Then *never* buying another !@#$ing Sandisk USB key again. Jesus! WTF were they thinking??? AAARGH!

  2. Andrew said,

    September 14, 2011 at 2:24 pm

    Worked like a charm for me! Thank you so much. I had tried everything. Just followed the steps and it finally removed U3. Thanks again

  3. Luke said,

    February 2, 2011 at 11:48 pm

    One method which seems to work directly:

  4. Chase said,

    May 13, 2010 at 11:25 pm

    it worked for me and i follwd every step u did. Srry it didnt wrk 4 u.

  5. jimcooncat said,

    February 15, 2010 at 5:16 pm

    Bryan Harris: That’s excellent! Thanks for sharing. For the extremely paranoid (like me), best to start with a machine that’s OFF before plugging in.

    Alex: Sorry, no idea at all! After all, I didn’t even get the delete right.

  6. Alex said,

    February 14, 2010 at 4:22 am


    While you can echo as root (sudo) you may not have permissions to write to ‘delete’. ‘echo 1|sudo tee delete’ — however, while that does keep u3 from mounting, as you point out, it also kills the kernel block device.

    Any idea how to get it back? 😀

  7. Bryan Harris said,

    December 24, 2009 at 9:50 pm

    I used to think of U3 as crap, but it can actually to useful things – check this out:

  8. Eldar said,

    December 22, 2009 at 9:35 pm

    I ran into this via Google, and u3-tools ended up working for me, too. For anyone else who ends up directed here, I basically just ‘wrote’ a CD image of size 0 to the device with:

    # ./u3-tool -vp0 /dev/sdb1

    Where ‘sdb1’ was the mount point for my cruzer. I don’t get the annoying CD auto-mount when I plug it in anymore, and it looks like I got the 24 MB from the disc image back as storage now:

    # ./u3-tool -i /dev/sdb1
    Total device size: 3.77 GB (4051697664 bytes)
    CD size: 24.00 MB (25165824 bytes)
    Data partition size: 3.75 GB (4022337536 bytes)

    # ./u3-tool -i /dev/sdb1
    Total device size: 3.77 GB (4051697664 bytes)
    CD size: 0.00B (0 bytes)
    Data partition size: 3.77 GB (4051697664 bytes)

    I don’t have a Windows box to test this on, but I’m not having any trouble with it in Fedora so far.

  9. Fishy said,

    December 13, 2009 at 8:41 am

    U3-tools worked perfectly for me, thanks!

    Go for it !

  10. Andy Merrall said,

    November 1, 2009 at 9:59 am

    Ok. Your idea worked. I can no longer see it. I have had trouble with this U3 stuff. I’ve tried forcing sr# to mount using. mount -w /dev/sr# /mnt/laptop.
    ignore the name of the mount point. It’s just one I use for mounting logical volumes on an old laptop hard drive. That failed.
    Now it doesn’t show up. I still can’t see it in gparted though. I’ll have to see if I can use one of the windows computers at work to remove it fully.

  11. Tristan Lear said,

    October 18, 2009 at 11:11 am

    Has anyone tried using the windows u3 uninstall utility under VirtualBox? if you download the full version from their website, i believe they’ve had direct USB forwarding since version 2.0 … so like … it’s as good has having a usb thing plugged directly into windows. I tried it once with my magicJack and it worked.

  12. daviedev said,

    October 7, 2009 at 5:07 am

    The libusb version of U3-tool is only for compatibility with old linux kernels < ~2.6.20. U3-tool now uses SCSI generic as default subsystems, which work out of the box on Ubuntu 8.04+. Although finding out the right device to use might be somewhat hard for the less experienced Linux user(the highest /dev/sgX is probably a good bet)

  13. jimcooncat said,

    September 20, 2009 at 6:16 am

    @dangerjim: Thanks very much! I’ll give it a shot when I get back to work.

  14. dangerjim said,

    September 18, 2009 at 2:38 am

    You might try this tool:

    My friend who was infected with the U3 virus was able to build and run it on Linux.
    He said that libusb didn’t work, but libsgutils did.

  15. Neil Greenwood said,

    May 27, 2009 at 3:04 pm

    I did the write to /sys/class/block/sr0/device/delete, then followed it with a write to /sys/class/block/sdc/device/delete (where sdc was the other device showing up in fdisk -l).

    This seems to have done the trick, and I now only have one partition on my USB stick.

    Admittedly, it wasn’t a U3 device, but the extra partition was a ‘secure’ one.


  16. jimcooncat said,

    May 15, 2009 at 7:43 am

    I’m guessing that this method only removes the cdrom device from the Linux kernel, doesn’t actually modify the flash drive itself. A promising project is youthree, very much in its infancy. I hope Zinx, the author, is able to progress on this, or at least open up his blog for comments.

  17. jimcooncat said,

    May 14, 2009 at 2:19 pm

    @will_in_wi, it’s tougher than it looks. U3 is embedded in the firmware; that is, it has an emulated CD-ROM embedded, as well as a regular flash drive. The flash drive is simple to overwrite, it’s this CD-ROM that causes me fits — errors in Linux, auto-running in Windows. Since it’s Read Only, it can’t be overwritten by dd.

    The post above gave me some hope, but I’m sure I did something a little wrong, or there was a step missing at the end (perhaps obvious to the original author).

  18. will_in_wi said,

    May 14, 2009 at 12:24 pm

    I have not dealt with U3 yet, but from looking at the tutorial perhaps repartitioning the drive would work. If you use fdisk or gparted to wipe the partition table and recreate it, that might eliminate U3.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: