Before you advise me on the option of saving my files and formatting the drive using gparted, please understand that I could have done that hours ago and that it would have taken only a few minutes. Actually, I want to understand what is really happening here. The situation is trashing all the experience I have gained over the years.
I was under the impression that if I insert a virus infected flash drive to my Ubuntu machine, all I need to do is to simply delete the virus files and I am good to go.
Today, I collected some files in an NTFS formatted flash drive from a Windows machine fully knowing that the machine is virus infected. When I inserted the flash drive to my machine, I found that indeed, it has collected many files and folders. I have deleted most of them. The only one showing hard resistance is a RECYCLER directory (and its subdirectories).
The attributes of this directory:
drwx------ 1 masroor masroor 4.0K May 7 16:01 RECYCLER/
If I execute
sudo rm -rvf RECYCLER/
I get a long output along the lines of:
rm: cannot remove `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
rm: cannot remove `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/viJbcvrJ.cpl': Input/output error
<rest snipped>
What is interesting is that the above-reported files are shown by the ls command with a myriad set of attributes.
ls -l RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/
ls: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe: Input/output error
ls: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/viJbcvrJ.cpl: Input/output error
total 0
-????????? ? ? ? ? ? OagFrAIX.exe
-????????? ? ? ? ? ? viJbcvrJ.cpl
If I try to find the attributes of those offending folders,
ls -dl RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/
drwx------ 1 masroor masroor 4096 May 7 15:58 RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/
chmod to make the RECYCLER folder world-writable fails:
sudo chmod -vR ugo+w RECYCLER/
The output is along the lines of:
mode of `RECYCLER/' changed from 0700 (rwx------) to 0722 (rwx-w--w-)
mode of `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537' changed from 0700 (rwx------) to 0722 (rwx-w--w-)
chmod: cannot access `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
<snipped>
These folders contained a number of .exe and other files, most of which I have already deleted successfully (except the above-reported ones).
If I check the attributes of one of these folders,
lsattr -ad RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/
lsattr: Inappropriate ioctl for device While reading flags on RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/
I have run clamtk on this device as suggested here. However, it fails to find a threat.
I understand that I can simply save my flash drive contents somewhere and then format it. However, I am more interested in finding out which attributes have been set in these folders which are resisting further changes. (And definitely, I will want to disinfect my flash drive as well.)
Further to the comment from Patro:
- When the folders are visited, those files with myriad attributes are not shown, even when I try to view them as hidden files.
- Deleting these files fails. The command rm -rvf * inside the directory S-2-4-27-3777257131-1806073332-421880436-8537 fails with an input/output error.
Here are the outputs.
sudo ntfsck /dev/sdc1
Unsupported: replay_log()
Unsupported: check_volume()
Checking 7796 MFT records.
Unsupported cases found.
sudo ntfsfix -d /dev/sdc1
Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
NTFS volume version is 3.1.
NTFS partition /dev/sdc1 was processed successfully.
But the initial situation still persists. There has not been any improvement.
UPDATE 3 (SOLVED)
As advised in this post, I inserted my drive in a Windows machine and executed (from a terminal):
chkdsk <drive letter> /R
There was a flurry of activity about checking and repairing. There were some messages regarding bad sectors as well. The task was finished in less than a minute.
Then I found that some new folders have been created for recovered areas.
I reinserted the flash drive to a Linux machine, and the RECYCLER folder could be deleted without any problem.
As an added step, now I have formatted the drive (using gparted, to NTFS) since I think that I have gained my insight.
It looks like the virus is indeed capable of causing a (temporary/soft) hardware problem. Please see the above-mentioned post for a detailed technical explanation.
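A small triage script, added here as an example and not part of the original post or its answers, that sorts the "cannot remove"/"cannot access" errors quoted above by their strerror text: Input/output error means the kernel could not read the entry at all (media or metadata corruption, the chkdsk /R case), whereas Operation not permitted and Permission denied point at flags or modes that lsattr/chmod can address. The sample lines are constructed from the post's output plus two hypothetical lines (locked.txt, private/notes.txt) to exercise the other classes.

```python
import re
from collections import Counter

# Constructed sample: the error lines quoted in the post, plus two made-up
# lines (locked.txt, private/notes.txt) to show the other error classes.
SAMPLE_OUTPUT = """\
rm: cannot remove `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
rm: cannot remove `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/viJbcvrJ.cpl': Input/output error
ls: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe: Input/output error
chmod: cannot access `RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
mode of `RECYCLER/' changed from 0700 (rwx------) to 0722 (rwx-w--w-)
rm: cannot remove `locked.txt': Operation not permitted
rm: cannot remove `private/notes.txt': Permission denied
"""

# strerror text -> (error class, first thing to try). EIO means the kernel
# could not read the entry at all, so no chmod/chattr will help.
ERROR_CLASSES = {
    "Input/output error": ("corruption", "unmount, then run a filesystem check (ntfsfix, or chkdsk /R on Windows)"),
    "Operation not permitted": ("attribute", "inspect immutable/append-only flags with lsattr"),
    "Permission denied": ("permission", "inspect owner and mode with ls -l; fix with chown/chmod"),
}

# Matches coreutils failures like "rm: cannot remove `path': reason" and
# "ls: cannot access path: reason", with or without the quoting.
FAILURE_RE = re.compile(r"^(?P<tool>\w+): cannot (?:remove|access) [`']?(?P<path>.+?)'?: (?P<err>.+)$")

def triage(output: str) -> dict:
    """Map each failing path to (strerror text, class, suggested next step).
    Progress lines such as chmod's "mode of ... changed" are ignored."""
    findings = {}
    for line in output.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        err = m.group("err").strip()
        cls, advice = ERROR_CLASSES.get(err, ("unknown", "inspect manually"))
        # Keep the first report per path; one file shows up under rm, ls and chmod.
        findings.setdefault(m.group("path"), (err, cls, advice))
    return findings

def summarize(findings: dict) -> dict:
    """Count failing paths per error class, e.g. {'corruption': 2, ...}."""
    return dict(Counter(cls for _, cls, _ in findings.values()))

if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for path, (err, cls, advice) in sorted(result.items()):
        print(f"{cls:11} {path}\n            {err} -> {advice}")
    print(summarize(result))
```

To use it on a real cleanup, pipe the stderr of rm/ls/chmod into a file and pass its contents to triage(); any path classed as corruption is a filesystem-check job, not a permissions job.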