# Ubuntu – Remove RECYCLER directory from virus infected flash drive

malwarentfsntfs-3gusb-drivewindows

Before you advise me on the option of saving my files and formatting the drive using gparted, please understand that I could have done that hours back and that would have taken only a few minutes. Actually, I want to understand, what is really happening here. The situation is trashing all my experiences gained over the years.

I was under the impression that if I insert a virus infected flash drive to my Ubuntu machine, all I need to do is to simply delete the virus files and I am good to go.

Today, I collected some files in an NTFS formatted flash drive from a Windows machine fully knowing that the machine is virus infected. When I inserted the flash drive to my machine, I found that indeed, it has collected many files and folders. I have deleted most of them. The only one showing hard resistance is a RECYCLER directory (and its subdirectories).

The attributes of this directory.

drwx------ 1 masroor masroor 4.0K May  7 16:01 RECYCLER/


If I execute the rm command,

sudo rm -rvf RECYCLER/


I get a long output in the line of,

rm: cannot remove RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
rm: cannot remove RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/viJbcvrJ.cpl': Input/output error
<rest snipped>


What is interesting, the above reported files are shown by the ls command with some

ls -l RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/

ls: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe: Input/output error
ls: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/viJbcvrJ.cpl: Input/output error
total 0
-????????? ? ? ? ?            ? OagFrAIX.exe
-????????? ? ? ? ?            ? viJbcvrJ.cpl


If try to find the attributes of those offending folders,

ls -dl RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/


I get,

drwx------ 1 masroor masroor 4096 May  7 15:58 RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/


Command chmod to make the RECYCLER folder world writable fails.

sudo chmod -vR ugo+w RECYCLER/


The output is in the line of.

mode of RECYCLER/' changed from 0700 (rwx------) to 0722 (rwx-w--w-)
mode of RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537' changed from 0700 (rwx------) to 0722 (rwx-w--w-)
chmod: cannot access RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/OagFrAIX.exe': Input/output error
<snipped>


These folders contained a number of .exe and other files most of which I have already deleted successfully (except the above reported ones).

If I check the attributes of one of these folders,

lsattr -ad RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/


I get

lsattr: Inappropriate ioctl for device While reading flags on RECYCLER/S-2-4-27-3777257131-1806073332-421880436-8537/


I have run clamtk on this device as suggested here. However, it fails to find a threat.

I understand that I can simply save my flash drive contents somewhere and then format it. However, I am more interested in finding out which attributes have been set in these folders which are resisting further changes. (And definitely, I will want to disinfect my flash drive as well.)

UPDATE 1

Further to the comment from Patro.

1. When the folders are visited, those files with myriad attributes are not shown, even when I try to view them as hidden files.
2. Deleting these files fails. The command rm -rvf * inside the directory S-2-4-27-3777257131-1806073332-421880436-8537 fails with input/output error.

UPDATE 2

After the comments from soulsource and girardengo I have tried to run
ntfsck and ntfsfix. Also, this question helped.

Here are the outputs.

ntfsck

sudo ntfsck  /dev/sdc1

Unsupported: replay_log()
Unsupported: check_volume()
Checking 7796 MFT records.
Unsupported cases found.


ntfsfix

sudo ntfsfix -d /dev/sdc1

Mounting volume... OK
Processing of $MFT and$MFTMirr completed successfully.
NTFS volume version is 3.1.
NTFS partition /dev/sdc1 was processed successfully.


But the initial situation still persists. There has not been any improvement.

UPDATE 3 (SOLVED)

As advised in this post, I inserted my drive in a Windows machine and
executed (from a terminal),

chkdsk <drive letter> /R


There was a flurry of activities about checking and repairing. There were some messages regarding bad sectors as well. The task
was finished in less than a minute.
Then I found that some new folders have been created for recovered areas.

I reinserted the flash drive to a Linux machine, and the RECYCLER folder could be deleted without any problem.

As an added step, now I have formatted the drive (using gparted, to NTFS) since I think that I have gained my insight.

Looks like the virus is indeed capable of causing (temporary/soft) hardware
problem. Please see the above mentioned post for a detailed technical explanation.

Ok I gotta clear a couple of things here:

1. The reverse-engineer part about NTFS does not apply here, especially for a formatted NTFS flash drive. Even if it did that would be something really out of the normal. I have worked with many NTFS formatted Flash drives, formatted in Windows XP, Vista, 7 and 8.

So a problem with the Linux not detecting NTFS correctly is not it. the NTFS-3G proyect is not slow nor incompatible to that level, you can even see that the last update was a couple of months ago this same year. It sure has a couple of issues from time to time like caching support and huge CPU usage, but like I said, for a Flash Drive it would be something very unlikely to happen or would be with a very small chance..

2. I have had similar problems with Flash drives showing either ????? symbols or simply wrong symbols altogether (EG: !@#%\$@%#@ instead of the filename). Some users recommend using ntfsfix or ntfck but if you can't fix them with that run chkdsk on Windows on the drive. The Boot record/filesystem for it might be having some issues.

3. The owner of the file/folder does not matter as long as he uses sudo. It could be any user but when he uses the sudo command rm will remove it regardless of who owns it. Again this applies to this NTFS formatted Flash drive.

4. When I first saw the question I was going to ask to run the command as sudo but I read you already did. Then was going to suggest the ntfs repair tools, but you already did. then I saw the Input/output error at the end. That and seeing how the name of the files appeared all messed up simply told me there was an actual filesystem problem which can be corrected only by:

• Using chkdsk on Windows. Neither ntfsfix nor ntfsck` will fix a couple of issues that chkdsk can only fix.

• At this moment it does not look like a hardware problem, more likely a filesystem problem. If chkdsk does not work, then the only solution is to format the flash drive again (No need for low level). In the case a simple format does not help (and tested in Windows and gparted), then we are looking at a hardware level problem.

If a virus actually had to do anything with this problem, it would be because it affected/attached to the filesystem table (MFT). This would create problems like seeing parts of the filesystem OK and others BAD. Not seeing files on one system and seeing them in another. Seeing all files or some corrupted (eg:!@#!#!LOL!@#!) and other weird stuff that could happen if the file system table is corrupt. It could be as simple as the virus changing one of the fields in the filesystem table or it could be as horrible as the virus changing the size of the MFT or several files.

Virus aside you should know that if the problem is so bad that you can't format the drive (Fresh filesystem) which would be rare to see a virus do that, then it is more probable that you have a flash drive hardware problem caused by heat, impact, etc..

For the corruption of data on the flash drive, or in any storage unit but especially flash drives, the cause in many cases is removing the unit before all information was correctly saved. This can happen in both, Windows and Linux if a user removes the flash drive without making sure that everything has finished writing and the session for the device is closed.

In the case of Linux you will start getting warnings about read/write operations not permitted in the whole flash drive or files (like movies) missing 50% of more of the whole size (Like a 1.2GB movie weighing only 500MB and everything in it corrupted). fsck can fix this in most cases. In the case of Windows it will show input/output errors and can go as far as corrupting the whole unit because the MFT did not save correctly the info. So it is recommend to either wait for the session to close or use a "safely remove" option when available.