Go Back   The macosxhints Forums > OS X Help Requests > System



Reply
 
Thread Tools Rate Thread Display Modes
Old 03-22-2011, 03:49 PM   #1
dmicklem
Prospect
 
Join Date: Mar 2011
Posts: 2
Undeletable folders on USB flash drive after windows virus

I recently picked up an autorun trojan horse when I put a FAT16-formatted USB drive into a Windows machine.

I noticed the unexpected files in the Finder and was able to delete the actual virus with no trouble other than unlocking the file.

But the folders that the virus was in were (nearly) impossible to delete.

The folders were named

RESTORE

and

RESTORE/k-1-3542-4232123213-7676767-8888886

All attempts to remove these in the Finder or using Terminal failed.

The Finder requested authentication but then did nothing.
In Terminal:

Code:
sudo rm -rf RESTORE/
password:
rm: RESTORE//k-1-3542-4232123213-7676767-8888886: Operation not permitted
rm: RESTORE/: Directory not empty
I wasn't able to do anything else with the directories either: no mv, no chmod, nothing. And there I was thinking that root was all-powerfull

Extensive searching revealed similar problems involving the uchng and schng 'immutable' flags so I checked with

Code:
 ls -lOA
drwxrwxrwx  1 dmicklem  dmicklem  hidden     16384 18 Mar 19:27 RESTORE
Removing the 'hidden' flag with:

Code:
chflags -R nohidden *
successfully removed the flag

Code:
DRM-MacBook:DISK_IMG dmicklem$ ls -lAO
...
drwxrwxrwx  1 dmicklem  dmicklem  - 16384 18 Mar 19:27 RESTORE

DRM-MacBook:RESTORE dmicklem$ ls -AlO
total 32
drwxrwxrwx  1 dmicklem  dmicklem  - 16384 18 Mar 14:25 k-1-3542-4232123213-7676767-8888886
But the directories were still undeletable.

Attempts to remove other flags (even though none are reported) also failed both in the Terminal and in Single-User mode

e.g lots of variants on:
Code:
DRM-MacBook:RESTORE dmicklem$sudo chflags -R -L noarch,nohidden,nosappnd,noschange,nouappend,nouchange k-1-3542-4232123213-7676767-8888886/

The only other solutions I found online were to mount the disk on a windows machine (or virtual machine) and manipulate the flags with:


Code:
attrib -r -s -h foldername
or to reformat the disk.

I don't have easy access to a PC, and anyway I was looking for a Mac solution so I backed up everything to my hard disk (where the folders were easily deleted) planning to reformat the drive.

Since I was planning to zap the drive anyway I thought I'd poke around a bit using a disk sector editor iBored:

http://www.macupdate.com/app/mac/30217/ibored

It recognised the disk straight away, and the View Structure (cmd-D) command identified the FAT:Cluster area.

Double-clicking and selecting the FAT:Directory Start Block template revealed the top level directory entries.

Looking under Restore gave two pieces of useful info:

1) the attributes flag, which was set to 23 (hex 17)
2) a pointer to the subdirectories "first cluster lo" (218)

I don't know what each bit of the attributes flag means, but the other (well behaved) directories had the attribute flag set to 16 (hex 10).

I modified the attributes flag to 16 (hex 10) after unmounting the disk and using BlockView->Make Writable.

Then I followed the pointer by filling 217 (ie 218-1) into the box at the top-left of the window and selecting the FAT:DIrectory Start Block template again.

(It sometimes seems to be necessary to move one cluster up and down again to make this work).

That led to the k-1-3_~1 directory.
It also had attribute flag set to 23, and I reset it to 16.

After remounting the disk I was able to delete the directories without any problem.

So... this is a solution, but it isn't very elegant.

Is there a better way? Using command-line tools?

David
dmicklem is offline   Reply With Quote
Old 03-22-2011, 04:12 PM   #2
trevor
Moderator
 
Join Date: Jun 2003
Location: Boulder, CO USA
Posts: 19,839
I think I missed why you didn't just reformat the drive?

Trevor
trevor is offline   Reply With Quote
Old 03-23-2011, 07:19 AM   #3
appleman_design
Hall of Famer
 
Join Date: Apr 2004
Posts: 2,550
mee too...
appleman_design is offline   Reply With Quote
Old 03-24-2011, 03:19 AM   #4
dmicklem
Prospect
 
Join Date: Mar 2011
Posts: 2
Mostly curiosity at finding something that root couldn't do...

But it is not always convenient to find free space to backup even a flash drive - and this problem could in principle affect much bigger drives too.

Now that I know how to fix this I think I could do it quicker with the disk editor than by reformatting - but a proper command-line way of doing it would be even better.

I was rather hoping someone here would know why the Mac can't handle folders like this properly.

Maybe the Unix - General forum would have been a better place to post?
dmicklem is offline   Reply With Quote
Old 03-24-2011, 12:07 PM   #5
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,459
I don't think the problem is related to lack of power in the 'root' account.
It is merely that the commands you are using (e.g. 'rm') are not able to deal with these file/folders for some reason. This is a not uncommon occurrence when the filesystem is corrupted or the filenames contain characters that are not normally allowed - the commands cannot deal with these cases. You could consider it a bug with the commands like 'rm'.
__________________
hayne.net/macosx.html
hayne is offline   Reply With Quote
Reply

Tags
chflags, fat16, immutable, undeletable, virus

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT -5. The time now is 05:22 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.