|03-22-2011, 03:49 PM||#1|
Join Date: Mar 2011
Undeletable folders on USB flash drive after windows virus
I recently picked up an autorun trojan horse when I put a FAT16-formatted USB drive into a Windows machine.
I noticed the unexpected files in the Finder and was able to delete the actual virus with no trouble other than unlocking the file.
But the folders that the virus was in were (nearly) impossible to delete.
The folders were named
All attempts to remove these in the Finder or using Terminal failed.
The Finder requested authentication but then did nothing.
    sudo rm -rf RESTORE/
    password:
    rm: RESTORE//k-1-3542-4232123213-7676767-8888886: Operation not permitted
    rm: RESTORE/: Directory not empty
Extensive searching revealed similar problems involving the uchg and schg 'immutable' flags, so I checked with
    ls -lOA
    drwxrwxrwx  1 dmicklem  dmicklem  hidden  16384 18 Mar 19:27 RESTORE
chflags -R nohidden *
    DRM-MacBook:DISK_IMG dmicklem$ ls -lAO
    ...
    drwxrwxrwx  1 dmicklem  dmicklem  -  16384 18 Mar 19:27 RESTORE
    DRM-MacBook:RESTORE dmicklem$ ls -AlO
    total 32
    drwxrwxrwx  1 dmicklem  dmicklem  -  16384 18 Mar 14:25 k-1-3542-4232123213-7676767-8888886
Attempts to remove other flags (even though none are reported) also failed, both in the Terminal and in Single-User mode, e.g. lots of variants on:
    DRM-MacBook:RESTORE dmicklem$ sudo chflags -R -L noarch,nohidden,nosappnd,noschange,nouappend,nouchange k-1-3542-4232123213-7676767-8888886/
The only other solutions I found online were to mount the disk on a windows machine (or virtual machine) and manipulate the flags with:
attrib -r -s -h foldername
I don't have easy access to a PC, and anyway I was looking for a Mac solution so I backed up everything to my hard disk (where the folders were easily deleted) planning to reformat the drive.
Since I was planning to zap the drive anyway I thought I'd poke around a bit using a disk sector editor iBored:
It recognised the disk straight away, and the View Structure (cmd-D) command identified the FAT:Cluster area.
Double-clicking and selecting the FAT:Directory Start Block template revealed the top level directory entries.
Looking under Restore gave two pieces of useful info:
1) the attributes flag, which was set to 23 (hex 17)
2) a pointer to the subdirectories "first cluster lo" (218)
I don't know what each bit of the attributes flag means, but the other (well behaved) directories had the attribute flag set to 16 (hex 10).
I modified the attributes flag to 16 (hex 10) after unmounting the disk and using BlockView->Make Writable.
Then I followed the pointer by filling 217 (i.e. 218-1) into the box at the top-left of the window and selecting the FAT:Directory Start Block template again.
(It sometimes seems to be necessary to move one cluster up and down again to make this work).
That led to the k-1-3_~1 directory.
It also had attribute flag set to 23, and I reset it to 16.
After remounting the disk I was able to delete the directories without any problem.
So... this is a solution, but it isn't very elegant.
Is there a better way? Using command-line tools?
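An added example (my own code, not the poster's and not part of iBored or any Apple tool): a small Python parser for FAT 8.3 directory entries that decodes the attribute byte the post is editing by hand. Per the FAT on-disk layout, 0x10 is the DIRECTORY bit alone, and 0x17 is DIRECTORY plus READ_ONLY (0x01), HIDDEN (0x02) and SYSTEM (0x04), the same three bits the Windows command `attrib -r -s -h` clears. The function names, the constructed root-directory block and every cluster number except the 218 quoted in the post are assumptions made for the example.

```python
import struct

# FAT 8.3 directory entry attribute bits (FAT specification)
ATTR_READ_ONLY = 0x01
ATTR_HIDDEN    = 0x02
ATTR_SYSTEM    = 0x04
ATTR_VOLUME_ID = 0x08
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE   = 0x20
ATTR_LONG_NAME = ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_VOLUME_ID  # 0x0F marks an LFN entry

ATTR_NAMES = [(ATTR_READ_ONLY, "READ_ONLY"), (ATTR_HIDDEN, "HIDDEN"), (ATTR_SYSTEM, "SYSTEM"),
              (ATTR_VOLUME_ID, "VOLUME_ID"), (ATTR_DIRECTORY, "DIRECTORY"), (ATTR_ARCHIVE, "ARCHIVE")]

# 32-byte entry: Name, Attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate,
#                FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
ENTRY_FMT = "<11sBBBHHHHHHHI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # == 32


def decode_attr(attr):
    """Name the bits set in an attribute byte (0x17 -> R/H/S + DIRECTORY)."""
    if attr == ATTR_LONG_NAME:
        return ["LONG_NAME"]
    return [name for bit, name in ATTR_NAMES if attr & bit]


def parse_entry(raw):
    """Unpack one 8.3 entry into a dict; first_cluster joins the hi/lo words."""
    (name, attr, _ntres, _tenth, _ctime, _cdate, _adate,
     clus_hi, _wtime, _wdate, clus_lo, size) = struct.unpack(ENTRY_FMT, raw)
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "attr": attr,
        "attr_names": decode_attr(attr),
        "first_cluster": (clus_hi << 16) | clus_lo,   # FAT16 leaves the high word zero
        "size": size,
    }


def clear_rsh(raw):
    """Copy of the entry with READ_ONLY, HIDDEN and SYSTEM cleared (0x17 -> 0x10).
    LFN entries are returned untouched: 0x0F there is a marker, not a flag set."""
    attr = raw[11]
    if attr == ATTR_LONG_NAME:
        return bytes(raw)
    fixed = bytearray(raw)
    fixed[11] = attr & ~(ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM)
    return bytes(fixed)


def find_locked_dirs(block):
    """Walk a directory cluster and list directories carrying any R/S/H bit."""
    hits = []
    for off in range(0, len(block) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = block[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:                       # 0x00 first byte: end of directory
            break
        if raw[0] == 0xE5 or raw[11] == ATTR_LONG_NAME:   # deleted entry or LFN piece
            continue
        e = parse_entry(raw)
        if e["attr"] & ATTR_DIRECTORY and e["attr"] & (ATTR_READ_ONLY | ATTR_HIDDEN | ATTR_SYSTEM):
            hits.append((off, e["name"], e["attr"], e["first_cluster"]))
    return hits


def build_entry(name, ext, attr, first_cluster, size=0):
    """Constructed sample entry for testing; all time/date fields are zeroed."""
    raw_name = (name.upper().ljust(8)[:8] + ext.upper().ljust(3)[:3]).encode("ascii")
    return struct.pack(ENTRY_FMT, raw_name, attr, 0, 0, 0, 0, 0,
                       (first_cluster >> 16) & 0xFFFF, 0, 0, first_cluster & 0xFFFF, size)


# Constructed root-directory block modelled on the post: RESTORE with attr 0x17 pointing at
# cluster 218, a well-behaved directory with 0x10, a deleted entry, an LFN piece, the end
# marker, and a stray entry after the end marker that a correct walk must ignore.
SAMPLE_ROOT = (
    build_entry("RESTORE", "", 0x17, 218)
    + build_entry("DOCS", "", 0x10, 5)
    + b"\xE5" + build_entry("OLDFILE", "TXT", 0x20, 9, 1234)[1:]
    + build_entry("LFNPART", "", ATTR_LONG_NAME, 0)
    + bytes(ENTRY_SIZE)
    + build_entry("GHOST", "", 0x17, 999)
)

if __name__ == "__main__":
    for off, name, attr, clus in find_locked_dirs(SAMPLE_ROOT):
        print(f"offset {off:3d}: {name:12s} attr 0x{attr:02X} {decode_attr(attr)} first cluster {clus}")
        fixed = clear_rsh(SAMPLE_ROOT[off:off + ENTRY_SIZE])
        print(f"   after clear_rsh: attr 0x{fixed[11]:02X} {decode_attr(fixed[11])}")
```

On a real drive the input to `find_locked_dirs` would be the bytes of a directory cluster read from the unmounted device (with dd or the block editor's export), and writing the patched 32 bytes back at the same offset is the step the post performs by hand in iBored. The walk stops at the first 0x00 entry and skips 0xE5 (deleted) and 0x0F (long-name) entries, so it does not report stale or LFN records as locked directories.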
|03-24-2011, 03:19 AM||#4|
Join Date: Mar 2011
Mostly curiosity at finding something that root couldn't do...
But it is not always convenient to find free space to backup even a flash drive - and this problem could in principle affect much bigger drives too.
Now that I know how to fix this I think I could do it quicker with the disk editor than by reformatting - but a proper command-line way of doing it would be even better.
I was rather hoping someone here would know why the Mac can't handle folders like this properly.
Maybe the Unix - General forum would have been a better place to post?
|03-24-2011, 12:07 PM||#5|
Join Date: Jan 2002
I don't think the problem is related to lack of power in the 'root' account.
It is merely that the commands you are using (e.g. 'rm') are not able to deal with these file/folders for some reason. This is a not uncommon occurrence when the filesystem is corrupted or the filenames contain characters that are not normally allowed - the commands cannot deal with these cases. You could consider it a bug with the commands like 'rm'.
|chflags, fat16, immutable, undeletable, virus|