Cannot delete read-only files on a virus-infected thumb drive

This is a step-by-step guide to recovering a virus-infected thumb drive using a Linux operating system. With an ordinary virus you can simply delete the virus file and its related directories from the thumb drive. However, if the thumb drive has been infected by a virus that leaves read-only files and input/output errors behind, that is trouble. This tutorial is for those who need to fix that kind of problem. The example uses a thumb drive that shows such input/output errors, with Ubuntu Desktop as the Linux operating system.

A thumb drive is automatically detected and mounted by Ubuntu Desktop by default. If you have changed that configuration, or you are using another Linux distribution such as Slackware, you need to mount the thumb drive manually. See the tutorial How to mount and unmount usb drive or thumb drive in Linux if you need help with that.

Ubuntu Desktop opens the thumb drive directory once it has been mounted successfully. Click the View menu and choose Show Hidden Item to see all files on the thumb drive. The thumb drive in this tutorial was infected by viruses that could not be cleaned; the infected files were deleted from Linux, which moved them into the .Trash-1000 directory. Opening the '.Trash-1000' directory shows two sub-directories, 'files' and 'info'. See the example picture below:

[Image: thumb drive folder]

If we try to delete those files, we get a 'Read Only' error. See the example picture below:

[Image: error while deleting the thumb drive folder]

Now open a command line terminal to see all the permissions in detail. Root permission is needed to complete this job, so type sudo su and enter your password if you do not want to type 'sudo' and your password every time root privilege is needed later. See the example below:

[email protected]:~$ sudo su
[sudo] password for kkcjlab:
[email protected]:/home/kkcjlab#

Change into the thumb drive directory, which is /media/disk. Use the Linux 'ls -al' command to view all files, including hidden files. See all the steps in the example below:

[email protected]:/home/kkcjlab# cd /media/disk/
[email protected]:/media/disk# ls -al
total 1656
drwx------ 4 kkcjlab root 4096 1970-01-01 07:30 .
drwxr-xr-x 4 root root 4096 2010-04-07 11:16 ..
drwx------ 2 kkcjlab root 4096 2010-03-07 18:04 B Borang Berkaitan Tugas Rasmi
-rwx------ 1 kkcjlab root 1679360 2010-02-04 01:04 ELM 2005A.xls
drwx------ 4 kkcjlab root 4096 2010-03-07 11:09 .Trash-1000
[email protected]:/media/disk#

Let's see what happens when a thumb drive has been infected by viruses. The picture below shows the infected 'handout' directory as viewed in the GUI (X Window):

[Image: virus-infected directory on the thumb drive]

This is what the same directory looks like in a command line terminal; the file names are garbage and ls cannot even access the entries:

[email protected]:/media/disk/.Trash-1000/files/kursus-joomla/handout# ls -al
ls: cannot access ═èu*E."╬╞: Input/output error
ls: cannot access d-*üçÑyΓ.│ÿé: Input/output error
ls: cannot access )4╒δ$¿╩ª.╧εm: Input/output error
[email protected]:/media/disk/.Trash-1000/files/kursus-joomla/handout#

If you plug this thumb drive into a Windows XP or Vista system, you get an error when you try to unmount (safely remove) the drive. Windows says the drive is in use and asks you to close any open files, so it cannot be unmounted properly. You have to shut down the computer and then pull out the thumb drive.

What you need to do now is just delete the directory, right? You are already root, so just run 'rm -rf'. Let's see what happens:

[email protected]:/media/disk/.Trash-1000/files# rm -rf kursus-joomla/
rm: cannot remove `kursus-joomla/Joomla_1.5.14-Stable-Full_Package.zip': Read-only file system
rm: cannot remove `kursus-joomla/handout/joomla_15_quickstart.pdf': Read-only file system
rm: cannot remove `kursus-joomla/handout/joomla-installation.pdf': Read-only file system
rm: cannot remove `kursus-joomla/handout/1.5_Installation_Manual_version_0.5.pdf': Read-only file system
rm: cannot remove `kursus-joomla/joomla-installation.ppt': Read-only file system
rm: cannot remove `kursus-joomla/joomla-installation.odp': Read-only file system
rm: cannot remove `kursus-joomla/joomla-screen.odt': Read-only file system

So even as root you cannot remove the directory. Don't bother changing the directory permissions either; that fails too, because the error says the file system itself is read-only, not merely the files.

Here is the easy solution. First copy every important file from the thumb drive to a directory on your Ubuntu Desktop, because the following steps destroy everything on the drive. Then repartition and format the whole thumb drive manually from the command line terminal using the Linux fdisk command. Here are the complete steps:

1) Find the thumb drive's device name using the fdisk command:

[email protected]:~# fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xea4ba281

Device Boot Start End Blocks Id System
/dev/sda1 1 12158 97659103+ 83 Linux
/dev/sda2 12159 12523 2931862+ 82 Linux swap / Solaris
/dev/sda3 * 12524 19457 55697355 83 Linux

Disk /dev/sdb: 4009 MB, 4009754624 bytes
51 heads, 51 sectors/track, 3010 cylinders
Units = cylinders of 2601 * 512 = 1331712 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sdb1 1 3011 3915204 b W95 FAT32

2) Run fdisk on the thumb drive device. In this example the thumb drive is /dev/sdb, recognisable by its 4009 MB size and its W95 FAT32 partition. Check carefully which device is your thumb drive, because fdisk will just as happily rewrite the partition table of the wrong disk:

[email protected]:~# fdisk /dev/sdb

The number of cylinders for this disk is set to 3010.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

3) Press 'p' to print the partition table currently on the thumb drive:

Command (m for help): p

Disk /dev/sdb: 4009 MB, 4009754624 bytes
51 heads, 51 sectors/track, 3010 cylinders
Units = cylinders of 2601 * 512 = 1331712 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sdb1 1 3011 3915204 b W95 FAT32

Command (m for help):

4) Press 'd' to delete the partition (there is only one, so fdisk selects partition 1 automatically):

Command (m for help): d
Selected partition 1

5) Press 'n' to create a new partition. Enter 'p' for a primary partition and 1 for the partition number, then press Enter to accept the default first cylinder (1) and press Enter again to accept the default last cylinder. See all the steps below:

Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-3010, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-3010, default 3010):
Using default value 3010

6) Press 'p' to see the new partition that was just created:

Command (m for help): p

Disk /dev/sdb: 4009 MB, 4009754624 bytes
51 heads, 51 sectors/track, 3010 cylinders
Units = cylinders of 2601 * 512 = 1331712 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sdb1 1 3010 3914479+ 83 Linux

7) The new partition has the Linux partition type (id 83). We don't want that; we need a Windows FAT type like the original. The original id (see the fdisk output when we first printed the partition table) is 'b'. So press 't' to change the partition type and enter the hex code 'b'. See the steps below:

Command (m for help): t
Selected partition 1
Hex code (type L to list codes): b
Changed system type of partition 1 to b (W95 FAT32)

Command (m for help): p

Disk /dev/sdb: 4009 MB, 4009754624 bytes
51 heads, 51 sectors/track, 3010 cylinders
Units = cylinders of 2601 * 512 = 1331712 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sdb1 1 3010 3914479+ b W95 FAT32

8) Press 'a' to toggle the bootable flag on the new partition, and enter 1 for the first partition:

Command (m for help): a
Partition number (1-4): 1

Command (m for help): p

Disk /dev/sdb: 4009 MB, 4009754624 bytes
51 heads, 51 sectors/track, 3010 cylinders
Units = cylinders of 2601 * 512 = 1331712 bytes
Disk identifier: 0x04030201

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 3010 3914479+ b W95 FAT32

9) Now press 'w' to write the changes and exit fdisk:

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.

WARNING: If you have created or modified any DOS 6.x
partitions, please see the fdisk manual page for additional
information.
Syncing disks.
[email protected]:~#

10) Finally, unmount the thumb drive and format the new partition with the Linux 'mkfs' command. The drive was still mounted while fdisk ran, which is why fdisk reported 'Device or resource busy' and could not re-read the partition table. If mkfs complains that the kernel is still using the old table, unplug and re-insert the drive (or reboot, as fdisk suggests) and run mkfs again:

[email protected]:~# umount /media/disk/
[email protected]:~# mkfs -t vfat /dev/sdb1
mkfs.vfat 3.0.1 (23 Nov 2008)

That's all.
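As an added example that is not part of the original tutorial, the checks behind the procedure above are written out as a small POSIX shell script: step 1 (finding the FAT32 partition in fdisk -l output), the 'Read-only file system' diagnosis from the rm failure (reading the mount options from /proc/mounts), a guard that refuses to touch a disk while any of its partitions is mounted (the cause of the 'Device or resource busy' warning in step 9, and protection against picking the system disk), and the fdisk keystrokes for steps 4 to 9. The fdisk -l and /proc/mounts text embedded in the script is constructed to mirror the tutorial's listing so the functions can be exercised offline; the function names are my own and the keystroke sequence matches the fdisk version shown in the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the checks behind steps
# 1-10 as shell functions.  The sample fdisk -l and /proc/mounts text below is
# CONSTRUCTED to mirror the tutorial's listing so the functions can be run
# offline; on a real system the live commands are used instead.

# Constructed sample of `fdisk -l` output (device lines as in the tutorial).
SAMPLE_FDISK='Disk /dev/sda: 160.0 GB, 160041885696 bytes
Device Boot Start End Blocks Id System
/dev/sda1 1 12158 97659103+ 83 Linux
/dev/sda2 12159 12523 2931862+ 82 Linux swap / Solaris
/dev/sda3 * 12524 19457 55697355 83 Linux
Disk /dev/sdb: 4009 MB, 4009754624 bytes
/dev/sdb1 1 3011 3915204 b W95 FAT32'

# Constructed sample of /proc/mounts: the thumb drive is still mounted and
# the kernel has remounted it read-only ("ro" in the options column), which
# is what rm reports as "Read-only file system".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/disk vfat ro,nosuid,nodev 0 0'

# Step 1: from `fdisk -l` output on stdin, print partitions whose Id is a
# Windows FAT32 type (b = W95 FAT32, c = W95 FAT32 (LBA)).  The optional
# Boot column ("*") shifts the Id column by one field.
fat_partitions() {
  awk '$1 ~ /^\/dev\// {
         id = ($2 == "*") ? $6 : $5
         if (id == "b" || id == "c") print $1
       }'
}

# /dev/sdb1 -> /dev/sdb.  Assumes sdX naming; nvme/mmc devices use "p1"
# and would need a different rule.
disk_of() {
  printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# Print the mount options of DEVICE from /proc/mounts text on stdin, or
# nothing if it is not mounted.  "ro" in the result explains the rm failure.
mount_options() {
  awk -v d="$1" '$1 == d { print $4 }'
}

# Refuse to touch DISK while any of its partitions is mounted (stdin is
# /proc/mounts text).  Catches both "still mounted, fdisk will report
# Device or resource busy" and the catastrophic case of the system disk.
safe_to_wipe() {
  awk -v d="$1" '
    index($1, d) == 1 {
      bad = 1
      if ($2 == "/") print "refusing: " d " holds the root filesystem" | "cat 1>&2"
      else           print "refusing: " $1 " is mounted on " $2 "; umount it first" | "cat 1>&2"
    }
    END { exit bad ? 1 : 0 }'
}

# Keystrokes for steps 4-9, one per line, to feed to `fdisk DISK`.  Matches
# the prompts of the fdisk version shown in the tutorial (one existing
# partition, so "d" asks for no number; blank lines accept the default
# cylinders).  Newer fdisk versions prompt differently, so walk through the
# steps interactively first on your own version.
fdisk_script() {
  printf '%s\n' d n p 1 "" "" t b a 1 w
}

# DESTRUCTIVE: steps 4-10 on DISK, only after the mount check passes.
reformat_thumb_drive() {
  disk=$1
  safe_to_wipe "$disk" < /proc/mounts || return 1
  fdisk_script | fdisk "$disk" || return 1
  mkfs -t vfat "${disk}1"
}

case "${1:-}" in
  --list) fdisk -l 2>/dev/null | fat_partitions ;;   # step 1, needs root
  --wipe) reformat_thumb_drive "$2" ;;               # e.g. --wipe /dev/sdb
esac
```

Run as root: `sh recover.sh --list` prints the FAT32 candidates, `mount_options /dev/sdb1 < /proc/mounts` shows whether the kernel has already flipped the drive to `ro`, and `sh recover.sh --wipe /dev/sdb` repeats the tutorial's fdisk and mkfs steps, but only after `umount /media/disk` has succeeded, so the partition table is re-read immediately instead of at the next reboot.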
