SOLVED Urgh! Can't delete infected files! They're from another install

Peter PrinciplePeter Principle Registered User regular
edited February 2010 in Help / Advice Forum
Ok, my original operating system disk is infected with some of those shit files that were going around...apparently embedded in web page advertisements. I don't know, doesn't matter.

I have this drive, and I need the profile on it so I can get some encrypted files (otherwise I'd just nuke and reboot...although hammering a nail thru the platters to teach it a valuable life lesson is starting to sound like a good idea, too). Anyway, it's infected. Well, if I boot from the disk it runs the viruses and that disables my antivirus. But if I stick the drive in another computer and run a virus scan, I can't delete the viruses it detects because I apparently don't have permission to access those files. If I go the tedious route of taking "ownership" of the files to get to them and then try to delete the infected files manually, I get the same error message. Ugh. Someone help me before I go curbstomp a Carebear.

"A man is likely to mind his own business when it is worth minding. When it is not, he takes his mind off his own meaningless affairs by minding other people's business." - Eric Hoffer, _The True Believer_

Posts

  • shadydentistshadydentist Registered User regular
    edited February 2010
    Boot from a Ubuntu liveCD.

  • GoetterdaemmerungGoetterdaemmerung Registered User regular
    edited February 2010
    Unfortunately you know you can't do that because of the file encryption.

    Are these viruses stopping you from logging in and copying out your encrypted files? If so, how?

  • Peter PrinciplePeter Principle Registered User regular
    edited February 2010
    These are not the encrypted files, as far as I can tell. They aren't colored green. They're just files in folders that I haven't "taken ownership of".

    They all appear to be in E:\Documents and Settings\[my login name]\Local Settings\

    and then either Application Data\ or

    \Temp or

    \Temporary Internet Files\Content.IE5\etc.

    Is there some way to just "take ownership" of every file on a HD?

    Like the first one, was E:\Documents and Settings\[my login name]\Local Settings\Application Data\av.exe

    and when I go to this file, I can "take ownership" of each folder with this tedious suck-ass process until I get to the av.exe file, and then I can't do anything to the exe file without typing "E:\Documents and Settings\[my login name]\Local Settings\Application Data\av.exe" in the navigation line, which, I would assume, would execute av.exe. And the last thing I want to do is execute an infected exe file.

    But to answer your question, my original set up was one HD with XP installed, and another HD that was my storage drive. When the virus initially asserted itself, one of the first things it apparently did was rewrite the boot sector on my storage drive. Thread here: http://forums.penny-arcade.com/showthread.php?t=112470

    I got that squared away, and now I'm trying to fix the HD that had XP installed, so I can retrieve the encrypted files that I recovered on my storage drive.

  • GoetterdaemmerungGoetterdaemmerung Registered User regular
    edited February 2010
    Mm you didn't answer the important question: can you log on to your XP HD (it looks like maybe you can't?) and why not? Did it also rewrite the boot sector on your XP HD? i.e. what exactly happens when you try to boot to your XP HD to log in/decrypt your files?

  • TofystedethTofystedeth Registered User regular
    edited February 2010
    You can take ownership of an entire drive: simply right-click on its icon in My Computer and go to its advanced properties. Heads up, this will take a while to go through all the files. If it won't let you delete them, will it let you rename them? Sometimes you can get away with that.

  • ronyaronya Arrrrrf. the ivory tower's basementRegistered User regular
    edited February 2010
    Unfortunately you know you can't do that because of the file encryption.

    Nope. As silly as it sounds, NTFS access controls only apply when the operating system accessing it chooses to respect said rules, which means an Ubuntu LiveCD will indeed immediately allow access to the files.

    However, since the OP has it hooked up to a Windows machine already, consider running takeown on the drive to simply reassign all permissions.

  • GoetterdaemmerungGoetterdaemmerung Registered User regular
    edited February 2010
    ronya wrote: »
    Unfortunately you know you can't do that because of the file encryption.

    Nope. As silly as it sounds, NTFS access controls only apply when the operating system accessing it chooses to respect said rules, which means an Ubuntu LiveCD will indeed immediately allow access to the files.

    However, since the OP has it hooked up to a Windows machine already, consider running takeown on the drive to simply reassign all permissions.

    The OP didn't link, but this is about EFS, and the necessity of having access to/logging in under the encrypting profile. I think he's trying to make his old profile bootable/login-able (?).

  • TofystedethTofystedeth Registered User regular
    edited February 2010
    Doesn't EFS only apply to files with encryption on them? The Ubuntu disc should be able to delete the virus files, hopefully making his profile usable enough to copy the encrypted files out.

  • Peter PrinciplePeter Principle Registered User regular
    edited February 2010
    Mm you didn't answer the important question: can you log on to your XP HD (it looks like maybe you can't?) and why not?

    I can, I am just reluctant to do so because the virus is operant. Although, I haven't tried logging on in safe mode to delete the files...
    Did it also rewrite the boot sector on your XP HD?

    No, it didn't. I think it wants to leave that up and running, and it wants me to click buttons that will probably give it full control so it can perhaps run out and infect other systems or do whatever it wants to do.
    i.e. what exactly happens when you try to boot to your XP HD to log in/decrypt your files?

    Right now, nothing because the two drives aren't in the same computer. I moved the infected OS drive to another computer to try to run a virus scan on it. The storage HD is in the original, primary computer with a new (as it were) HD running a new install of XP.

    If I boot to the infected OS drive, the virus becomes operant and tries to pass itself off as some sort of official windows virus protection program. If I nuke the process av.exe, it reasserts itself. This makes me nervous so I've been trying to kill this virus shit without booting to that drive.

  • ronyaronya Arrrrrf. the ivory tower's basementRegistered User regular
    edited February 2010
    ronya wrote: »
    Unfortunately you know you can't do that because of the file encryption.

    Nope. As silly as it sounds, NTFS access controls only apply when the operating system accessing it chooses to respect said rules, which means an Ubuntu LiveCD will indeed immediately allow access to the files.

    However, since the OP has it hooked up to a Windows machine already, consider running takeown on the drive to simply reassign all permissions.

    The OP didn't link, but this is about EFS, and the necessity of having access to/logging in under the encrypting profile. I think he's trying to make his old profile bootable/login-able (?).

    Nah, from the description of needing to take ownership, it's not encrypted, just tied to NTFS access control. I've had to deal with this multiple times before, usually due to ill-advised attempts to manipulate user accounts (accidentally nuking the main account and the hidden Administrator account? Is not cool. Especially less cool when it is crucial to get the same machine working without formatting for a variety of reasons. Eventually I got in by logging in as SYSTEM so I could undo all the horrendous damage).

    Just run takeown from your other, clean hard drive and grant read to Administrators, get your files off, then wipe the disk clean. You are logging in as Administrator on the other computer, right?

  • GoetterdaemmerungGoetterdaemmerung Registered User regular
    edited February 2010
    If all you need to do is get the encrypted files off this drive, log in normally, copy the encrypted files to a disc/usb drive (making sure the copies aren't also encrypted), then scan those files on a clean computer (and reformat your infected drive or throw it in a fire). There are very, very few viruses that would impede this.

    If your objective is to restore this entire computer (HD) to good health... good luck.

  • Peter PrinciplePeter Principle Registered User regular
    edited February 2010
    Starting in safe mode appears to be allowing me to remove these infected files. I'm hopeful. Will update shortly.

  • ronyaronya Arrrrrf. the ivory tower's basementRegistered User regular
    edited February 2010
    Good luck.

    Remember, even if it works, your computer may be considered permanently compromised - use it just long enough to retrieve your stuff, then wipe the disc and reinstall Windows.

  • ashridahashridah Registered User regular
    edited February 2010
    Taking ownership of a file doesn't necessarily automatically give you permission to modify them.

    Take ownership of the files, AND give yourself 'full control'.

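One way to carry out what ronya (takeown from the clean machine) and ashridah (ownership plus Full control) describe, as an added example rather than a command anyone in the thread posted. It assumes the infected disk is attached to the clean machine as E:, that it is run from an elevated PowerShell prompt, and the login name in the path is a placeholder.

```powershell
# Added example (not from the thread): on the clean machine, take ownership of the
# old profile on the offline-attached disk, grant Administrators full control, and
# delete the files the scanner flagged by path rather than opening them.
# Assumptions: infected disk mounted as E:, elevated prompt, placeholder login name.
$ProfileDir = 'E:\Documents and Settings\[my login name]\Local Settings'
$Flagged = @(
    "$ProfileDir\Application Data\av.exe"   # path the OP reported; constructed list
)

# 1. Ownership. /R recurses, /A assigns ownership to the Administrators group rather
#    than the current user, /D Y answers the "list this folder?" prompt unattended.
takeown /F $ProfileDir /R /A /D Y | Out-Null

# 2. Ownership alone does not give modify or delete rights (ashridah's point), so
#    grant Full control explicitly. /T recurses, /C continues past files that error.
icacls $ProfileDir /grant 'Administrators:F' /T /C | Out-Null

# 3. Remove each flagged file by literal path. Remove-Item never launches the file,
#    unlike typing an .exe path into Explorer's address bar, which runs it.
foreach ($path in $Flagged) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    Write-Host ("{0}`n  owner now: {1}" -f $path, $acl.Owner)
    Remove-Item -LiteralPath $path -Force
    Write-Host ("  removed: {0}" -f (-not (Test-Path -LiteralPath $path)))
}
```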
  • Peter PrinciplePeter Principle Registered User regular
    edited February 2010
    So, booting to the infected HD in safe mode let me modify & delete files without activating the virus. I then reattached the storage drive and removed the encryption from the encrypted files. I can now access them when I boot from the HD that I reinstalled Windows onto. Yay, problem solved. And it only took two weekends to fix. :\ Heh.

  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited February 2010
    So, booting to the infected HD in safe mode let me modify & delete files without activating the virus. I then reattached the storage drive and removed the encryption from the encrypted files. I can now access them when I boot from the HD that I reinstalled Windows onto. Yay, problem solved. And it only took two weekends to fix. :\ Heh.

    Good to hear you got it sorted! But for the love of Niels Bohr, be sure to disable autorun for your USB devices before you reconnect the backup drive and restore your files to a clean machine. I'd highly recommend both a good A/V and an MBAM scan on the backup drive before you move over files, as well.

    Infection from backup is becoming increasingly popular, and you don't want to put yourself right back into the same Carebear-curbstomping position after going through all that mess.
