Need some help on removing a Bagle worm from windows

**rwhboston** · 06-25-2006, 09:43 AM

Hey everyone my names Rob I'm new to this forum and to knoppix but am enjoying it so far. Now everything so far has worked I've located the infected file using knoppix but now I was told to go into windows safe mode with command prompt under admin. and del the file but I can't boot to windows at all not even the command prompt any other way to get this file off the hd or can it be removed through knoppix?

**Harry Kuhman** · 06-25-2006, 10:48 AM

If it's an NTFS partition, no. There actually has been a rumor that the new 5.0.1 can write to NTFS "in some cases", whatever that means, but I've yet to see any reports that it works or is safe. If you have NTFS partitions I suggest that you read the rescue faq in the wiki and use Knoppix to make backups of what you need, then install fresh.

If it's a FAT partition, yes, if you can find the bad file then you can delete it. See answer #6 for details.

**rwhboston** · 06-25-2006, 04:33 PM

It's a FAT partition and I'm still unclear on the way I'd go about removing the file through knoppix..

**Harry Kuhman** · 06-25-2006, 05:33 PM

use above link information to mount partition with write access, open partition from desktop icon and browse to the file that you hase identified as the infection. delete it.

Are you saying that you don't know what file is infected? I would have expected whatever identified the infection to tell you that. Or are you saying you are not comfortable navigating through the FAT file system with the Linux tools? Or is it some other issue that I'm missing?

**rwhboston** · 06-25-2006, 05:39 PM

Yea I'm not to comfortable navigationg yet but I was kind of learning as I go, I thought by clicking on the hda1 icon on the kde desktop was just like /mnt from the CLI I didn't see options for deleting the file when I right clicked but I guess I didn't try the del key...is it as simple as that or is there something else

**rwhboston** · 06-25-2006, 05:51 PM

damn I'm an idiot thanks for the support on that Harry, I appreciate getting great support right away I like this forum, the seasoned knoppix users don't rub it in about our new user questions, and thats a classy way to be, I did have one follow up question though..there has been a progress dialog up for a few minutes with no activity and know it looks like the screen might be freezing up..is this normal or do you have any suggestions or comments?

**Harry Kuhman** · 06-25-2006, 06:03 PM

Originally Posted by rwhboston

..there has been a progress dialog up for a few minutes with no activity and know it looks like the screen might be freezing up..is this normal or do you have any suggestions or comments?

not normal. A progress dialog on what? deleting a file? Some application that you are running? booting Knoppix (which sounds like you already have working ok)? What is this dialog saying?

**rwhboston** · 06-25-2006, 06:07 PM

yea I hit the delete key when the file was highlighted and a progress dialog box popped up at the bottom of the screen with a progress bar that reads 0% then everything freezes up

**Harry Kuhman** · 06-25-2006, 06:47 PM

Well, I jus went through the steps. Here's my experience:

Coaxed my testbed system to boot the Knoppix 5.0.1 CD. Not sue why it didn't want to this morning; it booted it many times last night without complaint, but it was an effort this morning. But eventually Knoppix booted.

I looked at all of those nice hda icons on my desktop and picked hda5, knowing it was a logical FAT drive with files ripe for deletion.

I right clicked on it expecting to use the actions sub-menu to make it writable, but to my surprise version 5.0.1 has changed this menu! So I'll have to update some documentation. Still, I saw the option to make the mount read/write when I did the right click. I tried it, was informed that I had to mount the partition first.

So I clicked on it, Konquror open and displayed the partition. I confirmed that I could not delete a file (it was still read only access). I right clicked on the hda5 icom and chose to make it read/write. It questioned me about this but then let me do it.

I picked something that I could afford to delete. Rather than just hit delete I looked at the menu and under Edit I found that Delete was "move to Trash" and Shift-Delete was a true delete. Frankly I would feel better about making a true delete, both since it's a virus that you really want to get rid of and because I question how well Linux impliments the Microsoft trash system, but in the end I decided to do the same delete that you are trying to do, so I just hit the delete key while the sacrificial file was highlighted.

I did indeed see the progress bar pop up, but it was so quick that if I wasn't looking for it I would have missed it. So I don't know why you are having the problem that you report. Is this infected file huge? Are you deleting more than one file (an entire directoy and sub-directory structure perhaps)? My best guess is that your file system may not be in very good shape, which I'm also inclined to think is the case since you are trying to delete the bad file with Knoppix rather than just using DOS (wihich obviously deletes files on a FAT system quite well).

**rwhboston** · 06-26-2006, 12:50 AM

I'ts my friends computer and everything about this computer seems bad, file system most of all.. the file was found by clamscan as hiberfil.sys: worm.Bagle.BB-gen I'm not sure if it's the computer that's the problem or the file that's throwing it off