Virus in Windows Me System Restore files



08-09-2001, 07:49 AM
A scheduled virus scan by PC-cillin on my Windows Me home system found what it called pe_magistr.dam (though I think it usually goes by another name) in a file (A0056636.CPY) in the C:\_restore\temp\ folder.

Regular directory system viewing tools like Search, My Computer and Windows Explorer refuse to acknowledge that the _restore folder even exists, and Norton AntiVirus apparently doesn't look at it!

I have no idea how the virus got in past PC-cillin and NAV (belt and braces, but the reseller gave me PC-cillin for free so I thought I may as well leave it in).

But anyway, pe_magistr.dam seems to have got to _restore without being detected. PC-cillin, Trend Micro tells me, cannot delete files from the _restore folder, or repair or quarantine the virus.

On their advice, I went through a long and reasonably complex procedure involving first decreasing the restore file to minimum size to try and force it out on a FIFO basis, and when that didn't work, turning off the restore capability altogether - which seems to have fixed it.

Why doesn't Microsoft allow you to get at these _restore files? Is their existence effectively another 'spy in the computer' like the infamous ContentIE5 folder? And why does NAV - always my favoured antivirus precaution - apparently not see or check these files? I have the NAV 2002 version, so it surely should be Me-savvy.

Steve B.

08-09-2001, 08:25 AM
Small correction: I said Windows Explorer doesn't display the _restore folder. It does, but it doesn't display the Annnnnnn.cpy files in it that are clearly there.

08-09-2001, 10:28 AM
Hi Stephen. You have the latest virus. Are you not able to update pc-cillin? If it was an OEM install, chances are you have run out of updates, or maybe never did them. If you cannot update, see if you have made virus restore disks from the existing pc-cillin. They would set the puter up again. Maybe borrow someone else's! Then when up and running you may have to take pc-cillin out of the machine and put another virus checker in. You cannot have two. AVG is free and provides free updates. Also, are you running Zone Alarm? You can email me if you want. Cheers, alister

08-09-2001, 04:17 PM
Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder:
(http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP)

From McAfee:
Windows ME Info:
NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.

Disabling the Restore Utility:

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to 'Disable System Restore'.
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer.
10. Click Yes. NOTE: The Restore Utility will now be disabled.

Restart the computer in Safe Mode.

Run a scan with VirusScan to delete all infected files, or browse the files located in the C:\_Restore folder and remove the files.

After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to 'Disable System Restore'.
The infected files are removed and the System Restore is once again active.
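The practical problem in this thread is telling which detections an AV product can clean in place and which sit inside the System Restore archive (C:\_RESTORE, with its Annnnnnn.CPY copies) where it cannot. The following added example, not code from the thread or from any of the vendors mentioned, triages constructed scanner log lines on that basis; the tab-separated log format and the sample paths are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample scanner output (hypothetical format):
# "<status>\t<path>\t<detection name>", one detection per line.
SAMPLE_LOG = (
    "FOUND\tC:\\_RESTORE\\TEMP\\A0056636.CPY\tPE_MAGISTR.DAM\n"
    "FOUND\tC:\\Program Files\\Foo\\setup.exe\tPE_MAGISTR.DAM\n"
    "CLEAN\tC:\\Windows\\notepad.exe\t-\n"
    "FOUND\tc:\\_restore\\archive\\rb0\\A0000012.cpy\tPE_MAGISTR.DAM\n"
)

# Windows Me System Restore keeps its backup copies under C:\_RESTORE as
# Annnnnnn.CPY; AV tools cannot delete, repair or quarantine files there.
RESTORE_ROOT = PureWindowsPath("C:/_RESTORE")
CPY_NAME = re.compile(r"^A\d+\.CPY$", re.IGNORECASE)


def in_restore_store(path_str):
    """True if the path lies inside the System Restore archive folder.

    Compares whole path components case-insensitively, so C:\\_RESTOREX
    or D:\\_RESTORE are correctly reported as outside the store.
    """
    parts = [p.upper() for p in PureWindowsPath(path_str).parts]
    root = [p.upper() for p in RESTORE_ROOT.parts]
    return parts[: len(root)] == root


def triage(log_text):
    """Split FOUND lines into (cleanable, restore_hits).

    cleanable:    list of (path, detection) the scanner can act on directly.
    restore_hits: list of (path, detection, looks_like_sr_copy) that need
                  System Restore disabled and a Safe Mode rescan first.
    """
    cleanable, restore_hits = [], []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or fields[0] != "FOUND":
            continue  # skip clean entries and malformed lines
        _, path, name = fields
        if in_restore_store(path):
            is_copy = bool(CPY_NAME.match(PureWindowsPath(path).name))
            restore_hits.append((path, name, is_copy))
        else:
            cleanable.append((path, name))
    return cleanable, restore_hits
```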