Solved

winme hidden folder and deletion

Posted on 2002-04-18
Last Modified: 2013-12-11
How do I delete files in the Win ME hidden folder c:\_restore\temp? Using a virus scanner I found 133 virus-infected files in there; I tried to access the folder through MS-DOS mode and Safe Mode but failed. The virus is WORM_KLEZ.G.
Question by:mpyw
10 Comments
 
LVL 59

Expert Comment

by:LeeTutor
This Microsoft Knowledge Base article should help you:

Q263455  Antivirus Tools Cannot Clean Infected Files in the _Restore Folder

--------------------------------------------------------------------------------
The information in this article applies to:

Microsoft Windows Millennium Edition

--------------------------------------------------------------------------------


SYMPTOMS
When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus. Also, your antivirus program may indicate an inability to remove the virus from the file or files.



CAUSE
This behavior occurs because the System Restore feature in Windows Millennium Edition (Me) protects all folders and files in the _Restore folder on the Windows Me system partition. This folder and all of its subfolders are the data store that the System Restore feature uses to restore your computer's operating system to a previous state from a previous point in time.

Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.



RESOLUTION
To work around this behavior, use the appropriate method.

Use the First In First Out (FIFO) Feature
The FIFO routine purges the oldest restore points so that newer, more current restore points can be added to the data store. FIFO starts automatically when the files in the data store reach 90 percent of the maximum size of the data store. System Restore purges the oldest files first until the files in the data store occupy no more than 50 percent of the maximum size of the data store.

For example, if the maximum size of the data store is 400 megabytes (MB), 90 percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200 MB when you view the properties of the _Restore folder, it is 50 percent of the maximum size. If you adjust the size of the data store to the minimum size of 200 MB, FIFO occurs when you click Apply.

NOTE: If the data store is less than 90 percent (180 MB) of the minimum (200 MB) value, adjusting the size does not have any effect in purging restore points. In this scenario, you must carefully consider the use of the methods that are described in this article.

Over a period of time, the data store purges restore points on a FIFO basis as the maximum size of the data store is reached. There are a few scenarios in which FIFO can be used to purge older restore points to retain more recent restore points on the computer.
FIFO Method 1
No action is required if the system has been cleaned and only the data store is reported by the antivirus tool to have suspicious files. Until all infected files are processed out on a FIFO basis, the antivirus tool may still report that there are infected files that it cannot obtain access to within the data store.
FIFO Method 2
You can trigger the FIFO feature to remove older restore points from the data store by resizing the data store. To use the System Restore feature to adjust the size of the data store:
1. View the properties of the _Restore folder to determine how much data is actually in the data store. You do this to determine if this step will have any effect on the data store. If the data store uses less than 90 percent (less than 180 MB) of the minimum value (200 MB), this method may have no effect on purging the restore points. If less than 90 percent of the data store is used, even at the minimum settings you should consider using FIFO method 1 or using the "Manually Purge the Data Store" method that is listed later in this article.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click System, and then click the Performance tab.
4. Click File System.
5. Adjust the System Restore disk space use slider to the approximate lower amount, and then click Apply.

   Note that you can use the System Restore disk space use slider to select the minimum amount of space to allocate for the data store, the maximum amount, or a size in between. Adjusting the slider to a lower value changes the values that trigger FIFO. You may need to restart your computer for any changes to take effect.
6. Click OK, and then click OK to close System properties.
7. Use the antivirus tool to scan the computer to verify that the virus-infected files have been purged from the data store. If there are still infected files in the data store, repeat the previous steps and lower the data store size until the data store is clear of infected files.

   Note that you can also use the calendar page in the System Restore tool to view how far back the restore points were purged.
8. After the infected files have been cleared from the data store by using this method, return the slider to the original or appropriate size, click OK to close any open windows, and then restart your computer.


If there still is an infected file in the data store after you resize the data store to the minimum size, you can either wait for it to be processed out on a FIFO basis (FIFO method 1), or you may want to consider using the "Manually Purge the Data Store" method that is described later in this article to remove all restore points on your computer.
Manually Purge the Data Store
To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.
5. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.





STATUS
This behavior is by design.



MORE INFORMATION
The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

NOTE: If you restore your computer to a previous state when you did not have an installed antivirus tool, you must install an antivirus tool and clean any files that were restored and are infected.

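To make the article's purge thresholds concrete, here is an added Python model (not code from the KB article, Microsoft, or anyone in this thread) of the FIFO purge and of the resize-until-clean loop in FIFO Method 2, including the case the NOTE warns about where the store is already under 90 percent of the 200 MB minimum. The restore point list and the 50 MB slider step are constructed assumptions.

```python
# Added example, not from the KB article or Microsoft: a model of the
# System Restore FIFO purge described in Q263455. Thresholds are the
# article's figures; the restore point names/sizes are constructed sample
# data and the 50 MB slider step is an assumption.

MIN_STORE_MB = 200        # smallest data store the slider allows
TRIGGER_FRACTION = 0.90   # FIFO starts when usage reaches 90% of the maximum
TARGET_FRACTION = 0.50    # ...and purges oldest first until usage <= 50%

# Constructed sample data store: (restore point name, size in MB), oldest first.
SAMPLE_POINTS = [("RP1", 80), ("RP2", 70), ("RP3", 60), ("RP4", 50), ("RP5", 40)]


def fifo_purge(restore_points, max_store_mb):
    """One FIFO pass for a data store whose maximum is max_store_mb.
    Returns (kept, purged); nothing is purged unless usage has reached the
    90% trigger, so a store already under 180 MB cannot be cleaned by resizing."""
    if max_store_mb < MIN_STORE_MB:
        raise ValueError("data store cannot be smaller than %d MB" % MIN_STORE_MB)
    kept, purged = list(restore_points), []
    used = sum(size for _, size in kept)
    if used < TRIGGER_FRACTION * max_store_mb:
        return kept, purged
    while kept and used > TARGET_FRACTION * max_store_mb:
        oldest = kept.pop(0)          # FIFO: the oldest restore point goes first
        purged.append(oldest)
        used -= oldest[1]
    return kept, purged


def resize_until_clean(restore_points, infected, max_store_mb, step_mb=50):
    """FIFO Method 2: lower the data store size step by step until no infected
    restore point remains or the 200 MB minimum is reached.
    Returns (final_size_mb, kept, purged_so_far); if infected points survive at
    the minimum, only Method 1 (wait) or the manual purge remain."""
    kept, purged_all, size = list(restore_points), [], max_store_mb
    while True:
        kept, purged = fifo_purge(kept, size)
        purged_all.extend(purged)
        still_infected = any(name in infected for name, _ in kept)
        if not still_infected or size <= MIN_STORE_MB:
            return size, kept, purged_all
        size = max(MIN_STORE_MB, size - step_mb)
```

With the sample store (300 MB used, RP2 infected) the slider has to come down to 300 MB before FIFO fires and takes RP1 and RP2; a store holding only 100 MB is never purged, exactly as the NOTE says.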
 
LVL 44

Accepted Solution

by:CrazyOne (earned 300 total points)
Take a look at this link at the bottom it gives instructions on how to remove the virus.
 
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
 
LVL 1

Expert Comment

by:Mridul_Trehan
Hi mpyw,
The easiest way to do this is to boot from some other operating system and delete it from there. If you don't have any other OS, attach your hard disk to your friend's machine and do it from there. It will then behave like a normal folder. The other way is to boot from a bootable floppy of a Windows OS other than Me, e.g. Win 98, and delete it from there. I am not sure this one works, but it should work. And please note one thing: these files sometimes have a big size, so first check if you are able to delete one file from the bootable floppy and then try all the other files. I know the answer looks like a non-technical one, but we want to solve our problem, don't we?
 
LVL 1

Expert Comment

by:Mridul_Trehan
Hi mpyw,
I read your problem again. You have written that you were unable to access the folder through MS-DOS mode! Are you talking about the DOS prompt that you can access after booting into Windows, or the DOS you use before booting by pressing F8? Anyway, I have done the experiment for you, and the good news is that after booting from any bootable floppy of Windows 98 or another OS of the Windows 9x platform, you can delete them.
But before you do, you need to know a few things.
1) Your System Restore will not be able to restore until you develop some new System Restore points.
2) If you are like me and decide to delete all files rather than finding and deleting each file, then let me tell you it is going to take a huge time. Huge means huge!!! Your CPU may show a little or maybe no activity, but give it a little time. It won't be a bad idea if you delete it in parts; for example, deleting A001*.cpy will delete only files with names prefixed with A001 and will not delete others. And even better if your infected files have something in common in their names. Wildcards will help you a lot.
Hope this solves your problem.
 
LVL 1

Expert Comment

by:Mridul_Trehan
Hi mpyw,
Please inform us if your problem has been solved or of any further developments.
 

Author Comment

by:mpyw
Hi Trehan & others,
Thanks for all your information. I have done some virus cleaning, and the virus in those system backup files doesn't seem to release to the normal system.

Trehan,
I've tried booting up using a Win 98 boot disk and tried to del all *.cpy files, but the system hung without any activity. I had to reboot by powering off the notebook.

I think for the moment I'll leave the thing there and come back to it when I have more free time.

Thanks though.

Cheers.
 
LVL 59

Expert Comment

by:LeeTutor
Did you try Microsoft's method of trying to "squeeze" the virus-infected files out by decreasing the amount of space allocated to the System Restore folder? If this doesn't do it, then you can try the article's second method, which involves turning off System Restore, using your virus scanner, and then turning System Restore on again; but, as the article says, this would mean you would lose all your Restore Points. Here's a more detailed description of the second procedure that I copied into my computer database from somewhere (don't remember where):

NOTE: Windows ME utilizes a backup utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. These instructions explain how to remove the infected files from the C:\_Restore folder.
Disabling the Restore Utility

1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with VirusScan to delete all infected files, or browse to the files located in the C:\_Restore folder and remove the files.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5 remove the check mark next to "Disable System Restore". The infected files are removed and System Restore is once again active.
 
LVL 1

Expert Comment

by:Mridul_Trehan
Hi mpyw,
Sorry if you don't have time, but haven't I told you that the system will seem to be hanging while it is not? It takes a HUGE TIME to delete files. SO BE PATIENT. This is a perfect solution and I have tried it on my system. During that I came to know about one more thing. There are some files which are hidden too, so it won't be a bad idea to first run the command attrib -r -s -h *.cpy. MAKE SURE 'to do all attributes together', as otherwise you won't be able to remove the attributes.
I am sorry if this disturbs you, but I just want to be sure that the solution that has already worked should help a few more people.
 
LVL 1

Expert Comment

by:Mridul_Trehan
Hi mpyw,
Please tell us the status of your problem.