ANTI-VIRUS question
Posted by JanyceJ on February 28th, 2004


Just installed (& ran) a new McAfee Virus Scan 2004
program, which found 23 infected files. It cleaned several
but remaining files could not be "cleaned or quarantined".
And a few could not be deleted (auto-write?). How do I
know what can be deleted and how to do it & what to do
with the rest? HELP

Posted by David H. Lipman on February 28th, 2004


The infected files should be deleted if McAfee can not clean them. Most executables are
useless files that are themselves the infector. Often the term virus is used for two
other types of infectors, Trojans and worms, which act differently. Viruses truly infect other
files, while worms and Trojans can't infect other files but are themselves the "payload".

Any file found to be infected in normal mode that can't be deleted, should be scanned and
deleted in Safe Mode. If it is truly a WinME file required by the OS, it can be replaced from
the WinME distribution files.

Dave





Posted by Mike M on February 28th, 2004


McAfee should provide general information in the help files and more specific
information on their web site where you will find details about removing and
cleaning each of the viruses/worms/trojans concerned.

In the event that you are referring to files that cannot be cleaned or
quarantined that are located in one of the C:\_RESTORE sub folders (either a
CPY file in TEMP or in an RG*.CAB file in ARCHIVE) the following may be of
some assistance to you.

There is no need to be concerned about any virus in the _RESTORE archive as
they are harmless there and can only cause problems if you later choose to
restore to a checkpoint created AFTER infection and BEFORE you cleaned your
system. Something I hope you won't be doing after reading this post. Any
worms, trojans and viruses in the _restore archive will automatically be
discarded in time as newer data is archived and older files discarded. The
problem with disabling system restore is that it flushes the _restore archive
and whilst that removes any virus remnants it also removes any good usable
checkpoints you might have and you never know when you might want to use that
lifebelt.

However If you are worried about this, then there are two approaches to
resolving your problem:
Firstly try reducing the space allocated to the System Restore archive as this
could flush out these unwanted files. Do this using the slider found at
System | Performance | File System | Hard Disk and reduce the allocated space
until you flush out the unwanted files.

If that fails, reset System Restore:
System | Performance | File System | Troubleshooting and check "Disable
System Restore", Apply and IMMEDIATELY reboot. This will flush your restore
folder and erase all checkpoints, then,
System | Performance | File System | Troubleshooting and uncheck "Disable
System Restore", Apply and again IMMEDIATELY reboot. This should now
automatically create a new checkpoint immediately following the restart.
Finally adjust the space allocated to the restore folder,
System | Performance | File System | Hard Disk and adjust the restore slider
to your preferred setting. A figure of 200MB is normally more than adequate
for day to day use allowing perhaps a week of checkpoints to be available
although increasing this to perhaps 400-500MB for a few days during periods of
large installs such as Microsoft Office is advisable.

See also MS KB 263455 - "Antivirus Tools Cannot Clean Infected Files in the
_Restore Folder" (http://support.microsoft.com?kbid=263455).
--
Mike Maltby MS-MVP
mcmaltby@hotmail.com





Posted by JanyceJ on February 28th, 2004


Thanks so much, David. I'm going to give it a try. I'm
a novice, so keep your fingers crossed. Also, what is
SAFE MODE? (yes I'm really PC illiterate!)

Posted by David H. Lipman on February 28th, 2004


Safe Mode -- A mode Windows Operating Systems start into to load only "core" Windows
programs and won't load "extras" you may have installed or infectors that may have installed
themselves. It is a troubleshooting mode of operation.

The problem is if the program is running when you try to clean/delete the file it can't.
When you boot into Safe Mode many of these programs are not executed and therefore you can
clean/delete them.

You can get to Safe Mode by rebooting the PC and before the Windows splash screen, hitting
the "F8" key. You will then be confronted with a menu of choices. You would choose "Safe
Mode" from that menu.

Dave





Posted by cquirke (MVP Win9x) on March 1st, 2004


On Fri, 27 Feb 2004 21:02:55 -0500, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

It's also not all that "safe" because:
- it writes to the HD (bad if file system is bent or HD is failing)
- it runs malware within OS code files
- it runs malware patched into the OS via less obvious ways

The last two are pertinent here.

For example, if a Win32PE file infector such as CIH, Elkern, Kriz,
Magistr, Jeefo etc. infected executable files that are part of
Windows, then running those files will run the malware. May be only
when you run certain files that are infected, e.g. Regedit.exe, or it
may be that simply starting Windows has already run them.

For example of the third point; while Safe Mode skips the startup axis
such as Runxx keys and StartUp groups, it still follows System.ini's
shell=, file associations such as .exe -> exefile, and other CLSID
integrations such as persistent handlers or context menu dialog tabs.

That's almost the best-case. The worst-case is if the malware objects
to being cleaned (say, thread A notices that thread B stops) and is
coded to take punitive action.

"Safe Mode" may be formal for many, if not most, of today's malware -
but it would be foolish to consider it a satisfactory replacement for
a maintenance OS. WinME still has a maintenance OS in the form of DOS
mode, which for these purposes is best run from bootable diskettes.

See http://users.iafrica.com/c/cq/cquirke/virtest.htm

Oops - sorry if my post is a bit "geeky". Quote bits you don't
understand and I'll de-terse as required!

Axiom: Never delete what you can rename or comment out.

Caveat: Do this from OUTSIDE Windows; sometimes Windows will track and
still use a file that is renamed within Windows!

And if it's a newer version, or from some legitimate add-on, you...?

Running a Windows-based av to kill active malware is like striking a
match to see if what you are standing in is water or petrol.



Posted by David H. Lipman on March 1st, 2004


cquirke, You mean...

In Win9x/ME in the SYSTEM.INI it has the directive...
shell=explorer.exe

Some infectors will replace the line with...
shell=explorer.exe infector.exe

In Win2K and WinXP the shell is done in the Registry as...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe"

Some infectors will replace the shell key with...
"Shell"="Explorer.exe infector.exe"

Note that in Safe Mode the infector will still be executed this way unlike those in the
Registry RUN locations.

Dave :-)
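To make the point in cquirke's and Dave's posts concrete, here is an added example (my own, not code from either poster, McAfee or Microsoft) that checks the three shell hooks Safe Mode still follows: the shell= line in the [boot] section of SYSTEM.INI, the Winlogon "Shell" value on Win2K/XP, and the .exe -> exefile open command cquirke mentions. The stock exefile open command being "%1" %* is general knowledge, not something stated in the thread. All sample values are constructed, and the function names (shell_extras, system_ini_shell, exefile_open_prefix, audit) are my own; on a real box you would paste in the value read from the file or registry.

```python
import re

# Hypothetical helper names; nothing here is McAfee's or Microsoft's code.
EXPECTED_SHELL = "explorer.exe"          # stock shell on Win9x/ME and the NT family
STOCK_EXEFILE_OPEN = '"%1" %*'           # stock HKCR\exefile\shell\open\command value


def split_cmdline(cmd):
    """Split a Windows command line into tokens, keeping double-quoted
    paths with spaces together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def shell_extras(shell_value):
    """Executables that a shell= (SYSTEM.INI) or Shell (Winlogon) value
    starts in addition to explorer.exe.  [] means the stock entry."""
    tokens = split_cmdline(shell_value)
    if not tokens:
        return []
    # accept explorer.exe with or without a directory prefix, any case
    first = tokens[0].lower().rsplit("\\", 1)[-1]
    if first != EXPECTED_SHELL:
        return tokens            # shell replaced outright: report everything
    return tokens[1:]            # 'explorer.exe infector.exe' -> ['infector.exe']


def system_ini_shell(ini_text):
    """Return the shell= value from the [boot] section of SYSTEM.INI text,
    or None if there is none."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        if section == "boot" and sep and key.strip().lower() == "shell":
            return val.strip()
    return None


def exefile_open_prefix(command_value):
    """Programs run ahead of every .exe via the exefile open command.
    Stock value is "%1" %*; anything before "%1" is a hijack."""
    tokens = split_cmdline(command_value)
    if "%1" not in tokens:
        return tokens            # no %1 at all: association broken or hijacked
    return tokens[: tokens.index("%1")]


def audit(ini_text, winlogon_shell, exefile_command):
    """Run all three checks; return {location: [extra executables]}."""
    findings = {}
    ini_shell = system_ini_shell(ini_text)
    if ini_shell is not None and shell_extras(ini_shell):
        findings["SYSTEM.INI [boot] shell="] = shell_extras(ini_shell)
    if winlogon_shell is not None and shell_extras(winlogon_shell):
        findings["Winlogon Shell"] = shell_extras(winlogon_shell)
    if exefile_open_prefix(exefile_command):
        findings["exefile open command"] = exefile_open_prefix(exefile_command)
    return findings


# Constructed samples, not taken from any real machine
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n[386Enh]\ndevice=*vcd\n"
INFECTED_SYSTEM_INI = CLEAN_SYSTEM_INI.replace("shell=explorer.exe",
                                               "shell=explorer.exe infector.exe")

if __name__ == "__main__":
    print(audit(CLEAN_SYSTEM_INI, "Explorer.exe", STOCK_EXEFILE_OPEN))
    print(audit(INFECTED_SYSTEM_INI, "Explorer.exe infector.exe",
                'infector.exe "%1" %*'))
```

Anything the audit reports is started even in Safe Mode, which is why cquirke recommends renaming such a file from DOS mode rather than trusting a Windows-based scan to remove it.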


