
Thread: Unable to delete/clean infected CPY files (klez-h)




  1. #1
    Join Date
    Jun 2003
    Posts
    3

    Yes, we've been struck by this pesty worm and though there were many problems for a little while now everything is pretty much cleaned up.

    However, there are approximately 116 CPY files infected that can not be cleaned, moved, renamed or deleted. Basically, they are inaccessible.

    How do I completely correct this situation if I can't rid the PC of all infected files?


    I was told in the past to simply view all hidden files/folders and then my virus protection could clean the CPY's. But this obviously didn't work.

    Any help would be GREATLY appreciated.

  2. #2
    Join Date
    Nov 2001
    Location
    New England Highlands, Australia
    Posts
    21,907

    Check out this page at Symantec.

  3. #3
    Join Date
    Jun 2003
    Posts
    3

    I had already downloaded and run a similar tool before my initial post. Unfortunately, the tool cleans or removes all of the infected files except for those located in C:\_RESTORE.

    For each of the files located in this folder I get an error message stating the file is inaccessible and can not be cleaned, removed or renamed.

    Is there any way to get to these files?

  4. #4
    Join Date
    Nov 2001
    Location
    New England Highlands, Australia
    Posts
    21,907

    Here's a copy & paste that should help ya out but this should also be detailed in the readme that came with the tool.
    This applies to all anti-virus, not just NAV. Disable System Restore (SR), restart when prompted, then run an updated virus scan before re-enabling System Restore. Re-enabling SR is highly recommended!

    The following applies to all Anti-Virus programs.

    Cannot repair, quarantine, or delete a virus found in the _RESTORE folder

    Situation:
    Norton AntiVirus (NAV) has detected a virus in the _RESTORE folder, but it cannot repair, quarantine, or delete it.

    Solution:
    One of the new features of Windows Me is System Restore. This feature, which is enabled by default, is used by Windows to restore files on your computer in case they become damaged. Windows Me keeps the restore information in the _RESTORE folder. A _RESTORE folder is created on each hard drive on the computer; these folders are updated when the computer restarts.

    If the computer is infected with a virus, then it is possible that the virus could be backed up in the _RESTORE folder. By default, Windows prevents System Restore from being modified by outside programs. Because of this, any repair attempts made by Norton AntiVirus will fail. To work around this, you must disable System Restore, and restart the computer. This will purge the contents of the _RESTORE folder. You must then run a full system scan.

    To disable System Restore:
    1. Close all open programs.
    2. Right-click My Computer on the Windows desktop, and then click Properties.
    3. Click the Performance tab.
    4. Click File System.
    5. Click the Troubleshooting tab.
    6. Check Disable System Restore, click OK, and then click Close.
    7. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.
    8. Run a full system scan, making sure that NAV (or your anti-virus) is set to scan all files and all drives.
    9. After cleaning the infected files, repeat steps 1 through 7, except in step 6, uncheck Disable System Restore.

    For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

  5. #5
    Join Date
    Jun 2003
    Posts
    3

    Ok, thank you for helping me out . . . your suggestion worked for the Restore files.

    However, the virus scan now indicates that there are quite a few files in C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.UI that are infected. The files are password protected, therefore they are uncleanable as well.

    Is there a way to clean those?

  6. #6
    Join Date
    Nov 2001
    Location
    New England Highlands, Australia
    Posts
    21,907

    Sorry but I don't recognise the path details though it wouldn't be ya AV's quarantine folder by any chance? :confused:

    If it is then you'll just have to dump them wholesale I guess thru ya AV's control panel.

  7. #7
    Join Date
    Dec 2002
    Location
    caves of bedrock
    Posts
    3,129

    i agree with wiggo...that seems to be the directory created by McAfee.
    i don't have McAfee so can't be of much help but quarantine seems to be the case here.
    Latest Microsoft Security Updates.
    Last Updated:
    10th MARCH


    If you are a security freak: Use Microsoft Baseline Security Analyzer (NT/2000/XP/2003)
    ======================
    icq : 203189004
    jabber : asklepios20@jabber.org
    =======================
    Linux user since: April 24, 2003 312478
    yabaa dabaa doo...
    Customized for 1024x768
