Magistr32 in hidden directory windows ME
Marco Tieleman
work and cleaned it. Except files in C:\_restore\temp\*.cpy (hidden
directory) couldn't be desinfected.
Who knows the solution?
Thanks in advance.
Marco
Peter M. Leuenberger
news:AFgc7.16804$uN1.2...@e420r-sjo3.usenetserver.com...
Hi Marco,
the files in the restore-directory of WinME can be deleted without getting
trouble, as I know.
Regards
Peter
______________________________________________________
Peter M. Leuenberger
I'm using a nospam-addresse
To reply this message, delete the 123 in the addresse
visit: http://www.pleasure-support.ch
Wheels
"Peter M. Leuenberger" <ple...@pleasure-support.ch> wrote in message
news:p7hc7.114$Ef3....@nreader1.kpnqwest.net...
How do you delete these files? I have tried to do it in Windows Explorer
and it won't let me delete the files because it says that they may be in
use. I'm using Windows ME.
Joe
Peter M. Leuenberger
news:oL5q7.1787$W8.1...@bgtnsc04-news.ops.worldnet.att.net...
Hi Joe,
try to delete it, when you have boot your computer from CD-ROM.
Regards
Peter
Mark W. Brouwer
Viruses in the Restore folder need a special approach.
Read the instructions below.
Windows ME Info:
----------------
NOTE: Windows ME utilizes a backup utility that backs up selected files
automatically to the C:\_Restore folder. This means that an infected
file could be stored there as a backup file, and the AV Scanner will be
unable to delete these files. These instructions explain how to remove
the
infected files from the C:\_Restore folder.
Disabling the Restore Utility
1. Right click the My Computer icon on the Desktop.
2. Click on the Performance Tab.
3. Click on the File System button.
4. Click on the Troubleshooting Tab.
5. Put a check mark next to "Disable System Restore".
6. Click the Apply button.
7. Click the Close button.
8. Click the Close button again.
9. You will be prompted to restart the computer. Click Yes.
NOTE: The Restore Utility will now be disabled.
10. Restart the computer in Safe Mode.
11. Run a scan with AV Scanner to delete all infected files, or browse
the file's located in the C:\_Restore folder and remove the file's.
12. After removing the desired files, restart the computer normally.
NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected
file's
are removed and the System Restore is once again active.
--
Mark W. Brouwer,
Netherlands.
Email not correct due to SPAM.
Please remove WODKA to reply.
-----------------------------------------
Home Page : Virus or Hoax ?
Got Infected? Want info? Search and find!
http://resource.at/virus
(framed/javascript enabled version)
-----------------------------------------
http://members.tripod.lycos.nl/brouw039/
(non-framed/javascript disabled version)
-----------------------------------------
Dmitry O. Gryaznov
Ha-hum! The above instructions, complete with typos, are standard ME-specific
instructions taken from NAI VIL (Virus Information Library) Web site and are
a copyrighted material... See http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 ,
for example (or just about any of the relatively recent viruses) . I wonder why you
failed to provide any references to NAI...
D.Gryaznov,
McAfee AVERT
Network Associates, Inc.
Robert E. Arnold
known fix for Restore since the release of ME. All NAI should get credit
for is a slowdown utility for Windows.
In article <3BA90565...@dial.pipex.com>, gr...@dial.pipex.com
says...
Mark W. Brouwer
> Ha-hum! The above instructions, complete with typos, are standard ME-specific
'cause they were literally supplied through one of the ME ng's.
BTW, why don't you (or anyone else from the great NAI) give any tips
& hint about viruses mentioned here, instead of babbling about credits.
Some of the competitors are giving usefull c.q. detailed info.
But here you go: all credits to NAI for the detailed
instructions how to disable the restore function in WinME
and so being able to remove viruses in the 'C:\restore' folder(s).
You've earned your X-mas bonus (AFTK).
Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP
--
Mark W. Brouwer,
Netherlands.
Email not correct due to SPAM.
Please remove WODKA to reply.
-----------------------------------------
Home Page : Virus or Hoax ?
Got Infected? Want info? Search and find!
http://resource.at/virus
(framed/javascript enabled version)
-----------------------------------------
http://members.tripod.lycos.nl/brouw039/
(non-framed/javascript disabled version)
-----------------------------------------
Dmitry O. Gryaznov
>
> What's the problem? AFAIC, NAI didn't invent this fix and It's been a
> known fix for Restore since the release of ME.
No, NAI did not invent it and never claimed it did. However, whenever
copying someone's write-ups verbatim, it is at list polite (if nothing
else) to give a reference to the author(s) of the write-up.
> All NAI should get credit
> for is a slowdown utility for Windows.
Which, incidentally, stops viruses.
D.Gryaznov
Dmitry O. Gryaznov
>
> > Ha-hum! The above instructions, complete with typos, are standard ME-specific
>
> 'cause they were literally supplied through one of the ME ng's.
So?
>
> BTW, why don't you (or anyone else from the great NAI) give any tips
> & hint about viruses mentioned here, instead of babbling about credits.
I suggest you read alt.comp.virus (where you cross-posted the message to which
I replied) before making such a statement.
> Some of the competitors are giving usefull c.q. detailed info.
As if NAI did not.
> But here you go: all credits to NAI for the detailed
> instructions how to disable the restore function in WinME
> and so being able to remove viruses in the 'C:\restore' folder(s).
I did not say *all* the credits. But don't you know that whenever you
quote someone else's write-up verbatim you should at least mention
the author of the write-up?
> You've earned your X-mas bonus (AFTK).
OK, I'll pass this one on to my boss :)
Mark W. Brouwer
> > Some of the competitors are giving usefull c.q. detailed info.
>
> As if NAI did not.
<C & C> Gjee, must have missed any reply from NAI in the last two years
<g>
> I suggest you read alt.comp.virus (where you cross-posted the message to which
> I replied) before making such a statement.
And who snipped the postings without mentioning, uh,uh?
But you're right. Wasn't the decent thing to do. <sob>
> OK, I'll pass this one on to my boss :)
Not brown nosing, but wish you all the best.
Especially in these difficult days. All the way behind anyone who's
after those lunatics!
--
Mark W. Brouwer,
Netherlands.
Email not correct due to SPAM.
Please remove WODKA to reply.
-----------------------------------------
Home Page : Virus or Hoax ?
Got Infected? Want info? Search and find!
http://resource.at/virus
(framed/javascript enabled version)
-----------------------------------------
http://members.tripod.lycos.nl/brouw039/
(non-framed/javascript disabled version)
-----------------------------------------
Dmitry O. Gryaznov
>
> > > Some of the competitors are giving usefull c.q. detailed info.
> >
> > As if NAI did not.
>
> <C & C> Gjee, must have missed any reply from NAI in the last two years
As I said, read alt.comp.virus . I, for one, do post there occasionally.
> > I suggest you read alt.comp.virus (where you cross-posted the message to which
> > I replied) before making such a statement.
>
> And who snipped the postings without mentioning, uh,uh?
Who indeed? My reply started with "Mark W. Brouwer" wrote".
> But you're right. Wasn't the decent thing to do. <sob>
OK. You're forgiven. Just don't do such a thing again :)
D.Gryaznov
Kryten
program" is caught trying to write to USER.DAT only when shutting down
(not when restarting). NAV intercepts the attempt and prevents it.
If the write is allowed, upon power-up the monitor is shut off as soon
as windows has loaded. In safe mode, the monitor is not shut down.
No, this is not a video driver problem or a PnP monitor *.inf problem.
It is malicious code.
What system programs are normally executed ONLY at shutdown (not
restart), where in the registry are these programs specified, and what
utility can I use to identify the file name of this "unnamed program"
that is trying to run.
Thanks...
Kryten
jv57kpnt
Microsoft's TechNet Archives):
Windows 95 Professional
A Publication of The Cobb Group
Published June 1997
Does one of your computers tend to hang during shutdown? If so, you may just
turn off the power and dismiss the problem as a minor annoyance. However,
powering off your machine before Windows 95 displays the message It's now
safe to turn off your computer can have a negative impact on your system.
In this article, we'll explore the reasons the shutdown process may fail.
We'll also provide a step-by-step method for troubleshooting this situation.
Why bother fixing this problem?
Shutdown failure may seem like a purely cosmetic problem, so you might be
wondering why you should take the time to fix it. The reason is that snags
in the shutdown process can have serious ramifications for your system.
Because the cache may not have finished dumping its contents to disk,
turning off the machine prematurely can lead to data corruption. Improper
shutdowns can also cause your hard disk to slowly fill up, since Windows 95
may not get the chance to remove temporary files.
Programs in the StartUp folder
Sometimes, a corrupt program in the StartUp folder can prevent your computer
from shutting down properly. To find out if this is the case, create a new
folder and move the contents of your StartUp folder into this new directory.
Next, restart your computer and then try to shut it down. If the computer
shuts down successfully, you can assume that you have a problem with one of
the programs in the StartUp folder. To pinpoint the troublemaker, you should
move the programs back into the StartUp folder one at a time. After
replacing each one, restart your computer and immediately try to shut it
down. If the shutdown process fails, you'll know that the last program you
moved back into the StartUp folder is the one causing your problem.
To resolve this situation, you can permanently remove the program from the
StartUp folder. However, this program may be critical to you or your users.
In this case, we recommend reinstalling the program, since it may have a
corrupt file. If none
of the programs in the StartUp folder are causing your system to hang during
shutdown, you'll have to look elsewhere for the source of your problem.
Let's take a look at some other possibilities.
Corrupt sound file
A damaged Exit Windows sound file can also cause your system to hang. To
determine if this is your case, open Control Panel and double-click the
Sounds icon. Next, click on Exit Windows in the Events list box, choose None
in the Name dropdown list, and click OK.
Now try to shut down Windows 95. If the process is successful, your sound
file may be damaged. You should replace the sound file with one that you
know is functioning properly. By assigning a different sound file and trying
to shut down your computer again, you'll find out if the original sound file
is bad or if you've got a bad sound driver.
Bad device driver
A bad device driver is another possible reason for an unsuccessful shutdown.
The culprit can be a sound driver, as we discussed in the previous section,
or any other device driver, including those for a video card or a CD-ROM
drive.
To test for a bad device driver, we'll create a test hardware profile for
your system and then delete devices until we find the troublemaker. To
begin, double-click the System icon in Control Panel and select the Hardware
Profiles tab in the System Properties sheet. Next, select the hardware
profile that you're currently using and click the CopyÉ button.
Windows 95 will now display the Copy Profile dialog box. Type Test
Configuration in the To text box, as shown in Figure A , and click the OK
button.
Figure A To test for a bad driver, create an alternate hardware profile
called Test Configuration.
If your browser does not support inline frames, click here to view on a
separate page.
Now, choose the Device Manager tab to display a list of all your system's
installed devices. Next, select a device and click the Remove button.
Windows 95 will display the Confirm Device Removal dialog box, shown in
Figure B.
Figure B Choose the Remove from specific configuration radio button and
select
Test Configuration.
Choose the Remove from specific configuration radio button and then choose
Test Configuration from the Configuration dropdown list. Finally, click OK
to remove the device from your test hardware profile.
Now, restart your computer. When Windows 95 boots up and asks you which
configuration you want to use, choose Test Configuration. Then, attempt a
shutdown. Repeat this procedure, disabling one device at a time until the
shutdown process is successful.
The last device you disabled before shutdown works properly is probably the
one that's causing your problem. You may have a corrupt device driver, or a
device that either isn't installed correctly or isn't working properly. Try
reinstalling the problem device's driver. If that doesn't help, contact the
manufacturer of the device to see if newer drivers are available.
Virtual device drivers
To determine if your problem is the result of a bad virtual device driver,
open the SYSTEM.INI file and locate its [386Enh] section. Next, add a
semicolon to the front of each line that begins with the Device command and
ends with .386, as shown in Figure C (adding the semicolon disables the
command). Now, save your changes, restart Windows 95, and try to perform a
shutdown.
Figure C Place a semicolon in front of all lines starting with DEVICE and
ending with .386
If your browser does not support inline frames, click here to view on a
separate page.
If the shutdown process is successful, a virtual device driver is probably
to blame for your earlier shutdown problem. To narrow your search for the
bad driver, remove one of the semicolons you added to SYSTEM.INI. Save your
changes, restart the system, and try another shutdown. Keep repeating this
process, removing one more semicolon each time until you find the virtual
device driver that's causing the problem.
Commands in WIN.INI
Sometimes Windows 95 executes a command in the WIN.INI file that causes the
shutdown process to malfunction. To test for this possibility, open the
WIN.INI file in a text editor. Next, locate the file's Load and Run lines
and place a semicolon in front of each of them, as shown in Figure D. Now,
restart your computer and issue the ShutDownÉ command again.
Figure D Place a semicolon in front of the Load and Run lines in your
WIN.INI file.
If your browser does not support inline frames, click here to view on a
separate page.
If Windows 95 shuts down successfully, one of these commands may be to
blame. In this case, create a new Load line below the original and plug in
one of the files that the original command was loading. Next, restart your
computer and again try to execute a shutdown. If the process fails, the
command you specified in the new Load line is your culprit. If Windows 95
shuts down properly, replace the command in the new Load line with the next
one that the original line calls. Repeat this process until you've tried all
the commands in the original Load line.
Once you've covered all the Load commands, you can move on to the Run line.
Just cycle commands into it in the same way that you did for the Load line
until you find the one that's causing your problems.
When you find the Run or Load command responsible for your shutdown
failure, you can permanently delete the command. If the command loads a
critical file, you should try reinstalling the file because it may be
corrupt.
Advanced power management
Your shutdown problem could also be the result of a conflict between your
computer's APM (Advanced Power Management) and its memory configuration. Not
all computers have APMÑif yours doesn't, you can skip this step of the
diagnostic process.
Begin by double-clicking the System icon in Control Panel and selecting the
Device Manager tab. Next, double-click Advanced Power Management in the
System Devices list box. Deselect the Enable Power Management check box and
click OK. Restart Windows 95 and then try to shut down your machine. If this
attempt is successful, there's probably a compatibility problem with your
computer's APM. It's a good idea to contact your PC's manufacturer in this
eventÑthe company may offer a patch to correct the problem.
File system settings
To determine whether Windows 95's file system settings are causing your
shutdown woes, double-click the System icon in Control Panel and select the
Performance tab in the System Properties sheet. Click the File SystemÉ
button, and Windows 95 will display the File System Properties dialog box.
At this point, click the Troubleshooting tab and select all its check boxes.
Click OK, click Close, and then click Yes when Windows 95 asks you if you
want to restart your computer.
After your PC restarts, you'll notice that your system performance has
degraded. This is normal when you activate the options in the
Troubleshooting tab. Go ahead and try to shut down your system. If the PC
shuts down successfully, the problem is more than likely related to the file
system settings. Experiment with selecting various combinations of the
Troubleshooting tab's check boxes to see which configuration resolves your
shutdown failure with the least impact on your system.
If this technique doesn't fix your problem, be sure to go back and deselect
the options in the Troubleshooting tab. Otherwise, your system's performance
will suffer.
Commands in CONFIG.SYS or AUTOEXEC.BAT
Your CONFIG.SYS or AUTOEXEC.BAT file may execute a command that causes your
shutdown problem. To explore this possibility, first restart your computer.
When you see the message Starting Windows 95É, press the [F8] key. Now,
choose Step-by-step confirmation from the Microsoft Windows 95 Startup Menu.
Press [Enter] to accept each of the prompts in Listing A, and press [Esc] to
reject any other prompts.
Listing A
Load DoubleSpace driver
Process the system registry
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\IFSHLP.SYS
Load the Windows graphical user interface
Load all Windows drivers
When Windows 95 starts up with your custom instructions, try to execute a
shut down. If Windows 95 shuts down, your problem is probably in the
CONFIG.SYS or AUTOEXEC.BAT file. To find out which line is causing the
problem, restart Windows 95 and press [F8] when you see the Starting Windows
95É message. Choose Step-by-step confirmation just like before. This time,
answer Yes to all the prompts shown in Listing A, including the Process your
startup device drivers (CONFIG.SYS) prompt and the Process your startup
command file (AUTOEXEC.BAT) prompt.
The idea behind this technique is to process one command in CONFIG.SYS, then
reboot and try the first two commands, and so forth. When you run out of
commands in CONFIG.SYS, start processing the commands in AUTOEXEC.BATÑthe
first one, then the first two, and so on, trying to shut down the PC between
each combination. Be sure to process all the commands in CONFIG.SYS when
you're running AUTOEXEC.BAT commands, since some commands in AUTOEXEC.BAT
are dependent on previously loaded drivers.
If a command in the AUTOEXEC.BAT or CONFIG.SYS file is causing your problem,
you can permanently delete the command. If the command is loading a critical
file, you should try to reinstall that file, since it may be corrupt.
Memory conflicts
Sometimes a memory conflict can cause shutdown problems, and these conflicts
can exist even when HIMEM.SYS and EMM386.EXE aren't loading. To see if this
is your situation, edit the CONFIG.SYS file to make its first two lines read
as follows:
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE X=A000-FEFF
The X=A000-FEFF parameter tells EMM386.EXE to exclude the largest allowable
memory range. EMM386 can actually accept values up to the hexadecimal
address FFFF, but using values larger than FEFF for this purpose will result
in a conflict because of overlapping memory requirements.
Once you edit the necessary lines in CONFIG.SYS, save your changes. Now,
restart and shut down your computer. If the process is successful, you
probably have some sort of memory conflict. Refer to last month's article
ÒDiagnosing Problems with Memory ChipsÓ for more information on
troubleshooting memory problems.
BOOTLOG.TXT
If you've tried all the methods we've discussed and none of them seem to be
helping, look at the hidden BOOTLOG.TXT file in the root directory of your C
drive. Search this file for any lines that begin with Terminate. These
lines, which appear at the end of the file, may help you find the cause of
the problem.
Each Terminate line should have a matching EndTerminate entry. If the last
line of the file is one of the lines shown in Listing B, check the possible
cause.
Listing B
Terminate = Query Drivers
Possible memory manager problem.
Terminate = Unload Network
Possible conflict with real-mode network driver in CONFIG.SYS.
Terminate = Reset Display
You may possibly need an updated video driver, you should also disable video
shadowing.
Terminate = RIT
Possible timer related problem with your sound card or an old mouse driver.
Terminate = Win32 A 32-bit program is blocking a thread
Look for these Terminate lines in the BOOTLOG.TXT file.
In Figure B, the Terminates lines are the error messages. What follows is a
reason why you may have gotten the error. Under normal circumstances, the
last line should be EndTerminate = KERNEL, as shown in Figure E.
Figure E Under normal circumstances, BOOTLOG.TXT should end with the line
EndTerminate = KERNEL.
If your browser does not support inline frames, click here to view on a
separate page.
CMOS
If none of the other methods work, try resetting your computer's CMOS to its
factory defaults. Be careful to write down your current settings before
making this change. Since methods for editing CMOS vary from computer to
computer, you'll need to consult your owner's manual if you aren't sure how
to do this.
Conclusion
When Windows 95 hangs during shutdown, many people think it's annoying but
harmless. However, this snag can lead to data corruption and wasted hard
disk space. In this article, we've explored reasons why the shutdown process
may fail and provided a step-by-step method for troubleshooting the problem.
The article entitled "Troubleshooting Shutdown" was originally published in
Windows 95 Professional, June 1997. Copyright © 1997, The Cobb Group, 9420
Bunson Parkway, Louisville, KY 40220. All rights reserved. For subscription
information, call the Cobb Group at 1-800-223-8720.
We at Microsoft Corporation hope that the information in this work is
valuable to you. Your use of the information contained in this work,
however, is at your sole risk. All information in this work is provided "as
is," without any warranty, whether express or implied, of its accuracy,
completeness, fitness for a particular purpose, title or non-infringement,
and none of the third-party products or information mentioned in the work
are authored, recommended, supported or guaranteed by Microsoft Corporation.
Microsoft Corporation shall not be liable for any damages you may sustain by
using this information, whether direct, indirect, special, incidental or
consequential, even if it has been advised of the possibility of such
damages.
"Kryten" <Kry...@RedDwarf.net> wrote in message
news:enahut86f02t4i7kl...@4ax.com...