Can't Get Rid Of 'Em

[billnc]

I've tried all the procedures I could find and I'm still stuck.

Running Windows ME

I’ve got about 60 self-replicating Win32:Trojan-gen. {VC} viruses in my C:\_Restore\Temp directory.

This is what I've tried:

1. Disabled System Restore
2. Scanned in Safe Mode
3. Tried to move to chest - (no "access denied" message, but the end log shows that the move failed)
4. Tried to delete upon restart with no success.
5.  Did a minimal boot with a boot disk to a "C:\" prompt and deleted all files in Temp dir (*.*). Files are gone, until I reboot Windows, then they're back
6.  Did a minimal boot with a boot disk to a "C:\" prompt and deleted the Temp directory itself.  Same result as above -Windows recreates Temp directory including viruses.

I would really appreciate any help anyone could give.

[DavidR]

Switching off System Restore should stop them being protected and restoring (no idea why it didn't), reboot and check if clean, if so then enable System Restore. Check out the link below just to be sure.

Win XP-ME - How to disable System Restore

[billnc]

Nope, didn't work.

System restore is properly turned off.

During the scan -  there are 5 files that Avast is "Unable To Scan"

They are:

Classes.dat
hwinfo.dat
jaytoexp.dat
system.dat
user.dat

I know that there are some files which can not be deleted - like index.dat.

Could one of these files be reinstalling the virus?

[Eddy]

- disable system restore
- reboot
- check if system restore is still disabled.

Let us know.

[billnc]

Disabled System Restore
Shut Down
Restart
System Restore still disabled
Did not fix problem

However, I found the Solution

Hope this can help others

Running Windows ME

Make a startup boot disk
(Control Panel - Add/Remove Programs - StartUp Disk Tab)
Boot with disk, then choose Minimal Boot

(You must know how to work in DOS)
Change directories to the correct directory
For my situation it went like this:

A:\ (type in) C:                         
C:\
C:\ (type in)cd _restore
C:\_RESTORE (type in) cd temp
C:\_RESTORE\TEMP

The virus files had the attribute of a system file AND a hidden file.
Once you are in the right directory, you have to remove the attibute of the system file AND the attribute of the hidden file at the same time.

MAKE SURE THAT YOU ARE NOT DELETING FILES THAT YOU NEED.
In my case, in this directory, I knew that all the files were unnecessary.

C:\_RESTORE\TEMP (type in)attrib *.* -s -h

This will remove system & hidden attributes from every file in this directory.
There is a space between *.* and -s.

If you know the specific name of the infected file, you can just do that one.
I had 62 of them, so the *.* was far easier.

To NOW see the files in the directory:
C:\_RESTORE\TEMP (type in) dir

Every file should come up.

To FINALLY get rid of them (YEA!!!):

C:\_RESTORE\TEMP del *.*

Reboot normally and read Psalm 100 out loud.

Thanks for your help, Eddy & David!

[DavidR]

Happy to have tried to help, that is the first time I have come across disabling system restore not clearing all restore points completely. I have also never used ME  only win3.1, win95, win98+se and Xp Pro.