_RESTORE Folder

kenp

Jun 17, 2004
Archived from groups: microsoft.public.windowsme.general

Hi, I hope you are doing well.

I have an HP Pavilion with WMe on it. There is a _RESTORE folder under the c
drive that according to my antivirus checker contains all kinds of viruses,
etc. in files located within a TEMP directory and named Axxxxx.cpy. The
_RESTORE folder is a hidden folder but when I show it, I do not see the TEMP
directory or the A*.cpy files. I can't remove the A*.cpy files because I
can't get access to them.

Does anyone know the significance of the _RESTORE folder? Can I delete it?
If so, do you have any suggestions on how to do that? I can't access the
files in the SAFE MODE.

Any help on this _RESTORE issue will be greatly appreciated.
 
Guest

The _Restore folder contains the information and backups required by System
Restore.
Viruses, etc. stored in that location cannot harm your PC UNLESS you restore
to a time during which you were infected.

I would recommend (assuming that your pc is now otherwise clear of viruses,
and is functioning properly) resetting System Restore to clear the old
restore points, and give you a clean starting-point.

To Reset System Restore -
System | Performance | File System | Troubleshooting and check
"Disable System Restore",
Apply and IMMEDIATELY reboot.
This will flush your restore folder and erase all checkpoints, then,
System | Performance | File System | Troubleshooting and uncheck
"Disable System Restore",
Apply and again IMMEDIATELY reboot.
This should now automatically create a new checkpoint immediately following
the restart.
Finally adjust the space allocated to the restore folder,
System | Performance | File System | Hard Disk and adjust the restore slider
to your preferred setting.

Most people find that a setting of 200-300MB is sufficient to hold 10-15
days worth of restore points, unless you are doing a lot of
installs/uninstalls, or installing large applications (such as Office).



--
Noel Paton (MS-MVP 2002-2005, Windows)

Nil Carborundum Illegitemi
http://www.btinternet.com/~winnoel/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

"KenP" <KenP@discussions.microsoft.com> wrote in message
news:CE3BB70F-C035-48E0-BB56-F9E26B7944C6@microsoft.com...
> Hi, I hope you are doing well.
>
> I have an HP Pavilion with WMe on it. There is a _RESTORE folder under the c
> drive that according to my antivirus checker contains all kinds of viruses,
> etc. in files located within a TEMP directory and named Axxxxx.cpy. The
> _RESTORE folder is a hidden folder but when I show it, I do not see the TEMP
> directory or the A*.cpy files. I can't remove the A*.cpy files because I
> can't get access to them.
>
> Does anyone know the significance of the _RESTORE folder? Can I delete it?
> If so, do you have any suggestions on how to do that? I can't access the
> files in the SAFE MODE.
>
> Any help on this _RESTORE issue will be greatly appreciated.
 
Guest

_Restore is for the System Restore function....

"KenP" <KenP@discussions.microsoft.com> wrote in message
news:CE3BB70F-C035-48E0-BB56-F9E26B7944C6@microsoft.com...
> Hi, I hope you are doing well.
>
> I have an HP Pavilion with WMe on it. There is a _RESTORE folder under the c
> drive that according to my antivirus checker contains all kinds of viruses,
> etc. in files located within a TEMP directory and named Axxxxx.cpy. The
> _RESTORE folder is a hidden folder but when I show it, I do not see the TEMP
> directory or the A*.cpy files. I can't remove the A*.cpy files because I
> can't get access to them.
>
> Does anyone know the significance of the _RESTORE folder? Can I delete it?
> If so, do you have any suggestions on how to do that? I can't access the
> files in the SAFE MODE.
>
> Any help on this _RESTORE issue will be greatly appreciated.
 
Guest

The virus indications in the Restore folder are of little consequence,
unless you perform a restoral to an infected point. The following verbose
info should cover all your questions. I believe author credit may go to Mr.
Mike Maltby, MS-MVP...
someone correct me if I'm wrong.
===================================

SYMPTOMS

When you run an antivirus program, you may receive a report that indicates that one or more files in the _Restore\Temp or the _Restore\Archive folders contain a virus or are infected with a virus. Also, your antivirus program may indicate an inability to remove the virus from the file or files.


CAUSE

This behavior occurs because the System Restore feature in Windows Millennium Edition (Me) protects all folders and files in the _Restore folder on the Windows Me system partition. This folder and all of its subfolders are the data store that the System Restore feature uses to restore your computer's operating system to a previous state from a previous point in time.

Although some antivirus programs may have the ability to work with files that have been compressed or stored in .zip or .cab file format, the System Restore feature does not permit these utilities to manipulate these files within the data store. The data store is protected for data integrity purposes, and the System Restore feature is the only method you can use to obtain access to the data store. Because of this, the antivirus program is unable to remove the virus from the file or files in the data store. The files in the data store are inactive and can be used only by the System Restore feature.


RESOLUTION

To work around this behavior, use the appropriate method.

Use the First In First Out (FIFO) Feature

The FIFO routine purges the oldest restore points so that newer, more current restore points can be added to the data store. FIFO starts automatically when the files in the data store reach 90 percent of the maximum size of the data store. System Restore purges the oldest files first until the files in the data store occupy no more than 50 percent of the maximum size of the data store.

For example, if the maximum size of the data store is 400 megabytes (MB), 90 percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200 MB when you view the properties of the _Restore folder, it is 50 percent of the maximum size. If you adjust the size of the data store to the minimum size of 200 MB, FIFO occurs when you click Apply.

NOTE: If the data store is less than 90 percent (180 MB) of the minimum (200 MB) value, adjusting the size does not have any effect in purging restore points. In this scenario, you must carefully consider the use of the methods that are described in this article.

Over a period of time, the data store purges restore points on a FIFO basis as the maximum size of the data store is reached. There are a few scenarios in which FIFO can be used to purge older restore points to retain more recent restore points on the computer.

FIFO Method 1

No action is required if the system has been cleaned and only the data store is reported by the antivirus tool to have suspicious files. Until all infected files are processed out on a FIFO basis, the antivirus tool may still report that there are infected files that it cannot obtain access to within the data store.

FIFO Method 2

You can trigger the FIFO feature to remove older restore points from the data store by resizing the data store. To use the System Restore feature to adjust the size of the data store:

1. View the properties of the _Restore folder to determine how much data is actually in the data store. You do this to determine if this step will have any effect on the data store. If the data store uses less than 90 percent (less than 180 MB) of the minimum value (200 MB), this method may have no effect on purging the restore points. If less than 90 percent of the data store is used, even at the minimum settings you should consider using FIFO method 1 or using the "Manually Purge the Data Store" method that is listed later in this article.

2. Click Start, point to Settings, and then click Control Panel.

3. Double-click System, and then click the Performance tab.

4. Click File System.

5. Adjust the System Restore disk space use slider to the approximate lower amount, and then click Apply.

Note that you can use the System Restore disk space use slider to select the minimum amount of space to allocate for the data store, the maximum amount, or a size in between. Adjusting the slider to a lower value changes the values that trigger FIFO. You may need to restart your computer for any changes to take effect.

6. Click OK, and then click OK to close System properties.

7. Use the antivirus tool to scan the computer to verify that the virus-infected files have been purged from the data store. If there are still infected files in the data store, repeat the previous steps and lower the data store size until the data store is clear of infected files.

Note that you can also use the calendar page in the System Restore tool to view how far back the restore points were purged.

8. After the infected files have been cleared from the data store by using this method, return the slider to the original or appropriate size, click OK to close any open windows, and then restart your computer.

If there still is an infected file in the data store after you resize the data store to the minimum size, you can either wait for it to be processed out on a FIFO basis (FIFO method 1), or you may want to consider using the "Manually Purge the Data Store" method that is described later in this article to remove all restore points on your computer.

Manually Purge the Data Store

To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer.

1. Click Start, point to Settings, and then click Control Panel.

2. Double-click System, and then click the Performance tab.

3. Click File System, and then click the Troubleshooting tab.

4. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK.

5. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.


STATUS

This behavior is by design.


MORE INFORMATION

The _Restore folder is protected by default and prevents programs from using or manipulating the files that are within this folder. These files are inactive while in the data store and are not used by any utility other than System Restore.

The System Restore feature is not designed to detect or scan for virus infections or virus activity. Most computer virus infections seek or attack files with extensions such as .exe or .com. These are file types that the System Restore feature is designed to monitor.

NOTE: If you restore your computer to a previous state when you did not have an installed antivirus tool, you must install an antivirus tool and clean any files that were restored and are infected.
=====================================
Heirloom, old and brevity is a good thing

"Andrew Murray" <admurray@iinet.net.au> wrote in message
news:%23HUBudbRFHA.2348@tk2msftngp13.phx.gbl...
> _Restore is for the System Restore function....
>
> "KenP" <KenP@discussions.microsoft.com> wrote in message
> news:CE3BB70F-C035-48E0-BB56-F9E26B7944C6@microsoft.com...
> > Hi, I hope you are doing well.
> >
> > I have an HP Pavilion with WMe on it. There is a _RESTORE folder under the
> > c drive that according to my antivirus checker contains all kinds of
> > viruses, etc. in files located within a TEMP directory and named
> > Axxxxx.cpy. The _RESTORE folder is a hidden folder but when I show it, I
> > do not see the TEMP directory or the A*.cpy files. I can't remove the
> > A*.cpy files because I can't get access to them.
> >
> > Does anyone know the significance of the _RESTORE folder? Can I delete it?
> > If so, do you have any suggestions on how to do that? I can't access the
> > files in the SAFE MODE.
> >
> > Any help on this _RESTORE issue will be greatly appreciated.
>
>
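
The FIFO thresholds quoted in the article above (purge starts at 90 percent of the maximum size and runs oldest-first down to 50 percent, with a 200 MB minimum) can be modelled to see which restore points a resize would flush. This is an added example, not part of the original posts or of Microsoft's article; the restore-point names and sizes are constructed, and purging whole restore points at a time is an assumption of the model.

```python
from dataclasses import dataclass

TRIGGER_PCT = 90    # FIFO starts when the store reaches 90% of its maximum size
TARGET_PCT = 50     # and stops once the store is at or below 50% of that maximum
MIN_STORE_MB = 200  # lowest slider setting quoted in the article

@dataclass
class RestorePoint:
    name: str
    size_mb: int
    infected: bool = False

def fifo_purge(points, max_mb):
    """Return (purged, kept) for restore points listed oldest first."""
    max_mb = max(max_mb, MIN_STORE_MB)          # slider cannot go below the minimum
    kept = list(points)
    used = sum(p.size_mb for p in kept)
    purged = []
    if used * 100 < TRIGGER_PCT * max_mb:       # below 90%: FIFO never starts
        return purged, kept
    while kept and used * 100 > TARGET_PCT * max_mb:
        oldest = kept.pop(0)                    # oldest restore point goes first
        used -= oldest.size_mb
        purged.append(oldest)
    return purged, kept

def infected_remaining(points, max_mb):
    """Names of infected restore points still in the store after a resize."""
    _, kept = fifo_purge(points, max_mb)
    return [p.name for p in kept if p.infected]

# Constructed sample stores (sizes in MB, oldest first); not from a real machine.
STORE_250 = [RestorePoint("rp1", 40), RestorePoint("rp2", 60, infected=True),
             RestorePoint("rp3", 50), RestorePoint("rp4", 45),
             RestorePoint("rp5", 55, infected=True)]
STORE_170 = [RestorePoint("rp1", 90, infected=True), RestorePoint("rp2", 80)]

if __name__ == "__main__":
    for label, store, size in (("250 MB store, 400 MB max", STORE_250, 400),
                               ("250 MB store, 200 MB max", STORE_250, 200),
                               ("170 MB store, 200 MB max", STORE_170, 200)):
        print(label, "-> still infected:", infected_remaining(store, size))
```

The second case shows why a resize to the minimum can leave a recent infected restore point behind, and the third shows the article's NOTE: a store under 180 MB is untouched by resizing, so only waiting or the manual purge clears it.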
 
Guest

"The virus indications in the Restore folder are of little consequence,
unless you perform a restoral to an infected point. The following verbose
info should cover all your questions.
I believe author credit may go to Mr. Mike Maltby, MS-MVP...
someone correct me if I'm wrong."


Here is the actual source/reference, heirloom ...

"Antivirus Tools Cannot Clean Infected Files in the _Restore Folder"
http://support.microsoft.com/default.aspx?scid=kb;en-us;263455

--
Jack E Martinelli 2002-05 MS MVP Shell/User /DTS
Help us help you: http://www.dts-L.org/goodpost.htm
In Memorium: Alex Nichol
http://www.microsoft.com/windowsxp/expertzone/meetexperts/nichol.mspx
Your cooperation is very appreciated.
----------
"heirloom" <heirloom@nospamatall.invalid> wrote in message
news:%23uq1RIdRFHA.2228@TK2MSFTNGP12.phx.gbl...
> The virus indications in the Restore folder are of little consequence,
> unless you perform a restoral to an infected point. The following verbose
> info should cover all your questions. I believe author credit may go to Mr.
> Mike Maltby, MS-MVP...
> someone correct me if I'm wrong.


> ===================================
>
> SYMPTOMS
>
> When you run an antivirus program, you may receive a report that indicates
> that one or more files in the _Restore\Temp or the _Restore\Archive folders
> contain a virus or are infected with a virus. Also, your antivirus program
> may indicate an inability to remove the virus from the file or files.
>
>
> CAUSE
>
> This behavior occurs because the System Restore feature in Windows
> Millennium Edition (Me) protects all folders and files in the _Restore
> folder on the Windows Me system partition. This folder and all of its
> subfolders are the data store that the System Restore feature uses to
> restore your computer's operating system to a previous state from a
> previous point in time.
>
<SNIP>