Virus Help Needed!!

greenspun.com : LUSENET : Country Families : One Thread

Hi! I received an email from someone I don't know, but with an ISP that indicates it came somehow from my mother's ISP company. My trial version of eTrust Antivirus software picked it up immediately and noted it was infected with Win32.Magistr.29188 (new variant, came out last week) virus. I permanently deleted it and ran a full scan, and sure enough it's there. I spent my entire Saturday trying to get help removing this thing, but nothing. I found lots of the same info (cut n paste style). Microtrend's Housecall supposedly had a "tool" to download, but I must have misread something bec. you download it and get a little screen describing what it does and says for further help press any key, you press a key and ZIP its gone to who knows where! I've gotten a trial version of Norton going now and scanned it for ALL files even compressed ones. Norton says there are 3 files infected with Win32.Magistr.39921@mm (mass mailing virus, older variant of the first one I mentioned, and goes by several aliases). They could not be quarantined, repaired, or deleted. These files are in the cabinet folders C:\_RESTORE\ARCHIVE\FS1278 and FS1280.CAB . The file names are A0135037.CPY, A0135181.CPY and A0135183.CPY . I've read on Symantec's site where these compressed cabinet folders have to have the files extracted and you have to get your computer system's disk for an extracting tool, and in a long drawn out way take the bad file out, I guess delete it somehow and replace it with a new one extracted from your system's disk. Is that enough info?????? Can anyone help me??? I am not certain I received this virus for the first time yesterday. My system has been unbearably unstable with symptoms of this virus for the past week and a half. Thanks for your time.

-- Smallfry (farmthinkin@gtcinternet.com), February 03, 2002

Answers

Slow down, relax, tell us what system you are running: Windows 98? Windows 95? 6.0 or what? That is the info needed to help you.

-- mitch hearn (moopups@citlink.net), February 03, 2002.

Windows 2000, IE6, Outlook Express6, Norton Antivirus 2002 Trial with updates.

-- Smallfry (farmthinkin@gtcinternet.com), February 03, 2002.

Off line, go into Norton, click the third one down, click on the center one, let it run until complete, that will tell you where the virus is located ( the nest), bring that info back here and we will go from there. BE EXACT.

-- mitch hearn (moopups@citlink.net), February 03, 2002.

Well, I believe I've already done this. Your directions are a bit like taking a right turn at the oak tree with the knot in the third branch, but I think I've done what you were asking. Let me make sure. I ran a full scan with the options set not to exclude any file extension and to scan compressed files. This came up with 3 infected files. File A0135037.CPY is located in c:\_RESTORE\ARCHIVES\FS1278.CAB (cabinet folders being compressed and protected) and files A0135181.CPY and A0135183.CPY are in C:\_RESTORE\ARCHIVES\FS1280.CAB. Unlike the other variants of the Magistr virus I guess, this one either hasn't gotten to the .ini files or doesn't affect them. Is this what you were asking for?

-- Smallfry (farmthinkin@gtcinternet.com), February 03, 2002.

Mitch, I reread my last post and I apologize if I sounded like a smart alec! I was chuckling when I wrote about the turn at the oak tree. That's how people give directions around here. Sorry. Thank you for your help.

-- Smallfry (farmthinkin@gtcinternet.com), February 03, 2002.


Your system is advanced beyond me, in earlier versions you can (off line) click left then right on my computer - explore - "C" - tools - find -files - type in *name of virus*.* - find now - delete.

-- mitch hearn (moopups@citlink.net), February 04, 2002.

If you were running Norton's tool then it should have quarantined the virus or deleted it, depending on what your settings are.

It sounds to me like this virus isn't your problem since it was detected, but you already had a virus and have yet to deal with that.

My first suggestion is to GET RID OF Outlook as a mail reader and replace it with a more secure package. Outlook has been the channel of most of the major viruses on Windows for the last few years. That is the easiest way to stop most of the current viruses. Then get a real version of the Norton virus checker with live updates and update daily.

-- Gary in Ohio (gws@columbus.rr.com), February 04, 2002.


I am writing this time from my own computer! Yes, Gary, I did run NortonAV on it and it picked it up but couldn't quarantine (however that is spelled!), repair or delete those files. I read later in descriptions of this virus that this was common with it. I don't know for certain I had a virus prior to Sat since no software picked one up, but it sure acted like it. I went to Tech Support Guy.org while emailing with these two forums and a guy there told me to disable the _RESTORE folder which on restart would make it purge whatever it had in it. I did this and afterwards ran Norton again and there were no viruses. So I think we may have gotten it. Thank you so much for writing in with advice so quickly! Sorry again for my untimely humor, Mitch. Gary, I couldn't agree more about getting rid of Outlook. What do you use? I am assuming Navigator isn't targeted as much as Outlook, and I like some of their email options (retrievable messages if you need to reformat your computer.) I do not like the way Eudora used to be but haven't checked it out recently. What do you all recommend?

-- Smallfry (farmthinkin@gtcinternet.com), February 04, 2002.

Hi,

I've got the same problem. I tried to remove C:\_RESTORE\TEMP but I can't find the location anywhere. It's not in C! Only if I search for it on 'find' do I get the files (which I CAN'T remove because the 'files are in use') but the folder isn't there. Anyway, help me plz.

-- Karo (use_once_and_destroy@hotmail.com), June 01, 2002.


I believe I have this virus. Which anti-virus software is the best to remove it?

-- Corey Van Vactor (romeho_la1@yahoo.com), June 08, 2002.


C:\_RESTORE/TEMP <- Files used for System Restore. I would suggest using the First In First Out method before anything else; it has worked for me in the past.

The FIFO routine purges the oldest restore points so that newer, more current restore points can be added to the data store. FIFO starts automatically when the files in the data store reach 90 percent of the maximum size of the data store. System Restore purges the oldest files first until the files in the data store occupy no more than 50 percent of the maximum size of the data store.

For example, if the maximum size of the data store is 400 megabytes (MB), 90 percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200 MB when you view the properties of the _Restore folder, it is 50 percent of the maximum size. If you adjust the size of the data store to the minimum size of 200 MB, FIFO occurs when you click Apply.

NOTE: If the data store is less than 90 percent (180 MB) of the minimum (200 MB) value, adjusting the size does not have any effect in purging restore points. In this scenario, you must carefully consider the use of the methods that are described in this article.

Over a period of time, the data store purges restore points on a FIFO basis as the maximum size of the data store is reached. There are a few scenarios in which FIFO can be used to purge older restore points to retain more recent restore points on the computer.

FIFO Method 1 - No action is required if the system has been cleaned and only the data store is reported by the antivirus tool to have suspicious files. Until all infected files are processed out on a FIFO basis, the antivirus tool may still report that there are infected files that it cannot obtain access to within the data store.

FIFO Method 2 - You can trigger the FIFO feature to remove older restore points from the data store by resizing the data store. To use the System Restore feature to adjust the size of the data store:

1-View the properties of the _Restore folder to determine how much data is actually in the data store. You do this to determine if this step will have any effect on the data store. If the data store uses less than 90 percent (less than 180 MB) of the minimum value (200 MB), this method may have no effect on purging the restore points. If less than 90 percent of the data store is used, even at the minimum settings you should consider using FIFO method 1 or using the "Manually Purge the Data Store" method that is listed later in this article.

2-Click Start, point to Settings, and then click Control Panel.

3-Double-click System, and then click the Performance tab.

4-Click File System

5-Adjust the System Restore disk space use slider to the approximate lower amount, and then click Apply.

Note that you can use the System Restore disk space use slider to select the minimum amount of space to allocate for the data store, the maximum amount, or a size in between. Adjusting the slider to a lower value changes the values that trigger FIFO. You may need to restart your computer for any changes to take effect.

6-Click OK, and then click OK to close System Properties.

7-Use the antivirus tool to scan the computer to verify that the virus-infected files have been purged from the data store. If there are still infected files in the data store, repeat the previous steps and lower the data store size until the data store is clear of infected files.

Note that you can also use the calendar page in the System Restore tool to view how far back the restore points were purged.

8-After the infected files have been cleared from the data store by using this method, return the slider to the original or appropriate size, click OK to close any open windows, and then restart your computer.

If there still is an infected file in the data store after you resize the data store to the minimum size, you can either wait for it to be processed out on a FIFO basis (FIFO method 1), or you may want to consider using the "Manually Purge the Data Store" method that is described later in this article to remove all restore points on your computer.

Manually Purge the Data Store

To completely and immediately remove the infected file or files in the data store, disable and re-enable the System Restore feature.

WARNING: Using the following steps will completely remove all restore points from the data store. Do not use this method if this will cause problems. When you enable the System Restore feature again, the System Restore feature will create a new restore point and then resume monitoring your computer. Click Start, point to Settings, and then click Control Panel. Double-click System, and then click the Performance tab. Click File System, and then click the Troubleshooting tab. Click to select the Disable System Restore check box, click Apply, click to clear the Disable System Restore check box, click Apply, and then click OK. Restart the computer when you are prompted to do so. When the computer restarts, the data store is purged and the System Restore feature begins monitoring the system again.

-- william baldwin (sillybullfrog@yahoo.com), July 27, 2002.
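The FIFO rule in the post above (purge starts at 90 percent of the maximum data store size, the oldest restore points go first, and purging stops once the store is at or below 50 percent) can be checked with a small model. This is an added example, not code from the original thread or from Microsoft; the restore-point sizes and the FS1279.CAB name are constructed, and the CAB names from the thread are used only as labels.

```python
# Model of the System Restore data-store FIFO purge described in the post.
# Sizes are in MB. Restore point sizes below are constructed sample data.

FIFO_TRIGGER = 0.90   # purge starts when the store reaches 90% of max size
FIFO_TARGET = 0.50    # purge stops when the store is at or below 50% of max size
MIN_STORE_MB = 200    # smallest data store size the slider allows (from the post)


def store_size(points):
    """Total MB used by a list of (name, size_mb) restore points, oldest first."""
    return sum(size for _, size in points)


def fifo_purge(points, max_store_mb):
    """Return (surviving_points, purged_names) after applying the FIFO rule.

    points is ordered oldest -> newest. If the store has not reached the 90%
    trigger, nothing is purged; otherwise the oldest points are dropped until
    the store occupies no more than 50% of max_store_mb.
    """
    remaining = list(points)
    purged = []
    if store_size(remaining) < FIFO_TRIGGER * max_store_mb:
        return remaining, purged
    while remaining and store_size(remaining) > FIFO_TARGET * max_store_mb:
        name, _ = remaining.pop(0)   # oldest restore point goes first
        purged.append(name)
    return remaining, purged


def resize_purges_infected(points, infected_names, new_max_mb=MIN_STORE_MB):
    """Does shrinking the slider to new_max_mb push every infected point out?

    Mirrors the post's NOTE: if the store holds less than 90% of the minimum
    (180 MB of 200 MB) resizing has no effect, and the post's last paragraph:
    a point that survives the minimum size must age out (method 1) or be
    removed by a manual purge. Returns (all_infected_purged, remaining).
    """
    remaining, purged = fifo_purge(points, new_max_mb)
    return all(name in purged for name in infected_names), remaining


# Constructed sample: three archives in C:\_RESTORE\ARCHIVE, oldest first.
# FS1278.CAB and FS1280.CAB are names reported in the thread; sizes are invented.
SAMPLE_POINTS = [("FS1278.CAB", 120), ("FS1279.CAB", 100), ("FS1280.CAB", 90)]
INFECTED = ["FS1278.CAB", "FS1280.CAB"]

if __name__ == "__main__":
    print(fifo_purge(SAMPLE_POINTS, 400))           # 310 MB < 360 MB: nothing purged
    print(resize_purges_infected(SAMPLE_POINTS, INFECTED))  # newest CAB survives
```

With the sample store (310 MB) the 400 MB maximum never triggers FIFO, while the 200 MB minimum purges the two oldest archives but leaves FS1280.CAB in place, which is exactly the case where the post says to wait or purge manually.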


If you don't want to go all that route, use a DOS boot disk to get to a C:\> prompt (without running Windows at all). Then type:

    C:\> cd\_restore\temp (ENTER)
    C:\> del A0135183.CPY (ENTER)
    etc...etc...etc until all are deleted
    C:\> cd\_restore\archives (ENTER)
    C:\> del FS1280.CAB (ENTER)
    etc...etc until all are deleted

REBOOT the system without the boot disk. Problem solved!!!

-- Randy Brown (Sgtbrown6511@aol.com), August 24, 2002.
