The Windows Me virus conundrum

If your company uses Windows Me and a virus works its way into the _Restore folder, there is not much any antivirus software can do. In this Daily Feature, Jim Wells discusses a few alternatives to eradicate the virus.

What do you do when your antivirus software cannot reach files on your hard drive? Most antivirus programs have full access to the files on your system, which is what lets them clean or delete whatever strain of virus or worm they find. However, if you are running Microsoft's Windows Millennium Edition (Me), you should be aware that antivirus programs can detect, but cannot remove, a virus that has infected files located in the _Restore folder and its subfolders.

Why Me?
Windows Me contains a System Restore feature that keeps its restore points in the _Restore folder on the system partition and protects everything stored there. System Restore uses this data store to return the operating system to the state it was in at an earlier point in time: it records the system's configuration and settings and keeps copies of monitored system files as they change. So if things go wrong and you have a system failure, System Restore will get you back to where you left off. (Think of it as a way to step back in time to when your PC was running at its peak performance.)

Because of the way _Restore is protected, Windows Me does not allow its contents to be manipulated. You cannot even see the files unless the View Hidden Files And Folders option is enabled in Windows Explorer, and even then you cannot delete or move them from within Windows while System Restore is running. Thus, if an infected file lands in this part of the system, typically because System Restore archived a copy of an infected file when that file appeared or changed elsewhere on the disk, your antivirus software can report it but can do nothing about it.

If you are unfortunate enough to have a virus get into this area of your system, all is not lost. According to a Microsoft Support article, the remedies range from adjusting the size of the data store in which System Restore keeps its restore points to manually purging the data store. Proceed with caution whichever option you choose: changing any part of System Restore can cause performance issues and can discard older restore points the feature has already saved.

Should you decide to lower the size of the data store, you are, in effect, speeding up the process by which Windows Me purges older restore points. The goal of this method is to get the infected files out of the data store as soon as possible. Windows Me purges its oldest restore points automatically, first in, first out, once the data store reaches a threshold derived from the maximum size you set. Take a maximum System Restore setting of 400 MB as an example: Windows Me does not make a move until the data store is 50 percent of that maximum (200 MB) or 90 percent of the 200 MB minimum value (180 MB), whichever is reached first. So with the data store at only 179 MB, no purge occurs at all. Check the current size of the data store by right-clicking the _Restore folder and choosing Properties, then work out how far the setting must drop for the data store to exceed the threshold and force a purge.

To adjust the amount of storage space to allocate to the System Restore feature, go to Start | Settings | Control Panel. Find the System icon and click the Performance tab. Click the File System button to display the File System Properties dialog box (Figure A). In the Settings frame, lower the System Restore Disk Space Use slide bar to a level that will kick off a file purge for your system.

Figure A
Remember, this workaround has no effect until the data store has grown to the purge threshold for the value you set; if the _Restore folder is smaller than that, nothing will be purged no matter how long you wait.

After rebooting your machine, run your antivirus scanner again to see whether the purge removed the infected files. If it did not, the infected restore point is newer than the ones that were purged, so lower the setting a little further and repeat until they are gone. Just remember to return the System Restore Disk Space Use slider to its original position once your system is clean.
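
To see how the thresholds above interact with the slider, here is a small model of the purge rule as this article states it. It is an added example for this Daily Feature, not Microsoft's code: it assumes a 200 MB slider floor (the article's "minimum value"), uses constructed restore point sizes, and assumes that a purge keeps dropping the oldest restore point until the data store is under the trigger size, since the article does not say how far a purge goes.

```python
"""Model of the Windows Me System Restore purge rule as this article states it.
Added example, not Microsoft code. Assumptions: the slider floor is 200 MB
(the article's "minimum value"), the restore point sizes are constructed,
and a purge keeps dropping the oldest restore point until the data store is
under the trigger size (the article does not say how far the purge goes)."""

MIN_SLIDER_MB = 200     # assumed slider floor on Windows Me
DEFAULT_MAX_MB = 400    # the article's worked example


def purge_trigger_mb(max_mb):
    """Store size at which the article says the FIFO purge starts: 50 percent
    of the slider setting or 90 percent of the minimum value, whichever is
    reached first, i.e. the lower of the two."""
    return min(0.5 * max_mb, 0.9 * MIN_SLIDER_MB)


def purge_will_run(store_mb, max_mb=DEFAULT_MAX_MB):
    """True if a data store of store_mb trips the trigger at this setting."""
    return store_mb >= purge_trigger_mb(max_mb)


def slider_to_force_purge(store_mb, current_max_mb=DEFAULT_MAX_MB):
    """Slider setting to use so that a store of store_mb gets purged.
    Returns the current setting if it already triggers, otherwise the largest
    lower setting that does, or None when even the floor would not (the store
    is too small for this workaround; only a manual purge removes the file)."""
    if purge_will_run(store_mb, current_max_mb):
        return current_max_mb
    wanted = int(2 * store_mb)            # 0.5 * wanted <= store_mb
    return wanted if wanted >= MIN_SLIDER_MB else None


# Constructed restore points, oldest first: (name, size in MB, holds infected copy)
SAMPLE_POINTS = [
    ("RP1", 60, False),
    ("RP2", 50, True),
    ("RP3", 45, False),
    ("RP4", 30, False),
]


def store_size_mb(points):
    return sum(size for _, size, _ in points)


def fifo_purge(points, max_mb):
    """Simulate the purge at a given setting: drop the oldest point while the
    store is at or above the trigger (the purge-to level is an assumption).
    Returns (removed, remaining)."""
    trigger = purge_trigger_mb(max_mb)
    remaining = list(points)
    removed = []
    while remaining and store_size_mb(remaining) >= trigger:
        removed.append(remaining.pop(0))
    return removed, remaining


def infected_copy_cleared(removed):
    """True once a purged restore point carried the infected copy."""
    return any(infected for _, _, infected in removed)


if __name__ == "__main__":
    size = store_size_mb(SAMPLE_POINTS)          # 185 MB in this sample
    for setting in (DEFAULT_MAX_MB, 240):
        removed, remaining = fifo_purge(SAMPLE_POINTS, setting)
        print(f"slider {setting} MB: trigger {purge_trigger_mb(setting):.0f} MB, "
              f"purged {[n for n, _, _ in removed]}, kept {[n for n, _, _ in remaining]}, "
              f"infected copy gone: {infected_copy_cleared(removed)}")
```

With the sample store at 185 MB, the default 400 MB setting only discards RP1 and leaves the infected RP2 in place, which is the "repeat with a lower setting" case from the procedure; at 240 MB the trigger drops to 120 MB and RP2 goes too, while RP3 and RP4 survive. A store under 100 MB returns None, meaning this workaround cannot help and the manual purge is the only option.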

Workaround alternatives
Looking at the previous workaround, you might think the obvious step to take would be lowering the System Restore Disk Space Use slide bar to its lowest position so it will purge immediately. However, this step would eliminate all the restore points saved on your machine. This process could make it impossible for you to restore your machine to a time when it was working correctly.

One alternative offered by Microsoft is to leave the system alone if the virus resides only in the data store. The archived copy is not executed from _Restore, and the system will eventually purge it, so as long as the virus is not infecting active files elsewhere on your system, the "do nothing" approach may work best. While allowing a virus to sit on your system does not sound like a good idea, it makes the most sense if you depend on your saved restore points for system recovery. The one caveat is that restoring to a restore point that contains the infected copy would put it back on the live system, so rescan the machine after any such restore.

If you just can't wait to rid your system of the virus, you have the option of a manual purge. Double-click the System icon in Control Panel and select the Performance tab. Click the File System button, and on the File System Properties page click the Troubleshooting tab. At the bottom is a check box labelled Disable System Restore (Figure B). Select it and click Apply, then immediately clear the check box and click Apply again. Click OK and reboot your machine to complete the purge of the data store.

Figure B
Keep in mind, this will remove all restore points from your system. In other words, use it only as a last resort.

Antivirus software has been very effective at ridding computers of the numerous viruses out there. Microsoft's Windows Me, however, has thrown the industry a curve ball by protecting the System Restore data store. When antivirus software cannot reach the infected portion of the operating system, alternative methods of eradication must be pursued. I hope that one of the methods described here will keep your clients running smoothly.

