1. Discovered I had a virus named "WIN95.CIH.1003.A", along with a worm called "Win32.Hybris.plugin worm".
2. Installed new virus scanner (eTrust EZ Antivirus)... ran it, removed most of them, then found another 738 versions of the same virus in my _RESTORE folder... which, as you know, cannot be touched or deleted.
3. Tried My Computer > Properties > Performance > File System > Troubleshooting > Disable System Restore (which supposedly purges ALL restore files on startup). Think again - nothing... almost 1.4 GB of files still there. Tried this 3 times... nothing.
4. Found out about a too-good-to-be-true program called "System Restore Remove Pro 1.5 final" - bingo - too good to be true... doesn't work, web tech support nonexistent, all files still in _RESTORE.
Bottom line, the virus will continue to spread itself all over my hard drive until this folder's contents are deleted. Heck - I downloaded the new antivirus program and as I ran it the virus had already spread itself to it in the first virus check. What can I do to get this folder clear? I pray this message makes it to post before Explorer crashes once again!

http://securityresponse.symantec.com/avcenter/reference/newsletter/sarcanuv4i1.html
W95.CIH aliases (Chernobyl) -
The W95.CIH virus is the only known computer virus capable of rewriting a flash BIOS. It does so by infecting 32-bit Windows 95/98 executable files. When an infected program is run, the virus will infect the computer's memory. W95.CIH then infects new files when they are opened. This means that an infected system must be rebooted from a clean system disk before scanning with Norton AntiVirus -- if this is not done, the virus will infect every file that the anti-virus product scans. You can only be infected if you open the infected file.
W95.CIH's destructive payload is triggered on the 26th of the month. Chernobyl also has three variants: Win95.CIH.1003 that strikes on 26 April every year; Win95.CIH.1100 that strikes on 26 June every year; and Win95.CIH.1019 that triggers on the 26th of every month.
The Chernobyl W95.CIH is not a new virus. Originally discovered in June 1998 in Taiwan, a complete detection and repair solution for Chernobyl was quickly developed by SARC, ensuring that users of any Norton AntiVirus version updated since June 1998 are fully protected against this threat. For this reason the CIH virus did not impact Symantec customers who maintained their virus definitions.
See SARC web site for a more detailed description http://www.symantec.com/avcenter/kill_cih.html
The KILL_CIH tool is designed to safely detect and remove all known strains of the W95.CIH (Chernobyl) virus (known strains as of August 3rd, 1998) from memory under Windows 95 and Windows 98 (the W95.CIH virus cannot infect Windows NT systems). If the tool is run before the virus has infected the system, it will also "inoculate" the computer's memory to prevent the W95.CIH virus from infecting the system until the next system reboot.
*NOTE* If you are already infected with the W95.CIH virus, run the KILL_CIH tool first before attempting to update your anti-virus definitions or scan your system. If you attempt to scan with an anti-virus product without first running this tool, you run the risk of causing your infection to spread. Once you have used this tool, you can safely update your Norton AntiVirus definitions and scan your machine.
The KILL_CIH tool will not detect or remove the W95.CIH virus from files; it will only disable the virus in memory so that an anti-virus program can remove the infection without inadvertently spreading the virus. You can obtain a freeware version of Norton AntiVirus to detect and remove the virus from files on the Symantec web site at:
http://www.symantec.com/nav/navc.html
This CIH removal tool can be run from either the DOS command line or from a login script, allowing an administrator to automate the disinfection process. This means that an administrator does not have to go to each workstation on their network and reboot from a clean floppy in order to clean the computer. After using this tool, you should update your virus definitions and then start a complete scan of the computer with an anti-virus program such as Norton AntiVirus. This will eliminate the virus and repair any damaged files. The tool itself is designed to avoid infection by the virus and can safely be run without becoming infected if the virus is already resident on a computer.
Not found anything on the other one yet.

This sounds like double bad news then.
1. I already ran a v/checker and it does look like I've spread things all over the _RESTORE folder now.
2. Even if I do the steps above... when I rerun the Norton program - it still can't scan the restore prob, can it... bringing me back to my original problem... how do I empty the _RESTORE folder?

Win32.Hybris.plugin worm
W95.Hybris is a worm that spreads by email as an attachment to outgoing email messages.
The email message or subject may include, but is not limited to:
hahaha@sexyfun.net
Snow White and the Seven dwarves
The attachment may have one of several different names, including, but not limited to:-
anpo porn(.scr
atchim.exe
branca de neve.scr
dunga.scr
dwarf4you.exe
enano porno.exe
joke.exe
midgets.scr
sexy virgin.scr
Symantec has created an interactive tutorial to help you get rid of this worm.
Also Known As: W32.Hybris.gen, W32.Hybris.22528.dr, W32/Hybris.gen@M, I-Worm.Hybris, Full Moon
Type: Worm
To remove the W95.Hybris.gen worm, follow these steps:
1. Run LiveUpdate to ensure that you have the most recent virus definitions. They must be dated September 25, 2000, or later.
2. Start NAV, and perform a full system scan. Make sure that NAV is set to scan all files. When an infected file is detected, do the following:
When Wsock32.dll is detected as infected, choose Repair. In most cases, NAV can repair this file. If NAV cannot repair the file, then you will need to replace it from the Windows installation CD. NOTE: If NAV cannot repair Wsock32.dll when Windows is in normal mode, then try to repair it in Safe Mode.
See... http://securityresponse.symantec.com/avcenter/venc/data/w95.hybris.gen.html cos' there is loads of info.

Curious as I want to do same. Wouldn't an FDISK of all drives and master boot do the trick, with the exception that manually everything would have to be done, such as copying C:\WINDOWS\OPtions\CABS to a startup ME disk and leave the recovery disks aside? I personally want to do this but have never done same. I extracted the files last night for the disk, went to registry and searched for ProductKey which gave me the verification #s to put in, made a boot disk, made sure I had my CD-ROM/floppy/modem, and I think I found the sound card drivers on the disk.
Can this be a solution? I would like to break from the recovery CDs; I think they are a pain and a waste of too much of the people's money at $3 or $4 a minute. That is why, before my warranty ran out, I hard copied everything the tech told me to do while walking me through the restore process.
Has anyone done so for an extracted copy of ME!!!!! And results.
Thanx!!!!!!!!
