So . . . are the "deleted" system files actually deleted and then re-created? I find it more likely that the "delete" command in Windows XP checks to see if the system attribute on a file is set, and if it is, aborts the deletion. Try booting up into DOS and deleting it.
Or you could obtain an un-infected IPv9.dll from somewhere and try copying that over the existing file.
Also consider the fact that antivirus programs can mess up, and flag an uninfected file as infected. If this is the case, it usually does it reproducibly, and if your antivirus program is common (Norton is certainly very common!), then the manufacturer of the program which uses IPv9.dll is probably aware of this and may mention it on their website. If they do, then just ignore the warning. I'm sure you can configure Norton to ignore certain files when it does scans.
Or . . . maybe a malware program is actually re-creating the file. I don't see why Windows would re-create a file, but a malware program certainly could.
How could you detect this? I'd try replacing the file with a file of zero bytes. If it remains in place, then something is actually detecting when the file disappears and copying it back again. You could do this with something as simple as
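Code:
#include <stdio.h>

int main(void) {
    /* Opening with "w" truncates IPv9.dll to zero bytes (or creates it). */
    FILE *fp = fopen("IPv9.dll", "w");
    if (!fp) {
        perror("Couldn't open dll");
        return 1;  /* report the failure to the caller */
    }
    fclose(fp);
    return 0;
}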
If that program fails, then either the malware program is smart and it also examines the file size, or Windows is just preventing the file from being deleted in the first place.
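An extension of the zero-byte test above, as an added example that is not part of the original post: it truncates the file and then polls it for 30 seconds to see whether something writes content back. The function names, the verdict enum and the 30-second window are assumptions made for this illustration.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#define sleep_seconds(s) Sleep((s) * 1000)
#else
#include <unistd.h>
#define sleep_seconds(s) sleep(s)
#endif

/* Hypothetical outcome names for this illustration. */
enum verdict { STAYED_EMPTY, RESTORED, REMOVED, TRUNCATE_FAILED };

/* Size in bytes, or -1 if the file cannot be opened (missing or locked). */
static long file_size(const char *path) {
    FILE *fp = fopen(path, "rb");
    long n;
    if (!fp) return -1;
    n = (fseek(fp, 0, SEEK_END) == 0) ? ftell(fp) : -1;
    fclose(fp);
    return n;
}

/* Truncate path to zero bytes, then check it once per second for `seconds`. */
static enum verdict watch_after_truncate(const char *path, int seconds) {
    FILE *fp = fopen(path, "wb");
    int i;
    if (!fp) return TRUNCATE_FAILED;   /* read-only, locked, or protected */
    fclose(fp);
    for (i = 0; i <= seconds; i++) {
        long n = file_size(path);
        if (n > 0) return RESTORED;    /* something wrote content back */
        if (n < 0) return REMOVED;     /* something deleted or locked it */
        if (i < seconds) sleep_seconds(1);
    }
    return STAYED_EMPTY;
}

int main(int argc, char **argv) {
    static const char *msg[] = { "stayed empty", "content restored",
                                 "removed or locked", "could not truncate" };
    const char *path = argc > 1 ? argv[1] : "IPv9.dll";
    enum verdict v = watch_after_truncate(path, 30);  /* assumed window */
    printf("%s: %s\n", path, msg[v]);
    return v == STAYED_EMPTY ? 0 : 1;
}
```

A "content restored" result points at a process that is watching the file; "could not truncate" matches the case where the write is blocked before it ever happens.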