Thread: Win XP System File Protection

  1. #1
    System Novice siavoshkc's Avatar
    Join Date
    Jan 2006
    Location
    Tehran
    Posts
    1,246

    Question Win XP System File Protection

    You can delete a system file in XP; nothing will prevent you. But after a second or two the file will be regenerated by Windows. Why is it this way?
    I've installed Norton Anti Virus on my uncle's PC. It warns him each time it dials up for internet. It says IPv9.dll is infected and deleted automatically. But the AV doesn't know that it's a system file and will be regenerated by the OS. The problem is that it seems that the regenerated file is also infected. What can I do with it?

    [Edit] The System Restore was disabled on his PC.
    Last edited by siavoshkc; 08-14-2007 at 08:37 AM.
    Learn C++ (C++ Books, C Books, FAQ, Forum Search)
    Code painter latest version on sourceforge DOWNLOAD NOW!
    Download FSB Data Integrity Tester.
    Siavosh K C

  2. #2
    Frequently Quite Prolix dwks's Avatar
    Join Date
    Apr 2005
    Location
    Canada
    Posts
    8,057
    So . . . are the "deleted" system files actually deleted and then re-created? I find it more likely that the "delete" command in Windows XP checks to see if the system attribute on a file is set, and if it is, aborts the deletion. Try booting up into DOS and deleting it.

    Or you could obtain an un-infected IPv9.dll from somewhere and try copying that over the existing file.

    Also consider the fact that antivirus programs can mess up, and flag an uninfected file as infected. If this is the case, it usually does it reproducibly, and if your antivirus program is common (Norton is certainly very common!), then the manufacturer of the program which uses IPv9.dll is probably aware of this and may mention it on their website. If they do, then just ignore the warning. I'm sure you can configure Norton to ignore certain files when it does scans.

    Or . . . maybe a malware program is actually re-creating the file. I don't see why Windows would re-create a file, but a malware program certainly could.

    How could you detect this? I'd try replacing the file with a file of zero bytes. If it remains in place, then something is actually detecting when the file disappears and copying it back again. You could do this with something as simple as
    Code:
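    #include <stdio.h>
    
    int main(void) {
        /* Opening with "w" truncates an existing file to zero bytes
           (or creates an empty one if it is missing). */
        FILE *fp = fopen("IPv9.dll", "w");
        if(!fp) perror("Couldn't open dll");
        else fclose(fp);
    
        return 0;
    }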
    If that program fails, then either the malware program is smart and it also examines the file size, or Windows is just preventing the file from being deleted in the first place.
    dwk

    Seek and ye shall find. quaere et invenies.

    "Simplicity does not precede complexity, but follows it." -- Alan Perlis
    "Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
    "The only real mistake is the one from which we learn nothing." -- John Powell


    Other boards: DaniWeb, TPS
    Unofficial Wiki FAQ: cpwiki.sf.net

    My website: http://dwks.theprogrammingsite.com/
    Projects: codeform, xuni, atlantis, nort, etc.
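
Added example, not part of dwks's post: an extension of the zero-byte test above that fingerprints the file first, so that after truncation you can tell whether nothing came back, the same bytes came back, or different bytes came back. The function names and the use of FNV-1a are choices made for this example; FNV-1a is a non-cryptographic checksum used here only to compare before and after.

```c
#include <stdio.h>
#include <stdint.h>
/* Size plus 64-bit FNV-1a hash: enough to tell "same file back" from "other file". */
struct fingerprint { long size; uint64_t hash; };
enum outcome { GONE, STILL_EMPTY, RESTORED_SAME, RESTORED_DIFFERENT };

/* Returns 0 on success, -1 if the file cannot be opened. */
int fingerprint_file(const char *path, struct fingerprint *fp)
{
    FILE *f = fopen(path, "rb");
    int c;
    if (!f) return -1;
    fp->size = 0; fp->hash = 14695981039346656037ULL;   /* FNV-1a offset basis */
    while ((c = fgetc(f)) != EOF) {
        fp->hash = (fp->hash ^ (uint64_t)(unsigned char)c) * 1099511628211ULL;
        fp->size++;
    }
    fclose(f);
    return 0;
}

/* Same operation as the post's test: opening with "w" truncates to 0 bytes. */
int truncate_file(const char *path)
{
    FILE *f = fopen(path, "w");
    return f && fclose(f) == 0 ? 0 : -1;
}

/* Compare the file as it is now with the fingerprint taken before truncation. */
enum outcome classify(const char *path, const struct fingerprint *before)
{
    struct fingerprint now;
    if (fingerprint_file(path, &now) != 0) return GONE;   /* missing or unreadable */
    if (now.size == 0) return STILL_EMPTY;                /* nothing put it back */
    if (now.size == before->size && now.hash == before->hash) return RESTORED_SAME;
    return RESTORED_DIFFERENT;                            /* something else was written */
}

int main(int argc, char **argv)
{
    static const char *names[] = { "gone/unreadable", "still empty", "restored (identical)", "restored (different)" };
    struct fingerprint before;
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    if (fingerprint_file(argv[1], &before) || truncate_file(argv[1])) { perror(argv[1]); return 1; }
    puts("Truncated. Wait a few seconds, then press Enter.");
    getchar();
    printf("%s: %s\n", argv[1], names[classify(argv[1], &before)]);
    return 0;
}
```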

  3. #3
    System Novice siavoshkc's Avatar
    Join Date
    Jan 2006
    Location
    Tehran
    Posts
    1,246
    This is not malware that regenerates the file. It's Windows. I don't know how and why it is like this. You can go and delete the Spider game executable to see it yourself. It does this to all its files.

  4. #4
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Yes, it's Windows File Protection - it covers a list of files that Windows keeps safe for you and restores when/if you delete them. It is, however, disabled in safe-mode, so if you really want to remove the file, try rebooting into safe mode, delete the file and reboot again, and it should be gone.

    --
    Mats

  5. #5
    Registered Abuser
    Join Date
    Jun 2006
    Location
    Toronto
    Posts
    591
    As far as I know, Windows File Protection works as DWK suggested, it will usually prompt you that the file is a system file and cannot be deleted, and will not delete it at all. If the file is being deleted and regenerated, that definitely sounds more like a malware program (and yes it can infect anything, even spiders.exe).

  6. #6
    verbose cat
    Join Date
    Jun 2003
    Posts
    209
    It might be a good idea to pull up your task manager to see what processes are running, type each process (like svchost.exe) into google or yahoo or your search engine of choice and look over the responses you get. Most of them should come up as either Microsoft Windows processes for this or that, some might come up for QuickTime or JavaUpdate or your soundcard, video card, etc.

    If you find anything that turns out to be malware, you can probably also find information on how to get rid of it by looking through the search results.

    It might also be a good idea to run virus scans (there are free scans available via the web and in my experience some scanners will pick up things that others will miss), as well as a malware scanner like AdAware and Spybot S&D (these two are free). I haven't used Norton Anti-virus since it was installed from floppy discs and I have read lots of bad stuff about it, but then I'm sure I could find bad stuff about McAfee too.

    I use AVG and haven't had any problems with it thus far (couple years and counting).

    I had a problem "infection" a while back that used 3 processes that kept watch on each other and restarted any of them that I tried to End Task before I could get to the other two. The processes kept coming back with slightly different filenames too, so I couldn't just write a 0-byte .exe file to prevent it from running. It also had several files in the windows folders that would be regenerated if any of those processes were running... it was irritating and tenacious, and I admired its beauty even as I slew it using Google and Safemode. :o)

    Your situation reminds me of that.
    abachler: "A great programmer never stops optimizing a piece of code until it consists of nothing but preprocessor directives and comments "

  7. #7
    System Novice siavoshkc's Avatar
    Join Date
    Jan 2006
    Location
    Tehran
    Posts
    1,246
    Thanks Mats.

    "As far as I know, Windows File Protection works as DWK suggested, it will usually prompt you that the file is a system file and cannot be deleted, and will not delete it at all."
    Why don't you try it yourself? Windows warns you for a system file but deletes it.

    "It might be a good idea to pull up your task manager to see what processes are running, type each process (like svchost.exe) into google or yahoo or your search engine of choice and look over the responses you get. Most of them should come up as either Microsoft Windows processes for this or that, some might come up for QuickTime or JavaUpdate or your soundcard, video card, etc."
    It's very easy for me to identify malware in processes. But many malware programs hide themselves or come as a system process.

    The infection of IPv9.dll is an "infostealer" trojan that is not a severe threat.
