
Need help - "Windows File Protection" gone nuts!

  • 07-11-2001 8:58pm
    #1
    Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭


    The System Log in Event Viewer is showing that the "Windows File Protection" program has reported errors at least once and occasionally twice every minute for the past couple of days' worth of logs. These errors are along the following lines:
    File replacement was attempted on the protected system file SOME PROGRAM.EXE. This file was restored to the original version to maintain system stability. The file version of the system file is 5.50.4133.2400.

    ... where "SOME PROGRAM.EXE" is one of the following:

    c:\program files\windows nt\pinball\pinball.exe
    c:\program files\windows nt\dialer.exe
    c:\winnt\system32\mspaint.exe
    c:\winnt\system32\dxdiag.exe
    c:\winnt\system32\cmmgr32.exe
    c:\program files\internet explorer\connection wizard\isignup.exe
    c:\program files\internet explorer\connection wizard\inetwiz.exe
    c:\program files\internet explorer\connection wizard\icwconn1.exe
    c:\program files\internet explorer\connection wizard\icwconn2.exe
    c:\program files\outlook express\msimn.exe (Outlook Express)
    c:\program files\outlook express\wabmig.exe
    c:\program files\outlook express\wab.exe
    c:\program files\netmeeting\conf.exe

    --

    The thing is that all this activity by "Windows File Protection" in restoring files "to the original version to maintain system stability" is causing my hard drive to work overtime - presumably overwriting files with the so-called "original version" and writing the log entries ... once or twice EVERY minute... This is slowing the system down considerably - occasionally to an absolute crawl.

    I don't get it, basically... and I was wondering if anyone else did. I thought I'd noticed a connection in that these all seemed to be comms/Internet related apps... so I was going to see if upgrading to IE6 might help.... that was until, of course, I came across a log entry for MSPAINT (which I have NEVER used in this installation of Windows), which has nothing to do with the 'net...

    The system in question is Windows 2000 Professional with Service Packs 1 and then 2 installed. Reported build number is 5.00.2195.

    HELP! (??!?!!?!?)

    --

    Any suggestions appreciated at this stage...

    Cheers,


Comments

  • Registered Users, Registered Users 2 Posts: 1,842 ✭✭✭phaxx


    My guess is a virus infecting them, so Windows goes and restores them, and so on...


  • Closed Accounts Posts: 5,564 ✭✭✭Typedef


    If you post a list of what processes are running it may be possible to extrapolate which, if any, virus is causing the multiple overwrites?
    Also do you have the same problems no matter which user you log in as? If not then might I suggest you zap everything in every user's startup folder?

    Also, if you have a look at what services are running on your system, it may give you an idea of a suspicious program or something.

    Che Lives.


  • Registered Users, Registered Users 2 Posts: 15,463 ✭✭✭✭Supercell


    Does look very suss, have you checked the run folder in your registry, startup folder etc?

    Update your virus scanner definitions and do a full scan.

    Have a weather station?, why not join the Ireland Weather Network - http://irelandweather.eu/



  • Registered Users, Registered Users 2 Posts: 367 ✭✭lphchild


    Looks like Nimda or a variant....

    Are you running IIS?

    lph


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    A virus is, I suppose, a distinct possibility.

    IIS:

    I'm not running IIS - hadn't gotten around to re-installing that part of Win2K yet.

    Users:

    I'm only using one user at the moment - Administrator.

    Startup items:

    The handy little utility "Startup Manager", which can zap any items in the startup folder, the registry (machine - run or user - run), win.ini, etc. reports that only my scanner management program, "internat.exe", QuickTime Task ("qttask.exe" in the system32 folder) and the "Synchronisation Manager" (whatever that is) - mobsync.exe /logon are running.

    Running processes:

    This is a strange one... all the normal processes are there in Task Manager (like system, winlogon, services, spool server, etc.) but some others are appearing with strange names... e.g.: Opera (the web browser) is appearing as "Opera .exe" - this happens when running a bunch of other programs too - a load of spaces before the file extension (".exe") - for example "POWERDVD .exe" - the number of spaces seems to be different each time I run the program as ZoneAlarm doesn't recognise the program by name and asks (again) if that program is allowed access the Internet.... PLUS: These programs that are appearing in Task Manager in this way take an age to load up (and then seem to run at a normal speed) - which is quite suspicious.

    This would seem to point at it being a viral infection... but on a fresh new installation of Windows 2000 Pro, that seems quite strange. The C: drive was wiped (repartitioned), formatted, and Win2K reinstalled on it. The D: (data) drive however was not, and it contains documents, graphics, mp3's, exe's, and loads more, - so I guess a virus is, as I said, a distinct possibility.

    Any further suggestions anyone has would be quite helpful. I take it that efforts on my part to disable the Windows File Protection system are 'silly' to say the least, in that it's probably actually doing its job properly.

    Thanks guys,
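
Added example, not part of any post in this thread: a Python triage sketch for the two indicators reported above, namely Windows File Protection restore events hitting many different protected files in a short span, and process image names with spaces padded in front of `.exe`. The tab-separated export format, the 5-minute window, the function names and all sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Wording of the System log message as quoted in the thread.
WFP_RE = re.compile(
    r"File replacement was attempted on the protected system file (.+?)\. "
    r"This file was restored", re.IGNORECASE)
# Whitespace padded in front of the extension, as in "Opera   .exe".
PADDED_RE = re.compile(r"\s+\.exe$", re.IGNORECASE)

def parse_wfp(lines):
    """Return sorted (timestamp, lowercased path) pairs for WFP restore events."""
    events = []
    for line in lines:
        stamp, _, message = line.partition("\t")
        match = WFP_RE.search(message)
        if match:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            events.append((when, match.group(1).lower()))
    return sorted(events)

def widest_burst(events, window=timedelta(minutes=5)):
    """Return the largest set of distinct files restored inside one sliding window."""
    best, start = set(), 0
    for end, (when, _) in enumerate(events):
        while when - events[start][0] > window:
            start += 1
        files = {path for _, path in events[start:end + 1]}
        if len(files) > len(best):
            best = files
    return best

def padded_image_names(names):
    """Return process image names with whitespace before the .exe extension."""
    return [name for name in names if PADDED_RE.search(name)]

# Constructed sample data: tab-separated "timestamp<TAB>message" export lines.
MSG = ("File replacement was attempted on the protected system file {}. "
       "This file was restored to the original version to maintain system stability.")
SAMPLE_LOG = [
    "2001-11-07 20:01:10\t" + MSG.format(r"c:\winnt\system32\mspaint.exe"),
    "2001-11-07 20:01:55\t" + MSG.format(r"c:\winnt\system32\dxdiag.exe"),
    "2001-11-07 20:02:40\t" + MSG.format(r"c:\program files\netmeeting\conf.exe"),
    "2001-11-07 20:03:05\t" + MSG.format(r"C:\WINNT\system32\mspaint.exe"),
    "2001-11-07 20:03:30\tThe Event log service was started.",
    "2001-11-07 21:30:00\t" + MSG.format(r"c:\winnt\system32\cmmgr32.exe"),
]
SAMPLE_PROCESSES = ["winlogon.exe", "Opera   .exe", "POWERDVD      .exe", "services.exe"]

if __name__ == "__main__":
    burst = widest_burst(parse_wfp(SAMPLE_LOG))
    print(len(burst), "distinct protected files in one window:", sorted(burst))
    print("padded image names:", padded_image_names(SAMPLE_PROCESSES))
```

A single restore event for one file is often just an installer overwriting a system file; several unrelated protected executables restored within minutes of each other is the pattern worth escalating to a full scan.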


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    It was Nimda alright...

    going through my system now, bit by bit, eradicating it, using the latest McAfee software.

    This is my first time really being hit hard by a virus... GRRR!!!


  • Registered Users, Registered Users 2 Posts: 20,099 ✭✭✭✭WhiteWashMan


    bard,
    go to the Symantec web site and there is a small .exe program there especially for erasing the nimda virus. it's only a couple of k as far as i remember.
    it should work better than mcafee


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    By the time I'd gotten to see your reply, WWMan, I'd already cleaned it out using McAfee... however I think I'll download the file anyway... just in case!

    Thanks for the help.

