Page 1 of 2 1 2 LastLast
Results 1 to 15 of 27

Thread: Windows File Protection, How do I tell what was changed?

  1. #1
    Member
    Join Date
    Jun 2002
    Posts
    152

    Windows File Protection, How do I tell what was changed?

    It gives me a file protection alert and keeps popping up asking for the cd, but it never tells me exactly what it was that overwrote or modifed one of my important system files. I really need to know because this problem keeps ocurring. I need to know what's causing this because this thing keeps coming back after system restores, I have to restore because once this message pops up nearly all of my programs become unusable, but after a restore everything goes back to normal. I'm uneasy about giving windows the cd because after upgrading to sp3 months ago there's no telling how outdated the cds files are. Any idea on finding out of the source of these alerts?

  2. #2
    Stark Raving MOD Midknyte's Avatar
    Join Date
    May 2002
    Location
    Arkham Asylum
    Posts
    22,269
    You need to make a slipstreamed SP3 disc. Then use that when the system asks for files.
    http://www.simplyguides.net/guides/u...streamer.shtml

    You can try checking Event Viewer, but I don't think SFC file replacements are logged.

  3. #3
    Ultimate Member Ol'Tunzafun's Avatar
    Join Date
    Jun 2002
    Location
    Canadian prairie
    Posts
    3,798
    First you have to kill the malware that is changing those files. It sounds like it may be embedded in your Restore Points as well which means you will have to delete those restore points; this is a standard practice when cleaning out viruses.

    http://sysopt.earthweb.com/forum/sho...d.php?t=161595

    You should also slipstream SP3 into a new installation disk.

    http://lifehacker.com/386526/slipstr...nstallation-cd

  4. #4
    Member
    Join Date
    Jun 2002
    Posts
    152
    After another system restore I ran spyware doctor and it found quite a bit of stuff. The computer is back to normal now and I hope it stays this way. If not I still need to know how I can determine what files were modified and by what. If Event Viewer isn't the answer can anyone recommend something that can give me more info on these overwrites.

  5. #5
    Mod w/ an attitude Sterling_Aug's Avatar
    Join Date
    Jun 1999
    Location
    Schuylkill Haven, PA 1797
    Posts
    12,786
    Quote Originally Posted by frodo098 View Post
    After another system restore I ran spyware doctor and it found quite a bit of stuff. The computer is back to normal now and I hope it stays this way. If not I still need to know how I can determine what files were modified and by what. If Event Viewer isn't the answer can anyone recommend something that can give me more info on these overwrites.
    Instead of relying on system restore, why not take an image of the system and save it to a CD/DVD/external hard drive. You will never be able to find out what has changed since it could be device drivers, registry settings, dll files, or other Windows system files.

  6. #6
    Member
    Join Date
    Jun 2002
    Posts
    152
    Could you explain a little more? Problem came back so I made a backup of the dll cache to see if I can at least replace what was modified instead of restoring.

  7. #7
    Stark Raving MOD Midknyte's Avatar
    Join Date
    May 2002
    Location
    Arkham Asylum
    Posts
    22,269
    Imaging means to make a snapshot backup with something like Paragon Backup Express or Acronis TrueImage.

    The link to Paragon is in my sig and it is FREE.

    Most virus/spyware fixes tell you to disable system restore anyway.

  8. #8
    Member
    Join Date
    Jun 2002
    Posts
    152
    http://www.softpedia.com/get/System/...-Monitor.shtml
    I just used this program to monitor my dllcache folder and this is just a small sampling of the changes to the folder. Is this typical bahavior or is something way out of whack going on?

    New (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn1.exe.new
    Modified (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn1.exe.new
    Renamed (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn1.exe
    New (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn2.exe.new
    Modified (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn2.exe.new
    Renamed (3/15/2009 1:33 AM): C:\WINDOWS\system32\dllcache\icwconn2.exe

    Imaging means to make a snapshot backup with something like Paragon Backup Express or Acronis TrueImage.

    The link to Paragon is in my sig and it is FREE.

    Most virus/spyware fixes tell you to disable system restore anyway.
    Today 06:25 AM
    So using this method would be better than system restore and do you think a virus could be launching directly from an old restore file? I thought those things were compressed into some kind of inactive format or something.

  9. #9
    Mod w/ an attitude Sterling_Aug's Avatar
    Join Date
    Jun 1999
    Location
    Schuylkill Haven, PA 1797
    Posts
    12,786
    I have never used system restore. It is too unreliiable. I do NOT want to waste hours and hours trying to figure out what .dll files were changed and what registry settings were changed. I want to quickly and easily get a corrupt system up and running, so I make a backup image.

    Yes, viruses have been known to activate from a system restore point.

  10. #10
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    "icwconn1.exe" , "icwconn2.exe" are legit Windows Internet Connection Wizard files to help you setup a internet connection, but some malware may be using them as a hook. I think you should scan for malware , using something other than your current AV in case it has been compromised. Better safe than sorry.

    Check the AV/Antispy sticky for Malwarebyte's , SuperAntispyware and AntiVir . It may help to unplug the internet and scan in safe mode.

    As for backups, if you have malware or any corruption that has been saved in a restore point you can reinfect or replace the corruption if you choose a point in time when you were infected or corrupt. Any restore point prior to this does not apply. To remove any corrupted restore points you have to delete all restore points by disabling system restore. After a system is cleaned , then you re-enable it and set a new restore point. System Restore only restores Windows system files. There is no protection for your data if it was infected and does not clean an already infected system.
    Imaging the drive or partition is done when your pc is running clean and correctly. Using a backup image that is clean restores the entire drive or partition to the point in time it was created in less than an hour usually.

  11. #11
    Member
    Join Date
    Jun 2002
    Posts
    152
    I posted that log to show and ask if the behavior was normal as in how the files gets named with a .new extention and then gets changed back. That was just a small sampling of the log, it's doing this pattern with just about every windows dll and exe file.
    New (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrpamp.exe.new
    Modified (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrpamp.exe.new
    Renamed (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    New (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrnlmp.exe.new
    Modified (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrnlmp.exe.new
    Renamed (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    New (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\notepad.exe.new
    Modified (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\notepad.exe.new
    Deleted (3/15/2009 5:33 AM): C:\WINDOWS\system32\dllcache\notepad.exe.new
    New (3/15/2009 5:35 AM): C:\WINDOWS\system32\dllcache\nw16.exe.new
    Modified (3/15/2009 5:35 AM): C:\WINDOWS\system32\dllcache\nw16.exe.new
    Renamed (3/15/2009 5:35 AM): C:\WINDOWS\system32\dllcache\nw16.exe
    New (3/15/2009 5:38 AM): C:\WINDOWS\system32\dllcache\progman.exe.new
    Modified (3/15/2009 5:38 AM): C:\WINDOWS\system32\dllcache\progman.exe.new
    Renamed (3/15/2009 5:38 AM): C:\WINDOWS\system32\dllcache\progman.exe
    New (3/15/2009 5:39 AM): C:\WINDOWS\system32\dllcache\recover.exe.new
    Modified (3/15/2009 5:39 AM): C:\WINDOWS\system32\dllcache\recover.exe.new
    Renamed (3/15/2009 5:39 AM): C:\WINDOWS\system32\dllcache\recover.exe
    Just wondering if this is normal for the dllcache files to change this often or is this a sign of some virus?

    I'm also going to have to do a clean and disable system restore and see what happens.

  12. #12
    Member
    Join Date
    Jun 2002
    Posts
    152
    Ok, so I did the disable and it got rid of all the system restore points and so far the file protection thing hasn't happened again. It looks like the Avira software did the job, but now I can't turn system restore back on. I know now there's probably better options, but for now I just wanted to back some kind of emergency option. This feature has save my **** many-a-time.

    I tried the right-click install on the sr.inf file and it didn't work. Also the tab for system restore is all the way gone too. I found out I could bring it back by adding a "1" to the disablesr entry, but it eventually disappears from the registry along with the tab. Can anyone help me with this last prob.

  13. #13
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    Try the MSKB article 1st : http://support.microsoft.com/kb/q302796/

    Another option is with a WinXP CD in, enter "rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf " without the quotes from the RUN box.

  14. #14
    Member
    Join Date
    Jun 2002
    Posts
    152
    Yeah I did the inf thing with that paste method too and the tab was still gone. I tried the net start option in cmd and it said it was started but in services it was still set to automatic and giving me the access denied error 5 when I tried to turn it on.

    Disabling the turn off system restore in group edit seems like it would do the job too, but alas nothing. Note, I only bothered with this option after everything else failed. Is this any other methods for getting this on?

  15. #15
    Senior Member Lgbpop's Avatar
    Join Date
    Dec 2006
    Location
    Yes
    Posts
    948
    If you would just make an image of your clean system and update THAT occasionally, you wouldn't need something as unreliable as System Restore. Look at all the problems you had relying upon it to date. Perhaps its being rendered unusable is Divine inspiration.
    Thank God we're not getting all of the government we're paying for!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •