Has been file replaced?

  • Thread starter Thread starter Santander
  • Start date Start date
S

Santander

Guest
Someone run untested self-extracting archive (executable) on work PC. I
checked Event Viewer tasks and find there:

System -> Source: Windows File Protection

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 2008.09.17.
Time: 9:59:49
User: N/A
Computer: UserName
Description:
File replacement was attempted on the protected system file setup.exe. This
file was restored to the original version to maintain system stability. The
file version of the system file is 5.1.2600.5512.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Has been replaced this system file or not?(is if was restored). What is this
file and where?

Thanks.
 
Re: Has been file replaced?


"Santander" <santander@microsoft.news> wrote in message
news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
> Someone run untested self-extracting archive (executable) on work PC. I
> checked Event Viewer tasks and find there:
>
> System -> Source: Windows File Protection
>
> Event Type: Information
> Event Source: Windows File Protection
> Event Category: None
> Event ID: 64002
> Date: 2008.09.17.
> Time: 9:59:49
> User: N/A
> Computer: UserName
> Description:
> File replacement was attempted on the protected system file setup.exe.
> This
> file was restored to the original version to maintain system stability.
> The
> file version of the system file is 5.1.2600.5512.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Has been replaced this system file or not?(is if was restored). What is
> this file and where?
>
> Thanks.
>

It appears that you tried to replace the system file setup.exe with a
different file. The Windows File Protection mechanism subsequently restored
the file to its original version.
 
Re: Has been file replaced?

The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.


> "file version of the system file is 5.1.2600.5512"

That is correct for WinXP SP3. 'Windows File Protection' has done its job. Everything
looks fine.


ju.c


"Santander" <santander@microsoft.news> wrote in message
news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
> Someone run untested self-extracting archive (executable) on work PC. I checked Event
> Viewer tasks and find there:
>
> System -> Source: Windows File Protection
>
> Event Type: Information
> Event Source: Windows File Protection
> Event Category: None
> Event ID: 64002
> Date: 2008.09.17.
> Time: 9:59:49
> User: N/A
> Computer: UserName
> Description:
> File replacement was attempted on the protected system file setup.exe. This
> file was restored to the original version to maintain system stability. The
> file version of the system file is 5.1.2600.5512.
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Has been replaced this system file or not?(is if was restored). What is this file and
> where?
>
> Thanks.
>
>
 
Re: Has been file replaced?

I find no setup.exe in windows system32 folder, there is setupapi.dll v.
5.1.2600.5512 setupdll.dll v. 5.1.2600.0
The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR
archive.

Not clear why this utility tried to replace setup. Probably virus??
I checked file on online scanner, http://www.virustotal.com, and few
antiviruses show that there is a virus:

Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
eSafe 7.0.17.0 2008.09.17 Suspicious File
Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
eSafe 7.0.17.0 2008.09.17 Suspicious File

NOD32 and Kaspersky does not detected anything. Is this false positive? But
we know new viruses appears every day. Please give the advice.

-------------




"ju.c" <bibidybubidyboop@mailnator.com> wrote in message
news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>
>
>> "file version of the system file is 5.1.2600.5512"
>
> That is correct for WinXP SP3. 'Windows File Protection' has done its job.
> Everything looks fine.
>
>
> ju.c
>
>
> "Santander" <santander@microsoft.news> wrote in message
> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>> Someone run untested self-extracting archive (executable) on work PC. I
>> checked Event Viewer tasks and find there:
>>
>> System -> Source: Windows File Protection
>>
>> Event Type: Information
>> Event Source: Windows File Protection
>> Event Category: None
>> Event ID: 64002
>> Date: 2008.09.17.
>> Time: 9:59:49
>> User: N/A
>> Computer: UserName
>> Description:
>> File replacement was attempted on the protected system file setup.exe.
>> This
>> file was restored to the original version to maintain system stability.
>> The
>> file version of the system file is 5.1.2600.5512.
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>>
>> Has been replaced this system file or not?(is if was restored). What is
>> this file and where?
>>
>> Thanks.
>>
>>
 
Re: Has been file replaced?

It could be infected, or it could be a false positive. Hard to say.
If you don't need it, delete it.

To restore setup.exe, insert the Windows CD, if it auto starts select exit, and open the
Run box and enter:

sfc /scannow


ju.c


"Santander" <santander@microsoft.news> wrote in message
news:#Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
> I find no setup.exe in windows system32 folder, there is setupapi.dll v. 5.1.2600.5512
> setupdll.dll v. 5.1.2600.0
> The application is old HHD Sector Scan utility (Floppy Version) 3.0 from SalvationDATA
> Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR archive.
>
> Not clear why this utility tried to replace setup. Probably virus??
> I checked file on online scanner, http://www.virustotal.com, and few antiviruses show
> that there is a virus:
>
> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
> eSafe 7.0.17.0 2008.09.17 Suspicious File
> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
> eSafe 7.0.17.0 2008.09.17 Suspicious File
>
> NOD32 and Kaspersky does not detected anything. Is this false positive? But we know new
> viruses appears every day. Please give the advice.
>
> -------------
>
>
>
>
> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>
>>
>>> "file version of the system file is 5.1.2600.5512"
>>
>> That is correct for WinXP SP3. 'Windows File Protection' has done its job. Everything
>> looks fine.
>>
>>
>> ju.c
>>
>>
>> "Santander" <santander@microsoft.news> wrote in message
>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>> Someone run untested self-extracting archive (executable) on work PC. I checked Event
>>> Viewer tasks and find there:
>>>
>>> System -> Source: Windows File Protection
>>>
>>> Event Type: Information
>>> Event Source: Windows File Protection
>>> Event Category: None
>>> Event ID: 64002
>>> Date: 2008.09.17.
>>> Time: 9:59:49
>>> User: N/A
>>> Computer: UserName
>>> Description:
>>> File replacement was attempted on the protected system file setup.exe. This
>>> file was restored to the original version to maintain system stability. The
>>> file version of the system file is 5.1.2600.5512.
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>>
>>> Has been replaced this system file or not?(is if was restored). What is this file and
>>> where?
>>>
>>> Thanks.
>>>
>>>
>
 
Re: Has been file replaced?

Here are the details for c:\windows\system32\setup.exe on my WinXP Pro
machine:
--a-- W32i APP ENU 5.1.2600.5512 shp 23,040 04-14-2008 setup.exe

Perhaps your file is hidden. If it is really missing then you can restore it
from the i386 folder of your WinXP installation CD. In this case the Windows
File Protection mechanism won't interfere.


"Santander" <santander@microsoft.news> wrote in message
news:%23Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
>I find no setup.exe in windows system32 folder, there is setupapi.dll v.
>5.1.2600.5512 setupdll.dll v. 5.1.2600.0
> The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
> SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR
> archive.
>
> Not clear why this utility tried to replace setup. Probably virus??
> I checked file on online scanner, http://www.virustotal.com, and few
> antiviruses show that there is a virus:
>
> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
> eSafe 7.0.17.0 2008.09.17 Suspicious File
> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
> eSafe 7.0.17.0 2008.09.17 Suspicious File
>
> NOD32 and Kaspersky does not detected anything. Is this false positive?
> But we know new viruses appears every day. Please give the advice.
>
> -------------
>
>
>
>
> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>
>>
>>> "file version of the system file is 5.1.2600.5512"
>>
>> That is correct for WinXP SP3. 'Windows File Protection' has done its
>> job. Everything looks fine.
>>
>>
>> ju.c
>>
>>
>> "Santander" <santander@microsoft.news> wrote in message
>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>> Someone run untested self-extracting archive (executable) on work PC. I
>>> checked Event Viewer tasks and find there:
>>>
>>> System -> Source: Windows File Protection
>>>
>>> Event Type: Information
>>> Event Source: Windows File Protection
>>> Event Category: None
>>> Event ID: 64002
>>> Date: 2008.09.17.
>>> Time: 9:59:49
>>> User: N/A
>>> Computer: UserName
>>> Description:
>>> File replacement was attempted on the protected system file setup.exe.
>>> This
>>> file was restored to the original version to maintain system stability.
>>> The
>>> file version of the system file is 5.1.2600.5512.
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>>
>>> Has been replaced this system file or not?(is if was restored). What is
>>> this file and where?
>>>
>>> Thanks.
>>>
>>>
>
 
Re: Has been file replaced?

I enabled to show hidden files, but there are no setup.exe
If this protected system file exist and the file "file was restored to the
original version to maintain system stability" as show th EventViewer, where
is this file?
Or it can be lost during SP3 update process? How to search for this file
with Search tool with advanced command to show hidden files?

To restore setup.exe from CD, how long this can take?
sfc /scannow

------------------



"Pegasus (MVP)" <I.can@fly.com.oz> wrote in message
news:uC0hT0XGJHA.4056@TK2MSFTNGP05.phx.gbl...
> Here are the details for c:\windows\system32\setup.exe on my WinXP Pro
> machine:
> --a-- W32i APP ENU 5.1.2600.5512 shp 23,040 04-14-2008 setup.exe
>
> Perhaps your file is hidden. If it is really missing then you can restore
> it from the i386 folder of your WinXP installation CD. In this case the
> Windows File Protection mechanism won't interfere.
>
>
> "Santander" <santander@microsoft.news> wrote in message
> news:%23Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
>>I find no setup.exe in windows system32 folder, there is setupapi.dll v.
>>5.1.2600.5512 setupdll.dll v. 5.1.2600.0
>> The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
>> SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR
>> archive.
>>
>> Not clear why this utility tried to replace setup. Probably virus??
>> I checked file on online scanner, http://www.virustotal.com, and few
>> antiviruses show that there is a virus:
>>
>> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>
>> NOD32 and Kaspersky does not detected anything. Is this false positive?
>> But we know new viruses appears every day. Please give the advice.
>>
>> -------------
>>
>>
>>
>>
>> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
>> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>>
>>>
>>>> "file version of the system file is 5.1.2600.5512"
>>>
>>> That is correct for WinXP SP3. 'Windows File Protection' has done its
>>> job. Everything looks fine.
>>>
>>>
>>> ju.c
>>>
>>>
>>> "Santander" <santander@microsoft.news> wrote in message
>>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>>> Someone run untested self-extracting archive (executable) on work PC. I
>>>> checked Event Viewer tasks and find there:
>>>>
>>>> System -> Source: Windows File Protection
>>>>
>>>> Event Type: Information
>>>> Event Source: Windows File Protection
>>>> Event Category: None
>>>> Event ID: 64002
>>>> Date: 2008.09.17.
>>>> Time: 9:59:49
>>>> User: N/A
>>>> Computer: UserName
>>>> Description:
>>>> File replacement was attempted on the protected system file setup.exe.
>>>> This
>>>> file was restored to the original version to maintain system stability.
>>>> The
>>>> file version of the system file is 5.1.2600.5512.
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>
>>>> Has been replaced this system file or not?(is if was restored). What is
>>>> this file and where?
>>>>
>>>> Thanks.
>>>>
>>>>
>>
>
>
 
Re: Has been file replaced?

I deleted it, but since other person launched that file on my PC, I have no
idea what modification it done.
Can EventViewer show wrong report?

-------------


"ju.c" <bibidybubidyboop@mailnator.com> wrote in message
news:OIP2WxXGJHA.4760@TK2MSFTNGP05.phx.gbl...
> It could be infected, or it could be a false positive. Hard to say.
> If you don't need it, delete it.
>
> To restore setup.exe, insert the Windows CD, if it auto starts select
> exit, and open the Run box and enter:
>
> sfc /scannow
>
>
> ju.c
>
>
> "Santander" <santander@microsoft.news> wrote in message
> news:#Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
>> I find no setup.exe in windows system32 folder, there is setupapi.dll v.
>> 5.1.2600.5512 setupdll.dll v. 5.1.2600.0
>> The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
>> SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR
>> archive.
>>
>> Not clear why this utility tried to replace setup. Probably virus??
>> I checked file on online scanner, http://www.virustotal.com, and few
>> antiviruses show that there is a virus:
>>
>> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>
>> NOD32 and Kaspersky does not detected anything. Is this false positive?
>> But we know new viruses appears every day. Please give the advice.
>>
>> -------------
>>
>>
>>
>>
>> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
>> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>>
>>>
>>>> "file version of the system file is 5.1.2600.5512"
>>>
>>> That is correct for WinXP SP3. 'Windows File Protection' has done its
>>> job. Everything looks fine.
>>>
>>>
>>> ju.c
>>>
>>>
>>> "Santander" <santander@microsoft.news> wrote in message
>>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>>> Someone run untested self-extracting archive (executable) on work PC. I
>>>> checked Event Viewer tasks and find there:
>>>>
>>>> System -> Source: Windows File Protection
>>>>
>>>> Event Type: Information
>>>> Event Source: Windows File Protection
>>>> Event Category: None
>>>> Event ID: 64002
>>>> Date: 2008.09.17.
>>>> Time: 9:59:49
>>>> User: N/A
>>>> Computer: UserName
>>>> Description:
>>>> File replacement was attempted on the protected system file setup.exe.
>>>> This
>>>> file was restored to the original version to maintain system stability.
>>>> The
>>>> file version of the system file is 5.1.2600.5512.
>>>> For more information, see Help and Support Center at
>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>
>>>> Has been replaced this system file or not?(is if was restored). What is
>>>> this file and where?
>>>>
>>>> Thanks.
>>>>
>>>>
>>
 
Re: Has been file replaced?

There are two ways in which this file can get lost:
1. You delete it by mistake.
2. It gets deleted by malware or by a virus.

The SP3 installation will NOT delete this file. You can restore it like so:
1. Click Start/Run/cmd{OK}
2. Type this command:
expand X:\i386\setup.ex_ c:\windows\system32\setup.exe{Enter}
(Replace X: with the drive letter of your CD drive)

"Santander" <santander@microsoft.news> wrote in message
news:eQbq$SYGJHA.5244@TK2MSFTNGP04.phx.gbl...
>I enabled to show hidden files, but there are no setup.exe
> If this protected system file exist and the file "file was restored to
> the original version to maintain system stability" as show th EventViewer,
> where is this file?
> Or it can be lost during SP3 update process? How to search for this file
> with Search tool with advanced command to show hidden files?
>
> To restore setup.exe from CD, how long this can take?
> sfc /scannow
>
> ------------------
>
>
>
> "Pegasus (MVP)" <I.can@fly.com.oz> wrote in message
> news:uC0hT0XGJHA.4056@TK2MSFTNGP05.phx.gbl...
>> Here are the details for c:\windows\system32\setup.exe on my WinXP Pro
>> machine:
>> --a-- W32i APP ENU 5.1.2600.5512 shp 23,040 04-14-2008 setup.exe
>>
>> Perhaps your file is hidden. If it is really missing then you can restore
>> it from the i386 folder of your WinXP installation CD. In this case the
>> Windows File Protection mechanism won't interfere.
>>
>>
>> "Santander" <santander@microsoft.news> wrote in message
>> news:%23Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
>>>I find no setup.exe in windows system32 folder, there is setupapi.dll v.
>>>5.1.2600.5512 setupdll.dll v. 5.1.2600.0
>>> The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
>>> SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX
>>> RAR archive.
>>>
>>> Not clear why this utility tried to replace setup. Probably virus??
>>> I checked file on online scanner, http://www.virustotal.com, and few
>>> antiviruses show that there is a virus:
>>>
>>> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
>>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
>>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>>
>>> NOD32 and Kaspersky does not detected anything. Is this false positive?
>>> But we know new viruses appears every day. Please give the advice.
>>>
>>> -------------
>>>
>>>
>>>
>>>
>>> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
>>> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>>>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>>>
>>>>
>>>>> "file version of the system file is 5.1.2600.5512"
>>>>
>>>> That is correct for WinXP SP3. 'Windows File Protection' has done its
>>>> job. Everything looks fine.
>>>>
>>>>
>>>> ju.c
>>>>
>>>>
>>>> "Santander" <santander@microsoft.news> wrote in message
>>>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>>>> Someone run untested self-extracting archive (executable) on work PC.
>>>>> I checked Event Viewer tasks and find there:
>>>>>
>>>>> System -> Source: Windows File Protection
>>>>>
>>>>> Event Type: Information
>>>>> Event Source: Windows File Protection
>>>>> Event Category: None
>>>>> Event ID: 64002
>>>>> Date: 2008.09.17.
>>>>> Time: 9:59:49
>>>>> User: N/A
>>>>> Computer: UserName
>>>>> Description:
>>>>> File replacement was attempted on the protected system file setup.exe.
>>>>> This
>>>>> file was restored to the original version to maintain system
>>>>> stability. The
>>>>> file version of the system file is 5.1.2600.5512.
>>>>> For more information, see Help and Support Center at
>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>
>>>>> Has been replaced this system file or not?(is if was restored). What
>>>>> is this file and where?
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>
>>
>>
>
 
Re: Has been file replaced?

I am sure I did not deleted this file. I copied this file from CD, though I
typed this command not in DOS box, but directly in Run window (by mistake),
so this also works.
File version. is 5.1.2600.5512
So the thing is what deleted it from system32 folder.

------------


"Pegasus (MVP)" <I.can@fly.com.oz> wrote in message
news:u1tA9yYGJHA.4992@TK2MSFTNGP04.phx.gbl...
> There are two ways in which this file can get lost:
> 1. You delete it by mistake.
> 2. It gets deleted by malware or by a virus.
>
> The SP3 installation will NOT delete this file. You can restore it like
> so:
> 1. Click Start/Run/cmd{OK}
> 2. Type this command:
> expand X:\i386\setup.ex_ c:\windows\system32\setup.exe{Enter}
> (Replace X: with the drive letter of your CD drive)
>
> "Santander" <santander@microsoft.news> wrote in message
> news:eQbq$SYGJHA.5244@TK2MSFTNGP04.phx.gbl...
>>I enabled to show hidden files, but there are no setup.exe
>> If this protected system file exist and the file "file was restored to
>> the original version to maintain system stability" as show th
>> EventViewer,
>> where is this file?
>> Or it can be lost during SP3 update process? How to search for this file
>> with Search tool with advanced command to show hidden files?
>>
>> To restore setup.exe from CD, how long this can take?
>> sfc /scannow
>>
>> ------------------
>>
>>
>>
>> "Pegasus (MVP)" <I.can@fly.com.oz> wrote in message
>> news:uC0hT0XGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>> Here are the details for c:\windows\system32\setup.exe on my WinXP Pro
>>> machine:
>>> --a-- W32i APP ENU 5.1.2600.5512 shp 23,040 04-14-2008 setup.exe
>>>
>>> Perhaps your file is hidden. If it is really missing then you can
>>> restore
>>> it from the i386 folder of your WinXP installation CD. In this case the
>>> Windows File Protection mechanism won't interfere.
>>>
>>>
>>> "Santander" <santander@microsoft.news> wrote in message
>>> news:%23Hqd$fXGJHA.1268@TK2MSFTNGP05.phx.gbl...
>>>>I find no setup.exe in windows system32 folder, there is setupapi.dll
>>>>v.
>>>>5.1.2600.5512 setupdll.dll v. 5.1.2600.0
>>>> The application is old HHD Sector Scan utility (Floppy Version) 3.0
>>>> from
>>>> SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX
>>>> RAR archive.
>>>>
>>>> Not clear why this utility tried to replace setup. Probably virus??
>>>> I checked file on online scanner, http://www.virustotal.com, and few
>>>> antiviruses show that there is a virus:
>>>>
>>>> Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
>>>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>>> Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
>>>> eSafe 7.0.17.0 2008.09.17 Suspicious File
>>>>
>>>> NOD32 and Kaspersky does not detected anything. Is this false positive?
>>>> But we know new viruses appears every day. Please give the advice.
>>>>
>>>> -------------
>>>>
>>>>
>>>>
>>>>
>>>> "ju.c" <bibidybubidyboop@mailnator.com> wrote in message
>>>> news:OvCfwBXGJHA.768@TK2MSFTNGP05.phx.gbl...
>>>>> The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.
>>>>>
>>>>>
>>>>>> "file version of the system file is 5.1.2600.5512"
>>>>>
>>>>> That is correct for WinXP SP3. 'Windows File Protection' has done its
>>>>> job. Everything looks fine.
>>>>>
>>>>>
>>>>> ju.c
>>>>>
>>>>>
>>>>> "Santander" <santander@microsoft.news> wrote in message
>>>>> news:erUoA4WGJHA.4056@TK2MSFTNGP05.phx.gbl...
>>>>>> Someone run untested self-extracting archive (executable) on work PC.
>>>>>> I checked Event Viewer tasks and find there:
>>>>>>
>>>>>> System -> Source: Windows File Protection
>>>>>>
>>>>>> Event Type: Information
>>>>>> Event Source: Windows File Protection
>>>>>> Event Category: None
>>>>>> Event ID: 64002
>>>>>> Date: 2008.09.17.
>>>>>> Time: 9:59:49
>>>>>> User: N/A
>>>>>> Computer: UserName
>>>>>> Description:
>>>>>> File replacement was attempted on the protected system file
>>>>>> setup.exe.
>>>>>> This
>>>>>> file was restored to the original version to maintain system
>>>>>> stability. The
>>>>>> file version of the system file is 5.1.2600.5512.
>>>>>> For more information, see Help and Support Center at
>>>>>> http://go.microsoft.com/fwlink/events.asp.
>>>>>>
>>>>>> Has been replaced this system file or not?(is if was restored). What
>>>>>> is this file and where?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>
>
>
 
Re: Has been file replaced?


"Santander" <santander@microsoft.news> wrote in message
news:eNtEZKZGJHA.5084@TK2MSFTNGP02.phx.gbl...
>I am sure I did not deleted this file. I copied this file from CD, though I
>typed this command not in DOS box, but directly in Run window (by mistake),
>so this also works.
> File version. is 5.1.2600.5512
> So the thing is what deleted it from system32 folder.

I gave you the two possible reasons in my previous reply. Since this is your
machine and not mine, you're the best judge to pick the most likely one.
 
Back
Top