Has been file replaced?

[Santander]

Someone run untested self-extracting archive (executable) on work PC. I
checked Event Viewer tasks and find there:

System -> Source: Windows File Protection

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 2008.09.17.
Time: 9:59:49
User: N/A
Computer: UserName
Description:
File replacement was attempted on the protected system file setup.exe. This
file was restored to the original version to maintain system stability. The
file version of the system file is 5.1.2600.5512.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Has been replaced this system file or not?(is if was restored). What is this
file and where?

Thanks.

 

[Pegasus \(MVP\)]

Someone run untested self-extracting archive (executable) on work PC. I
checked Event Viewer tasks and find there:

System -> Source: Windows File Protection

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 2008.09.17.
Time: 9:59:49
User: N/A
Computer: UserName
Description:
File replacement was attempted on the protected system file setup.exe.
This
file was restored to the original version to maintain system stability.
The
file version of the system file is 5.1.2600.5512.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Has been replaced this system file or not?(is if was restored). What is
this file and where?

Thanks.

It appears that you tried to replace the system file setup.exe with a
different file. The Windows File Protection mechanism subsequently restored
the file to its original version.

 

[ju.c]

The Windows file "setup.exe" is located in 'C:\WINDOWS\system32'.

"file version of the system file is 5.1.2600.5512"

That is correct for WinXP SP3. 'Windows File Protection' has done its job. Everything
looks fine.


ju.c

 

[Santander]

I find no setup.exe in windows system32 folder, there is setupapi.dll v.
5.1.2600.5512 setupdll.dll v. 5.1.2600.0
The application is old HHD Sector Scan utility (Floppy Version) 3.0 from
SalvationDATA Technology Inc. File name hsr3.0floppysetup.exe is SFX RAR
archive.

Not clear why this utility tried to replace setup. Probably virus??
I checked file on online scanner, http://www.virustotal.com, and few
antiviruses show that there is a virus:

Avast 4.8.1195.0 2008.09.17 Win32:Spyware-gen
eSafe 7.0.17.0 2008.09.17 Suspicious File
Ikarus T3.1.1.34.0 2008.09.18 Virus.Win32.Spyware
eSafe 7.0.17.0 2008.09.17 Suspicious File

NOD32 and Kaspersky does not detected anything. Is this false positive? But
we know new viruses appears every day. Please give the advice.

 

[ju.c]

It could be infected, or it could be a false positive. Hard to say.
If you don't need it, delete it.

To restore setup.exe, insert the Windows CD, if it auto starts select exit, and open the
Run box and enter:

sfc /scannow


ju.c

 

[Pegasus \(MVP\)]

Here are the details for c:\windows\system32\setup.exe on my WinXP Pro
machine:
--a-- W32i APP ENU 5.1.2600.5512 shp 23,040 04-14-2008 setup.exe

Perhaps your file is hidden. If it is really missing then you can restore it
from the i386 folder of your WinXP installation CD. In this case the Windows
File Protection mechanism won't interfere.

 

[Santander]

I enabled to show hidden files, but there are no setup.exe
If this protected system file exist and the file "file was restored to the
original version to maintain system stability" as show th EventViewer, where
is this file?
Or it can be lost during SP3 update process? How to search for this file
with Search tool with advanced command to show hidden files?

To restore setup.exe from CD, how long this can take?
sfc /scannow

 

[Santander]

I deleted it, but since other person launched that file on my PC, I have no
idea what modification it done.
Can EventViewer show wrong report?

 

[Pegasus \(MVP\)]

There are two ways in which this file can get lost:
1. You delete it by mistake.
2. It gets deleted by malware or by a virus.

The SP3 installation will NOT delete this file. You can restore it like so:
1. Click Start/Run/cmd{OK}
2. Type this command:
expand X:\i386\setup.ex_ c:\windows\system32\setup.exe{Enter}
(Replace X: with the drive letter of your CD drive)

 

[Santander]

I am sure I did not deleted this file. I copied this file from CD, though I
typed this command not in DOS box, but directly in Run window (by mistake),
so this also works.
File version. is 5.1.2600.5512
So the thing is what deleted it from system32 folder.

 

[Pegasus \(MVP\)]

I am sure I did not deleted this file. I copied this file from CD, though I
typed this command not in DOS box, but directly in Run window (by mistake),
so this also works.
File version. is 5.1.2600.5512
So the thing is what deleted it from system32 folder.

I gave you the two possible reasons in my previous reply. Since this is your
machine and not mine, you're the best judge to pick the most likely one.