Delete a file and it comes straight back

[Martinm4884]

My software requies the Windows NT version of Riched32.dll, if I delete it then it appears to go but comes straight back, if I rename it that appears to work but a new one appears with the original name. If I start in Safe mode then it deletes ok and I can copy in the required NT version.

I have re-formatted the entire C drive (only 1 disc in PC) and re-installed Windows XP Professional and the problem is still the same. The re-install is apparently missing various drivers and Internet access is not possible at present but I dont want to waste time on the installation if it will all need doing again.

Hope you can help, Martin

 

[Bobbye]

I'm going to have your thread moved to a more appropriate forum.

 

[Zen]

Forgive me, I'm not really wanting to imply anything here, but I've got one question, "is your copy of Windows XP legit"? I only ask for sometimes people I know who try and install either "bootlegged" or "modified copy's, via a third party's hand" or "badly burnt copy's" will react similarly as what you described. You know, the whole missing drivers and Internet access, stuff like that.

 

[Martinm4884]

Hi Zen, Yes it is a legal copy installed from an original Microsoft CD (with hologram) I have now installed the drivers from the dell website and every thing is now running including internet access. Still got the problem!

 

[Martinm4884]

Copied DDS from other pc but it is immediately deleted.

I have tried to follow the 5step virus plan but DDS wont save, "Access denied" error. So I downloaded to my laptop and then copied it to the problem pc and although it appeared on the exlorer screen it disappeared a moment later. What should I do please?

 

[Bobbye]

Comment to Zen: while you are correct in some of the comments regarding some of the problem that can occur on a illegal copy of the OS, you should also know that malware- especially the rootkits so prevelent now, can also cause some of the same problems.

Martin, I had your thread moved out of the Virus and Malware forum hoping that someone would take a look at the drivers perhaps in a minidump.

You do not need to continue ith the malware scans such as DDS at this point.
=============================
Having said that, I'll return to what I was going to say originally:

As you know, Riched32.dll is a legitimats process.The version you have was most likely pre-installed on the system, or possibly installed by a 3rd party software program. My guess is that the delete hold in Safe Mode because whatever is using the file doesn't start in Safe Mode. Then when you boot into Normal Mode, that program looks for Riched32.dll, finds it and starts it up.

I found the follwing that should help you. It appears it's not quite as simple to change the version as you would like:

INFO: Distribution Issues with Riched32.dll> http://support.microsoft.com/kb/197580

Please check the information and see if this helps you make the change.

Additionally, if it is also a Permission issue (access denied), the following may help:

Add "Take Ownership" to Explorer Right-Click Menu in Win 7 or Vista

DownloadTakeOwnership.zip and save to your desktop.

• Unzip (extract) the files contained in the zipfile.
• Double-click the InstallTakeOwnership.reg file and click through the prompts.
  
  
• Confirm YES for notice about using the Registry Editor
• No reboot necessary.

Here’s what the new right-click menu will look like after installing this registry hack.

(Images courtesy howtogeek)
This should allow you to do the right click on those parts of the system that are denying you permissions and 'take ownership.'
===================================
I will stay subscribed so let me know if these help.

 

[Martinm4884]

Thanks for that information. I have done this simple copy of riched32.dll on at least 20 pcs since XP was released including the one I am having problems with now which leads me to believe it is a virus but I dont understand how it can survive a complete disc format. This pc was attacked by a virus prior to my re-formatting the drive, this was 'fixed' by a colleague but I think it is still infected.

 

[jmjsquared]

-- The file in question did not survive a reformat.

Perhapsing here:
-- Do the hashes of the installed DLL file and the installation-medium's copy match? If so, you can rule out a virus. Further, that may indicate that Windows is detecting the changed/copied DLL as a "violation" which it "fixes" from its store, much like SFC does, right? The reason that you would not see the "fix" in SAFE Mode is because, as you know, the RPC Locator service needed for SFC cannot run in SAFE Mode and, therefore, Windows waits until you NORMAL-boot to replace the file. However, I am curious why after 20+ previous installations, you're having this problem now.

 

[Martinm4884]

Thanks for the reponse 'jmjsquared', I dont know how to find Riched32.dll on the Microsoft XP installation disc, I had assumed it was packed or zipped with all the other Windows stuff.
Your logic makes sense to me but it doesnt explain DDS being deleted as soon as it is copied onto the pc.

 

[jmjsquared]

You got a conditional "clean bill-of-health" from Bobbye and there is no indication that your copy of Riched32.dll has been infected/compromised. I do not have an XP disc at hand now, but I believe you can do a simple seach of your installation disk/image, looking for riched32.dl_ . Please note the underscore instead of the second "L". It should be in the Windows\System32 folder on a 32-bit disk AND in SysWOW64 on a 64-bit system.

--The DDS Tool may be being detected as a dangerous script by your anti-virus which then deletes/quarantines it automatically.
Temporarily disable your real-time protection(s).

-- You've received other "access denied" errors and, possibly, are being denied permission to save DDS.scr to the desktop.
Assuming you log on as Administrator, in addition to "Take/Own" as earlier suggested, you can find a great, free Tool to manage/reset permissions here: http://helgeklein.com/download/

 

[Martinm4884]

OK thanks, found it on the installation cd (without the final L as you said) & it is 2kb, the one in Windows/system32 is 4kb. I thought it was 5kb yesterday but I could be wrong! The NT version is 170kb by the way.

 

[jmjsquared]

Great!

But... the 170KB size is w-a-y larger than in Windows 7-64bit (8.50/10.50KB - System32/SysWOW64) or in my VMWare Windows XP Sp3 - 32bit (3.50KB) installations. Is that normal for the NT version? Perhaps an upload to VirusTotal is a good idea to make sure the file really is clean. http://www.virustotal.com/

BTW, the 2.0KB DL_ on your installation CD is compressed. So, the 4.0KB DLL in System32, being expanded, is about the right size.

B&BTW, Martinm4884: What software requires the Windows NT DLL? And, why not copy it into that software's directory instead of into System32, leaving Windows XP's preferred version unchanged?

EDIT #2: Googling around seems to indicate that the 170KB-sized Riched32.dll file is intended for installation in a specific program's directory; for example, Microsoft's Visual Basic's. The 3.5 - 10.5 KB-sized files belong in the System's folder(s) and should NOT be replaced.

 

[Bobbye]

I don't know what's going on with DDS but if you're intent in running it, try this:

Please download the corresponding file for your operating system:

XP[/url.

[url=http://www.winhelponline.com/fileasso/scrfix_vista.zip]Vista

Windows 7

Extract (unzip) the file onto your desktop, double-click on it and choose Yes to merge the file into the registry when prompted. Afterwards you should then be able to run DDS.scr.















Please download this file: xp_scr_fix

Unpack (unzip) the file onto your desktop and double-click it. You will be asked if you wish to merge the file with you registry, say Yes.

You should then be able to run DDS.scr. It's the .scr file extension causing the problem.
===================================
Please note: DDS does not find and/or remove malware. It just shows what running on the system, installed programs, errors,