Security Incidents mailing list archives

1,800 files missing from system32


From: Joe Blatz <sd_wireless () yahoo com>
Date: Thu, 14 Oct 2004 07:16:08 -0700 (PDT)

A customer's Windows 2000 server has come up as
missing about 1,800 files from system32. Anyone seen
this happen? 

This is about the tenth time this has happened to a
customer of ours. It's happened at multiple sites and
servers. It's ONLY happening on W2k servers (DCs and
non-DCs). They are running up to date Symantec AV
signatures. 

We've had problems getting to the systems to perform
any meaningful analysis before they get rebuilt. 

I was able to review the event logs on one system and
while I found no smoking gun I did find a few things
that I found odd. 
1. At precisely 9:00:00 AM Windows File Protection
kicked in when 35 files in "common files\microsoft
shared", "common files\system\ado", and "common
files\system\msadc", as well as these three:
trialoc.dll, wb32.exe and wordpad.exe were restored by
WFP.

2. Event ID 1202 SceCli "Security policies are
propagated with warning. 0x2: The system cannot find
the file specified" is being logged. This could be
caused by an irresoluble account name but we were not
able to troubleshoot before the system was restored.
This started almost 2 hrs before the WFP activity
mentioned above.

Something that must be disclosed is that these systems
are only patched through MS04-004. We know that's a
huge problem but the configuration management these
systems are under has not yet approved more current
patches. If this is caused by malware I'll put my
money on missing MS04-011 as being the key factor in
all of this.

An MS support rep says he thinks it's a virus, but I'm
not familiar with any that ONLY target W2k server, and
he can't tell us which one he thinks it is. Has anyone
seen malware, or anything else, only affect W2k
servers and cause massive file deletions in system32?



                
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
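The poster's two observations (a burst of WFP restores at exactly 09:00:00, preceded by SceCli 1202 warnings about two hours earlier) are the kind of correlation that is easy to do by hand once, but worth scripting when the same pattern keeps showing up at multiple sites and the boxes get rebuilt before anyone looks. The script below is an added example for this thread, not code from the original post. It assumes the event log was exported from Event Viewer as tab-separated text (date, time, source, event ID, description); the sample lines are constructed to mirror the post, the file paths in them are illustrative, and the WFP event ID in the sample is assumed (the post quotes none), so the matching keys on the source name and message text rather than on that number.

```python
"""Correlate SceCli 1202 warnings with bursts of Windows File Protection
(WFP) restores in an exported Windows 2000 event log.

Added example for this thread, not code from the original post.
Assumed export format: tab-separated date, time, source, event id, description.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Paths are illustrative; the WFP event ID (64002)
# is an assumption, the post quotes no ID, so matching below ignores it.
SAMPLE_LOG = """\
10/13/2004\t07:04:51\tSceCli\t1202\tSecurity policies are propagated with warning. 0x2 : The system cannot find the file specified.
10/13/2004\t08:31:20\tSceCli\t1202\tSecurity policies are propagated with warning. 0x2 : The system cannot find the file specified.
10/13/2004\t09:00:00\tWindows File Protection\t64002\tFile replacement was attempted on the protected system file c:\\program files\\windows nt\\accessories\\wordpad.exe. This file was restored to the original version to maintain system stability.
10/13/2004\t09:00:00\tWindows File Protection\t64002\tFile replacement was attempted on the protected system file c:\\winnt\\system32\\wb32.exe. This file was restored to the original version to maintain system stability.
10/13/2004\t09:00:00\tWindows File Protection\t64002\tFile replacement was attempted on the protected system file c:\\winnt\\system32\\trialoc.dll. This file was restored to the original version to maintain system stability.
10/13/2004\t09:00:00\tWindows File Protection\t64002\tFile replacement was attempted on the protected system file c:\\program files\\common files\\system\\ado\\msado15.dll. This file was restored to the original version to maintain system stability.
10/13/2004\t11:42:07\tWindows File Protection\t64002\tFile replacement was attempted on the protected system file c:\\winnt\\system32\\notepad.exe. This file was restored to the original version to maintain system stability.
"""

WFP_SOURCE = "Windows File Protection"
WFP_RESTORED = "restored to the original version"
PATH_MARKER = "protected system file "


def parse_export(text):
    """Return a time-sorted list of (timestamp, source, event_id, description)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time_, source, event_id, desc = line.split("\t", 4)
        ts = datetime.strptime(f"{date} {time_}", "%m/%d/%Y %H:%M:%S")
        events.append((ts, source, int(event_id), desc))
    events.sort(key=lambda e: e[0])
    return events


def extract_path(desc):
    """Pull the protected file path out of a WFP message (ends at '. ')."""
    start = desc.find(PATH_MARKER)
    if start < 0:
        return desc.strip()
    start += len(PATH_MARKER)
    end = desc.find(". ", start)
    return desc[start:end if end > 0 else None]


def wfp_restore_bursts(events, min_count=3):
    """Group WFP restores by exact second and return bursts of >= min_count.

    Many restores landing in the same second point at a mass replacement or
    deletion rather than a routine update; a lone restore is ignored.
    """
    by_second = defaultdict(list)
    for ts, source, _eid, desc in events:
        if source == WFP_SOURCE and WFP_RESTORED in desc:
            by_second[ts].append(extract_path(desc))
    return [(ts, paths) for ts, paths in sorted(by_second.items())
            if len(paths) >= min_count]


def scecli_1202_warnings(events):
    """Return (timestamp, error_code) for each SceCli 1202 warning."""
    out = []
    for ts, source, eid, desc in events:
        if source == "SceCli" and eid == 1202:
            m = re.search(r"0x[0-9A-Fa-f]+", desc)
            out.append((ts, m.group(0) if m else None))
    return out


def correlate(events, window_hours=3, min_count=3):
    """For each WFP burst, find the 1202 warnings in the preceding window and
    report how long before the burst the first one appeared."""
    warnings = scecli_1202_warnings(events)
    findings = []
    for burst_ts, paths in wfp_restore_bursts(events, min_count):
        prior = [(ts, code) for ts, code in warnings
                 if 0 <= (burst_ts - ts).total_seconds() <= window_hours * 3600]
        lead = (burst_ts - prior[0][0]).total_seconds() if prior else None
        findings.append({
            "burst_at": burst_ts,
            "restored": paths,
            "error_codes": [code for _, code in prior],
            "lead_seconds": lead,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_export(SAMPLE_LOG)):
        print(f"WFP burst at {f['burst_at']}: {len(f['restored'])} files restored")
        for p in f["restored"]:
            print(f"  {p}")
        if f["lead_seconds"] is not None:
            print(f"  first SceCli 1202 ({f['error_codes'][0]}) "
                  f"{f['lead_seconds'] / 3600:.2f} h earlier")
```

Run against a real export, the burst threshold is the knob: the post's 35 restores in one second would stand out at any setting, while a single restore after a legitimate service pack install will not. The 1202 lead time is reported rather than judged, since the post only notes the ordering and does not establish a causal link.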

