Okay, this is weird.

I did some more looking around, and when I delete riched20.dll, it automatically reappears after a few seconds. I used the SysInternals "handle" program to try to figure out who's recreating it and it's the WINLOGON process. Now, I guess it's possible that Windows sits in the background and fixes this DLL if it gets deleted, but why this particular DLL? And where is it getting the original from if I'm deleting all copies in my c:\winnt directory? Does it just do an "undelete" in the background? I'm shift-deleting the file (not storing it in the recycle bin) so it'd have to be pretty clever about it.

I'm doing a full system virus scan now (before I ran a Nimda removal tool) to see if there's something fishy going on. So far it's found 59 viruses all in my email attachment directory (from a brief period of time when my email scanning was accidentally disabled) but none of them were actually executed. The virus scan is going to take a while... But this behavior seems different from any of the viruses I've seen that mention riched20.dll (they generally create many copies of it all over... This is specific to my Windows directory.)

Oh well, I don't have another Win2K box to test this on, so I dunno if it's normal behavior or not. On my Win98 box, renaming riched20.dll means nothing; the file isn't getting auto-created. So either there's something about Win2K that does this automatically, or I have some kind of badness going on like a virus/worm that I haven't found yet.

Time to play some Solitaire while the virus scan completes...
_________________________
- Tony C
my empeg stuff