Solved

WINNT\system32 folder's size is way too big

Posted on 2003-12-01
11 comments, 3,052 views
Last Modified: 2012-06-27
Hi,
Intel p3 800
18 GB
256 MB RAM
Win2k pro
Heavy-duty apps:
Office 2k premium
Ms Visual Studio 7 .net

I’ve recently noticed that my hard drive is extremely close to maxing out (big problem for me). I’ve double-checked all personal folders, such as My Documents with its sub-folders etc., and saw nothing out of the ordinary. But then I decided to check some system folders and found out that my WINNT\system32 folder contains approx. 11 GB of data. Then I compared it to some of my colleagues’ system32 folders and those held less than 1 GB of data. Now I’m worried.
Please advise…….

This link contains screenshots that give you more specific details:
http://mars.netanya.ac.il/~honimrod/html_pages/w2kprb.htm
Question by:dneebrkr
LVL 14

Expert Comment

by:spiderfix
ID: 9852127
Where it says "Created:" have you noticed the corrupted font?
http://mars.netanya.ac.il/~honimrod/images/winnt/sys32prop.gif
http://mars.netanya.ac.il/~honimrod/images/winnt/winntprop.gif

It looks like you have a virus. Go here and scan online.
http://www3.ca.com/virusinfo/virusscan.aspx
It will ask you to install a small file...say "YES".
Author Comment

by:dneebrkr
ID: 9852229
Dear spiderfix,

I forgot to mention, I'm from Israel.
These are not corrupted fonts but just Hebrew fonts......sorry
LVL 14

Expert Comment

by:spiderfix
ID: 9852250
Ok, but there are virii that consume hard drive space to the point
of filling the hard drive. You still want to do the online scan.

Author Comment

by:dneebrkr
ID: 9857076
Hey spiderfix,

I've run CA's scan and it found some viruses that my NAV didn't find, one of which is a flooder....(I guess this is the source of my problem...also given the fact that after I cleaned some personal files it flooded my HD again)
I've added a screenshot of the scan results and the output of a 'dir' command executed on my system32 folder (perhaps you will be able to tell me which files are to be deleted).

http://mars.netanya.ac.il/~honimrod/html_pages/w2kprb.htm

Thanks
LVL 14

Expert Comment

by:spiderfix
ID: 9860087
It may be best to do all this in Safe Mode.
In the list you've titled "CA's scan results" delete...

- SecureNetbios.exe
- B.exe (end the process {ctrl+alt+del} then delete) run regedit and go to
  hkey_local_machine\software\microsoft\windows\currentversion\run
  and delete b.exe
- SECURE_NT.BAT
- nfgns.exe
- ipax.dll (end the process {ctrl+alt+del} then delete) run regedit and go to
  hkey_local_machine\software\microsoft\windows\currentversion\run
- QT9X3.exe

Anything that reports "can not delete", try ending the process then delete.
You want to also download and run Spybot
http://www.safer-networking.org/index.php?lang=en&page=download
make sure you run the updater first, then scan and remove anything that
shows up in the list marked in red.
When you're done deleting everything and Spybot has done its removals,
then reboot and run a search on all partitions for every file that was marked
by the virus scan as infected...
SecureNetbios.exe
B.exe
SECURE_NT.BAT
nfgns.exe
ipax.dll
QT9X3.exe
Then run Spybot and ensure the system is clean, then return to eTrust
virus scan and run another scan.
Author Comment

by:dneebrkr
ID: 9861303
Spiderfix,

A new CA's scan resulted in nothing, however I would like to know what to do with those extremely large files I found in the system32\ras directory. Someone suggested I should delete them.

Dir on system32\ras:

Volume in drive C has no label.
 Volume Serial Number is F840-9411

 Directory of C:\WINNT\system32\ras

09/12/2003  09:21a      <DIR>          .
09/12/2003  09:21a      <DIR>          ..
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
12/07/1999  12:00p               2,815 pppmenu.scp
12/07/1999  12:00p               2,375 slip.scp
12/07/1999  12:00p               2,813 slipmenu.scp
12/07/1999  12:00p               6,213 switch.inf
08/09/2003  10:19a              35,840 KILL.EXE
08/03/2003  09:20a                 494 rb.bat
12/02/2003  09:56p       2,506,072,324 mybot.log
08/02/2003  07:18p               1,162 secure_nt.bat
11/09/2003  01:20p                   0 mybot.ignl.bkup
08/03/2003  11:38p                 109 Service.bat
12/02/2003  07:54p                 680 ServUDaemon.ini
08/03/2003  09:29a           1,930,240 WINMGNT.EXE
08/03/2003  12:56p                 600 A.bat
08/07/2003  01:46p                 310 BOT.BAT
08/02/2003  07:18p               1,162 cmd.bat
07/28/2003  11:12p              24,576 Diskinfo.exe
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:57p                 156 server.txt
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:11p              13,394 Configure
11/09/2003  01:11p              15,146 COPYING
11/09/2003  01:11p              68,016 cygregex.dll
11/09/2003  01:13p             971,080 cygwin1.dll
11/09/2003  01:13p                 857 iroffer.cron
11/09/2003  01:13p             213,300 iroffer.exe
11/09/2003  01:13p               2,826 Makefile.config
11/09/2003  01:13p              19,729 mybot.txt
11/09/2003  01:13p               4,929 README
11/09/2003  01:13p              16,278 WHATSNEW
12/01/2003  02:08p                 132 mybot.msg
11/09/2003  01:20p                   0 mybot.ignl
12/02/2003  07:54p                 526 ServUStartUpLog.txt
12/02/2003  07:54p                   4 mybot.pid
12/02/2003  07:13p                  52 mybot.xdcc.bkup
11/30/2003  12:00a       3,159,999,519 mybot.log.2003-w46
11/23/2003  12:00a       1,853,669,573 mybot.log.2003-w45
12/02/2003  09:55p                   4 mybot.ignl.tmp
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
12/02/2003  09:55p                 194 mybot.xdcc.txt
12/02/2003  09:55p                  52 mybot.xdcc
              41 File(s) 11,818,141,955 bytes
               3 Dir(s)       4,472,832 bytes free

Which of them should I delete?!

mybot.log.2003-w44
mybot.log.2003-w46
mybot.txt
mybot.log.2003-w45
LVL 14

Accepted Solution

by:
spiderfix earned 125 total points
ID: 9861400
Delete all the *.exe(s) and the *.dll(s) in that folder.

FireDaemon.exe is allowing access to your system.

The best thing to do would be to rename all the *.exe and *.dll
suffixes in the folder to *.old,
rename the folder itself and move it to somewhere else on the hard drive,
reboot, and if all is ok with the reboot then delete the folder and its contents.

I'll check back later today; I won't be around a computer for the afternoon.
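The dir listing above and the accepted advice (everything in that folder dated after the OS build, every *.exe/*.dll, and the multi-GB logs is foreign) amount to a triage rule a defender can automate. The following Python is an added example, not code from the thread: it parses a constructed excerpt of the posted `dir` output and flags rows by IoC name, by an executable or config file being newer than Win2k's own 12/07/1999 RAS files, and by size; the IoC name set and the 100 MiB threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed excerpt of the "dir C:\WINNT\system32\ras" output posted in the thread.
DIR_OUTPUT = """\
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
08/09/2003  10:19a              35,840 KILL.EXE
12/02/2003  09:56p       2,506,072,324 mybot.log
08/03/2003  09:29a           1,930,240 WINMGNT.EXE
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:13p             971,080 cygwin1.dll
11/09/2003  01:13p             213,300 iroffer.exe
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
              41 File(s) 11,818,141,955 bytes
"""

# Win2k's own RAS scripts carry the 12/07/1999 build date; anything newer is not from the OS image.
OS_BUILD_DATE = datetime(1999, 12, 7)
# Names the thread's CA scan and listing tied to the infection (assumption: treated as IoCs here).
KNOWN_BAD = {"securenetbios.exe", "b.exe", "secure_nt.bat", "nfgns.exe", "ipax.dll", "qt9x3.exe",
             "iroffer.exe", "firedaemon.exe", "servudaemon.ini", "kill.exe", "winmgnt.exe"}
SUSPECT_EXT = {"exe", "dll", "bat", "ini"}
ROW_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}[ap])\s+(<DIR>|[\d,]+)\s+(.+)$")

def parse_dir(text):
    """Yield (mtime, size_in_bytes or None for a directory, name) per listing row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # volume header, totals and blank lines carry no file row
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}m", "%m/%d/%Y %I:%M%p")
        size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
        yield mtime, size, m.group(4).strip()

def triage(text, os_build=OS_BUILD_DATE, large=100 * 2**20):
    """Return {name: [reasons]} for rows a defender should isolate, plus their total bytes."""
    flagged, total = {}, 0
    for mtime, size, name in parse_dir(text):
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        reasons = []
        if name.lower() in KNOWN_BAD:
            reasons.append("name matches scanner/IoC list")
        if size is not None and mtime > os_build and ext in SUSPECT_EXT:
            reasons.append("executable/config newer than OS build date")
        if size is not None and size >= large:
            reasons.append(f"oversized ({size // 2**20} MiB)")
        if reasons:
            flagged[name] = reasons
            total += size or 0
    return flagged, total
```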

Author Comment

by:dneebrkr
ID: 9862036
spiderfix

Well.....

I've actually done all this already 15 minutes ago..... except relocating the 'ras' folder.... it seems OK now.......

I've also run Spybot and removed more than 100 components. In addition I've installed NAV 2002 + Internet Security...now I have another problem...when I reboot, my desktop icons appear after 2 minutes while the task bar is working fine, and I cannot run any apps until they appear....
(NAV + NIS are from an original Symantec CD)...but this is for another forum
LVL 14

Expert Comment

by:spiderfix
ID: 9863239
Personally I find NAV anything a pest, especially on win2K. It really slows
the computer down for one, and two it drills into WindowsXX so deep that if you
ever uninstall it (Add/Remove Programs, NAV uninstaller, 3rd party uninstallers)
you end up with Control Panel probs, recycle bin probs, and a few other things.
I really dislike their software and I hope that no Symantec-lovers post in here
to boast of its wonderfulness because it's simply top-heavy software that serves
no purpose. There are online scanners for free and freeware virus checkers that
do a much better job at killing and finding virii and they don't require ¼ of what
Symantec uses in resources.

Ok, enough Symantec bashing.

You probably have some programs starting on boot that are unnecessary. And
firewalls (software), I don't believe in using them at all either unless you're troubleshooting
rogue transfers. Software firewalls slow down a system as well. To stop some of these
programs from running at boot one can use regedit and drill down to the RUN tree, but
for win2K I run msconfig.exe from Windows98. It will show errors when started on win2K
but they can be ignored; they cause no problems, it's just an internal report from msconfig.exe
and it's basically complaining that you're on win2K. You can download one here
http://www.techadvice.cc/files/s29k2/w98/msconfig.exe
and go to the Startup tab and remove the checkmark from unwanted programs starting
on boot.

If you're not sure what to leave running and what to disable you can post the log file here
from HiJackThis and I'll have a look at it.
http://mjc1.com/mirror/hjt
The "Scan" button turns into the "Save Log" button on that program. You can copy and paste
the log here. HiJackThis will also show BHOs (Browser Helper Objects), which are their
own breed of spyware that spyware removal programs are not capable of seeing or removing.
I will look at those (if any) listed. If you had that much spyware you probably have 3 or more
BHOs installed into your browser.

Author Comment

by:dneebrkr
ID: 9865125
Hey Spiderfix,

Well, my PC works just fine without system32\ras & system32\wins folders and I managed to clean up about 8 GB of data from my disk.

Symantec's NAV 2002 + NIS were uninstalled and "miraculously" my PC starts up normally. Now I'm working with my good old Symantec NAV 7.6, which seems a lot lighter and friendlier. Moreover, I'm seriously considering using a different AV system.

I'm usually in control of my OS and unwanted apps or services are disabled/deleted if detected.

Spybot has done some serious cleanup work as well...but nothing out of the ordinary was discovered; I guess every common user will discover at least 50% of the spyware that was discovered on my machine - I guess you can't 100% control the data being transferred to one's machine through the internet unless you're behind a serious firewall and AV system.

I'm not sure how I was infected in the first place but I learned 2 things for sure:
1) How to run a trace after a virus/Trojan.
2) That no one is really protected (Spybot will always find something.....)

Thank you very much

DNeeBrkr
LVL 14

Expert Comment

by:spiderfix
ID: 9866673
You're welcome. It's good everything turned out ok for you.