

WINNT\system32 folder's size is way too big

Posted on 2003-12-01
Medium Priority
Last Modified: 2012-06-27
Intel p3 800
18 GB
256 MB RAM
Win2k pro
Heavy-duty apps:
Office 2k premium
Ms Visual Studio 7 .net

I’ve recently noticed that my hard drive is extremely close to maxing out (big problem for me). I’ve double-checked all personal folders, such as My Documents with its sub-folders etc., and saw nothing out of the ordinary. But then I decided to check some system folders and found out that my WINNT\system32 folder contains approx. 11 GB of data. Then I compared it to some of my colleagues’ system32 folders and those held less than 1 GB of data. Now I’m worried.
Please advise…….

This link contains screenshots that give you more specific details:
Question by:dneebrkr
LVL 14

Expert Comment

ID: 9852127
Where it says "Created:" have you noticed the corrupted font?

It looks like you have a virus. Go here and scan online.
It will ask you to install a small file...say "YES".

Author Comment

ID: 9852229
Dear spiderfix,

I forgot to mention, I'm from Israel.
These are not corrupted fonts but just Hebrew fonts......sorry
LVL 14

Expert Comment

ID: 9852250
Ok, but there are viruses that consume hard drive space to the point
of filling the hard drive. You still want to do the online scan.
Author Comment

ID: 9857076
Hey spiderfix,

I've run CA's scan and it found some viruses that my NAV didn't find, one of which is a flooder....(I guess this is the source of my problem...also given the fact that after I cleaned some personal files it flooded my HD again)
I've added a screenshot of the scan results and the output of a 'dir' command executed on my system32 folder (perhaps you will be able to tell me which files are to be deleted).


LVL 14

Expert Comment

ID: 9860087
It may be best to do all this in Safe Mode.
In the list you've titled "CA's scan results" delete...

- SecureNetbios.exe
- B.exe (end the process {ctrl+alt+del} then delete) run regedit and go to
  and delete b.exe
- nfgns.exe
- ipax.dll (end the process {ctrl+alt+del} then delete) run regedit and go to
- QT9X3.exe

Anything that reports "can not delete" try ending the process then delete.
You want to also download and run Spybot
make sure you run the updater first then scan and remove anything that
shows up in the list marked in red.
When you're done deleting everything and Spybot has done its removals
then reboot and run a search on all partitions for every file that was marked
by the virus scan as infected...
Then run Spybot and ensure the system is clean, then return to Etrust
virus scan and run another scan.

Author Comment

ID: 9861303

A new CA scan resulted in nothing; however, I would like to know what to do with those extremely large files I found in the system32\ras directory. Someone suggested I should delete them.

Dir on system32\ras:

Volume in drive C has no label.
 Volume Serial Number is F840-9411

 Directory of C:\WINNT\system32\ras

09/12/2003  09:21a      <DIR>          .
09/12/2003  09:21a      <DIR>          ..
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
12/07/1999  12:00p               2,815 pppmenu.scp
12/07/1999  12:00p               2,375 slip.scp
12/07/1999  12:00p               2,813 slipmenu.scp
12/07/1999  12:00p               6,213 switch.inf
08/09/2003  10:19a              35,840 KILL.EXE
08/03/2003  09:20a                 494 rb.bat
12/02/2003  09:56p       2,506,072,324 mybot.log
08/02/2003  07:18p               1,162 secure_nt.bat
11/09/2003  01:20p                   0 mybot.ignl.bkup
08/03/2003  11:38p                 109 Service.bat
12/02/2003  07:54p                 680 ServUDaemon.ini
08/03/2003  09:29a           1,930,240 WINMGNT.EXE
08/03/2003  12:56p                 600 A.bat
08/07/2003  01:46p                 310 BOT.BAT
08/02/2003  07:18p               1,162 cmd.bat
07/28/2003  11:12p              24,576 Diskinfo.exe
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:57p                 156 server.txt
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:11p              13,394 Configure
11/09/2003  01:11p              15,146 COPYING
11/09/2003  01:11p              68,016 cygregex.dll
11/09/2003  01:13p             971,080 cygwin1.dll
11/09/2003  01:13p                 857 iroffer.cron
11/09/2003  01:13p             213,300 iroffer.exe
11/09/2003  01:13p               2,826 Makefile.config
11/09/2003  01:13p              19,729 mybot.txt
11/09/2003  01:13p               4,929 README
11/09/2003  01:13p              16,278 WHATSNEW
12/01/2003  02:08p                 132 mybot.msg
11/09/2003  01:20p                   0 mybot.ignl
12/02/2003  07:54p                 526 ServUStartUpLog.txt
12/02/2003  07:54p                   4 mybot.pid
12/02/2003  07:13p                  52 mybot.xdcc.bkup
11/30/2003  12:00a       3,159,999,519 mybot.log.2003-w46
11/23/2003  12:00a       1,853,669,573 mybot.log.2003-w45
12/02/2003  09:55p                   4 mybot.ignl.tmp
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
12/02/2003  09:55p                 194 mybot.xdcc.txt
12/02/2003  09:55p                  52 mybot.xdcc
              41 File(s) 11,818,141,955 bytes
               3 Dir(s)       4,472,832 bytes free

which one of them should I delete?!

LVL 14

Accepted Solution

spiderfix earned 500 total points
ID: 9861400
Delete all the *.exe(s) and the *.dll(s) in that folder.

FireDaemon.exe is allowing access to your system.

The best thing to do would be to rename all the *.exe and *.dll
suffixes in the folder to *.old
rename the folder itself and move it to somewhere else on the hard drive
reboot, and if all is ok with the reboot then delete the folder and its contents.

I'll check back later today; I won't be around a computer for the afternoon.
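
The triage this thread does by eye, as an added example that is not part of the original posts: parse a `dir` listing of a system folder and flag the files that stand out. The baseline-timestamp heuristic, the 100 MB threshold and the function names are assumptions; the sample rows are copied from the listing posted above.

```python
import re
from datetime import datetime

# Sample input: a few rows copied from the `dir` listing posted in the thread.
LISTING = """\
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
12/07/1999  12:00p               6,213 switch.inf
08/03/2003  09:29a           1,930,240 WINMGNT.EXE
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:13p             213,300 iroffer.exe
12/02/2003  09:56p       2,506,072,324 mybot.log
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
"""

ROW = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d[ap])\s+(<DIR>|[\d,]+)\s+(.+)$")
EXECUTABLE = (".exe", ".dll", ".bat", ".scr", ".com")

def parse_dir(text):
    """Yield (modified, size_bytes, name) for each file row; <DIR> rows are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}m", "%m/%d/%Y %I:%M%p")
        yield stamp, int(m.group(3).replace(",", "")), m.group(4)

def triage(text, big=100 * 1024 * 1024):
    """Return (baseline_timestamp, findings), findings sorted largest first."""
    files = list(parse_dir(text))
    # Heuristic (assumption): stock OS files share the install-media timestamp,
    # so the most common timestamp in the folder is treated as the baseline.
    stamps = [s for s, _, _ in files]
    baseline = max(set(stamps), key=stamps.count)
    findings = []
    for stamp, size, name in sorted(files, key=lambda f: -f[1]):
        checks = [
            (stamp != baseline, "not-baseline"),
            (name.lower().endswith(EXECUTABLE), "executable"),
            (size >= big, "large"),
            # 4,294,967,295 is 2**32 - 1: the file grew until a 32-bit size limit.
            (size == 0xFFFFFFFF, "hit-32bit-limit"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            findings.append((name, size, reasons))
    return baseline, findings

if __name__ == "__main__":
    for name, size, reasons in triage(LISTING)[1]:
        print(f"{size:>15,}  {name:<22} {', '.join(reasons)}")
```
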

Author Comment

ID: 9862036


I've actually done all this already 15 minutes ago..... except relocating the 'ras' folder.... it seems OK now.......

I've also run Spybot and removed more than 100 components. In addition I've installed NAV 2002 + Internet Security...now I have another problem...when I reboot, my desktop icons appear after 2 minutes while the task bar is working fine and I cannot run any apps until they appear....
(NAV + NIS are from an original Symantec CD)...but this is for another forum
LVL 14

Expert Comment

ID: 9863239
Personally I find NAV anything a pest, especially on win2K. It really slows
the computer down for one, and two it drills into WindowsXX so deep that if you
ever uninstall it (Add/Remove Programs, NAV uninstaller, 3rd party uninstallers)
you end up with Control Panel probs, recycle bin probs, and a few other things.
I really dislike their software and I hope that no Symantec-lovers post in here
to boast of its wonderfulness because it's simply top-heavy software that serves
no purpose. There are online scanners for free and freeware virus checkers that
do a much better job at killing and finding viruses and they don't require ¼ of what
Symantec uses in resources.

Ok, enough Symantec bashing.

You probably have some programs starting on boot that are unnecessary. And
firewalls (software) I don't believe in using them at all either unless you're troubleshooting
rogue transfers. Software firewalls slow down a system as well. To stop some of these
programs from running at boot one can use regedit and drill down to the RUN tree but
for win2K I run msconfig.exe from Windows98. It will show errors when started on win2K
but they can be ignored, they cause no problems, it's just an internal report from msconfig.exe
and it's basically complaining that you're win2K. You can download one here
and go to the Startup tab and remove the checkmark from unwanted programs starting
on boot.

If you're not sure what to leave running and what to disable you can post the log file here
from HiJackThis and I'll have a look at it.
The "Scan" button turns into the "Save Log" button on that program. You can copy and paste
the log here. HiJackThis will also show BHO (Browser Helper Objects) which are their
own breed of spyware that spyware removal programs are not capable of seeing or removing.
I will look at those (if any) listed. If you had that much spyware you probably have 3 or more
BHOs installed into your browser.

Author Comment

ID: 9865125
Hey Spiderfix,

Well, my PC works just fine without system32\ras & system32\wins folders and I managed to clean up about 8 GB of data from my disk.

Symantec's NAV 2002 + NIS were uninstalled and "miraculously" my PC starts up normally. Now I'm working with my good old Symantec NAV 7.6 which seems a lot more light and friendly. Moreover, I'm seriously considering using a different AV system.

I'm usually in control of my OS and unwanted apps or services are disabled/deleted if detected.

Spybot has done some serious cleanup work as well...but nothing out of the ordinary was discovered, I guess every common user will discover at least 50% of the spyware that was discovered on my machine - I guess you can't 100% control the data being transferred to one's machine through the internet unless you're behind a serious firewall and AV system.

I'm not sure how I was infected in the first place but I learned 2 things for sure:
1) How to run a trace after a virus/Trojan.
2) That no one is really protected (spybot will always find something.....)

Thank you very much

LVL 14

Expert Comment

ID: 9866673
You're welcome. It's good everything turned out ok for you.

Question has a verified solution.
