WINNT\system32 folder's size is way too big

Intel p3 800
18 GB
256 MB RAM
Win2k pro
Heavy-duty apps:
Office 2k premium
Ms Visual Studio 7 .net

I’ve recently noticed that my hard drive is extremely close to maxing out (big problem for me). I’ve double-checked all Personal folders, such as My Documents with its sub-folders etc., and saw nothing out of the ordinary. But then I decided to check some system folders and found out that my WINNT\system32 folder contains approx. 11 GB of data. Then I compared it to some of my colleagues’ system32 folders and those held less than 1 GB of data. Now I’m worried.
Please advise…….

This link contains screenshots that give you more specific details:

Where it says "Created:" have you noticed the corrupted font?

It looks like you have a virus. Go here and scan online.
It will ask you to install a small file...say "YES".
dneebrkr (Author) Commented:
Dear spiderfix,

I forgot to mention, I'm from Israel.
These are not corrupted fonts but just Hebrew fonts......sorry
Ok, but there are virii that consume hard drive space to the point
of filling the hard drive. You still want to do the online scan.

dneebrkr (Author) Commented:
Hey spiderfix,

I've run CA's scan and it found some viruses that my NAV didn't find, one of which is a flooder....(I guess this is the source of my problem...also given the fact that after I cleaned some personal files it flooded my HD again)
I've added a screenshot of the scan results and the output of a 'dir' command executed on my system32 folder (perhaps you will be able to tell me which files are to be deleted).

It may be best to do all this in Safe Mode.
In the list you've titled "CA's scan results" delete...

- SecureNetbios.exe
- B.exe (end the process {ctrl+alt+del} then delete) run regedit and go to
  and delete b.exe
- nfgns.exe
- ipax.dll (end the process {ctrl+alt+del} then delete) run regedit and go to
- QT9X3.exe

Anything that reports "can not delete" try ending the process then delete.
You want to also download and run Spybot
make sure you run the updater first then scan and remove anything that
shows up in the list marked in red.
When you're done deleting everything and Spybot has done its removals
then reboot and run a search on all partitions for every file that was marked
by the virus scan as infected...
Then run Spybot and ensure the system is clean, then return to Etrust
virus scan and run another scan.
dneebrkr (Author) Commented:

A new CA scan resulted in nothing, however I would like to know what to do with those extremely large files I found in system32\ras directory. Someone suggested I should delete them.

Dir on system32\ras:

Volume in drive C has no label.
 Volume Serial Number is F840-9411

 Directory of C:\WINNT\system32\ras

09/12/2003  09:21a      <DIR>          .
09/12/2003  09:21a      <DIR>          ..
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
12/07/1999  12:00p               2,815 pppmenu.scp
12/07/1999  12:00p               2,375 slip.scp
12/07/1999  12:00p               2,813 slipmenu.scp
12/07/1999  12:00p               6,213 switch.inf
08/09/2003  10:19a              35,840 KILL.EXE
08/03/2003  09:20a                 494 rb.bat
12/02/2003  09:56p       2,506,072,324 mybot.log
08/02/2003  07:18p               1,162 secure_nt.bat
11/09/2003  01:20p                   0 mybot.ignl.bkup
08/03/2003  11:38p                 109 Service.bat
12/02/2003  07:54p                 680 ServUDaemon.ini
08/03/2003  09:29a           1,930,240 WINMGNT.EXE
08/03/2003  12:56p                 600 A.bat
08/07/2003  01:46p                 310 BOT.BAT
08/02/2003  07:18p               1,162 cmd.bat
07/28/2003  11:12p              24,576 Diskinfo.exe
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:57p                 156 server.txt
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:11p              13,394 Configure
11/09/2003  01:11p              15,146 COPYING
11/09/2003  01:11p              68,016 cygregex.dll
11/09/2003  01:13p             971,080 cygwin1.dll
11/09/2003  01:13p                 857 iroffer.cron
11/09/2003  01:13p             213,300 iroffer.exe
11/09/2003  01:13p               2,826 Makefile.config
11/09/2003  01:13p              19,729 mybot.txt
11/09/2003  01:13p               4,929 README
11/09/2003  01:13p              16,278 WHATSNEW
12/01/2003  02:08p                 132 mybot.msg
11/09/2003  01:20p                   0 mybot.ignl
12/02/2003  07:54p                 526 ServUStartUpLog.txt
12/02/2003  07:54p                   4
12/02/2003  07:13p                  52 mybot.xdcc.bkup
11/30/2003  12:00a       3,159,999,519 mybot.log.2003-w46
11/23/2003  12:00a       1,853,669,573 mybot.log.2003-w45
12/02/2003  09:55p                   4 mybot.ignl.tmp
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
12/02/2003  09:55p                 194 mybot.xdcc.txt
12/02/2003  09:55p                  52 mybot.xdcc
              41 File(s) 11,818,141,955 bytes
               3 Dir(s)       4,472,832 bytes free

which one of them should I delete?!

Delete all the *.exe(s) and the *.dll(s) in that folder.

FireDaemon.exe is allowing access to your system.

The best thing to do would be to rename all the *.exe and *.dll
suffixes in the folder to *.old
rename the folder itself and move it to somewhere else on the hard drive
reboot, and if all is ok with the reboot then delete the folder and its contents.

I'll check back later today. I won't be around a computer for the afternoon.
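
A triage pass over a `dir` listing like the one posted above, as an added example that is not part of the original thread: it separates entries newer than a baseline date from the stock files and flags the runnable and oversized ones. The sample lines are copied from that listing; treating 12/07/1999 (the date on its oldest files) as the baseline, the 100 MB threshold and the function names are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: entry lines copied from the listing posted in the thread.
SAMPLE = """\
12/07/1999  12:00p                 733 cis.scp
12/07/1999  12:00p              14,527 pad.inf
08/15/2000  12:22a              81,920 FireDaemon.exe
11/09/2003  12:58p      <DIR>          src
11/09/2003  01:13p             971,080 cygwin1.dll
11/09/2003  01:13p             213,300 iroffer.exe
12/02/2003  07:54p                   4
12/02/2003  09:56p       2,506,072,324 mybot.log
11/12/2003  08:24a       4,294,967,295 mybot.log.2003-w44
"""
BASELINE = date(1999, 12, 7)  # assumption: date shared by the oldest files
ENTRY = re.compile(r"^(\d\d/\d\d/\d{4})\s+\d\d:\d\d[ap]\s+(<DIR>|[\d,]+)\s*(.*)$")
RUNNABLE = (".exe", ".dll", ".bat")

def parse_dir(text):
    """Return (modified_date, size or None for directories, name) per entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # volume header, totals and blank lines
        day, size, name = m.groups()
        modified = datetime.strptime(day, "%m/%d/%Y").date()
        size = None if size == "<DIR>" else int(size.replace(",", ""))
        # The listing contains one entry whose name column is empty; keep it.
        entries.append((modified, size, name.strip() or "(no name shown)"))
    return entries

def triage(entries, baseline, big=100 * 1024 * 1024):
    """Summarise what appeared after the baseline date.

    Timestamps can be altered, so this narrows the search, it proves nothing.
    """
    added = [e for e in entries if e[0] > baseline and e[2] not in (".", "..")]
    return {
        "runnable": sorted((n for _, _, n in added
                            if n.lower().endswith(RUNNABLE)), key=str.lower),
        "large": sorted(n for _, s, n in added if s is not None and s >= big),
        # 2**32 - 1 is the largest value a 32-bit size field can hold.
        "capped": [n for _, s, n in added if s == 2**32 - 1],
        "bytes_added": sum(s or 0 for _, s, _ in added),
    }

if __name__ == "__main__":
    for key, value in triage(parse_dir(SAMPLE), BASELINE).items():
        print(f"{key}: {value}")
```
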

dneebrkr (Author) Commented:

I've actually done all this already 15 minutes ago..... except relocating the 'ras' folder.... it seems OK now.......

I've also run spybot and removed more than 100 components. In addition I've installed NAV 2002 + Internet I have another problem...when I reboot my desktop icons appear after 2 minutes while the task bar is working fine and I cannot run any apps until they appear....
(NAV + NIS are from an original Symantec CD)...but this is for another forum
Personally I find NAV anything a pest, especially on win2K. It really slows
the computer down for one, and two it drills into WindowsXX so deep that if you
ever uninstall it (Add/Remove Programs, NAV uninstaller, 3rd party uninstallers)
you end up with Control Panel probs, recycle bin probs, and a few other things.
I really dislike their software and I hope that no Symantec-lovers post in here
to boast of its wonderfulness because it's simply top-heavy software that serves
no purpose. There are online scanners for free and freeware virus checkers that
do a much better job at killing and finding virii and they don't require ¼ of what
Symantec uses in resources.

Ok, enough Symantec bashing.

You probably have some programs starting on boot that are unnecessary. And
firewalls (software) I don't believe in using them at all either unless you're troubleshooting
rogue transfers. Software firewalls slow down a system as well. To stop some of these
programs from running at boot one can use regedit and drill down to the RUN tree but
for win2K I run msconfig.exe from Windows98. It will show errors when started on win2K
but they can be ignored, they cause no problems it's just an internal report from msconfig.exe
and it's basically complaining that you're win2K. You can download one here
and go to the Startup tab and remove the checkmark from unwanted programs starting
on boot.

If you're not sure what to leave running and what to disable you can post the log file here
from HiJackThis and I'll have a look at it.
The "Scan" button turns into the "Save Log" button on that program. You can copy and paste
the log here. HiJackThis will also show BHO (Browser Helper Objects) which are their
own breed of spyware that spyware removal programs are not capable of seeing or removing.
I will look at those (if any) listed. If you had that much spyware you probably have 3 or more
BHOs installed into your browser.
dneebrkr (Author) Commented:
Hey Spiderfix,

Well, my PC works just fine without system32\ras & system32\wins folders and I managed to clean up about 8 GB of data from my disk.

Symantec's NAV 2002 + NIS were uninstalled and "miraculously" my PC starts up normally. Now I'm working with my good old Symantec NAV 7.6 which seems a lot more light and friendly. Moreover, I'm seriously considering using a different AV system.

I'm usually in control of my OS and unwanted apps or services are disabled/deleted if detected.

Spybot has done some serious cleanup work as well...but nothing out of the ordinary was discovered, I guess every common user will discover at least 50% of the spyware that was discovered on my machine - I guess you can't 100% control the data being transferred to one's machine through the internet unless you're behind a serious firewall and AV system.

I'm not sure how I was infected in the first place but I learned 2 things for sure:
1) How to run a trace after a virus/Trojan.
2) That no one is really protected (spybot will always find something.....)

Thank you very much

You're welcome. It's good everything turned out ok for you.