Slow computer and suspicious windows file and folder behaviour

Posted on 2007-10-03
Last Modified: 2013-12-04

I'm just about at my wits end with this computer at the moment!

System Details

Windows XP Pro SP2
1GB Ram
Firewall - ZoneAlarm
Anti-Virus - NOD32
Anti-Spyware - see below


Speed Issues

The computer is running very slowly, particularly when I'm on the internet.   Opening links can be extremely slow and recently, sometimes when I do a search, the google search results page opens up OK, but any links I click on don't connect.   I get a message dialogue box saying that my internet connection is OK and then have a range of options available like retry, ping, whois, etc (maybe that's due to a Firefox Extension I've installed - I'm not sure).

Weird Things

The weird things relate mainly to my directory structure(s) including things like - I have folders with multiple sub-folders but nothing in them (even when I show all files including those that are normally hidden).   I have new folders added to the C:\ directory every now and then.   In the C:\Temp directory, I have files and folders dating back a year or so, when I've run programs that clean out temp files in the last few days.   Although I have IE7 installed, there is reference to IE5 when I run software to delete temp files etc

What I've tried to resolve the problems -

First I ran NOD32 - the first time I ran it in relation to this problem, I found I had an infection (Win32 Netsky).
I quarantined the offending files, found that they were residing in a folder I didn't even know I had under C:\Import.   This directory, which was not created by me, seemed to be a duplicate of my C: Drive and contained 2 folders - Drive C and Drive D.   I've since removed this directory to an external drive and don't think it's causing me any problems.

Then I ran NOD32 again and can't remember now whether I found no further threats or aborted the scan after it was taking so long (I mean hours and hours).

I then ran -

Webroot SpySweeper
Spybot Search & Destroy
Lavasoft Adaware
NTREGOPT (to optimise the registry)

There were no further threats detected and I had thought that the system should be pretty clean by this stage but there was still an issue with the speed.

Because of the Weird Things mentioned above, I thought I might have some corrupt windows files so I tried to do a Windows Repair but when I tried to select the option on the installation CD to install windows, I received an error message saying that the version of windows on my computer was a later version than what was on the disc and I couldn't get to the point where you would normally get the options to repair or install.   Even though I've installed all windows updates and hotfixes etc, I'm pretty sure I've been able to repair windows files before using this method so I checked that the serial numbers matched using  Belarc Advisor and they do.

I then purchased Uniblue Power Suite and ran Registry Booster and SpeedUpMyPC which seemed to make a difference but it was still taking a long time to do things like forwarding emails, accessing the internet, etc.   Then when I ran SpyEraser (the 3rd part of the Power Suite), it scanned cookies, memory and registry fairly quickly, detected a few registry issues but was still scanning files more than 8 hours later.   I sent Uniblue an email to see if this was normal and I received a reply saying it could be depending on what was running and to try running SpyEraser in Safe Mode which I did.   Again, it scanned cookies, memory and registry fairly quickly, detected no registry issues this time, but was still scanning files more than 2 hours later so I had to abort the scan and get some real work done.

In the meantime, I had some extra RAM installed which has made a difference but startup is still slow, my Uniblue Power Suite had some components missing when I rebooted and Webroot SpySweeper has been removed.

In relation to the Weird Things, today I noticed another new folder under C:\Documents and Settings.   A directory called Administrator:BACKOFFICE which contains directories for things I don't even recognise.   I've also noticed a bunch of files in the root directory with an .sqm extension.

So, to cut a long story short, the strange files and folders thing is making me wonder if there is serious problem I haven't been able to detect/remove and the speed thing is still an issue.

Any thoughts on where to from here would be greatly appreciated.

If I need to run a HijackThis scan, would you mind including some instructions on what to do to be able to post it back here?

Many thanks

Question by:bluedognoosa21
    LVL 4

    Expert Comment

    By now you could have, and probably should, just back up what you need and do a reinstall. Your PC should have a CAL sticker on the side; just use the disks and blow out Windows. It is usually the quickest, surest and sometimes only way to fix weird issues.

    Remember to just wipe out the old windows, format the drive and do a fresh install.

    LVL 22

    Expert Comment

    First, try SUPERAntiSpyware. Then download and open Dial-a-fix, check all checkboxes under the "Registration center" section, and click "GO".

    LVL 32

    Expert Comment

    Not a bad idea to run HijackThis. Download it from (link is at top-right corner of that page). Unzip the contents to some folder (not the Desktop) then run the .exe file by double-clicking on it. It shows the results in a window - just copy and paste the results here.

    Author Comment

    Thank you for your quick replies to my posting.

    As you might have gathered, I've been doing everything possible to try to avoid a fresh install of windows as I'm really short on time and run a few business applications which I can't afford to mess up.  Having said that though, it's looking more and more like a fresh install is going to be about the only way to go.

    I installed and ran Super Antispyware  - no problems detected.

    I also downloaded and ran Dial-a-fix and have copied the log file below -

    Bit early to tell how effective it was but I thought I'd post a copy of the file  here to see if you think there's anything obvious in it -

    Notes about this log:
    1) "->" denotes an external command being executed, and "-> (number)" indicates
         the return code from the previous command
    2) Not all external command return codes are accurate, or useful
    3) Sometimes commands return 0 (no error) even when they fail or crash
    4) If an error occurs while registering an object, please send an email to: and include a copy of this log

    DAF version: v0.60.0.24

    --- System info ---
    OS: Microsoft Windows XP Service Pack 2
    IE version: 7.0.5730.11
    MPC: 55276-013
    CPU: AMD Athlon(tm)  (~1250MHz)
    BIOS: 15/09/2003
    Memory (approx): 991MB
    Uptime: 12 hour(s)
    Current directory: C:\Documents and Settings\Admin\Desktop\Downloads\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24

    04/10/2007 9:09:51 PM -- Dial-a-fix : [v0.60.0.24] -- started
    9:09:51 PM | Policy scan started
    9:09:51 PM | Policy scan ended - no restrictive policies were found
    --- Emptying temp folders ---
    9:41:02 PM | Deleting C:\Documents and Settings\Admin\Local Settings\Temp...
    9:41:03 PM | C:\Documents and Settings\Admin\Local Settings\Temp could not be completely emptied, please reboot and try again
    9:41:03 PM | Deleting C:\WINDOWS\temp...
    9:41:03 PM | C:\WINDOWS\temp could not be completely emptied, please reboot and try again
    9:41:03 PM | Deleting C:\DOCUME~1\Admin\LOCALS~1\Temp...
    9:41:03 PM | C:\DOCUME~1\Admin\LOCALS~1\Temp could not be completely emptied, please reboot and try again
    --- MSI ---
    9:53:42 PM | Registered: C:\WINDOWS\system32\msi.dll
    --- Registration: ActiveX controls/codecs ---
    9:55:11 PM | Registered: C:\WINDOWS\system32\
    9:55:11 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
    9:55:11 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
    9:55:11 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
    9:55:11 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
    9:55:11 PM | Registered: C:\WINDOWS\system32\
    9:55:11 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
    9:55:11 PM | Registered: C:\WINDOWS\system32\
    9:55:14 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
    9:55:14 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
    9:55:14 PM | Registered: C:\WINDOWS\system32\tdc.ocx
    9:55:15 PM | Registered: C:\WINDOWS\system32\wshom.ocx
    --- Registration: Control Panel applets ---
    9:55:18 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
    9:55:18 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
    9:55:19 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
    --- Registration: Direct[X|Draw|Show|Media] ---
    9:55:19 PM | Registered: C:\WINDOWS\system32\quartz.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\danim.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\dmscript.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\sbe.dll
    --- Registration: Programming cores/runtimes ---
    9:55:20 PM | Registered: C:\WINDOWS\system32\atl.dll
    9:55:20 PM | Registered: C:\WINDOWS\system32\corpol.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\jscript.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\dispex.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\scrrun.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\scrobj.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\vbscript.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\wshext.dll
    --- Registration: Explorer/IE/OE/shell/WMP ---
    9:55:21 PM | Registered: C:\WINDOWS\system32\activeds.dll
    9:55:21 PM | Registered: C:\WINDOWS\system32\audiodev.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\browsewm.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\cabview.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\cdfview.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\comcat.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\cscui.dll
    9:55:22 PM | Registered: C:\WINDOWS\system32\credui.dll
    9:55:23 PM | Registered: C:\WINDOWS\system32\datime.dll
    9:55:23 PM | Registered: C:\WINDOWS\system32\devmgr.dll
    9:55:23 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dmloader.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dmocx.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dmview.ocx
    9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
    9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dsquery.dll
    9:55:24 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
    9:55:25 PM | Registered: C:\WINDOWS\system32\els.dll
    9:55:25 PM | Registered: C:\WINDOWS\system32\es.dll
    9:55:25 PM | Registered: C:\WINDOWS\system32\fontext.dll
    9:55:25 PM | Registered: C:\WINDOWS\system32\hlink.dll
    9:55:25 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\iepeers.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\ils.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
    9:55:26 PM | Registered: C:\WINDOWS\system32\laprxy.dll
    9:55:27 PM | Registered: C:\WINDOWS\system32\lmrt.dll
    9:55:27 PM | Registered: C:\WINDOWS\system32\mlang.dll
    9:55:28 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
    9:55:28 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
    9:55:28 PM | Registered: C:\WINDOWS\system32\mscoree.dll
    9:55:28 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
    9:55:29 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
    9:55:29 PM | Registered: C:\WINDOWS\system32\msr2c.dll
    9:55:29 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
    9:55:29 PM | Registered: C:\WINDOWS\system32\mydocs.dll
    9:55:29 PM | Registered: C:\WINDOWS\system32\mstime.dll
    9:55:30 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
    9:55:30 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
    9:55:30 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
    9:55:30 PM | Registered: C:\WINDOWS\system32\netman.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\netshell.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
    9:55:31 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
    9:55:31 PM | DllInstalled: C:\WINDOWS\system32\occache.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\occache.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\ole32.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\oleacc.dll
    9:55:31 PM | Registered: C:\WINDOWS\system32\olepro32.dll
    9:55:31 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\photowiz.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\remotepg.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\rshx32.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\sendmail.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
    9:55:32 PM | Registered: C:\WINDOWS\system32\shell32.dll
    9:55:35 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
    9:55:36 PM | Registered: C:\WINDOWS\system32\shmedia.dll
    9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
    9:55:36 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
    9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
    9:55:37 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
    9:55:37 PM | Registered: C:\WINDOWS\system32\srclient.dll
    9:55:37 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
    9:55:37 PM | Registered: C:\WINDOWS\system32\stobject.dll
    9:55:37 PM | Registered: C:\WINDOWS\system32\twext.dll
    9:55:40 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
    9:55:40 PM | Registered: C:\WINDOWS\system32\urlmon.dll
    9:55:40 PM | Registered: C:\WINDOWS\system32\userenv.dll
    9:55:40 PM | Registered: C:\WINDOWS\system32\winhttp.dll
    9:55:40 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
    9:55:40 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
    9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
    9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
    9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
    9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
    9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
    9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
    9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
    9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
    9:55:43 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
    9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll

    You might have noticed that there is a message near the start saying that certain temp files could not be deleted and advising that you should reboot and try again, which I did - but the temp files were still unable to be deleted.   Any thoughts?

    I also ran HijackThis and got an error message (something about the HOSTS file) and it shut down very quickly.   The log file from that scan is also attached -

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:58 PM, on 04/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    End of file - 7585 bytes

    Thanks again - look forward to hearing from you.
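    The first pass the experts apply to a HijackThis log (scan the autostart entries for binaries living somewhere unusual, stale "(file missing)" entries and unrecognised Winsock LSPs) can be scripted. The following is an added example written for this page; it is not part of the original thread and not a HijackThis feature. The trusted-roots list, the section selection and the reasons are my own heuristics, and the script assumes Windows is installed on C:. It shortlists entries for a human to identify; it does not decide that anything is malicious. The sample log is a subset of the entries posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# HijackThis sections that describe code Windows loads automatically:
# O2 BHOs, O3 toolbars, O4 Run keys/Startup folders, O10 Winsock LSPs,
# O20 Winlogon notify DLLs, O23 services.  Other sections are only checked
# for "(file missing)".
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O10", "O20", "O23"}

# Where installed software normally lives on a single-drive XP machine.
# Assumption: Windows is on C:; adjust for other layouts.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# First absolute path to a loadable module in the entry body.
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|ocx|cpl)", re.IGNORECASE)

# Constructed sample: a subset of the entries from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    path: Optional[str]
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a reviewer should look at first, each with a reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
        if not m:
            continue                      # R0/R1 URL lines, headers, blanks
        section, body = m.group(1), m.group(2)
        path_m = PATH_RE.search(body)
        path = path_m.group(0).lower() if path_m else None

        if "(file missing)" in body.lower():
            findings.append(Finding(section, "target file missing: stale entry, safe to clean", path, line))
            continue
        if section not in AUTOSTART_SECTIONS:
            continue
        if section == "O10":
            findings.append(Finding(section, "Winsock LSP not in HijackThis's known list: confirm the DLL's vendor before touching it (removing an LSP breaks networking)", path, line))
            continue
        if path is None:
            findings.append(Finding(section, "no absolute path: resolve what actually runs (relative name found via PATH, or '?')", None, line))
            continue
        if not path.startswith(TRUSTED_ROOTS):
            findings.append(Finding(section, "autostart binary outside the standard install locations: identify the owner or submit the file for scanning", path, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

    Run against the sample it shortlists C:\mpi32\Mpi32.exe (the entry r-k asks about), the two O4 entries with no absolute path, the Messenger button whose file is gone, and the O10 LSP; the vendor-installed entries under Program Files are not reported. The shortlist is where the human work starts, as the author's reply shows: Mpi32.exe turned out to be the resort's PABX software.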

    LVL 22

    Expert Comment

    Have you tried SUPERAntiSpyware in safe mode?

    LVL 22

    Expert Comment

    To remove temporary files I always use

    Author Comment

    I ran CCleaner at the outset but it didn't work.

    I may have discovered a clue however.

    Firstly, I've been having problems with Windows Installer.   Can I just remove it and reinstall to see if that helps?

    On the slow computer issue, today I was looking for something in the Volume System Information directory and what I found was hardly any files I expected to find, together with stacks of RP entries which I assume is Restore Point.   Anyway, when I checked the properties of the directory I noticed that the size of this directory is over 12 GB!!   (That's not a misprint.)   Any ideas on why this would be so?

    I must admit, it is seriously looking like needing to reinstall windows xp pro SP2.

    LVL 22

    Expert Comment

    You can reinstall Windows Installer by using Dial-a-fix. Check the "Fix Windows Installer:" checkbox and click "GO". Also, just because you have a folder that's over 12 GB, it doesn't necessarily mean it's linked to a slow computer and weird behavior.
    LVL 32

    Expert Comment

    12 GB of unexplained space is certainly very suspicious. Since that folder is often the target of hackers (to store bootleg music and videos), it is best to rule that out first.

    I notice one suspicious entry in your HJT log:

    O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe

    Are you familiar with what this is?

    If not, please submit this file (Mpi32.exe) on-line to this site:

    and they will tell you right-away whether it is known malware.

    Also, do a scan with RootkitRevealer:

    Download and run RootkitRevealer from:
    and click on "Scan" to scan your drives.
    It takes a while, so be patient.
    Try not to use the system too much during that time to avoid false positives.
    If it produces anything interesting, use "File -> Save As.." to save the
    results to a text file (Important -> you may need that file later)
    Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
    first 30 lines or so.

    Author Comment

    Thanks for the advice.   I'll give them all a go.   I'll be away for the next few days so will do my homework and post back here later in the week.

    The mpi32 entry is our pabx phone management software (I manage a holiday resort).

    LVL 22

    Expert Comment

    r-k, oh yeah, a rootkit scan may be a good idea.

    Author Comment

    Hi Wizard

    I think you might be on to something.   I downloaded and ran a scan with Rootkit Revealer.    The first time I ran it, I turned everything off I could think of (AV, Anti-spyware, Fwall, etc) so the system was as idle as I could get it.   I saved the file to desktop and my docs but couldn't find it when I opened those directories using my computer.   I thought maybe some malware might be hiding it so I ran another scan but this time left everything active.  

    Anyway, to cut a long story short, I eventually found them under C:\Docs & Settings\Local Services\Desktop.   This is the results of the first scan -

    HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
    C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 11:01 AM      259 bytes      Hidden from Windows API.
    C:\System Volume Information\catalog.wci\      20/10/2007 10:49 AM      2.92 MB      Hidden from Windows API.
    C:\System Volume Information\catalog.wci\00010008.dir      20/10/2007 10:49 AM      5.87 KB      Hidden from Windows API.
    C:\System Volume Information\catalog.wci\      20/10/2007 10:49 AM      2.90 MB      Hidden from Windows API.
    C:\System Volume Information\catalog.wci\00010009.dir      20/10/2007 10:49 AM      5.65 KB      Hidden from Windows API.
    C:\WINDOWS\system32\spool\PRINTERS\FP00014.SHD      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\system32\spool\PRINTERS\FP00014.SPL      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.

    The following is the results of the second scan where I didn't stop anything first -

    HKU\S-1-5-21-2052111302-1993962763-725345543-1003\Software\Licenses\{I81A067BDE7DB239C}      20/10/2007 12:40 PM      4 bytes      Data mismatch between Windows API and raw hive data.
    HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
    HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
    HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\gxxlbDlffc\      20/10/2007 12:40 PM      58 bytes      Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\icPrDwNg\      20/10/2007 12:40 PM      54 bytes      Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\RjAkelp\      20/10/2007 12:40 PM      42 bytes      Data mismatch between Windows API and raw hive data.
    C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 12:49 PM      260 bytes      Hidden from Windows API.
    C:\System Volume Information\_restore{1D607D8A-712A-48F1-881D-ECBA776F9A92}\RP596\A0058249.RDB      20/10/2007 12:42 PM      1.75 MB      Hidden from Windows API.

    Not sure if it means anything, but when I went to look in System Volume Information the other day, when the mouse was hovering over the folder, it was showing Folder Empty, but when I tried to open it anyway, I got an Access Denied message.   (I'm pretty sure that's what happened).   There were a few other system folders I tried to open but got the same error message.


    LVL 32

    Expert Comment

    Hmm... You don't have a rootkit, so that's good. The results above are just normal "noise" that you'd expect.

    That still leaves the question of what is taking up that extra 12 GB space...

    You can right-click on the System Volume Information folder, select Properties -> Security and click "Add" and add your own username and give yourself at least read permission to that folder and all subfolders within (i.e. click on Advanced and see that the box labeled "Replace permission entries on all child objects..." is "checked").

    That should allow you to browse inside that folder and see if you can spot the missing 12 GB of stuff.
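    The judgement r-k makes above (that the two result sets are expected "noise") follows from a few rules about which discrepancies RootkitRevealer always reports on a healthy XP box, plus a comparison of the idle scan with the busy one. As an added example, not part of the original thread or of the Sysinternals tool, here is that triage in Python over the two result sets posted above. The benign rules encode discrepancies the tool's documentation describes as expected (LSA secrets keys with embedded nulls, SYSTEM-only data under System Volume Information, spooler scratch files); everything else is classified "review" with a hint, not a verdict. The splitter accepts both the tab-separated file the tool saves and the space-padded form shown on the forum.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples: the two result sets posted above.  RootkitRevealer's
# saved text file is tab-separated; the forum rendering turned the tabs into
# runs of spaces, so the parser accepts either.
IDLE_SCAN = r"""
HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 11:01 AM      259 bytes      Hidden from Windows API.
C:\System Volume Information\catalog.wci\      20/10/2007 10:49 AM      2.92 MB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.dir      20/10/2007 10:49 AM      5.87 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\      20/10/2007 10:49 AM      2.90 MB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.dir      20/10/2007 10:49 AM      5.65 KB      Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00014.SHD      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\spool\PRINTERS\FP00014.SPL      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.
"""

BUSY_SCAN = r"""
HKU\S-1-5-21-2052111302-1993962763-725345543-1003\Software\Licenses\{I81A067BDE7DB239C}      20/10/2007 12:40 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\gxxlbDlffc\      20/10/2007 12:40 PM      58 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\icPrDwNg\      20/10/2007 12:40 PM      54 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\RjAkelp\      20/10/2007 12:40 PM      42 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 12:49 PM      260 bytes      Hidden from Windows API.
C:\System Volume Information\_restore{1D607D8A-712A-48F1-881D-ECBA776F9A92}\RP596\A0058249.RDB      20/10/2007 12:42 PM      1.75 MB      Hidden from Windows API.
"""


@dataclass(frozen=True)
class Entry:
    path: str
    timestamp: str
    size: str
    description: str


SPLIT_RE = re.compile(r"\t+| {3,}")


def parse(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        parts = SPLIT_RE.split(raw.strip(), maxsplit=3)
        if len(parts) == 4:               # skips blank lines and truncated rows
            entries.append(Entry(*parts))
    return entries


# (path regex, substring of the description, why the tool always reports it)
BENIGN_RULES = (
    (r"^hklm\\security\\policy\\secrets\\", "embedded nulls",
     "LSA secrets: Windows itself writes these key names with embedded nulls"),
    (r"^[a-z]:\\system volume information\\", "hidden from windows api",
     "System Restore / Indexing Service data; the folder is readable only by SYSTEM"),
    (r"\\spool\\printers\\[^\\]+\.(?:shd|spl)$", "not in mft",
     "print spooler scratch files that appeared and vanished during the scan"),
)


def classify(e: Entry) -> tuple[str, str]:
    path, desc = e.path.lower(), e.description.lower()
    for pattern, marker, why in BENIGN_RULES:
        if re.search(pattern, path) and marker in desc:
            return "benign", why
    if "data mismatch" in desc:
        return "review", ("API and raw hive disagree: a key written while the scan ran, "
                          "or hidden data; re-scan idle and read the key with a raw hive tool")
    if "hidden from windows api" in desc:
        return "review", "hidden outside the known locations: identify the owning product or driver"
    return "review", "unrecognised discrepancy type"


def compare(idle: list[Entry], busy: list[Entry]) -> dict[str, list[Entry]]:
    """Entries that appear only in the busy scan are the usual write-race noise."""
    idle_paths = {e.path.lower() for e in idle}
    busy_paths = {e.path.lower() for e in busy}
    return {
        "in_both": [e for e in idle if e.path.lower() in busy_paths],
        "idle_only": [e for e in idle if e.path.lower() not in busy_paths],
        "busy_only": [e for e in busy if e.path.lower() not in idle_paths],
    }


if __name__ == "__main__":
    idle, busy = parse(IDLE_SCAN), parse(BUSY_SCAN)
    for e in idle + compare(idle, busy)["busy_only"]:
        verdict, why = classify(e)
        print(f"{verdict:6} {e.path}\n       {why}")
```

    On the idle scan only the antivirus cache file is left for review; on the busy scan the four "Data mismatch" registry rows and that file remain. All four mismatch rows carry the scan's own timestamp and appear only in the busy scan, which is the pattern r-k's advice to keep the system idle is meant to avoid. The code only narrows the list; confirming what owns the ESET cache file or the CLSID subkeys is still a manual step.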

    LVL 22

    Expert Comment

    Is C:\System Volume Information\catalog.wci the folder that's taking up the space?

    Author Comment

    That's a relief to hear it's not a rootkit.

    Today I'm being permitted access to C:\System Volume Information and it's not saying it's empty.

    There are 2 folders and 2 files in this directory - contents are as follows -

    Folder 1 -

    -restore{1D607D8A- etc}   (14GB) (13,290 files, 384 folders) File Folder - Date Modified 20/10/07 (As you can see it's grown 2GB since my first posting on this.)   The contents of this folder are -

    Folder - RP502 - RP597 inclusive, with all folders in between numbered sequentially.   With the exception of the last entry (RP597), all other entries are blue so I'm assuming they're compressed.

    Files -


    Folder 2 -

    cat.wci  (104MB) File Folder - Date Modified 21/10/07
    This folder contains a collection of files of the following types - C1, FID, PS1, PS2, DIR, 000, 001, 002, HSH, BK1, BK2

    File 1 -

    MountPointManagerRemoteDatabase (0KB) System File - Date Modified 13/10/07

    File 2 -

    tracking.log (1000KB) Text Document - Date Modified 13/10/07
    The contents of this file are indecipherable with the exception of the word 'backoffice' which appears several times on each line.   Not sure if this has anything to do with a user that was created by the system called - administrator:BACKOFFICE which just appeared one day.   (I must admit, that's not to say I haven't inadvertently created it unwittingly...)

    Will look forward to your next posting.

    LVL 32

    Accepted Solution

    Those RP502 to RP597 folders are "Restore Points", backups of the Registry and other system files that Windows makes every so often. Since you have about 100 of them chances are that each one is about 140 MB, which explains the rather large disk space usage. Can you verify that each one is about that size?

    How big is your hard drive? I suggest you decrease the max space that Windows allocates for restore points; you don't really need 100 of them. By default Windows wants to allocate 10% of your C: drive, but you can reduce that by going into Control Panel -> System -> System Restore tab -> Settings and using the slider there to select a smaller value like 5 or even 3%. That will free up a fair amount of space.

    How much of C: drive is free space? (before and after reducing the Restore Point allocation)

    How much RAM is in your machine currently?

    Are you seeing a slowdown only during web browsing, or at other times as well?

    Author Comment

    C: drive free space now = 39GB (out of 80GB)
    RAM = 1GB
    The folder sizes vary.   Probably about half are around 40-70MB, others vary from about 100MB to 600MB and 1 folder alone is about 2GB.

    The space allocated to system restore was on max (12% or so) so I've reduced that to 5% for now.

    The size of sys vol info is now about 6GB (4740 files - 114 folders) and C: drive free space is now about 42GB. RP580 is still there though which is the 2GB folder.

    The slowdown is a bit erratic and sometimes occurs when I'm using basic Office programs but is primarily at its slowest when I'm trying to do things either in or between Outlook and browsing.   I just tried IE7 and that's pretty fast but I usually use Firefox which has been painfully slow by comparison.

    Just as a matter of interest, now that I've reduced the amount of space allocated to system restore, I presume the earlier folders have been deleted so is it OK to run ccleaner now?


    Author Comment

    Hi r-k

    Just wondered if you'd had time to look at my last post.   If you could let me know what your thoughts are, I can allocate points and hopefully close the question.

    LVL 32

    Expert Comment

    Oops, sorry about that, got away from this for a while.

    Seems like the abnormal disk space usage has been brought under control and is not a factor any more. RP580 should eventually disappear as new restore points are created, or you can force delete it by disabling all restore points on a one time basis, then re-enable them again.

    The slowdown is still unexplained though we can rule out rootkits, low disk space, and probably even malware. If the slowdown is mainly in Firefox I would just remove Firefox as completely as possible (save your bookmarks in case they are of value), then download the latest version and reinstall.

    Yes, should be OK to run ccleaner now.

    Might be good to post a new summary if my understanding of current problems is off the mark. Thanks.


    Author Comment

    Hi r-k

    Thanks very much for your help with this one.   Since my last posting when I said Firefox was still slow, after a few reboots, everything is working much faster and the problems seem to have disappeared.   I think it was all related to the bloated 12GB being hogged by the restore points.   I've reduced the max space allocation to 5% but would be happy to go lower to maybe 3% if possible.

    I just wanted to double check that I could go ahead and clean up/defrag, etc safely which I'm sure will speed things up further.

    Thanks again

    LVL 32

    Expert Comment

    Thanks. Good to know even Firefox is back to normal. I would definitely feel safe about defragging if you wish (though I am not a fan of unnecessary and frequent defrags). Re, space for Restore points, even 3% on an 80 GB drive means about 2.4 GB, or about 25 restore points, which should really be more than anyone is likely to need.

    Thanks and good luck :)
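As an added example (not code from the thread or any of its participants), the Python script below does what the two expert comments above describe by hand: it sizes each RPnnn folder under a _restore{...} directory so that an oversized point like RP580 stands out against the ~140 MB typical size, and it works out how many points of a given size fit in a chosen percentage of an 80 GB drive. The directory tree, the file sizes (bytes standing in for megabytes) and the _restore{SAMPLE-GUID} folder name are all constructed here; on a real XP machine the script would need the read access to System Volume Information discussed earlier.

```python
import os
import statistics
import tempfile


def restore_point_sizes(restore_dir):
    """Map each RPnnn folder under restore_dir to its total size in bytes."""
    sizes = {}
    for name in sorted(os.listdir(restore_dir)):
        path = os.path.join(restore_dir, name)
        if not (name.startswith("RP") and os.path.isdir(path)):
            continue
        total = 0
        for root, _dirs, files in os.walk(path):
            total += sum(os.path.getsize(os.path.join(root, f)) for f in files)
        sizes[name] = total
    return sizes


def oversized_points(sizes, factor=3.0):
    """Names of points larger than factor x the median (a 2 GB point among 140 MB ones)."""
    if not sizes:
        return []
    median = statistics.median(sizes.values())
    return [name for name, size in sizes.items() if size > factor * median]


def points_that_fit(drive_bytes, percent, per_point_bytes):
    """How many restore points of per_point_bytes fit in percent% of a drive_bytes disk."""
    return int(drive_bytes * percent / 100 // per_point_bytes)


def build_sample_tree(base):
    """Constructed sample: RP502..RP511 at 140 bytes each, RP580 at 2000 bytes."""
    restore_dir = os.path.join(base, "_restore{SAMPLE-GUID}")  # placeholder, not a real GUID
    for n in list(range(502, 512)) + [580]:
        folder = os.path.join(restore_dir, f"RP{n}")
        os.makedirs(folder)
        with open(os.path.join(folder, "snapshot.dat"), "wb") as fh:
            fh.write(b"\0" * (2000 if n == 580 else 140))
    return restore_dir


def audit_sample():
    """Build the constructed tree in a temp dir and return (sizes, oversized names)."""
    with tempfile.TemporaryDirectory() as tmp:
        sizes = restore_point_sizes(build_sample_tree(tmp))
        return sizes, oversized_points(sizes)


if __name__ == "__main__":
    sizes, flagged = audit_sample()
    print(sizes, "oversized:", flagged)
    print(points_that_fit(80 * 10**9, 3, 100 * 10**6))  # 3% of 80 GB holds 24 points of 100 MB
```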
