• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1499
  • Last Modified:

Slow computer and suspicious windows file and folder behaviour


I'm just about at my wits end with this computer at the moment!

System Details

Windows XP Pro SP2
1GB Ram
Firewall - ZoneAlarm
Anti-Virus - NOD32
Anti-Spyware - see below


Speed Issues

The computer is running very slowly, particularly when I'm on the internet.   Opening links can be extremely slow and recently, sometimes when I do a search, the google search results page opens up OK, but any links I click on don't connect.   I get a message dialogue box saying that my internet connection is OK and then have a range of options available like retry, ping, whois, etc (maybe that's due to a Firefox Extension I've installed - I'm not sure).

Wierd Things

The weird things relate mainly to my directory structure(s) including things like - I have folders with multiple sub-folders but nothing in them (even when I show all files including those that are normally hidden).   I have new folders added to the C:\ directory every now and then.   In the C:\Temp directory, I have files and folders dating back a year or so, when I've run programs that clean out temp files in the last few days.   Although I have IE7 installed, there is reference to IE5 when I run software to delete temp files etc

What I've tried to resolve the problems -

First I ran NOD32 - the first time I ran it in relation to this problem, I found I had an infection (Win32 Netsky).
I quarantined the offending files, found that they were residing in a folder I didn't even know I had under C:\Import.   This directory, which was not created by me, seemed to be a duplicate of my C: Drive and contained 2 folders - Drive C and Drive D.   I've since removed this directory to an external drive and don't think it's causing me any problems.

Then I ran NOD32 again and can't remember now whether I found no further threats or aborted the scan after it was taking so long (I mean hours and hours).

I then ran -

Weebroot SpySweeper
Spybot Search & Destroy
Lavasoft Adaware
NTREGOPT (to optimise the registry)

There were no further threats detected and I had thought that the system should be pretty clean by this stage but there was still an issue with the speed.

Because of the Weird Things mentioned above, I thought I might have some corrupt windows files so I tried to do a Windows Repair but when I tried to select the option on the installation CD to install windows, I received an error message saying that the version of windows on my computer was a later version than what was on the disc and I couldn't get to the point where you would normally get the options to repair or install.   Even though I've installed all windows updates and hotfixes etc, I'm pretty sure I've been able to repair windows files before using this method so I checked that the serial numbers matched using  Belarc Advisor and they do.

I then purchased Uniblue Power Suite and ran Registry Booster and SpeedUpMyPC which seemed to make a difference but it was still taking a long time to do things like forwarding emails, accessing the internet, etc.   Then when I ran SpyEraser (the 3rd part of the Power Suite), it scanned cookies, memory and registry fairly quickly, detected a few registry issues but was still scanning files more than 8 hours later.   I sent Uniblue an email to see if this was normal and I received a reply saying it could be depending on what was running and to try running SpyEraser in Safe Mode which I did.   Again, it scanned cookies, memory and registry fairly quickly, detected no registry issues this time, but was still scanning files more than 2 hours later so I had to abort the scan and get some real work done.

In the meantime, I had some extra RAM installed which has made a difference but startup is still slow, my Uniblue Power Suite had some components missing when I rebooted and Webroot SpySweeper has been removed.

In relation to the Weird Things, today I noticed another new folder under C:\Documents and Settings.   A directory called Administrator:BACKOFFICE which contains directories for things I don't even recognise.   I've also noticed a bunch of files in the root directory with an .sqm extension.

So, to cut a long story short, the strange files and folders thing is making me wonder if there is serious problem I haven't been able to detect/remove and the speed thing is still an issue.

Any thoughts on where to from here would be greatly appreciated.

If I need to run a HijackThis scan, would you mind including some instructions on what to do to be able to post it back here?

Many thanks

  • 8
  • 6
  • 4
  • +2
1 Solution
By now you could have, and probably should just backup what you need and do a reinstall. Your PC should have a CAL sticker on the side, just use the disks and blow out windows. It is usually that quickest, surestest and sometimes only way to fix wierd issues.

Remember to just wipe out the old windows, format the drive and do a fresh install.

First, try SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Then download and open Dial-a-fix (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip), check all checkboxes under the "Registration center" section, and click "GO".
Not a bad idea to run HijackThis. Download it from http://www.hijackthis.de/ (link is at top-right corner of that page). Unzip the contents to some folder (not the Desktop) then run the .exe file by double-clicking on it. It shows the results in a window - just copy and paste the results here.
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

bluedognoosa21Author Commented:
Thank you for your quick replies to my posting.

As you might have gathered, I've been doing everything possible to try to avoid a fresh install of windows as I'm really short on time and run a few business applications which I can't afford to mess up.  Having said that though, it's looking more and more like a fresh install is going to be about the only way to go.

I installed and ran Super Antispyware  - no problems detected.

I also downloaded and ran Dial-a-fix and have copied the log file below -

Bit early to tell how effective it was but I thought I'd post a copy of the file  here to see if you think there's anything obvious in it -

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
     the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
     dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.11
MPC: 55276-013
CPU: AMD Athlon(tm)  (~1250MHz)
BIOS: 15/09/2003
Memory (approx): 991MB
Uptime: 12 hour(s)
Current directory: C:\Documents and Settings\Admin\Desktop\Downloads\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24

04/10/2007 9:09:51 PM -- Dial-a-fix : [v0.60.0.24] -- started
9:09:51 PM | Policy scan started
9:09:51 PM | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
9:41:02 PM | Deleting C:\Documents and Settings\Admin\Local Settings\Temp...
9:41:03 PM | C:\Documents and Settings\Admin\Local Settings\Temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\WINDOWS\temp...
9:41:03 PM | C:\WINDOWS\temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\DOCUME~1\Admin\LOCALS~1\Temp...
9:41:03 PM | C:\DOCUME~1\Admin\LOCALS~1\Temp could not be completely emptied, please reboot and try again
--- MSI ---
9:53:42 PM | Registered: C:\WINDOWS\system32\msi.dll
--- Registration: ActiveX controls/codecs ---
9:55:11 PM | Registered: C:\WINDOWS\system32\acelpdec.ax
9:55:11 PM | Registered: C:\WINDOWS\system32\actxprxy.dll
9:55:11 PM | Registered: C:\WINDOWS\system32\asctrls.ocx
9:55:11 PM | Registered: C:\WINDOWS\system32\daxctle.ocx
9:55:11 PM | Registered: C:\WINDOWS\system32\hhctrl.ocx
9:55:11 PM | Registered: C:\WINDOWS\system32\l3codecx.ax
9:55:11 PM | Registered: C:\WINDOWS\system32\licmgr10.dll
9:55:11 PM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
9:55:14 PM | Registered: C:\WINDOWS\system32\msdxm.ocx
9:55:14 PM | Registered: C:\WINDOWS\system32\proctexe.ocx
9:55:14 PM | Registered: C:\WINDOWS\system32\tdc.ocx
9:55:15 PM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
9:55:19 PM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
9:55:19 PM | Registered: C:\WINDOWS\system32\quartz.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\danim.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\dmscript.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\dmstyle.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\dxmasf.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtmsft.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtrans.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
9:55:20 PM | Registered: C:\WINDOWS\system32\atl.dll
9:55:20 PM | Registered: C:\WINDOWS\system32\corpol.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\jscript.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\dispex.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\scrrun.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\scrobj.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\vbscript.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
9:55:21 PM | Registered: C:\WINDOWS\system32\activeds.dll
9:55:21 PM | Registered: C:\WINDOWS\system32\audiodev.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\browsewm.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\cabview.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\cdfview.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcatex.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcatq.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\comcat.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\cscui.dll
9:55:22 PM | Registered: C:\WINDOWS\system32\credui.dll
9:55:23 PM | Registered: C:\WINDOWS\system32\datime.dll
9:55:23 PM | Registered: C:\WINDOWS\system32\devmgr.dll
9:55:23 PM | Registered: C:\WINDOWS\system32\dfsshlex.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdlgs.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dmloader.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dmocx.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dmview.ocx
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dsuiext.dll
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dsquery.dll
9:55:24 PM | Registered: C:\WINDOWS\system32\dskquoui.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\els.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\es.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\fontext.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\hlink.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\hnetcfg.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\iedkcs32.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\iepeers.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\ils.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\inetcfg.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\inetcomm.dll
9:55:26 PM | Registered: C:\WINDOWS\system32\laprxy.dll
9:55:27 PM | Registered: C:\WINDOWS\system32\lmrt.dll
9:55:27 PM | Registered: C:\WINDOWS\system32\mlang.dll
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcshext.dll
9:55:28 PM | Registered: C:\WINDOWS\system32\mscoree.dll
9:55:28 PM | Registered: C:\WINDOWS\system32\mshtmled.dll
9:55:29 PM | Registered: C:\WINDOWS\system32\msoeacct.dll
9:55:29 PM | Registered: C:\WINDOWS\system32\msr2c.dll
9:55:29 PM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
9:55:29 PM | Registered: C:\WINDOWS\system32\mydocs.dll
9:55:29 PM | Registered: C:\WINDOWS\system32\mstime.dll
9:55:30 PM | Registered: C:\WINDOWS\system32\netcfgx.dll
9:55:30 PM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
9:55:30 PM | Registered: C:\WINDOWS\system32\netplwiz.dll
9:55:30 PM | Registered: C:\WINDOWS\system32\netman.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\netshell.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsevt.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmssvc.dll
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\occache.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\occache.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\ole32.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\oleaut32.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\oleacc.dll
9:55:31 PM | Registered: C:\WINDOWS\system32\olepro32.dll
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\photowiz.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\remotepg.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\rpcrt4.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\rshx32.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\sendmail.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\slayerxp.dll
9:55:32 PM | Registered: C:\WINDOWS\system32\shell32.dll
9:55:35 PM | DllInstalled: C:\WINDOWS\system32\shell32.dll
9:55:36 PM | Registered: C:\WINDOWS\system32\shmedia.dll
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
9:55:36 PM | Registered: C:\WINDOWS\system32\shimgvw.dll
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
9:55:37 PM | Registered: C:\WINDOWS\system32\shsvcs.dll
9:55:37 PM | Registered: C:\WINDOWS\system32\srclient.dll
9:55:37 PM | Unregistered: C:\WINDOWS\system32\stobject.dll
9:55:37 PM | Registered: C:\WINDOWS\system32\stobject.dll
9:55:37 PM | Registered: C:\WINDOWS\system32\twext.dll
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
9:55:40 PM | Registered: C:\WINDOWS\system32\urlmon.dll
9:55:40 PM | Registered: C:\WINDOWS\system32\userenv.dll
9:55:40 PM | Registered: C:\WINDOWS\system32\winhttp.dll
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\wininet.dll
9:55:40 PM | Registered: C:\WINDOWS\system32\zipfldr.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
9:55:43 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll

You might have noticed that there is a message near the start saying that certain temp files could not be deleted and advising that you should reboot and try again, which I did - but the temp files were still unable to be deleted.   Any thoughts?

I also ran Hijack this and got an error message (something about HOSTS file) and it shutdown very quicly.   The log file from that scan is also attached -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:58 PM, on 04/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\PowerSuite.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149547814113
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149675825093
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 7585 bytes

Thanks again - l;ook forward to hearing from you.

Have you tried superantispyware in safe mode?
To remove temporary files I always use www.ccleaner.com
bluedognoosa21Author Commented:
I ran ccleaner at the outset but it didn't work.

I may have discovered a clue however.

Firstly, I've been having problems with windows installer,   Can I just remove it and reinstall to see if that helps?

On the slow computer issue, today I was looking for something in the Volume System Information directory and what I found was hardly any files I expected to find together with stacks of RP entries which I assume is Restore Point,   Anyway, when I checked the properties of the directory I noticed that the size of this directory is over 12 GB!!   (that's not a misprint)   Any ideas on why this would be so?

I must admit, it is seriously looking like needing to reinstall windows xp pro SP2.

You can reinstall Windows Installer by using Dial-a-fix. Check the "Fix Windows Installer:" checkbox and click "GO". Also, just because you have a folder that's over 12 GB, it doesn't necessarily mean it's linked to a slow computer and weird behavior.
12 GB of unexplained space is certainly very suspicious. Since that folder is often the target of hackers (to store bootleg music and videos), it is best to rule that out first.

I notice one suspicious entry in your HJT log:

O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe

Are you familiar with what this is?

If not, please submit this file (Mpi32.exe) on-line to this site:


and they will tell you right-away whether it is known malware.

Also, do a scan with RootkitRevealer:

Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the
results to a text file (Important -> you may need that file later)
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
first 30 lines or so.
bluedognoosa21Author Commented:
Thanks for the advice.   I'll give them all a go.   I'll be away for the next few days so will do my homework and post back here later in the week.

The mpi32 entry is our pabx phone management software (I manage a holiday resort).

r-k, oh yeah, a rootkit scan may be a good idea.
bluedognoosa21Author Commented:
Hi Wizard

I think you might be on to something.   I downloaded and ran a scan with Rootkit Revealer.    The first time I ran it, I turned everything off I could think of (AV, Anti-spyware, Fwall, etc) so the system was as idle as I could get it.   I saved the file to desktop and my docs but couldn't find it when I opened those directories using my computer.   I thought maybe some malware might be hiding it so I ran another scan but this time left everything active.  

Anyway, to cut a long story short, I eventually found them under C:\Docs & Settings\Local Services\Desktop.   This is the results of the first scan -

HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 11:01 AM      259 bytes      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.ci      20/10/2007 10:49 AM      2.92 MB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.dir      20/10/2007 10:49 AM      5.87 KB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.ci      20/10/2007 10:49 AM      2.90 MB      Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.dir      20/10/2007 10:49 AM      5.65 KB      Hidden from Windows API.
C:\WINDOWS\system32\spool\PRINTERS\FP00014.SHD      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\spool\PRINTERS\FP00014.SPL      20/10/2007 10:40 AM      0 bytes      Visible in Windows API, but not in MFT or directory index.

The following is the results of the second scan where I didn't stop anything first -

HKU\S-1-5-21-2052111302-1993962763-725345543-1003\Software\Licenses\{I81A067BDE7DB239C}      20/10/2007 12:40 PM      4 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*      5/06/2006 9:45 PM      0 bytes      Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{3D14228D-FBE1-11D0-995D-00C04FD919C1}*      29/09/2007 7:51 AM      0 bytes      Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\gxxlbDlffc\      20/10/2007 12:40 PM      58 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\icPrDwNg\      20/10/2007 12:40 PM      54 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\CLSID\{520AA255-85C2-880E-9146-66C52A616535}\RjAkelp\      20/10/2007 12:40 PM      42 bytes      Data mismatch between Windows API and raw hive data.
C:\Program Files\ESET\cache\FND0.NFI      20/10/2007 12:49 PM      260 bytes      Hidden from Windows API.
C:\System Volume Information\_restore{1D607D8A-712A-48F1-881D-ECBA776F9A92}\RP596\A0058249.RDB      20/10/2007 12:42 PM      1.75 MB      Hidden from Windows API.

Not sure if it means anything, but when I went to look in System Volume Information the other day, when the mouse was hovering over the folder, it was showing Folder Empty, but when I tried to open it anyway, I got an Access Denied message.   (I'm pretty sure that's what happened).   There were a few other system folders I tried to open but got the same error message.


Hmm... You don't have a rootkit, so that's good. The results above are just normal "noise" that you'd expect.

That still leaves the question of what is taking up that extra 12 GB space...

You can right-click on tje System Volume Information folder, select Properties -> Security and click "Add" and add your own username and give yourself at least read permission to that folder and all subfolders within (i.e. click on Advanced and see that the box labeled "Replace permission entries on all child objects...")  is "checked"

That should allow you to browse inside that folder and see if you can spot the missing 12 GB of stuff.

Is C:\System Volume Information\catalog.wci the folder that's taking up the space?
bluedognoosa21Author Commented:
That's a relief to hear it's not a rootkit.

Today I'm being permitted access to C:\System Volume Information and it's not saying it's empty.

There are 2 folders and 2 files in this directory - contents are as follows -

Folder 1 -

-restore{1D607D8A- etc}   (14GB) (13,290 files, 384 folders) File Folder - Date Modified 20/10/07 (As you can see it's grown 2GB since my first posting on this.   The contents of this folder are -

Folder - RP502 - RP597 inclusive, with all folders in between numbered sequentially.   With the exception of the last entry (RP597), all other entries are blue so I'm assuming they're compressed.

Files -


Folder 2 -

cat.wci  (104MB) File Folder - Date Modified 21/10/07
This folder contains a collection of files of the following types - C1, FID, PS1, PS2, DIR, 000, 001, 002, HSH, BK1, BK2

File 1 -

MountPointManagerRemoteDatabase (0KB) System File - Date Modified 13/10/07

File 2 -

tracking.log (1000KB) Text Document - Date Modified 13/10/07
The contents of this file are indecipherable with the exception of the word 'backoffice' which appears several times on each line.   Not sure if this has anything to do with a user that was created by the system called - administrator:BACKOFFICE which just appeared one day.   (I must admit, that's not to say I haven't inadvertently created it unwittingly........)

Will look forward to your next posting.

Those RP502 to RP597 folders are "Restore Points", backups of the Registry and other system files that Windows makes every so often. Since you have about 100 of them chances are that each one is about 140 MB, which explains the rather large disk space usage. Can you verify that each one is about that size?

How big is your hard drive? I suggest you decrease the max space that Windows allocates for restore points, you don't really need 100 of them. By default Windows weants to allocate 10% of your C: drive, but you can reduce that by going into Conrol Panel -> System -> System Restore tab -> Settings and use the slider there to select a smaller value like 5 or even 3%. That will free up a fair amount of space.

How much of C: drive is free space? (before and after reducing the Restore Point allocation)

How much RAM is in your machine currently?

Are you seeing a slowdown only during web browsing, or at other times as well?
bluedognoosa21Author Commented:
C: drive free space now = 39GB (out of 80GB)
The folder sizes vary.   Probably about half are around 40-70MB, others vary from about 100MB to 600Mb and 1 folder alone is about 2GB.

The space allocated to system restore was on max (12% or so) so I've reduced that to 5% for now.

The size of sys vol info is now about 6GB (4740 files - 114 folders) and C: drive free space is now about 42GB. RP580 is still there though which is the 2GB folder.

The slowdown is a bit erratic and sometimes occurs when I'm using basic Office programs but is primarily at it's slowest when I'm trying to do things either in or between Outlook and browsing.   I just tried IE7 and that's pretty fast but I usually use firefox which has been painfully slow by comparison.

Just as a matter of interest, now that I've reduced the amount of space allocated to system restore, I presume the earlier folders have been deleted so is it OK to run ccleaner now?

bluedognoosa21Author Commented:
Hi r-k

Just wondered if you'd had time to look at my last post.   If you could let me know what your thoughts are, I can allocate points and hopefully close the question.

Oops, sorry about that, got away from this for a while.

Seems like the abnormal disk space usage has been brought under control and is not a factor any more. RP580 should eventually disappear as new restore points are created, or you can force delete it by disabling all restore points on a one time basis, then re-enable them again.

The slowdown is still unexplained though we can rule out rootkits, low disk space, and probably even malware. If the slowdown is mainly in Firefox I would just remove Firefox as completely as possible (save your bookmarks in case they are of value), then download the latest version and reinstall.

Yes, should be OK to run ccleaner now.

Might be good to post a new summary if my understanding of current problems is off the mark. Thanks.

bluedognoosa21Author Commented:
Hi r-k

Thanks very much for your help with this one.   Since my last posting when I said firefox was still slow, after a few reboots, everything is working much faster and the problems seem to have disappeared.   I think it was all related to the bloated 12GB being hogged by the restore points.   I've reduced the max space allocation to 5% but would be happy to go lower to maybe 3% if possible.

I just wanted to double check that I could go ahead and clean up/defrag, etc safely which I'm sure will speed things up further.

Thanks again
Thanks. Good to know even Firefox is back to normal. I would definitely feel safe about defragging if you wish (though I am not a fan of unnecessary and frequent defrags). Re, space for Restore points, even 3% on an 80 GB drive means about 2.4 GB, or about 25 restore points, which should really be more than anyone is likely to need.

Thanks and good luck :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 8
  • 6
  • 4
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now