A Head Scratcher

[techgranny]

Hello:
 I have been fixing up a computer that runs poorly and was just about to give up when I found multiple file entries in System 32. It has 4 wininet.dll, 4 urlmon.dll, 3 shlwapi.dll, 2 url.dll just to name a few. No wonder it has a hard time executing a command! I have done searches on this and only found one case that was slightly similar so I am hoping the great minds here can help answer my questions .
 I would love to know why this happened but that's just out of curiosity. The more important question is " How do I know which ones to delete?".  Some are the same size and date and some aren't. Some are compressed and some aren't. Do I just get rid of all of them and write a clean copy from the XP CD?  Are they going to let me delete them at all?
 Any advice would be appreciated!

[BC_Programmer]

It is impossible for two files with the same name to exist in the same directory.

However a common tactic used by malware is to use letters that look the same in the standard windows dialog font.

for example, a lower-case L and a uppercase i look the same in the default windows fonts for most systems. So some of them could have "tweaked" names. You can check this by changing the system font in appearance.

Also, if these files are simply under system32 but in different folders, then that is normal. Windows keeps a copy of many of those files in dllcache in case somebody accidentally deletes the originals, and often backups are made by windows update in other folders, too.

[techgranny]

Hey BC!
 Sorry, I should have explained myself better. It is, for example, urlmon.dll, urlmon(2).dll, urlmon(3).dll and so on and they are all in System32. I have looked at the properties on each and they have the same details. When I say some are different sizes I mean that for instance, if there is 4 entries, 2 of them are the same as each other and the other 2 are a larger size but also the same as each other. I wondered if the smaller ones could be from previous service packs and the larger ones the updated versions that didn't install properly which still doesn't explain why there are copies of each. It's just weird! BTW, the Microsoft updater won't work properly either. It keeps asking me to install the same security update even though it says that it has been successfully installed.
  I moved all of the documents to a disc and then removed every program that could be reinstalled, cleaned the startup and autoruns before running almost every free malware scan known to man so I am fairly sure I have gotten every worm, trojan and rootkit I can get.
  I was going to remove the compressed entries using the logic that if they were compressed they must not be being used but then I wondered if they could be the good files and the used ones were infected clones. Then I thought that was unlikely since they were the same size. Then I got a painkiller for my headache and started this thread!
  I suppose I should make a list of the files and their sizes and check it against a couple of other XP's to see what should be there. ( I am getting really sick of moving mouse, keyboard and monitor cables!!!!)

[BC_Programmer]

delete the ones with numbers in brackets. They are accidental copies, possibly by an accidental drag or a copy paste or something. They aren't used by anything, by the way- (programs using the functionality in a dll import from say, urlmon.dll, not from urlmon(1).dll). Of course there is a bad side to this, since it means that haven't tracked down why the machine behaves strangely just yet!

[techgranny]

Thanks Wizkid! (How come your listed as a beginner?) I don't too much that it won't solve the problem because I learn through the journey! I wonder where I should look now? 

[truenorth]

"How come your listed as a beginner?"As you come to "know" our esteemed member BC through your longer exposure to his postings on the CH forums you will come to realize (and hopefully enjoy) his often extensive repartee when addressing posts. He often will inflict his wry sense of "humour" as part of his replies. While i am sure his pronounced modesty will prevent him from personally responding to your quoted query i hope he will concur with my interpretation of the existence of the description "beginner". He is actually by any definition way above that. truenorth

[BC_Programmer]

While i am sure his pronounced modesty will prevent him from personally responding to your quoted query i hope he will concur with my interpretation of the existence of the description "beginner". He is actually by any definition way above that. truenorth

Thanks

Actually, the reason my experience is set to beginner is because the forum software was updated and it reset some profile settings, and I didn't feel it was necessary to change it. After all, that option really only says how much the person thinks they know, not how much they actually do. And in many sense I think everyone can be a beginner at something. A person great with MS word will likely be lost in Visual Studio; somebody good with photoshop might be a beginner using PowerPoint, and vice versa. I'm not an expert or even experienced or familiar with everything computer related, so I think it fits to go with the lowest common denominator. Better to have people telling you you have it set to low rather than that it is too high .

[techgranny]

 I can understand if you don't want to be bothered changing it since you have so many better things to spend your time on and it would appear that it is better than a coffee table book for starting conversations but after all the hours ( thousands?, millions?) you have spent at the keyboard I think it would be safe to say you are "familiar". It is really more of a fact than a brag. 

[patio]

BC is by far the best Beginner we have here...

You're in good hands...

[techgranny]

I didn't doubt it for a moment!

So, I deleted those duplicates and figured I was done with that now the Explorer Search just keeps looping around and finding the same entries over and over! Splane that one Lucy!
 Annnd....I did an Internet Search on the entries "Zonedon" and "Zonedoff" and it appears they may be Malware but Avast says they are clean. Is there any other explanation for them?

[truenorth]

Sounds like you should meander on over to the experts at the "virus and spyware" forum and introduce yourself there and make mention of your last post. I offer this as the basis for that recommendation.
http://security.pc-fault.com/security/51263.html
I CANNOT attest to the credibility of this site and it's statement but i would want to determine the credibility the statement that is being made there.truenorth
.

[techgranny]

 Thanks for the link Truenorth. I already spent a couple of weeks on this matter with SuperDave and found nothing to explain the weird behaviour. I have run more scans since then and have found a couple more things including a rootkit but it is still messed up. I wanted to do a clean install but the CD just won't run even though I can view, copy and paste from it. I used the CD to do a repair install a couple of month ago so I know it works. Another weird thing is that if I run sfc /scannow it takes its time and the CD ROM makes noise every now and then and the progress indcator runs to the end before it shuts off but if I run sfc without the CD it keeps saying that required dll's are missing.
 I would say it is driving me crazy but my friend keeps telling me it is less like a drive and more like a short putt!