Hi;

I was doing some system maintenance on a win2k SP4 machine and 2 XP-Pro SP3 machines and found some files in:

- ..\Local Settings\Application Data\
- ..\Documents and Settings\user name\Application Data\

When I searched for them they came back as supposedly bad:

- fusioncache.dat (no threat detected during scan)
- GDIPFFONTCACHEV1.DAT (no threat detected during scan)
- IconCache.db (no threat detected during scan)

except these two (which supposedly belong to roxio / sonic):

- rx_audio.Cache (no threat detected during scan)
- rx_image.Cache (no threat detected during scan)

Some of these files had a file date of when the system was built, so I used the Eset Online Scanner, Spybot S&D, and then tried MBAM.

I had AVG up until 2 days ago and then dumped it because it wasn't working properly other than to slow my systems down - it wouldn't even detect the EICAR test string every time.

During the quick scan a registry entry which I created with Group Policy Editor was detected as a HiJack on all the systems; actually all the anti-Spy/Malware scanners detect this and I don't know why:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Result > (Hijack.Find)

This key is created when using the GPO User Configuration\Administrative Templates\Start Menu and Taskbar\ "Remove Search From the Start Menu" (Enabled). (I try to remove clutter I don't use from my system / menus etc.)
So after all that I ran a "Deep Scan" and selected all the drives in my main system, which has a ton of backed up files from 4 win3.1x machines that I haven't had time to sort out and permanently archive or remove yet.

Here's where it gets weird: one 14 year old file from the Microsoft Win32's extension set for 16-bit Win3.1x was detected as a trojan dropper.

- D:\310Moved\Server~D\SOFTWARE\WIN~DLLS.100\SYSTEM\WIN32S\W32SKRNL.DLL
- D:\310Moved\Server~D\SOFTWARE\WIN~DLLS.166\SYSTEM\WIN32S\W32SKRNL.DLL
- D:\310Moved\Server~J\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL
- D:\310Moved\Server~L\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL
- E:\310Moved\Server~D\SOFTWARE\WIN~DLLS.100\SYSTEM\WIN32S\W32SKRNL.DLL
- E:\310Moved\Server~D\SOFTWARE\WIN~DLLS.166\SYSTEM\WIN32S\W32SKRNL.DLL
- E:\310Moved\Server~J\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL
- E:\310Moved\Server~L\WINDOWS\SYSTEM\WIN32S\W32SKRNL.DLL

Result on all files > (Trojan.Dropper) -> No action taken.

They're all the same file:

W32SKRNL.DLL 82,944 Bytes 30/01/1996 23:00

The file comes from a legitimate program install CD which included win32's and the game FreeCell, even though those win3.1x systems were never on the internet or even a real network. I used Interlink to transfer to the main backup file storage server back then, and then when I got the new XP system I pulled the largest drive and put it on an IDE/USB adapter and pulled the files to the main system now in use.

Should I submit a copy of this file just to verify it?

Sorry for the long post, I hope it makes enough sense.

Summary: there's really two things going on:

- where'd those weird files come from and why aren't they detected?
- and why are a legitimate registry entry and a file from 1996 detected as threats?

THX