[Metallica]

It certainly does. We must have removed something that was hiding information from us.

Download and run: http://www.trojaner-...file=sphjfix109
Use the start disinfection button.

Download: DelDomains.inf
Should the link above display the text instead of downloading the file, then copy & paste the text into notepad and save the file as DellDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Post back with a new log when you are done.

Regards,

[Advertisements]

Hi Pieter

I have applied the files and attach a new log, also I still have the explorer error message and a new message regarding missing files.

C:\Windows\Temp\Se.dll and C:\windows\TWC.PTN

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:18:36 PM, on 7/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\NAZKCKD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\SYSTEM\RICHEDTR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe
O4 - HKLM\..\Run: [nazkckd] c:\windows\system\nazkckd.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL (file missing)

Thanks

[iisupreme11]

Hi Pieter

I have applied the files and attach a new log, also I still have the explorer error message and a new message regarding missing files.

C:\Windows\Temp\Se.dll and C:\windows\TWC.PTN

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:18:36 PM, on 7/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\NAZKCKD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\SYSTEM\RICHEDTR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe
O4 - HKLM\..\Run: [nazkckd] c:\windows\system\nazkckd.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.xxxtoolba.../0006_adult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL (file missing)

Thanks

[Metallica]

OK. You will have to have some patience. This will take some more time. Your computer was heavily infected with some of the nastiest cr@p around.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\SYSTEM\RICHEDTR.DLL

O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe
O4 - HKLM\..\Run: [nazkckd] c:\windows\system\nazkckd.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://super-gals.co.../x.chm::/ad.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.xxxtoolba.../0006_adult.cab

O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL (file missing)

Reboot and post a new log. The stubborn ones will show up again.
Let me know if there are any more errors.

Regards,

[iisupreme11]

Hi Pieter

I followed the instructions and have another (smaller) log to post.

Logfile of HijackThis v1.99.1
Scan saved at 12:45:42 AM, on 7/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\NAZKCKD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nazkckd] c:\windows\system\nazkckd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Regards

[Metallica]

There is one that I would like to have identified in there.

Can you surf to: http://virusscan.jotti.org/

Upload c:\windows\system\nazkckd.exe
and let me know the results of the scan please.

• Also download the Registry Search Tool.
• Unzip the contents of RegSrch.zip to a convenient location.
• Double-click on RegSrch.vbs.
• If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
• In the "Enter search string (case insensitive) and click OK..." box paste this string:
  • {00000049-8F91-4D9C-9573-F016E7626484}
• Click "OK" to search the registry for that string.
• Wait for a few minutes while it completes the search.
• Click "OK" to open the results in WordPad.
• Copy and paste the entire results into your next post.

Regards,

[iisupreme11]

Hi Pieter

Here are all the scan logs:

Virusscan.jotti.org:

File: nazkckd.exe Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 64af08f1fc45796c23b3fa6c7ebbb18a Packers detected:
PE_PATCH, UPX
Scanner results AntiVir
Found TR/Dldr.BetterIne.D ArcaVir
Found Trojan.Agent.Ay Avast
Found nothing AVG Antivirus
Found nothing BitDefender
Found nothing ClamAV
Found nothing Dr.Web
Found Trojan.DownLoader.3256 F-Prot Antivirus
Found nothing Fortinet
Found W32/Agent.53CB-tr Kaspersky Anti-Virus
Found Trojan.Win32.Agent.ay NOD32
Found nothing Norman Virus Control
Found nothing UNA
Found nothing VBA32
Found Trojan.Win32.Agent.ay

RegSearch Scan:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{00000049-8F91-4D9C-9573-F016E7626484}" 7/5/05 6:35:35 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}]

[HKEY_LOCAL_MACHINE\Software\CLASSES\CeresDll.CeresDllObj.1\CLSID]
@="{00000049-8F91-4D9C-9573-F016E7626484}"

[HKEY_LOCAL_MACHINE\Software\CLASSES\CeresDll.CeresDllObj\CLSID]
@="{00000049-8F91-4D9C-9573-F016E7626484}"

Regards

[Metallica]

Excellent job.

Copy the part in bold below into notepad and save it as ceresrem.reg
Set filetype to "All files"

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000049-8F91-4D9C-9573-F016E7626484}]

[-HKEY_LOCAL_MACHINE\Software\CLASSES\CeresDll.CeresDllObj.1]

[-HKEY_LOCAL_MACHINE\Software\CLASSES\CeresDll.CeresDllObj]


Doubleclick the file and confirm you want to merge it with the registry.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Use it to delete this file:
C:\WINDOWS\SYSTEM\NAZKCKD.EXE
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of he following items.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)

O4 - HKLM\..\Run: [nazkckd] c:\windows\system\nazkckd.exe

Then reboot again and post a new HijackThis log.

Regards,

[iisupreme11]

Hi Pieter

Once again followed all the instructions and here is the new HijackThis log.

Note: When I download killbox.exe to the desktop there was no folder and there was no prompt regarding the pending operations prompt.

Logfile of HijackThis v1.99.1
Scan saved at 8:43:18 PM, on 7/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Regards

[Metallica]

I'm doing my happy dance over here.
That is a clean log.

Is your computer behaving as it should now?

Please do have a look at my site about removing and preventing spyware.

Regards,

[iisupreme11]

HI Pieter

No not quite, I still have a the explorer error message: Thsi program has performed an illegal operation and will be shut down. etc

Also the original problem regarding the shortcuts is still there.

Should I down load the antivius software from the site previously mentioned.

Regards

[Metallica]

Next time that happens please post the full and exact text of the error.
That may provide us with a lead where to look.

Also see if you have these files:
C:\PROGRAM FILES\Common Files\system32.dll
C:\PROGRAM FILES\Common Files\services.exe
C:\Program Files\Common Files\FreeProd# (where # is a number)

Let me know.

[iisupreme11]

Hi Pieter

When the system is booting up and the desktop is shown an error box appears. It has as its title Explorer, a picture of a red circle with a white cross on it and the following message.

'This program has performed an illegal operation and will be shut down.

If the problem persists, contact the program vendor.'

There are also two command buttons CLOSE and DETAILS. When the details are expanded the following information is found:

EXPLORER caused an invalid page fault in
module <unknown> at 0000:61b85cf6.
Registers:
EAX=0042bf62 CS=0167 EIP=61b85cf6 EFLGS=00010217
EBX=81593b60 SS=016f ESP=0080ff88 EBP=0080ff98
ECX=c1557d40 DS=016f ESI=0042b9f3 FS=250f
EDX=81593bc0 ES=016f EDI=8159351c GS=0000
Bytes at CS:EIP:

Stack dump:
0042ba07 0042bf62 81593bc0 0042b9f3 0080ffcc bff88f20 00000000 8159351c 00000008 81593b60 00000007 0080ffa4 0080fdb8 ffffffff bffc05b4 bff79050

Any attempt to close the box just returns the error box. When I check under the folder C:\windows I found an application called Explorer but it was only created recently.

I checked for the files mentioned but only found the folder under c:\programs files\common files\freeprodfetch. When I open the folder there is an application called mc-58-12-0000093. When I view the properties of the application there are two tabs General and Version. The Version tab shows version 3,1,1,5 and two version items Comments which shows http://www.autoitscr...3/complied.html and Language which shows English (United Kingdom).


I hope the above helps.

Regards

[Metallica]

Delete that entire folder c:\programs files\common files\freeprodfetch please.

Then copy the code below into notepad and save it as findtheother.bat

echo ** This batch was originally written by OSC ** 
cd C:\WINDOWS\Fonts 
if exist C:\contents.txt del C:\contents.txt 
echo ************************************>> C:\contents.txt 
echo **These are the hidden files found**>> C:\contents.txt 
echo ************************************>> C:\contents.txt 
dir /a:h >> c:\contents.txt 
echo ************************************>> C:\contents.txt 
echo **These are the system files found**>> C:\contents.txt 
echo ************************************>> C:\contents.txt 
dir /a:s >> C:\contents.txt 
start notepad c:\contents.txt 
exit

Then doubleclick that file and when it is done it will open a text file showing all hidden and system files in that folder. Post the contents of that file in a reply to this thread.

[iisupreme11]

Hi Pieter

Here is the log:

************************************
**These are the hidden files found**
************************************

Volume in drive C has no label
Volume Serial Number is 17D6-137A
Directory of C:\Windows\FONTS

VGA850 FON 5,232 04-23-99 10:22p VGA850.FON
8514OEM FON 12,288 04-23-99 10:22p 8514OEM.FON
8514SYS FON 9,600 04-23-99 10:22p 8514SYS.FON
COURE FON 23,424 04-23-99 10:22p COURE.FON
COURF FON 31,744 04-23-99 10:22p COURF.FON
DOSAPP FON 44,320 04-23-99 10:22p DOSAPP.FON
MODERN FON 7,968 04-23-99 10:22p MODERN.FON
SERIFF FON 81,744 04-23-99 10:22p SERIFF.FON
SMALLE FON 24,352 04-23-99 10:22p SMALLE.FON
SMALLF FON 19,632 04-23-99 10:22p SMALLF.FON
SSERIFE FON 64,656 04-23-99 10:22p SSERIFE.FON
SSERIFF FON 89,856 04-23-99 10:22p SSERIFF.FON
SYMBOLE FON 56,352 04-23-99 10:22p SYMBOLE.FON
SYMBOLF FON 80,928 04-23-99 10:22p SYMBOLF.FON
VGAFIX FON 5,376 04-23-99 10:22p VGAFIX.FON
VGAOEM FON 5,168 04-23-99 10:22p VGAOEM.FON
VGASYS FON 7,296 04-23-99 10:22p VGASYS.FON
8514FIX FON 10,992 04-23-99 10:22p 8514FIX.FON
SERIFE FON 57,952 04-23-99 10:22p SERIFE.FON
MARLETT TTF 17,412 04-23-99 10:22p MARLETT.TTF
20 file(s) 656,292 bytes
0 dir(s) 923,885,568 bytes free
************************************
**These are the system files found**
************************************

Volume in drive C has no label
Volume Serial Number is 17D6-137A
Directory of C:\Windows\FONTS

923,885,568 bytes free

I also attach another HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:08 AM, on 7/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CMMON32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw10fd.law10....ex/HMAtchmt.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab



regards

[Metallica]

I have another regsitry file and search batch for you.

Copy the part in bold below into notepad and save it as Appid.reg
Set Filetype to "all files"

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{23456789-0000-0020-0900-00AAFF6D2EA4}]

Doubleclick that file and confirm you want to merge it with the registry.

Then copy the code below into notepad and save it as lookup2.bat
Set Filetype to "All files"

echo ** This batch was originally written by OSC ** 
cd c:\programs files\common files
if exist C:\contents.txt del C:\contents.txt 
echo ************************************>> C:\contents.txt 
echo **These are the hidden files found**>> C:\contents.txt 
echo ************************************>> C:\contents.txt 
dir /a:h >> c:\contents.txt 
echo ************************************>> C:\contents.txt 
echo **These are the system files found**>> C:\contents.txt 
echo ************************************>> C:\contents.txt 
dir /a:s >> C:\contents.txt 
start notepad c:\contents.txt 
exit

Then doubleclick that file and when it is done it will open a text file showing all hidden and system files in that folder. Post the contents of that file in a reply to this thread.