I might have bust my smss.exe?? (RESOLVED)

  1. #1
Jibsa, Junior Member


    Hi

Following a session on MSN I noticed my PC was running sloooow. I also had at that time a dialog box headed Windows Installer popping up which told me Daemons and crss.exe could not be installed. I stopped what I was doing (playing a Football Manager game) and ran an AVG scan which found 3 new trojans.

After quarantining these items I rebooted and did another scan, and they seemed to replicate themselves and be found again on a new scan. In safe mode I scanned again with System Restore turned off and it ran clear. PC is running OK, but one of the paths of the quarantined trojans was found in Windows\System32\smss.exe. I deleted this from quarantine and from my system, but smss.exe is a Windows operating file and is usually found in this location. Oops! Have I done untold damage to my machine, as I don't see smss.exe in that location now?

I do see smss.exe running in Task Manager, however. AVG is a bit vague on naming trojans found on scans, usually just naming them BackDoor Generic TrojansLKK, which cannot be found on the Symantec virus encyclopedia etc. Might go for a paid program if there are any user recommendations. Tried Norton and it's OK but too demanding on resources.

    Any advice please on the damage I may have done deleting smss.exe named as a trojan by AVG?


  2. #2
VopThis, Senior Member (Canada)
    It is more likely that the malware file was located at a known trojan location (please double check):
    C:\WINDOWS\smss.exe


    Such a trojan can be very bad news (information stealers - passwords, etc.).



    Windows, in general, has many safeguards to protect most CRITICAL files by either not allowing any changes to systems files or immediately replacing corrupt or missing ones in other cases.



    You are now advised to post a HijackThis LOG for further damage assessment (Last Procedure Steps):

    http://www.d-a-l.com/help/showthread.php?t=32403

  3. #3
Jibsa, Junior Member
    Hi
Thanks for the quick response; here is my logfile. About your question on checking the path of these nasties, I had fortunately written them down before deleting them from quarantine and they were as follows:

    C:\Documents and Settings\Owner\jsjdee.exe

    " " " \myname\LocalSettings\Temp

C:\DocumentsandSettings\Owner\LocalSettings\TempInternetFiles\ContentIE5\LOHNKICZ\movies-4-allxacckit[1].exe\smss.exe

And finally, the one you're interested in and my thread starter is:

C:\Windows\AppPatch\Patches32\smss.exe. These are now all deleted from the AVG virus vault.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:03:35, on 23/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AppPatch\Patches32\svchost.exe
    C:\WINDOWS\AppPatch\Patches32\Daemons\csrss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JAB Internet Explorer
    F2 - REG:system.ini: Shell=
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: bios - {90CD77F0-6A56-4BD0-A891-3E1FC5C8B550} - bios.dll (file missing)
    O21 - SSODL: tsserv - {631EDF9E-6916-4545-8068-304FA5D00C05} - tsserv.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

  4. #4
VopThis, Senior Member (Canada)
    movies-4-allxacckit
    Shows you the kind of trouble some downloads can create.

    C:\Windows\AppPatch\Patches32\smss.exe
The above item could be any Trojan infection and potentially not the one I was initially concerned about.


    However, you appear to have two (2) additional remaining questionable items with the same FILE PATH:


    HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here



    Submit the following file(s) to VirusTotal for their immediate evaluation and feedback. Use any of the following methods, as appropriate:
    • Locate FULL FILE PATH if not apparent. Use Start (BUTTON)>Search, [WINDOWS+F] keys, or F3 key.
    • Copy & Paste the FULL FILE PATH in the input BOX
      -- OR --
    • Navigate to the file in question.

    Post those results in your next reply (if malware findings were indicated) for:

    C:\WINDOWS\AppPatch\Patches32\svchost.exe
    C:\WINDOWS\AppPatch\Patches32\Daemons\csrss.exe

  5. #5
Jibsa, Junior Member
Heh, that's a great utility and here are its results! Oh dear!

    Complete scanning result of "svchost.exe", received in VirusTotal at 04.24.2007, 00:45:56 (CET).
    Antivirus Version Update Result
    AhnLab-V3 2007.4.24.0 04.23.2007 no virus found
    AntiVir 7.4.0.14 04.23.2007 TR/Conact.1
    Authentium 4.93.8 04.23.2007 no virus found
    Avast 4.7.981.0 04.23.2007 no virus found
    AVG 7.5.0.464 04.23.2007 no virus found
    BitDefender 7.2 04.23.2007 Trojan.Conact.E
    CAT-QuickHeal 9.00 04.23.2007 (Suspicious) - DNAScan
    ClamAV devel-20070416 04.24.2007 no virus found
    DrWeb 4.33 04.23.2007 no virus found
    eSafe 7.0.15.0 04.23.2007 suspicious Trojan/Worm
    eTrust-Vet 30.7.3589 04.23.2007 no virus found
    Ewido 4.0 04.23.2007 no virus found
    FileAdvisor 1 04.24.2007 no virus found
    Fortinet 2.85.0.0 04.23.2007 suspicious
    F-Prot 4.3.2.48 04.23.2007 no virus found
    F-Secure 6.70.13030.0 04.24.2007 no virus found
    Ikarus T3.1.1.5 04.23.2007 Trojan.Conact.E
    Kaspersky 4.0.2.24 04.24.2007 no virus found
    McAfee 5015 04.23.2007 no virus found
    Microsoft 1.2405 04.24.2007 no virus found
    NOD32v2 2213 04.23.2007 no virus found
    Norman 5.80.02 04.23.2007 no virus found
    Panda 9.0.0.4 04.23.2007 Suspicious file
    Prevx1 V2 04.24.2007 Trojan.Gen.system.exe
    Sophos 4.16.0 04.23.2007 no virus found
    Sunbelt 2.2.907.0 04.19.2007 no virus found
    Symantec 10 04.24.2007 Trojan Horse
    TheHacker 6.1.6.095 04.15.2007 no virus found
    VBA32 3.11.4 04.23.2007 no virus found
    VirusBuster 4.3.7:9 04.23.2007 no virus found
    Webwasher-Gateway 6.0.1 04.23.2007 Trojan.Conact.1

    -----------------------------------------------------------------------

    Complete scanning result of "csrss.exe", received in VirusTotal at 04.24.2007, 0013 (CET).
    Antivirus Version Update Result
    AhnLab-V3 2007.4.24.0 04.23.2007 Win-AppCare/ServU.2063160
    AntiVir 7.4.0.14 04.23.2007 BDS/Servu.F
    Authentium 4.93.8 04.23.2007 no virus found
    Avast 4.7.981.0 04.23.2007 Win32:Trojano-3585
    AVG 7.5.0.464 04.23.2007 no virus found
    BitDefender 7.2 04.23.2007 Backdoor.Hupigon.HK
    CAT-QuickHeal 9.00 04.23.2007 no virus found
    ClamAV devel-20070416 04.24.2007 Trojan.Servu.1
    DrWeb 4.33 04.23.2007 no virus found
    eSafe 7.0.15.0 04.23.2007 Win32.Usirf
    eTrust-Vet 30.7.3589 04.23.2007 no virus found
    Ewido 4.0 04.23.2007 no virus found
    FileAdvisor 1 04.24.2007 Low threat detected
    Fortinet 2.85.0.0 04.23.2007 W32/ServUBased.A!tr.bdr
    F-Prot 4.3.2.48 04.23.2007 no virus found
    F-Secure 6.70.13030.0 04.24.2007 Backdoor.Win32.ServU-based.gen
    Ikarus T3.1.1.5 04.23.2007 Backdoor.Win32.Agobot.AAF
    Kaspersky 4.0.2.24 04.24.2007 not-a-virus:Server-FTP.Win32.Serv-U.gen
    McAfee 5015 04.23.2007 potentially unwanted program ServU-Daemon
    Microsoft 1.2405 04.24.2007 Backdoor:Win32/ServUbased.F
    NOD32v2 2213 04.23.2007 a variant of Win32/ServU-Daemon
    Norman 5.80.02 04.23.2007 W32/GrayBird.CDH
    Panda 9.0.0.4 04.23.2007 Application/ServUBased.A
    Prevx1 V2 04.24.2007 Trojan.Gen.system.exe
    Sophos 4.16.0 04.23.2007 no virus found
    Sunbelt 2.2.907.0 04.19.2007 Backdoor.Usirf
    Symantec 10 04.24.2007 Backdoor.Usirf
    TheHacker 6.1.6.095 04.15.2007 Aplicacion/Serv-U.gen
    VBA32 3.11.4 04.23.2007 no virus found
    VirusBuster 4.3.7:9 04.23.2007 no virus found
    Webwasher-Gateway 6.0.1 04.23.2007 Trojan.Servu.F
    Aditional Information
    File size: 2063160 bytes
    MD5: df25283891a37265bc182a42d2f251c0
    SHA1: 2578b83aad339d088545ad32e9dedcf3ffcac65b
    packers: MOLEBOX
    Bit9 info: http://fileadvisor.bit9.com/services...182a42d2f251c0
    packers: Molebox
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=3cfd12470056
    VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

    ----------------------------------------------------------------------

I'm going to bed now, but thanks a lot for this, it's really appreciated. I've taken the ethernet connection out until tomorrow evening. Hope you can help me further; till then, goodnight.

  6. #6
VopThis, Senior Member (Canada)
    Read over the following directions. Ask if anything appears unclear to you.



    Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc., please download this free tool:

    CCleaner http://www.ccleaner.com/downloadbuilds.asp

    Install Options:
    • Don't install any Toolbars, or other programs, should it ask you!
    • Just uncheck the option of installing the Yahoo toolbar.

    It will put a shortcut on your Desktop.

    Do not run CCleaner until requested later.





    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    F2 - REG:system.ini: Shell=
    F2 - REG:system.ini: UserInit=userinit.exe

    O21 - SSODL: bios - {90CD77F0-6A56-4BD0-A891-3E1FC5C8B550} - bios.dll (file missing)
    O21 - SSODL: tsserv - {631EDF9E-6916-4545-8068-304FA5D00C05} - tsserv.dll (file missing)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Run CCleaner.

    FIRST-TIME USE:
    Select the ‘Options’ BUTTON option (top LEFT), ‘Advanced’ BUTTON, and then UNCHECK the ‘Only delete files in Windows Temp Folders older than 48 hours’.

    Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ’Windows’ TAB up front by default.
    • Uncheck ‘Cookies’ option (advisable)
    • Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
    • Click the ‘Analyse’ button.
    • Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.

    ***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FOLDERS:

    C:\WINDOWS\AppPatch\Patches32






    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

  7. #7
Jibsa, Junior Member
Before I do the next step you've advised in your reply today, I should say I just copied and pasted the paths of the two items below, using your text, into VirusTotal to start scanning. Was that sufficient to read files on my computer?

The VirusTotal results I gave above were cut from here and pasted into the search log on the program. Is that OK?

    Post those results in your next reply (if malware findings were indicated) for:

    C:\WINDOWS\AppPatch\Patches32\svchost.exe
    C:\WINDOWS\AppPatch\Patches32\Daemons\csrss.exe

  8. #8
VopThis, Senior Member (Canada)
    Was that sufficient to read files on my computer?
    You executed those steps perfectly and as expected.

    Those steps sent a copy of each file to VirusTotal from which their report findings were generated. It is the same as having over 20 AV/Malware tools checking over selected questionable individual files - all at the same time.

    It may help you decide that certain tools are more effective than others in your particular case or give you a good second opinion source. Not all tools see ALL the same things or in the same timely manner.
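Post #8 explains what a VirusTotal submission does: over 20 engines scan the same file and their verdicts rarely agree in name or in number. As an added example (not code from this thread or from VirusTotal), here is a small Python script that parses a report pasted in the plain-text form shown in post #5 and tallies how many engines flagged the file. The sample report is an excerpt of the svchost.exe result above; the three bucket names (clean, heuristic, detected) are my own classification, not VirusTotal's.

```python
import re

# One row of a VirusTotal plain-text report: engine, version, signature date, verdict.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
FILE_RE = re.compile(r'scanning result of "([^"]+)"')

# Constructed sample: an excerpt of the svchost.exe report posted in this thread.
SAMPLE_REPORT = """Complete scanning result of "svchost.exe", received in VirusTotal at 04.24.2007, 00:45:56 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.24.0 04.23.2007 no virus found
AntiVir 7.4.0.14 04.23.2007 TR/Conact.1
AVG 7.5.0.464 04.23.2007 no virus found
BitDefender 7.2 04.23.2007 Trojan.Conact.E
CAT-QuickHeal 9.00 04.23.2007 (Suspicious) - DNAScan
eSafe 7.0.15.0 04.23.2007 suspicious Trojan/Worm
Kaspersky 4.0.2.24 04.24.2007 no virus found
Panda 9.0.0.4 04.23.2007 Suspicious file
Prevx1 V2 04.24.2007 Trojan.Gen.system.exe
Sophos 4.16.0 04.23.2007 no virus found
Symantec 10 04.24.2007 Trojan Horse
"""


def parse_report(text):
    """Split a pasted report into the scanned file name and one dict per engine row."""
    m = FILE_RE.search(text)
    rows = []
    for raw in text.splitlines():
        r = ROW_RE.match(raw.strip())
        if r:  # header, footer and disclaimer lines carry no date token and are skipped
            engine, version, updated, result = r.groups()
            rows.append({"engine": engine, "version": version,
                         "updated": updated, "result": result.strip()})
    return {"file": m.group(1) if m else None, "rows": rows}


def classify(result):
    """Bucket an engine's verdict: clean, heuristic (generic suspicion only), or detected."""
    low = result.lower()
    if "no virus found" in low:
        return "clean"
    if "suspicious" in low:
        return "heuristic"
    return "detected"


def summarize(report):
    """Count verdicts per bucket and keep each flagging engine's own name for the file."""
    summary = {"file": report["file"], "engines": len(report["rows"]),
               "clean": 0, "heuristic": 0, "detected": 0, "verdicts": {}}
    for row in report["rows"]:
        bucket = classify(row["result"])
        summary[bucket] += 1
        if bucket != "clean":
            summary["verdicts"][row["engine"]] = row["result"]
    return summary


def flagged_ratio(summary):
    """(engines that flagged the file, engines that scanned it): the number to compare across files."""
    return summary["detected"] + summary["heuristic"], summary["engines"]


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    hit, total = flagged_ratio(s)
    print(f"{s['file']}: {hit}/{total} engines flagged it "
          f"({s['detected']} named, {s['heuristic']} heuristic, {s['clean']} clean)")
    for engine, name in sorted(s["verdicts"].items()):
        print(f"  {engine}: {name}")
```

Run against the csrss.exe report in post #5, the same parser would put Kaspersky's "not-a-virus:" and McAfee's "potentially unwanted program" labels in the detected bucket, so read the per-engine names, not only the ratio: a bundled FTP server reported as a PUP by one vendor and as a backdoor by another is exactly the kind of disagreement post #8 describes.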

  9. #9
Jibsa, Junior Member
    Done all that.
I used Windows Explorer to navigate to the AppPatch folder and deleted only the folder Patches32 in that location. Those DLL files inside the AppPatch folder, of which there are 11, are still intact. The Patches32 folder resides now in the recycle bin. Is that correct, or should I delete the whole AppPatch file?

Last night after I'd closed the thread here I played a couple of games which require a lot of the system, and they were crashing to desktop. Since I've done the latest stuff they haven't crashed. Internet is fine, Explorer is good, as is Outlook Express. Speed seems fine.

Here's my updated HJ log, run at the end of your instructions. Hope it's OK.

    Logfile of HijackThis v1.99.1
    Scan saved at 20:03:01, on 24/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JAB Internet Explorer
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe " /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SecurityConsole - Unknown owner - C:\WINDOWS\AppPatch\Patches32\svchost.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

  10. #10
Jibsa, Junior Member
I posted the last log without rebooting... sorry.

    Logfile of HijackThis v1.99.1
    Scan saved at 22:10:13, on 24/04/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = JAB Internet Explorer
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
    O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SecurityConsole - Unknown owner - C:\WINDOWS\AppPatch\Patches32\svchost.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
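Two things in this thread are worth automating when reading a HijackThis log. Post #4 points out that the real problem was not smss.exe in System32 but copies of core system process names (svchost.exe, csrss.exe) living under AppPatch\Patches32; and the logs in posts #9 and #10 still carry an O23 service entry, SecurityConsole, whose binary in that folder is now "(file missing)" after the folder was deleted. As an added example (not code from this thread or from the HijackThis project), the Python below parses a log in the format shown above and flags both patterns. The sample log is constructed from lines posted in this thread, and the set of "core" binary names is my own choice.

```python
import re
from pathlib import PureWindowsPath

# Process names that a clean Windows XP box runs only from %SystemRoot%\System32.
# A file carrying one of these names but living elsewhere is a classic masquerade
# (the thread's Patches32\svchost.exe and Patches32\Daemons\csrss.exe are examples).
CORE_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe",
}
EXPECTED_DIR = PureWindowsPath(r"C:\WINDOWS\system32")

# Markers on an F2/O21/O23 line whose target is gone or unattributed.
ORPHAN_MARKERS = ("(file missing)", "unknown owner")
HJT_LINE_RE = re.compile(r"^(F\d|O\d+|R\d) - ")

# Constructed sample: a trimmed log assembled from lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AppPatch\Patches32\svchost.exe
C:\WINDOWS\AppPatch\Patches32\Daemons\csrss.exe
C:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=
O21 - SSODL: bios - {90CD77F0-6A56-4BD0-A891-3E1FC5C8B550} - bios.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: SecurityConsole - Unknown owner - C:\WINDOWS\AppPatch\Patches32\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_running_processes(log_text):
    """Return the image paths listed under the 'Running processes:' header."""
    paths, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:          # the first blank line ends the section
                break
            paths.append(line)
    return paths


def masquerading_processes(paths):
    """Core system binary names that are running from outside System32."""
    flagged = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in CORE_SYSTEM_BINARIES and \
                str(wp.parent).lower() != str(EXPECTED_DIR).lower():
            flagged.append(p)
    return flagged


def orphaned_entries(log_text):
    """HJT entries whose target is missing, ownerless, or an empty value.

    Returns (section, line) pairs, e.g. a service left behind after its
    binary was deleted, which still needs removing from the registry."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE_RE.match(line)
        if not m:
            continue
        low = line.lower()
        if any(marker in low for marker in ORPHAN_MARKERS) or line.endswith("="):
            hits.append((m.group(1), line))
    return hits


def triage(log_text):
    """One-shot triage of a log: what to look at first, not a verdict."""
    return {
        "masquerading": masquerading_processes(parse_running_processes(log_text)),
        "orphaned": orphaned_entries(log_text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

The path check is deliberately strict about the directory and loose about case, because the log itself mixes System32 and system32. The orphan check is a triage heuristic only: a "(no file)" BHO is usually harmless clutter and is left alone here, while an ownerless service pointing at a deleted path in a folder that held malware is the kind of remnant the helper would want to see in a follow-up log.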
