Author Topic: A Virus Was Found!  (Read 23413 times)


naturallygay

  • Guest
A Virus Was Found!
« on: November 30, 2007, 01:30:33 AM »
Filename-C:\cp1041.nls
Malware name-Win32:Trojan-gen {Other}
Type-Virus/Worm
VPS-071129-0, 11/29/2007
i run Avast! on access scaner on this computer
Windows firewall
how do i manually remove this?
i've tried to move to chest, but it comes back
TY for any help

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: A Virus Was Found!
« Reply #1 on: November 30, 2007, 01:44:01 AM »
NLS is a file extension associated with Code Page National Language Support, so I would confirm the detection, see below. Though the location seems strange; it is more likely to be in C:\windows\system32\c_1252.nls, with a file name like that example.

Upload it to VirusTotal - Multi engine on-line virus scanner and report the findings. You may need to pause the Standard Shield to upload it or it may alert again. You can't upload it from the chest as it is a protected area, the file will need to be put in a temporary location (I suggest you create a folder on c:\ called suspect).

If there are multiple detections the avast detection is good and you may have something else undetected or hidden that is restoring it.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using WinXP: SUPERantispyware (On-Demand only in free version). Or AVG Anti-Spyware (formerly Ewido) (Resident scanner during trial, On-Demand after trial ends). Or Spyware Terminator (Resident scanner). Or a-Squared Free (On-Demand only with free version; if using Win98/ME).


Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
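Added example (not from the thread, and not avast's or VirusTotal's code): the checks DavidR describes above, done locally in Python on the exported copy before it leaves the machine. It prints the same size/MD5/SHA1 fields VirusTotal reports (so the hash can be searched on VT without uploading), tests whether the file is really a PE executable wearing an .nls extension, and otherwise reads the code page table header and compares the code page with the c_<codepage>.nls naming DavidR mentions. Assumptions: that a genuine c_*.nls table starts with a WORD header size of 13 followed by the WORD code page number; the two sample blobs are constructed stand-ins, and REPORTED_MD5, the function names and the script name are mine.

```python
import hashlib
import re
import struct
import sys

# MD5 that VirusTotal reported for the sample in this thread; used only to
# confirm that an exported copy is the same file that was scanned.
REPORTED_MD5 = "35dcab85f045de8c79695de6bda9bab9"

# Constructed stand-ins (not the file from the thread): a minimal PE-shaped
# blob with a valid e_lfanew, and a minimal code-page-table-shaped blob.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 100
FAKE_NLS = struct.pack("<HH", 13, 1252) + b"\x00" * 100


def file_hashes(data):
    """Same fields VirusTotal printed in the report: size, MD5, SHA1."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def is_pe(data):
    """True if the bytes are a Windows executable: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def nls_codepage(data):
    """Assumption: a genuine c_*.nls code page table starts with a WORD header
    size of 13 followed by the WORD code page number.  Returns that code page,
    or None when the first four bytes do not look like such a header."""
    if len(data) < 4:
        return None
    header_words, codepage = struct.unpack_from("<HH", data, 0)
    return codepage if header_words == 13 else None


def classify(data, filename):
    """Say what the bytes are, independent of the extension they carry."""
    verdicts = []
    if is_pe(data):
        verdicts.append("PE executable despite the .nls extension")
    codepage = nls_codepage(data)
    if codepage is not None:
        m = re.fullmatch(r"c_(\d+)\.nls", filename.lower())
        if m and int(m.group(1)) == codepage:
            verdicts.append(f"code page table for CP{codepage}, name matches")
        else:
            verdicts.append(
                f"code page table for CP{codepage}, but the name does not follow c_<codepage>.nls"
            )
    if not verdicts:
        verdicts.append("layout not recognised: neither PE nor code page table")
    if file_hashes(data)["md5"] == REPORTED_MD5:
        verdicts.append("MD5 matches the VirusTotal report in this thread")
    return verdicts


if __name__ == "__main__":
    # Usage: python triage_nls.py C:\suspect\cp1041.nls
    path = sys.argv[1]
    with open(path, "rb") as fh:
        blob = fh.read()
    for key, value in file_hashes(blob).items():
        print(f"{key}: {value}")
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    for verdict in classify(blob, basename):
        print("-", verdict)
```

Run it against the copy exported to c:\suspect; a file that answers "PE executable" has no business being called .nls, whatever the scanner names it, and the hash lets you look the sample up on VirusTotal without a second upload.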

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #2 on: November 30, 2007, 10:03:55 PM »
Quote
NLS is a file extension associated with Code Page National Language Support, so I would confirm the detection, see below. Though the location seems strange; it is more likely to be in C:\windows\system32\c_1252.nls, with a file name like that example.

Upload it to VirusTotal - Multi engine on-line virus scanner and report the findings. You may need to pause the Standard Shield to upload it or it may alert again. You can't upload it from the chest as it is a protected area, the file will need to be put in a temporary location (I suggest you create a folder on c:\ called suspect).

If there are multiple detections the avast detection is good and you may have something else undetected or hidden that is restoring it.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using WinXP: SUPERantispyware (On-Demand only in free version). Or AVG Anti-Spyware (formerly Ewido) (Resident scanner during trial, On-Demand after trial ends). Or Spyware Terminator (Resident scanner). Or a-Squared Free (On-Demand only with free version; if using Win98/ME).



OK, I've downloaded AVG's scanner.

It's running now, and I plan on running an avast! boot-time scan, to hopefully find what's keeping it on my computer, but when I go to VirusTotal - Multi engine on-line virus scanner and copy and paste C:\cp1041.nls it comes up with nothing. When you say "the file will need to be put in a temporary location (I suggest you create a folder on c:\ called suspect)", I've made a folder, but I can't find the actual file, because I've moved it to "chest" so many times that there are at least 6 copies of the file, and I don't really want to restore it, and I can't find the file normally (i.e. Local Disk C:\, then looking).

Have I done something wrong?

If not, is there really anything I can do?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: A Virus Was Found!
« Reply #3 on: November 30, 2007, 10:20:03 PM »
The file needs to be exported from the chest and you select the suspect folder as the location.

I'm not surprised VirusTotal wasn't able to do anything, what you copied and pasted wasn't where the file was, it was in the chest, so export it to c:\suspect\cp1041.nls and that is what you would paste into the VT window, or you can click the Browse button and navigate to the file in the suspect folder.

Note Restore is different to Export, it isn't sent to the original location.

You could also add c:\suspect\* to the Standard Shield, Customize, Advanced, Add (exclusions) list, that will stop the standard shield scanning any files in the suspect folder.

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #4 on: November 30, 2007, 10:34:29 PM »
OK, ty. BTW I'm useless with computers, so thanks, you've been a great help.

This is what www.virustotal.com came up with.

Antivirus \ Version \ Last Update \ Result
AhnLab-V3 \ 2007.12.1.0 \ 2007.11.30 \ Win-Trojan/Xema.variant
AntiVir \ 7.6.0.34 \ 2007.11.30 \ TR/Drop.Age.afg.2.A
Authentium \ 4.93.8 \ 2007.11.30 \ W32/Agent.BVH
Avast \ 4.7.1074.0 \ 2007.11.30 \ Win32:Trojan-gen {Other}
AVG \ 7.5.0.503 \ 2007.11.30 \ Win32/PEPatch
BitDefender \ 7.2 \ 2007.11.30 \ MemScan:Backdoor.RBot.XEC
CAT-QuickHeal \ 9.00 \ 2007.11.30 \ Backdoor.Delf.aml
ClamAV \ 0.91.2 \ 2007.11.30 \ -
DrWeb \ 4.44.0.09170 \ 2007.11.30 \ Trojan.Spambot
eSafe \ 7.0.15.0 \ 2007.11.29 \ suspicious Trojan/Worm
eTrust-Vet \ 31.3.5338 \ 2007.11.30 \ Win32/Rlsloup
Ewido \ 4.0 \ 2007.11.30 \ -
FileAdvisor \ 1 \ 2007.11.30 \ -
Fortinet \ 3.14.0.0 \ 2007.11.30 \ -
F-Prot \ 4.4.2.54 \ 2007.11.30 \ W32/Agent.BVH
F-Secure \ 6.70.13030.0 \ 2007.11.30 \ Backdoor.Win32.Delf.aml
Ikarus \ T3.1.1.12 \ 2007.11.30 \ Backdoor.Win32.Delf.AML
Kaspersky \ 7.0.0.125 \ 2007.11.30 \ Backdoor.Win32.Delf.aml
McAfee \ 5175 \ 2007.11.30 \ Spam-Xarvester
Microsoft \ 1.3007 \ 2007.11.30 \ Spammer:Win32/Agent.U
NOD32v2 \ 2696 \ 2007.11.30 \ probably a variant of Win32/Spabot.NAC
Norman \ 5.80.02 \ 2007.11.30 \ SpamTool.gen1
Panda \ 9.0.0.4 \ 2007.11.29 \ -
Prevx1 \ V2 \ 2007.11.30 \ -
Rising \ 20.20.40.00 \ 2007.11.30 \ Hack.Spam.Win32.Agent.u
Sophos \ 4.23.0 \ 2007.11.30 \ Troj/Botspa-Gen
Sunbelt \ 2.2.907.0 \ 2007.11.30 \ -
Symantec \ 10 \ 2007.11.30 \ Infostealer.Gampass
TheHacker \ 6.2.9.145 \ 2007.11.30 \ -
VBA32 \ 3.12.2.5 \ 2007.11.30 \ -
VirusBuster \ 4.3.26:9 \ 2007.11.30 \ Spamtool.Agent.Gen!Pac
Webwasher-Gateway \ 6.6.2 \ 2007.11.30 \ Trojan.Drop.Age.afg.2.A

Additional information
File size: 91648 bytes
MD5: 35dcab85f045de8c79695de6bda9bab9
SHA1: c237fd8586909b47692ff1c4c8ef2f6e84999a8d

The (\) is my doing, so you can tell what type, version, etc. more easily.
Seems like I'm screwed....

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #5 on: November 30, 2007, 10:38:03 PM »
I did a full system scan with AVG Anti-Spyware 7.5.
Nothing came up.
I'm now scanning just C:\ and that file I just linked.

Spiritsongs

  • Guest
Delf Malware
« Reply #6 on: December 01, 2007, 04:42:26 AM »
:)

The VirusTotal report shows several scanners reporting you have "Delf", which I understand from the malware-fighters on the forums at http://aumha.net is extremely difficult, if not impossible, to "cleanse". You MAY have a "cleanable" version; since they are extremely knowledgeable on this subject, I recommend you ask them for help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: A Virus Was Found!
« Reply #7 on: December 01, 2007, 02:35:28 PM »
Re the VT results, if nothing else it confirms the detection by avast is good.

Quote
I did a full system scan with AVG Anti-Spyware 7.5.
Nothing came up.
I'm now scanning just C:\ and that file I just linked.

I would now try superantispyware next and if nothing is found and cp1041.nls keeps coming back to the c:\ location there may well be a process hidden by a rootkit responsible for it.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- AVG Anti-Rootkit http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5.
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight

I would also like you to try another tool (after running a couple of the anti-rootkit tools), HiJackThis (HJT) to analyse what is running on your system and post the contents of the log here.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #8 on: December 03, 2007, 03:15:31 AM »
This is what the guys at AumHa say:

There are at least four rootkit/service entries protecting the DLL, and the DLLs (you will find more than one involved) protect the rootkits in turn.

You need to kill the driver services first.
After a reboot, you can then remove the DLL entries.

I know of no other approach that will work.
You are not going to beat this with Panda Anti-Rootkit.

First, what's a DLL?
How do I kill all drivers (wipe the computer? System Restore?)

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #9 on: December 03, 2007, 03:19:04 AM »
Also... I was running Panda and AVG and HijackThis,
but my sister turned off the computer 3/4 of the way through.... so I'll post the results tomorrow.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: A Virus Was Found!
« Reply #10 on: December 03, 2007, 05:07:11 AM »
Quote
how do i kill all drivers (wipe the computer? system restore?)

 :) no, you track 'em down and squash 'em  ;)

Follow on with DavidR's instructions.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89625
  • No support PMs thanks
Re: A Virus Was Found!
« Reply #11 on: December 03, 2007, 02:55:40 PM »
Quote
This is what the guys at AumHa say:

There are at least four rootkit/service entries protecting the DLL, and the DLLs (you will find more than one involved) protect the rootkits in turn.

You need to kill the driver services first.
After a reboot, you can then remove the DLL entries.

I know of no other approach that will work.
You are not going to beat this with Panda Anti-Rootkit.

First, what's a DLL?
How do I kill all drivers (wipe the computer? System Restore?)

Firstly, is there a URL to what the guys at aumha said, with their statement that there are at least 4 rootkits/services protecting the dll (Dynamic Link Library, a file containing a library of instructions; if that leaves you none the wiser, http://en.wikipedia.org/wiki/Dynamic-link_library explains it better).

If they can make that statement you would think they would go the extra yard and tell you more rather than leave you hanging, considering the file in question, cp1041.nls, isn't a .dll file.

So run all of the anti-rootkit tools, read the info available at the antirootkit.com link I gave and also post the contents of a hijackthis (HJT) log here and we will see what we can find.

Take things one step at a time and don't think this is a big job rather a task with several small jobs. At the end of each stage (running one of the anti-rootkits, etc.) report the findings here before moving on to the next step. If there is something you are not sure about stop and ask, rather than bore on regardless.

Spiritsongs

  • Guest
Re: A Virus Was Found!
« Reply #12 on: December 03, 2007, 07:49:07 PM »
:) Hi Andrew & Others:

I found the thread on the Aumha forums that you started that has been replied to by Bill Castner, a Moderator & Microsoft Most Valuable Professional. I realize his responses to you were not helpful for the immediate future; however, he has posted other info in those forums about Delf as follows:

"You will not be able to enumerate a Delf infection. It has one to, in some cases, multiple rootkits, who have as one responsibility to ensure that the detection and identification of their activity is suppressed by the Windows APIs.

Your log shows you are still infected. I honestly do not believe that AVG free is capable of removing a Delf infection. There are Delf variants that I know cannot be removed by most paid antivirus programs.

The way Delf infections work is that they have a rootkit service entry that protects a DLL. In turn, the DLL protects the rootkit. These will be invisible to Windows APIs and invisible to tools that depend on them, such as REGEDIT. There can be multiple DLLs and multiple rootkit entries, each providing some measure of stealth and removal challenges to each other in a symbiotic relationship.

In the main, Delf will employ userland rootkits, rather than kernel mode rootkits. You need to find and kill the rootkit services. Then go back and remove the now unprotected DLLs.

You can expect that Delf will defeat most rootkit detector utilities. They will not see the rootkits, or if they see them they will be unable to remove them. The current Delf infections are usually from China, and you can expect a lot of tedious work with such utilities as IceSword or DarkSpy to remove the rootkit entries, if it is even possible in normal modes of Windows. With some newer variants you will need to use a WinPE environment, or even the Recovery Console, and delete the rootkits manually. This is somewhat challenging as their filenames will change on every restart of the computer.

If, and many do nowadays, the Delf infection has kernel level hooks, you might not be able to remove them at all unless you are very skilled at rebuilding native XP or Vista services by hand.

Since the objective of Delf is to steal user information, including passwords, and distribute them to malicious users on the Internet, the best advice I can give you is to reformat and reinstall on clean media. You can expect to have to reformat any hard drive, and any portable media device such as a USB pen drive used with the computer. See my thoughts here: http://aumha.net/viewtopic.php?t=28580

You should consider using a Sophos IDE for this to start. These can be terrifically effective on the smaller Delf infections: http://www.sophos.com/security/analyses/w32delfeyr.html

Instructions for use: http://www.sophos.com/support/knowledgebase/article/363.html

This of course will do nothing for your already compromised user account information and compromised passwords."

« Last Edit: December 05, 2007, 04:16:21 AM by Spiritsongs »

naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #13 on: December 04, 2007, 06:45:22 PM »
HijackThis log below:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\ENDUSE~1\LOCALS~1\Temp\Temporary Directory 2 for AntiRootkit[1].zip\PAVARK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2872A3B5-41A7-4DC5-9F7C-272B971CDE93} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\jkkjigg.dll (file missing)


naturallygay

  • Guest
Re: A Virus Was Found!
« Reply #14 on: December 04, 2007, 06:45:45 PM »
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GameFace Messenger] C:\Program Files\GameFace Messenger\GameFace.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by144fd.bay144.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
O20 - Winlogon Notify: jkkjigg - jkkjigg.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ENDUSE~1/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
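Added example (not part of the thread, and not a HijackThis feature): a small Python triage pass over the kind of HJT log lines posted above. It picks out the O2 BHO entries registered with no name or with no file visible on disk, and the O20 Winlogon Notify entries that are not among the packages a default Windows XP install registers, then correlates the DLL basenames so a library that is registered both as a BHO and as a Winlogon Notify package is reported once as one thing with two persistence points. Assumptions: the XP_DEFAULT_NOTIFY allowlist is my recollection of a stock XP SP2 install, not something the thread states; the sample lines are copied from the log above (the Yahoo! Toolbar and avast! lines kept as clean controls) and the function names are mine.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread (a subset).  The
# Yahoo! Toolbar and avast! lines are legitimate controls that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2872A3B5-41A7-4DC5-9F7C-272B971CDE93} - C:\WINDOWS\system32\vtutq.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {970D022E-A884-4D2A-BB4A-EBC22D2FEBD2} - C:\WINDOWS\system32\jkkjigg.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: jkkjigg - jkkjigg.dll (file missing)
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
DLL_RE = re.compile(r"([^\\/\s]+\.dll)", re.IGNORECASE)

# Assumption: the Winlogon\Notify subkeys present on a default Windows XP SP2
# install.  Anything else loading into winlogon.exe deserves a look.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def triage_hjt(log_text):
    """Return (section, identifier, reasons, line) for each suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a name")
            if "(file missing)" in m["path"] or m["path"] == "(no file)":
                reasons.append("registered DLL not visible on disk")
            if reasons:
                findings.append(("O2", m["clsid"], reasons, line))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = []
            if m["key"].lower() not in XP_DEFAULT_NOTIFY:
                reasons.append("Winlogon Notify package not in the XP default set")
            if "(file missing)" in m["path"]:
                reasons.append("notify DLL not visible on disk")
            if reasons:
                findings.append(("O20", m["key"], reasons, line))
    return findings


def correlate(findings):
    """Map each flagged DLL basename to the set of HJT sections it appears in,
    so one library with two persistence points is recognised as one thing."""
    seen = defaultdict(set)
    for section, _ident, _reasons, line in findings:
        m = DLL_RE.search(line)
        if m:
            seen[m.group(1).lower()].add(section)
    return dict(seen)


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for section, ident, reasons, line in found:
        print(f"[{section}] {ident}: {'; '.join(reasons)}\n    {line}")
    for dll, sections in sorted(correlate(found).items()):
        if len(sections) > 1:
            print(f"{dll} is registered in {', '.join(sorted(sections))}: same DLL, two persistence points")
```

One caveat when reading the output: HijackThis prints "(file missing)" when it cannot see the file, and on a machine with an active rootkit, as Castner's quoted text above describes, a hidden file and a deleted file look identical from user mode. Treat "missing" as "not seen" and confirm from outside the running system (a boot-time scan or an offline environment) before concluding the DLL is gone.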