These days I've run just for fun Win32/Brontok.U to see how does NOD react.. (don't do this at home ) The .exe unpacked and 5 files were extracted to my Documents and settings folder. AMON prompted me for each of them to take an action. I've choosen to delete 3 of them and to rename 2. Then I went to system startup (Run-> msconfig) and I was bewildered to see smss.exe checked there. The path was D:\Documents and settings\Local settings... the exact folder and the exact file extracted by the infected exe file. The file was already deleted by AMON but who could it reached the startup, if AMON blocked it ? Is it working properly or what ?