#1 |
|
Junior Member
Joined: Apr 2007
City: Sassari (SS)
Posts: 13
Access to the computer blocked... Maybe spyware or a trojan?
Hi everyone!!!
I'm asking whether you could please help me figure out if I have a spyware or a trojan installed on my computer. For a few days now, every time I connect to the internet, I get a warning from Zone Alarm that says: "Accesso impedito al computer 127.0.0.1" (access to the computer 127.0.0.1 blocked). This had never happened to me before. Neither Avast nor Ad-Aware report any threats. Still, that warning makes me suspicious. Could you take a look at the HijackThis log? I'm also attaching the list of processes that use autorun. Thanks, and congratulations on your work.

Logfile of HijackThis v1.99.1
Scan saved at 14.06.38, on 05/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avast4\aswUpdSv.exe
C:\Programmi\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avast4\ashMaiSv.exe
C:\Programmi\Avast4\ashWebSv.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Vista Inspirat\VisualTooltip\VisualToolTip.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Programmi\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\WINDOWS\Vista Inspirat\LClock\lclock.exe
C:\WINDOWS\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Webshots\webshots.scr
C:\WINDOWS\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\HijackThis\Old Version\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Programmi\FreshDevices\FreshDownload\fdcatch.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\Programmi\FreshDevices\FreshDownload\fdiebar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\WINDOWS\Vista Inspirat\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Programmi\Nero\Nero 7\InCD\InCD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UberIcon] "C:\WINDOWS\Vista Inspirat\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [LClock] C:\WINDOWS\Vista Inspirat\LClock\lclock.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
O4 - Startup: Y'z ToolBar.lnk = C:\WINDOWS\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Download &All by FD - file://C:\Programmi\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Programmi\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Programmi\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: FreshDownload - {1E506AE7-4E6B-461A-ABED-39E332E91089} - C:\Programmi\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1165112225141
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here is the list of processes that start when the system loads:

StartupList report, 05/04/2007, 14.10.07
StartupList version: 1.52
Started from : C:\Programmi\StartupList\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using verbose mode
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avast4\aswUpdSv.exe
C:\Programmi\Avast4\ashServ.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Avast4\ashMaiSv.exe
C:\Programmi\Avast4\ashWebSv.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\Vista Inspirat\VisualTooltip\VisualToolTip.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Programmi\Nero\Nero 7\InCD\InCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\WINDOWS\Vista Inspirat\LClock\lclock.exe
C:\WINDOWS\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Programmi\Webshots\webshots.scr
C:\WINDOWS\Vista Inspirat\YzToolbar\YzToolBar.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programmi\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Programmi\StartupList\StartupList.exe

This lists all processes running in memory, which are all active programs and some non-exe system components.

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\AlphaUMi\Menu Avvio\Programmi\Esecuzione automatica]
Stardock ObjectDock.lnk = C:\WINDOWS\Vista Inspirat\ObjectDock\ObjectDock.exe
Webshots.lnk = C:\Programmi\Webshots\Launcher.exe
Y'z ToolBar.lnk = C:\WINDOWS\Vista Inspirat\YzToolbar\YzToolBar.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica]
Bluetooth Manager.lnk = ?

This lists all programs or shortcuts in folders marked by Windows as 'Autostart folder', which means any files within these folders are launched when Windows is started. The Windows standard is that only shortcuts (*.lnk, *.pif) should be present in these folders. The location of these folders is set in the Registry.

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

These are Windows NT/2000/XP specific startup locations. They execute when the user logs on to his workstation.

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
VisualTooltip = C:\WINDOWS\Vista Inspirat\VisualTooltip\VisualToolTip.exe
avast! = C:\PROGRA~1\Avast4\ashDisp.exe
InCD = C:\Programmi\Nero\Nero 7\InCD\InCD.exe

This lists programs that run Registry keys marked by Windows as 'Autostart key'. To the left are values that are used to clarify what program they belong to, to the right the program file that is started.

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
UberIcon = "C:\WINDOWS\Vista Inspirat\UberIcon\UberIcon Manager.exe"
LClock = C:\WINDOWS\Vista Inspirat\LClock\lclock.exe

This lists programs that run Registry keys marked by Windows as 'Autostart key'. To the left are values that are used to clarify what program they belong to, to the right the program file that is started.

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

Programs listed here are components of the Windows Setup that were only ran when Windows started for the first time. To prevent them from running multiple times, Windows checks for a key with the same name at the HKCU root. If it's not found, the component at the HKLM root is ran, and a matching key is created at the HKCU root so the component is not ran again next time. Most entries involve either RUNDLL.EXE or RUNDLL32.EXE, so a suspicious key is not hard to find.

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\MARINE~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

The Shell key from SYSTEM.INI tells Windows what file handles the Windows shell, i.e. creates the taskbar, desktop icons etc. If programs are added to this line, they are all ran at startup. The SCRNSAVE.EXE line tells Windows what is the default screensaver file. This is also a leftover from Windows 3.x and should not be used. (Since Windows 95 and higher stores this setting in the Registry.) The 'drivers' line loads non-standard DLLs or programs.

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

Due to a bug in Windows 9x, it mistakenly uses C:\Explorer.exe and other instances (if present) when searching for Explorer.exe. Explorer.exe should only exists in the Windows folder. Windows NT is vulnerable to this as well, but only if the 'Shell' Registry value from the previous section is just 'Explorer.exe' instead of the full path. Additionally, presence of \WINDOWS\Explorer\Explorer.exe indicates infection with the [email protected]r virus.

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

Some file extensions are always hidden, like .lnk (shortcut) and .pif (shortcut to MS-DOS program). The Life_Stages virus was a .shs (Shell Scrap) file that had the extension hidden by default. This can be a security risk when a virus with a double-extension filename is on the loose, since the extension can be hidden even when 'Don't show extensions for known filetypes' is turned off. The shortcut overlay acts as a reminder that the file is just a shortcut. If the shortcut overlay is removed, the difference between a file and a shortcut is invisible.

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Programmi\FreshDevices\FreshDownload\fdcatch.dll - {206E52E0-D52E-11D4-AD54-0000E86C26F6}

MSIE features Browser Helper Objects (BHO) that plug into MSIE and can do virtually anything on your system. Benevolant examples are the Google Toolbar and the Acrobat Reader plugin. More often though, BHO's are installed by spyware and serve you to a neverending flow of popups and ads as well as tracking your browser habits, claiming they 'enhance your browsing experience'.

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsu...?1165112225141

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeup...tent/opuc4.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub...sh/swflash.cab

The items in Download Program Files are programs you downloaded and automatically installed themselves in MSIE. Most of these are Java classes Media Player codecs and the likes. Some items are only visible from the Registry and may not show up in the folder.

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\WINDOWS\system32\wshbth.dll

The Windows Socket system (Winsock) connects your system to the Internet. Part of this task is resolving domain names (www.server.com) to IP addresses (12.23.34.45) which is handler by several system files, called Layered Service Providers (LSPs), which work as a chain: if one LSP is gone, the chain is broken and Winsock cannot resolve domain names - which means no program on your system can access the Internet.

--------------------------------------------------

Enumerating Windows NT/2000/XP services

avast! iAVS4 Control Service: "C:\Programmi\Avast4\aswUpdSv.exe" (autostart)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
Audio Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
avast! Antivirus: "C:\Programmi\Avast4\ashServ.exe" (autostart)
Browser di computer: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Servizi di crittografia: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Utilità di avvio processo server DCOM: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Client DHCP: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Client DNS: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Servizio di segnalazione errori: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Registro eventi: %SystemRoot%\system32\services.exe (autostart)
Guida in linea e supporto tecnico: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
InCD Helper: C:\Programmi\Nero\Nero 7\InCD\InCDsrv.exe (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Helper NetBIOS di TCP/IP: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE" (autostart)
O&O Defrag: C:\WINDOWS\system32\oodag.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Servizi IPSEC: %SystemRoot%\system32\lsass.exe (autostart)
Archiviazione protetta: %SystemRoot%\system32\lsass.exe (autostart)
RPC (Remote Procedure Call): %SystemRoot%\system32\svchost -k rpcss (autostart)
Gestione account di protezione (SAM): %SystemRoot%\system32\lsass.exe (autostart)
Utilità di pianificazione: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (autostart)
Accesso secondario: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notifica eventi di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall / Condivisione connessione Internet (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Rilevamento hardware shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Spooler di stampa: %SystemRoot%\system32\spoolsv.exe (autostart)
Servizio Ripristino configurazione di sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Acquisizione di immagini di Windows (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Temi: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Manutenzione collegamenti distribuiti client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Host di periferiche Plug and Play universali: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
iX-30: system32\DRIVERS\usbhub.sys (autostart)
Ora di Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Strumentazione gestione Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Centro sicurezza PC: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Aggiornamenti automatici: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Zero Configuration reti senza fili: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Windows NT4/2000/XP launches several dozen of 'services' when your system starts that range in importance from system- critical (like RPCSS) to redundant (Remote Registry Editor), or even dangerous (Universal Plug & Play). Though very little malicious programs use this type of startup, it is included here for completeness. Windows 9x/ME launches system-critical files in a similar way at system startup, but unlike Windows NT services, the Windows 9x VxD services are all important, and much less in number. Practically the only non-Microsoft programs starting from here are software firewalls.

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\ZoneLabs\spyware.dat.zlbak

Windows NT4/2000/XP can be setup to run scripts at user logon, logoff, and system startup or shutdown. These scripts can do virtually anything, from mapping a network drive to starting a trojan horse virus. If scripts are started on your system and you don't know what they are, consider disabling them using the Group Policy Editor (click Start, Run, type "gpedit.msc" and hit Enter).

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

This Registry key lists several system components are loaded at system startup. Not much is known about this key since it is virtually undocumented and only used by programs like the Volume Control, IE Webcheck and Power Management icons. However, a virus/trojan in the form of a DLL can also load from this key. The Hitcap trojan is an example of this.

--------------------------------------------------
End of report, 17.328 bytes
Report generated in 0,343 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
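A log like the one above is easier to triage when its entries are parsed rather than read line by line. The script below is an added example written for this page, not code from the poster and not part of HijackThis or StartupList. It parses HijackThis 1.99.1 entry lines (the `R0`/`O2`/`O4`/`O23` forms shown in the post) into structured records, pulls out the executable or library path each entry points at, groups entries by section code, and surfaces the two conditions visible in this particular log that a reviewer would check by hand first: services marked `(file missing)` and startup shortcuts whose target HijackThis printed as `?`. The sample log is constructed by copying a few lines from the post; the function and field names are this example's own.

```python
"""Parse HijackThis 1.99.1 log lines into structured entries and triage autostart items."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the HijackThis log in the post above.
# Header and process-list lines are included to show they are skipped by the parser.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Programmi\FreshDevices\FreshDownload\fdcatch.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [UberIcon] "C:\WINDOWS\Vista Inspirat\UberIcon\UberIcon Manager.exe"
O4 - Global Startup: Bluetooth Manager.lnk = ?
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path ending in an executable/library extension. Spaces are allowed
# inside the path (see the "Vista Inspirat" entries); a double quote ends it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|ocx|sys)\b', re.IGNORECASE)


@dataclass
class Entry:
    code: str             # HijackThis section code, e.g. "O4" or "O23"
    body: str             # everything after "<code> - "
    path: Optional[str]   # first executable/library path found in the body, if any
    file_missing: bool    # HijackThis appended "(file missing)" to this entry
    unresolved: bool      # startup shortcut whose target HijackThis printed as "?"


def parse_hjt(text: str) -> List[Entry]:
    """Turn raw log text into Entry records; non-entry lines (headers, process list) are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        pm = PATH_RE.search(body)
        entries.append(Entry(
            code=code,
            body=body,
            path=pm.group(0) if pm else None,
            file_missing="(file missing)" in body,
            unresolved=body.endswith("= ?"),
        ))
    return entries


def by_section(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Group entries by section code so each HijackThis category can be reviewed together."""
    grouped: Dict[str, List[Entry]] = {}
    for e in entries:
        grouped.setdefault(e.code, []).append(e)
    return grouped


def needs_review(entries: List[Entry]) -> List[Entry]:
    """Entries to verify by hand first: a referenced file the tool could not find on disk,
    or an autostart shortcut whose target could not be resolved."""
    return [e for e in entries if e.file_missing or e.unresolved]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for code, group in sorted(by_section(parsed).items()):
        print(f"{code}: {len(group)} entries")
    for e in needs_review(parsed):
        reason = "file missing" if e.file_missing else "unresolved target"
        print(f"REVIEW [{e.code}] {reason}: {e.body}")
```

The `(file missing)` flag is worth treating as a prompt to verify rather than a verdict: in the sample the flagged service line carries a stray `"` before `/service`, so the path HijackThis tested may not be the path the service actually uses, and checking the file on disk is the right next step.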