Svchost at >80% CPU for about 3-4 minutes

Listen, after installing Office 2003 Pro on my second computer, one of the svchost processes "eats" CPU resources for about 3-4 minutes after the system loads. The computer is configured identically and has the same resources as its "twin brother", except that no such trouble occurs there.

Antivirus and antispyware detect nothing. Worms Doors Cleaner is shouting at me to check with an antivirus, because it suspects that my memory is infected.

I don't see anything special in the HijackThis and Silent Runners logs, but I'd ask those who know better to take a look:

 1. Hijack:

  Logfile of HijackThis v1.99.1

  Scan saved at 11:38:57, on 2007-01-20

  Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

  MSIE: Internet Explorer v7.00 (7.00.5730.0011)

  Running processes:

  C:\WINDOWS\System32\smss.exe

  C:\WINDOWS\system32\winlogon.exe

  C:\WINDOWS\system32\services.exe

  C:\WINDOWS\system32\lsass.exe

  C:\WINDOWS\system32\svchost.exe

  C:\WINDOWS\System32\svchost.exe

  C:\WINDOWS\system32\spoolsv.exe

  C:\WINDOWS\Explorer.EXE

  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

  C:\Program Files\Eset\nod32krn.exe

  C:\WINDOWS\system32\nvsvc32.exe

  C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

  C:\WINDOWS\system32\HPZipm12.exe

  C:\Program Files\Eset\nod32kui.exe

  C:\Program Files\LClock\lclock.exe

  C:\WINDOWS\system32\ctfmon.exe

  C:\WINDOWS\system32\svchost.exe

  D:\HijackThis.exe

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.dialog.net.pl:8080

  R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

  O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

  O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

  O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

  O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

  O4 - HKLM…\Run: [nwiz] nwiz.exe /install

  O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

  O4 - HKLM…\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice

  O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

  O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

  O4 - HKCU…\Run: [LClock] C:\Program Files\LClock\lclock.exe

  O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

  O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

  O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

  O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

  O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

  O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

  O11 - Options group: [INTERNATIONAL] International*

  O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.pl/s/v/14.18/uploader2.cab

  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162511046687

  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162516229375

  O17 - HKLM\System\CCS\Services\Tcpip…{BCBDD5BA-8098-4CF1-B55C-EE674BB36902}: NameServer = 217.30.129.149,217.30.137.200

  O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

  O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

  O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

  O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

  O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

  O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

  O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 2. Silent:

  “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

  Operating System: Windows XP SP2

  Output limited to non-default values, except where indicated by “{++}”

  Startup items buried in registry:


  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

  “LClock” = “C:\Program Files\LClock\lclock.exe” [null data]

  “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

  “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]

  “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]

  “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

  “Outpost Firewall” = “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice” [“Agnitum Ltd.”]

  “OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”]

  “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]

  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

  -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper”

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
  

  {22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”

  -> {HKLM…CLSID} = “Skype add-on (mastermind)”

          \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
  

  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

  -> {HKLM…CLSID} = “SSVHelper Class”

          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
  

  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

  “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

  -> {HKLM…CLSID} = “HyperTerminal Icon Ext”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
  

  “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

  -> {HKLM…CLSID} = “DesktopContext Class”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
  

  “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

  -> {HKLM…CLSID} = “NVIDIA CPL Extension”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
  

  “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

  -> {HKLM…CLSID} = “Desktop Explorer”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
  

  “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

  -> {HKLM…CLSID} = (no title provided)

          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
  

  “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

  -> {HKLM…CLSID} = “nView Desktop Context Menu”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
  

  “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

  -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
  

  “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW”

  -> {HKLM…CLSID} = “Shell Extension for CDRW”

          \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
  

  “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”

  -> {HKLM…CLSID} = “UnlockerShellExtension”

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
  

  “{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}” = “ABBYYPDFContextMenuExtension”

  -> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”

          \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
  

  “{0DE76E1C-40C5-4fae-A59A-44EF606A0B02}” = “ABBYYS2OContextMenuExtension”

  -> {HKLM…CLSID} = “AbbyyS2O.S2OShellExtension.1”

          \InProcServer32\(Default) = "C:\Program Files\ABBYY ScanTo Office 1.0\STOShellExtension.dll" ["ABBYY (BIT Software)"]
  

  “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  “{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

  -> {HKLM…CLSID} = (no title provided)

          \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
  

  “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

  -> {HKLM…CLSID} = “Microsoft Office Outlook”

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
  

  “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

  -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
  

  “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”

  -> {HKLM…CLSID} = “Microsoft Office Metadata Handler”

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
  

  “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”

  -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
  

  HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

  “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”

  -> {HKLM…CLSID} = “WPDShServiceObj Class”

          \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
  

  HKLM\Software\Classes\PROTOCOLS\Filter\

  <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

  -> {HKLM…CLSID} = (no title provided)

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
  

  HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

  {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

  -> {HKLM…CLSID} = “PDF Shell Extension”

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
  

  HKLM\Software\Classes*\shellex\ContextMenuHandlers\

  ABBYYPDFContextMenuExtension(Default) = “{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}”

  -> {HKLM…CLSID} = “AbbyyPDF.PDFShellExtension.1”

          \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]
  

  ABBYYS2OContextMenuExtension(Default) = “{0DE76E1C-40C5-4fae-A59A-44EF606A0B02}”

  -> {HKLM…CLSID} = “AbbyyS2O.S2OShellExtension.1”

          \InProcServer32\(Default) = "C:\Program Files\ABBYY ScanTo Office 1.0\STOShellExtension.dll" ["ABBYY (BIT Software)"]
  

  ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

  -> {HKLM…CLSID} = “Outpost.ASWShellExt Component”

          \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
  

  IGXMADD(Default) = “{6DB8751F-2BBF-11d2-A39B-00C04FB96AD2}”

  -> {HKLM…CLSID} = “Micrografx Share Media File Import Shell Extension”

          \InProcServer32\(Default) = "C:\Program Files\Corel\CorelDRAW ESSENTIALS 2\Photobook\Share\Media\igxMadd.dll" ["Micrografx, Inc."]
  

  NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

  -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
  

  PandoShellExt(Default) = “{9C150845-2A2D-44CC-90B3-AA03480AA3D2}”

  -> {HKLM…CLSID} = “PDShellExt Class”

          \InProcServer32\(Default) = "C:\Program Files\Pando Networks\Pando\PandoShellExt.dll" ["TODO: "]
  

  WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

  ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

  -> {HKLM…CLSID} = “Outpost.ASWShellExt Component”

          \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
  

  PandoShellExt(Default) = “{9C150845-2A2D-44CC-90B3-AA03480AA3D2}”

  -> {HKLM…CLSID} = “PDShellExt Class”

          \InProcServer32\(Default) = "C:\Program Files\Pando Networks\Pando\PandoShellExt.dll" ["TODO: "]
  

  WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

  ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”

  -> {HKLM…CLSID} = “Outpost.ASWShellExt Component”

          \InProcServer32\(Default) = "C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
  

  FineReader8(Default) = “{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}”

  -> {HKLM…CLSID} = “FineReader8ExplorerContextMenuHandler”

          \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
  

  NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

  -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
  

  UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

  -> {HKLM…CLSID} = “UnlockerShellExtension”

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
  

  WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

  -> {HKLM…CLSID} = “WinZip”

          \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
  

  HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

  UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

  -> {HKLM…CLSID} = “UnlockerShellExtension”

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
  

  Group Policies {policy setting}:


  Note: detected settings may not have any effect.

  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

  “NoResolveTrack” = (REG_DWORD) hex:0x00000001

  {unrecognized setting}

  “NoSMBalloonTip” = (REG_DWORD) hex:0x00000000

  {unrecognized setting}

  “NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000001

  {unrecognized setting}

  “NoLogOff” = (REG_DWORD) hex:0x00000000

  {Disable Logoff}

  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

  “NoResolveTrack” = (REG_DWORD) hex:0x00000001

  {unrecognized setting}

  HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

  “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

  {Shutdown: Allow system to be shut down without having to log on}

  “undockwithoutlogon” = (REG_DWORD) hex:0x00000001

  {Devices: Allow undock without having to log on}

  “DisableStatusMessages” = (REG_DWORD) hex:0x00000001

  {unrecognized setting}

  Active Desktop and Wallpaper:


  Active Desktop may be disabled at this entry:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

  Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

  HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

  “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

  Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

  HKCU\Control Panel\Desktop\

  “Wallpaper” = “C:\Documents and Settings\Piotr Kłys\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

  Enabled Scheduled Tasks:


  “User_Feed_Synchronization-{EC916082-ED73-4D7A-93E7-48A99708E6AF}” -> launches: “C:\WINDOWS\system32\msfeedssync.exe sync” [MS]

  Winsock2 Service Provider DLLs:


  Namespace Service Providers

  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

  000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

  000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

  000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

  Transport Service Providers

  HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

  0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

  C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11

  %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19

  %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

  Toolbars, Explorer Bars, Extensions:


  Explorer Bars

  HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

  HKLM\Software\Classes\CLSID{A1A7E22D-1587-4230-8F16-081C68D21448}(Default) = “Szybkie dostosowywanie programu”

  Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

  InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll” [“Agnitum Ltd.”]

  HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”

  Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

  InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

  Extensions (Tools menu items, main toolbar menu buttons)

  HKLM\Software\Microsoft\Internet Explorer\Extensions\

  {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

  “MenuText” = “Sun Java Console”

  “CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}”

  -> {HKCU…CLSID} = “Java Plug-in 1.5.0_10”

          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
  

  -> {HKLM…CLSID} = “Java Plug-in 1.5.0_10”

          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]
  

  {44627E97-789B-40D4-B5C2-58BD171129A1}\

  “ButtonText” = “Szybkie dostosowywanie programu Outpost Firewall Pro”

  {77BF5300-1474-4EC7-9980-D32B190E9B07}\

  “ButtonText” = “Skype”

  “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”

  -> {HKLM…CLSID} = “Skype add-on (button)”

          \InProcServer32\(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
  

  {92780B25-18CC-41C8-B9BE-3C9C571A8263}\

  “ButtonText” = “Badanie”

  Running Services (Display Name, Service Name, Path {Service DLL}):


  Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS]

  NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

  NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]

  Outpost Firewall Service, OutpostFirewall, “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service” [“Agnitum Ltd.”]

  Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”]

  Print Monitors:


  HKLM\System\CurrentControlSet\Control\Print\Monitors\

  PCL Language Monitor\Driver = “hpz3l3xu.dll” [“Hewlett-Packard Company”]


  <>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see everywhere the script checks and everything it finds,

   launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

   took 61 seconds.

  ---------- (total run time: 140 seconds)

The logs are OK.

Take a look here:

http://portal.centrumxp.pl/forums/thread/169899.aspx

and read the section "svchost.exe 100% CPU"

And I would recommend checking the posts by Piotr P. in the thread below:

http://forum.dobreprogramy.pl/viewtopic … hlight=100

I had this once too, and the solution was similar. If it works, the described procedure has to be applied after every use (in my case) of Automatic Updates.

Many thanks - P. Palusiński's method of replacing the update with a .bat file proved effective. Admittedly, I don't know why this happened - on the second computer there were no problems. The mysteries of MS… :)

Once again - thanks - SD