
[A] Malwarebytes - blocked potentially malicious website popup

Discussion in 'Virus and Malware Removal' started by HonestAbeLink, Jun 9, 2012.

  1. HonestAbeLink Newcomer, in training Posts: 43

    well... "Not necessarily", doesn't do it for me... :eek:

    Could the repercussion of staying connected while not blocking the malicious websites result in further infection of my computer???
    Or will my computer be alright... cause right now it still works and the internet is working...
  2. Broni Malware Annihilator Posts: 39,378   +177

    Well, we don't know what type of infection we're dealing with here, so if you can afford to stay disconnected, that would be the best option.
  3. HonestAbeLink Newcomer, in training Posts: 43

    THANKS ;)

    Talk to you again when I have the log.
  4. Broni Malware Annihilator Posts: 39,378   +177

    You're very welcome
  5. HonestAbeLink Newcomer, in training Posts: 43

    STEALING THAT SMILEY....
    Good Day...
  6. Broni Malware Annihilator Posts: 39,378   +177

     
  7. HonestAbeLink Newcomer, in training Posts: 43

    Haven't been using my internet, but I wanted to update you on what's going on...

    I'm still waiting to hear back from my friend about the XP disc and stuff.

    I'm also having some serious issues with my internet and modem. I went to use my Xbox (connected by Ethernet directly to the modem) and
    the connection failed...

    Could not resolve DNS something or something...

    It has been like this for a couple days now... no connection no nothing even at the cable company they could not get the modem to connect to the internet.

    I'm breaking up my post cause I think I'm going to get disconnected...
  8. HonestAbeLink Newcomer, in training Posts: 43

    In the system's Event Viewer (under Administrative Tools in the Control Panel), in the Security log, around every 3 seconds a new entry appears.

    The category is Policy, and it says that the Windows Firewall group policy has been applied...

    Also, there are lots of svchosts running in my Task Manager... one kept spiking resources, but only when I plug my computer's Ethernet into the modem. So I decided to terminate it, and afterward a system shutdown was initiated by NT AUTHORITY\NETWORK SERVICE.

    I have found references to this NT AUTHORITY\NETWORK SERVICE all over Event Viewer...

    Lots are logons and logoffs...
    Setting security privileges for the account...

    I also have seen Anonymous attempt to log on to my computer...
  9. HonestAbeLink Newcomer, in training Posts: 43

    In the Event Viewer there was an entry that said:

    svchost (1764) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edb.log" for read/write access failed with system error 5: "Access Denied".

    not sure what that is about...

    Also, a lot of the services on the computer, especially those that have to do with networking (DNS Client, DHCP Client, and just about everything to do with remote access), have their "Log On" setting under Properties set to

    This Account : NT Authority/Network Service

    rather than what just about every other service is set to:

    Local System Account

    None of this means much to me. I really don't know that much about computers, but this stuff seemed shady...
  10. HonestAbeLink Newcomer, in training Posts: 43

    There is also a bunch of really strange stuff also going on...

    Like the Event Log service stopping and then restarting....

    While I was sitting next to my computer, already logged on, I saw an entry created in the Event Viewer of apparently me trying to log in to my computer using my user name, but the login failed because of a bad password... wtf

    There is also a really strange Service called

    ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##
    and that's also the description of the service...

    It also has a dependency on the TCP/IP Protocol Driver.

    I also scheduled a boot-time scan with avast and it found a rootkit on my computer and deleted it...
    Win32:Rootkit-gen [Rtk]; the process it was running in was alg.exe
  11. HonestAbeLink Newcomer, in training Posts: 43

    I also believe I have some malicious drivers on the computer...

    dfdftdttdttdt.JPG

    This is from the Security Task Manager you had me install on the computer...

    Do you have a program that can examine my services and drivers?
  12. HonestAbeLink Newcomer, in training Posts: 43

    Here's what happens, according to the Event Viewer, when I pull the Ethernet cable to my modem out of my computer, then plug it back in...

    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4202
    Date:6/22/2012
    Time:8:26:40 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 6a 10 00 40 ....j..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Warning
    Event Source:Dhcp
    Event Category:None
    Event ID:1003
    Date:6/22/2012
    Time:8:26:40 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
    The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: c7 04 00 00 Ç...


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4201
    Date:6/22/2012
    Time:8:26:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 69 10 00 40 ....I..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4201
    Date:6/22/2012
    Time:8:26:54 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was connected to the network, and has initiated normal operation over the network adapter.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 69 10 00 40 ....I..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Information
    Event Source:Tcpip
    Event Category:None
    Event ID:4202
    Date:6/22/2012
    Time:8:27:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The system detected that network adapter \DEVICE\TCPIP_{8A8C78B5-A0CB-4AD1-AF7D-2E6A30D73CB4} was disconnected from the network, and the adapter's network configuration has been released. If the network adapter was not disconnected, this may indicate that it has malfunctioned. Please contact your vendor for updated drivers.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 02 00 50 00 ......P.
    0008: 00 00 00 00 6a 10 00 40 ....j..@
    0010: 02 00 00 00 00 00 00 00 ........
    0018: 00 00 00 00 00 00 00 00 ........
    0020: 00 00 00 00 00 00 00 00 ........


    Event Type:Warning
    Event Source:Dhcp
    Event Category:None
    Event ID:1003
    Date:6/22/2012
    Time:8:27:50 PM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0015F274321A. The following error occurred:
    The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: c7 04 00 00 Ç...


    and this cycle just repeats every time, leaving me connected to the network but with no connection to the internet.
  13. HonestAbeLink Newcomer, in training Posts: 43

    Here's the ANONYMOUS LOGON entry

    Event Type:Success Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:540
    Date:6/22/2012
    Time:11:53:18 PM
    User:NT AUTHORITY\ANONYMOUS LOGON
    Computer:NONE-76AAAFB655
    Description:
    Successful Network Logon:
    User Name:
    Domain:
    Logon ID:(0x0,0x1722E)
    Logon Type:3
    Logon Process:NtLmSsp
    Authentication Package:NTLM
    Workstation Name:
    Logon GUID:-

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  14. HonestAbeLink Newcomer, in training Posts: 43

    Logon and logoff and special privileges

    Event Type:Success Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:528
    Date:6/22/2012
    Time:11:53:17 PM
    User:NT AUTHORITY\NETWORK SERVICE
    Computer:NONE-76AAAFB655
    Description:
    Successful Logon:
    User Name:NETWORK SERVICE
    Domain:NT AUTHORITY
    Logon ID:(0x0,0x3E4)
    Logon Type:5
    Logon Process:Advapi
    Authentication Package:Negotiate
    Workstation Name:
    Logon GUID:-

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:Success Audit
    Event Source:Security
    Event Category:privilege Use
    Event ID:576
    Date:6/22/2012
    Time:11:53:17 PM
    User:NT AUTHORITY\NETWORK SERVICE
    Computer:NONE-76AAAFB655
    Description:
    Special privileges assigned to new logon:
    User Name:NETWORK SERVICE
    Domain:NT AUTHORITY
    Logon ID:(0x0,0x3E4)
    Privileges:SeAuditPrivilege
    SeAssignPrimaryTokenPrivilege
    SeChangeNotifyPrivilege

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
  15. HonestAbeLink Newcomer, in training Posts: 43

    The failed logon attempt by me (apparently when I was already logged in)

    Event Type:Failure Audit
    Event Source:Security
    Event Category:Account Logon
    Event ID:680
    Date:6/22/2012
    Time:12:26:13 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: Owner
    Source Workstation: NONE-76AAAFB655
    Error Code: 0xC000006A


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Event Type:Failure Audit
    Event Source:Security
    Event Category:Logon/Logoff
    Event ID:529
    Date:6/22/2012
    Time:12:26:13 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    Logon Failure:
    Reason:Unknown user name or bad password
    User Name:Owner
    Domain:
    Logon Type:2
    Logon Process:Advapi
    Authentication Package:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:NONE-76AAAFB655
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    My user name is right, so it must be a bad password.
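The records pasted in posts 12, 13 and 15 above share one text layout (an "Event Type:" line, then "Key:Value" header lines, then a Description block), so they can be triaged mechanically. The following is an added example, not code from the thread or from any tool mentioned in it: it parses that layout and applies three defender-side heuristics, counting the Tcpip 4202 / Dhcp 1003 / Tcpip 4201 adapter-flap cycle from post 12, flagging the type 3 ANONYMOUS LOGON from post 13, and tallying 529/680 logon failures per account as in post 15. The sample text is constructed to resemble the posts (placeholder adapter GUID, MAC and computer name), and the findings are starting points for review, not verdicts.

```python
"""Triage pasted Windows XP Event Viewer text (added example, not from the thread).

Assumes the copy-paste layout seen in the posts: each record starts with an
"Event Type:" line, header fields are "Key:Value", and the Description block
runs until the next record. The rules are first-pass heuristics, not verdicts.
"""
import re
from collections import Counter

# Constructed sample modeled on the thread's records (not the poster's export).
SAMPLE_EVENTS = r"""
Event Type:Information
Event Source:Tcpip
Event ID:4202
Time:8:26:40 PM
Description:
The system detected that network adapter \DEVICE\TCPIP_{00000000-0000-0000-0000-000000000000} was disconnected from the network, and the adapter's network configuration has been released.
Data:
0000: 00 00 00 00 02 00 50 00 ......P.

Event Type:Warning
Event Source:Dhcp
Event ID:1003
Description:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000000000000. The following error occurred:
The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Type:Information
Event Source:Tcpip
Event ID:4201
Description:
The system detected that network adapter \DEVICE\TCPIP_{00000000-0000-0000-0000-000000000000} was connected to the network, and has initiated normal operation over the network adapter.

Event Type:Success Audit
Event Source:Security
Event ID:540
Time:11:53:18 PM
User:NT AUTHORITY\ANONYMOUS LOGON
Description:
Successful Network Logon:
User Name:
Logon ID:(0x0,0x1722E)
Logon Type:3
Logon Process:NtLmSsp
Authentication Package:NTLM

Event Type:Failure Audit
Event Source:Security
Event ID:529
Time:12:26:13 AM
User:NT AUTHORITY\SYSTEM
Description:
Logon Failure:
Reason:Unknown user name or bad password
User Name:Owner
Logon Type:2
"""

# "Key:Value" lines only; hex-dump rows ("0000: ...") and free text do not match.
FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")
# One disconnect / DHCP-renew-failure / reconnect sequence, as pasted in post 12.
FLAP = [("Tcpip", "4202"), ("Dhcp", "1003"), ("Tcpip", "4201")]


def parse_events(text):
    """Split pasted Event Viewer text into one dict per record.

    The first occurrence of a key wins; unmatched lines go to "_desc"."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            current = {"_desc": []}
            records.append(current)
        if current is None:
            continue  # text before the first record
        m = FIELD.match(line)
        if m:
            current.setdefault(m.group(1), m.group(2).strip())
        else:
            current["_desc"].append(line)
    return records


def triage(records):
    """Return (tag, detail) findings from the three heuristics described above."""
    findings, failed = [], Counter()
    pairs = [(r.get("Event Source"), r.get("Event ID")) for r in records]
    flaps = sum(1 for i in range(len(pairs) - 2) if pairs[i:i + 3] == FLAP)
    if flaps:
        findings.append(("adapter_flap", f"{flaps} disconnect/DHCP-fail/reconnect cycle(s)"))
    for r in records:
        if r.get("Event Source") != "Security":
            continue
        eid = r.get("Event ID")
        # On XP, type 3 anonymous logons are routinely produced by null-session SMB
        # and browser traffic on a LAN; review what accepted the connection.
        if eid == "540" and r.get("Logon Type") == "3" and "ANONYMOUS LOGON" in r.get("User", ""):
            findings.append(("anonymous_network_logon",
                             f"{r.get('Time')} via {r.get('Authentication Package')}"))
        elif eid in ("529", "680"):  # 680 carries the account in "Logon account"
            failed[r.get("User Name") or r.get("Logon account") or "?"] += 1
    for account, n in failed.items():
        findings.append(("failed_logon", f"{n} failure(s) for account {account}"))
    return findings


if __name__ == "__main__":
    for tag, detail in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{tag:24} {detail}")
```

Paste a real export in place of SAMPLE_EVENTS and the same three rules apply; for the 680 record in post 15, the error code 0xC000006A is the NT status for a wrong password rather than an unknown account, which is why a single failure for the logged-in user is more consistent with a mistyped or cached credential than with a guessing attack, while a repeated run of them would deserve a closer look.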
  16. HonestAbeLink Newcomer, in training Posts: 43

    LOTS OF THESE...

    Event Type:Information
    Event Source:MsiInstaller
    Event Category:None
    Event ID:11729
    Date:6/22/2012
    Time:5:49:48 PM
    User:NONE-76AAAFB655\Owner
    Computer:NONE-76AAAFB655
    Description:
    The description for Event ID ( 11729 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Product: Java(TM) 7 Update 5 -- Configuration failed., (NULL), (NULL), (NULL), (NULL), , .
    Data:
    0000: 7b 32 36 41 32 34 41 45 {26A24AE
    0008: 34 2d 30 33 39 44 2d 34 4-039D-4
    0010: 43 41 34 2d 38 37 42 34 CA4-87B4
    0018: 2d 32 46 38 33 32 31 37 -2F83217
    0020: 30 30 35 46 46 7d 005FF}
  17. HonestAbeLink Newcomer, in training Posts: 43

    Hope this can help you, maybe just to understand how whatever is still on my computer is working, if not to help get rid of it...

    Like I said before, I don't know if the things above are very normal or malicious... but my guess is you do. Tell me what you think, and if there is anything we can do in the meantime before I get that XP disc and all, that would be great.

    I'll pop on shortly like this tomorrow (if my new EVIL DNS server lets me; I really don't know what I'm talking about), hope to catch you then...

    STEALING IT AGAIN...
  18. HonestAbeLink Newcomer, in training Posts: 43

    One last thing came to mind.

    I have multiple spoolsv.exe on my computer.

    4 to be exact.

    Mostly worried about this one.

    It's located at - C:\WINDOWS\ERDNT\cache

    created Monday, June 11, 2012, 2:31:02 AM
    modified Tuesday, August 17, 2010, 9:17:06 AM wtf
    accessed Today, June 23, 2012, 2:49:57 AM

    From the Event Viewer:

    Event Type:Information
    Event Source:Service Control Manager
    Event Category:None
    Event ID:7035
    Date:6/23/2012
    Time:1:37:34 AM
    User:NT AUTHORITY\SYSTEM
    Computer:NONE-76AAAFB655
    Description:
    The Windows Image Acquisition (WIA) service was successfully sent a start control.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:Information
    Event Source:Service Control Manager
    Event Category:None
    Event ID:7036
    Date:6/23/2012
    Time:1:37:35 AM
    User:N/A
    Computer:NONE-76AAAFB655
    Description:
    The Windows Image Acquisition (WIA) service entered the running state.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    In Windows XP, WIA runs in the LocalSystem context. Because of the security ramifications of running a service as LocalSystem, whereby a buggy driver or malicious person would have unrestricted access to the system, the WIA service in Windows Server 2003 and Windows Vista operates in the LocalService context. This can result in compatibility issues when using a driver designed for Windows XP.
  19. Broni Malware Annihilator Posts: 39,378   +177

    I can't really comment without seeing requested logs.
  20. HonestAbeLink Newcomer, in training Posts: 43

    Here's the update...

    Found someone who can most likely create the disc for me... Might be able to get the logs in a few days.

    Till then... see ya