Hello all,

Unfortunately I have this bad habit of turning to this magnificent community
only with requests for helping hand on malware issues, but since that's the
root nature of this part of the forum, I can just say that I'll be happy to
drop by more frequently in future.

The computer I'm having problems with has Eset NOD32 installed, but as expected
prior to this post, I've read the sticky topics on the top, installed and ran
all the necessary scans, saved out logs etc.

Firstly - I've ran full system scan with ESET,
ending up with one found thread - eliminated.

Secondly - Malwerbytes found about six issues - all eliminated.

All the other logs are attached, except the dds.scr's as my system detects it
as autocad script, and just runs it in notepad. I don't know how to run it on it's own,
so I'll appreciate little help on that subject.

All in all, the problem prevails, some process is taking up my whole uploading bandwidth,
leaving my unabled to any use of internet. Some times this happens right of win start,
sometimes much later. I've found some posts on net with the same indications, but with
no resolution of the problem. One pinpointed one instance of SVCHOST process as the
carrier but i don't know how to determine which one, and how to fix it, once found.
There are multiple instances of this process, and i've found out that it resembles
the count of programs running on .net framework, or something like that.
[meaning one instance for every prog that is currently running]
Anyway, I could use some explanations of the issue about SVCHOST,
but meanwhile, something's going on that I would like to fix, with Your assistance.

End notes, Win XP SP3 [auto-update disabled] running on AMD XP type machine.
Also ran suggested Microsoft app, but resulting in no threads found...
Gmer logs are made prior to malwarebytes cleaning, hijackthis log after...

Here are the logs, hopefully this matter will end with good results.

<a href="/images/attachments/1/mbam%20log.txt">mbam log.txt</a>

<a href="/images/attachments/1/GMER%20One%20log.txt">GMER One log.txt</a>

<a href="/images/attachments/1/GMER%20Two%20log.txt">GMER Two log.txt</a>

<a href="/images/attachments/1/hijackthis%20log.txt">hijackthis log.txt</a>

Best regards, MR

If your computer is infected as bad as it sounds I am a little weary of opening text files that came from your PC. A good place to post hijack logs and anything else that deals with tech stuff is http://www.pastie.org. It's main purpose is for pasting code, but I don't see why you couldn't pastie hijack logs.

commented: All logs can easily be copy/pasted right here. No need to go else where -1

Do you mean paste into post?
If so I'll do that, it's just
that i didn't knew it's easier
for you to work your way with logs
scrolling through my post...
Coming up, in few minutes.

Here's the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:41, on 19.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPWOTOOLBOX] C:\Program Files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe "-i"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapa.urbel.com/beoinfo/ActiveX/mgaxctrl.cab
O21 - SSODL: UpdateCheck - {E411934E-1FE0-485B-91CB-B4A974067577} - C:\WINDOWS\system32\ymasf.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional\RpcAgentSrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7678 bytes

If anything else is needed, just give me a beep,
I'll be more that happy to work my way to the resolution[s]...

In the meanwhile, I've found something that
looks like it doesn't belong there, so i did a screenshot.


Don't know how to show you this, maybe via box.net, flickr or something?
It shows a service svchost on the internet connection settings...

No, what I meant was pastie your logs onto www.pastie.org. Well, I will look over them now and re-post.

O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://mapa.urbel.com/beoinfo/ActiveX/mgaxctrl.cab
O21 - SSODL: UpdateCheck - {E411934E-1FE0-485B-91CB-B4A974067577} - C:\WINDOWS\system32\ymasf.dll (file missing)

These entries look very suspicious. I would not click on that link, it most likely is the cause of your troubles. Also you have acrobat 8.0 on your computer, that is really outdated therefore open to a lot of attacks. ESET is for Creative Technology.

I am not one who messes with the registry, so I am not going to tell you too. I will leave that up to spyware geeks. I am a programmer geek who dabbles in helping out, well basically everywhere on DaniWeb.

Yesterday I wasn't able to check the progress here,
so here I am now. While checking for pc viruses,
i got real one myself, and had to nail the bed for whole day.

The 016 entry that you marked is actually something I'm familiar with,
obviously coming from the major institute of urbanism website,
but how did that plug-in managed to get into my start-up rooster,
i don't know. It could be packed with something malicious but i don't recall
that after i visited this website anything twisted was going goofy with my pc.

As for the other entry, I spotted a few others updating nodes that I don't know:

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

As for Adobe, what you see here are the nodes about Acrobat (not reader),
so going for the new version is a bit more expensive, but i could get new reader.

Anyway, I'm awaiting a "what to do" posts concerning the up-mentioned entries.

The entries i mentioned are obviously
install shield update service ones...

I did several things on my own,
result seems good, at least for now.
Used HJT to fix/delete entries 016 & 021,
used regedit to check what apps are
running behind svchost process,
and found in winlogon a suspicious entry a path
to a file "tnzbrg.exe' in the apps dir
under documents and settings, googled it,
it seemed even more suspicious, deleted
with the help of malwarebytes file deletion app.
Restarted pc, everything seems good,
at least for now... No uncontrolled uploading,
net goes like it should...

. ESET is for Creative Technology.
.

ESET is the Anti-virus program installed on the computer.

hey matthew, I'm kind of amateur when it comes to spyware hell my computers nearly always got something suspicious on it so i can sympathies but I couldn't help but reply to remind you some virus's can be delayed so they activate on a date or on next start up or something. I've even herd of really clever one's that get round security by coming in in parts (tho to me this sounds like a risky infection stratagem for the cracker. (not that i mind that idiot's can fail all they like for all I care).

but anyhoo the point, a problem could have been dormant or unnoticed for sometime before you remember seeing the problem id suggest thinking back from when you saw the problem and looking for thing's you visited that are highest risk. then google virus problems + site or something, if you've got it chances are that someone else has had it or has encountered it befor.

I know this isn't very hopeful but id say google anything you think is suspious even if its just to narrow the possibilities and then id look at the site posted (i'm guessing more people would be able to help)

hope i was more help than a pain ^_^