This is partly a different issue than posted (and not acknowledged) in Malware forum:
I usually disable dnsclient service because of strange connections when it's running. However I *have* to enable it when I use Windows update -- will not work without it. Also BITS, winhhtp proxy and WU are disabled until I choose to update. This is the
1)Windows update download stalls at 62%.
2)Many connections to weird ips - anything from drupal.com to maildesignmedia.com (20+ connections with data)
3)Svchost Dcomlaunch (which also has Plug&Play) shows
--Tiworker -- embedded
--explorer.exe -- immersive and --embedded C;|windows\explorer.exe /factory.... (re-enables after process kill)
--dllhosts -- one is Connection Manager Lua Host Object -- netshell.dll
--2 instances of WmiPrvSe.exe running from root/wmi and cimv2 providers.
Any help is appreciated.