applicunwnt.win32.porntool.agent.fi removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by smattson, Oct 30, 2009.

  1. smattson

    smattson Private E-2

    I really could use someone's expertise. I think I have some problems on my computer.

    I have been having problems erasing files over the past month and have noticed a large area of locked files. There have been other annoyances like not being able to open files due to lack of administrative rights and/or file in use. My logs are showing lots of errors including "memory leaks" and my security logs frequently turn off without notice even though they are set to save a log file when full. I believe I am having port problems and my IP address is available for the world to see no matter what I do to hide it. Through Sysinternals Process Monitor, I notice that many of my files cannot be verified and have weird paths. I wonder about the integrity of my certificate signature verification.

    1. Malwarebytes found 3 security.system.disabled viruses that I quarantined
    2. I have downloaded a few rootkit finders with mixed results
    3. I used runscanner.org and see that I have a number of missing files
    4. Comodo's antivirus has quarantined C:\windows\nircmd.exe and c:\windows\mbr.exe
    5. I ran ComboFix and it found possible rootkit activity on system32\ntos.exe and a few other things.
    6. Today I checked a few files on virscan.org and found a number of files in the system32 folder that point to the applicunwnt.win32.porntool.agent.fi virus or whatever it is. The thing is that these files are not showing up on regular scans through Comodo, Malwarebytes and others, and I'm not sure why.
    An example of one is system32\catroot\ims.cat; when I look it up on virscan.org, it looks like this:

    VirSCAN.org Scanned Report :
    Scanned time : 2009/06/04 23:31:50 (CDT)
    Scanner results: 79% Scanner(s) (30/38) found malware!
    File Name : 1.html
    File Size : 4037 byte
    File Type : Sendmail frozen configuration - version body bgcolor=
    MD5 : 4a2514195555a43458b4e087d29124be
    SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
    Online report : http://virscan.org/report/e8541b64f8b1bb1cbd8e955aa9dfd4d2.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
    AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
    AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
    Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
    Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
    Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
    AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
    AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
    BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
    CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
    ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
    Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
    CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
    Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
    F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
    F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
    Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
    GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
    ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
    Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
    JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
    Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:porn-Dialer.Win32.Agent.fi
    KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
    McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
    Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
    mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
    Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
    Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
    Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
    Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
    Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
    Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
    Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
    Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
    nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
    The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
    VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
    VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU


    This particular security catalog is related to the Microsoft Windows Component Publisher. The certificate is expired, but I am unable to install a new one. I am getting a message that the certificate is okay. I also noticed that under the authenticated attributes in the details of the certificate, there is a section of unauthenticated attributes countersign (maybe this is all normal, I am just not familiar).

    Where do I start? Am I just looking for trouble that is not there...

    Thanks,
    SMattson
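The report quoted in the post above is for a file VirSCAN recorded as 1.html, 4037 bytes, with the MD5 and SHA1 shown in its header. A multi-engine verdict says something about a file on disk only if that file's size and hashes match those header lines; a matching file name means nothing. The following is an added example, not code from the original post or from VirSCAN: it parses the pasted header and engine table, hashes a local file and lists which of the three fields disagree. The bytes in SAMPLE_CATALOG are constructed and stand in for system32\catroot\ims.cat; to run the check against a real file, call check_file with its path and the report text.

```python
"""Does a multi-engine scan report describe the file I have on disk?

Added example for this thread; not code from the original post or from
VirSCAN. It parses the report header and engine table as pasted above,
hashes a file, and reports which of size/MD5/SHA1 disagree. The bytes in
SAMPLE_CATALOG are constructed and stand in for system32\\catroot\\ims.cat.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Excerpt of the header and engine rows from the report in the first post.
REPORT_EXCERPT = """\
File Name : 1.html
File Size : 4037 byte
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
"""

# Constructed stand-in for the local file; deliberately not the bytes the report hashes.
SAMPLE_CATALOG = b"constructed sample bytes standing in for ims.cat, not a real catalog"

HEADER_RE = re.compile(r"^(File Name|File Size|MD5|SHA1)\s*:\s*(.+?)\s*$", re.M)
# Engine rows: "<engine> <engine ver> <sig ver> <YYYY-MM-DD> <seconds> <result>".
# Engine names may contain spaces ("AhnLab V3", "Trend Micro"), so the name is
# matched lazily and the row is pinned by the date and time columns.
ENGINE_RE = re.compile(
    r"^(?P<engine>.+?)\s+\S+\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\d+\.\d+\s+(?P<result>.+?)\s*$"
)


@dataclass
class ScanReport:
    file_name: str
    file_size: int
    md5: str
    sha1: str
    verdicts: dict = field(default_factory=dict)  # engine -> result; "-" means clean


def parse_report(text: str) -> ScanReport:
    headers = dict(HEADER_RE.findall(text))
    verdicts = {}
    for line in text.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            verdicts[m.group("engine")] = m.group("result")
    return ScanReport(
        file_name=headers["File Name"],
        file_size=int(headers["File Size"].split()[0]),
        md5=headers["MD5"].lower(),
        sha1=headers["SHA1"].lower(),
        verdicts=verdicts,
    )


def detections(report: ScanReport) -> dict:
    """Engines that returned anything other than '-' (VirSCAN's clean marker)."""
    return {e: r for e, r in report.verdicts.items() if r != "-"}


def hash_bytes(data: bytes):
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def report_mismatches(report: ScanReport, data: bytes) -> list:
    """Fields on which the report disagrees with the bytes in hand.

    An empty list means the report is about exactly these bytes; otherwise the
    verdicts say nothing about this file, whatever it is called on disk."""
    md5, sha1 = hash_bytes(data)
    mismatches = []
    if len(data) != report.file_size:
        mismatches.append("size")
    if md5 != report.md5:
        mismatches.append("md5")
    if sha1 != report.sha1:
        mismatches.append("sha1")
    return mismatches


def check_file(path: str, report_text: str) -> list:
    """Same check for a real file on disk, e.g. C:\\WINDOWS\\system32\\catroot\\ims.cat."""
    with open(path, "rb") as f:
        return report_mismatches(parse_report(report_text), f.read())


if __name__ == "__main__":
    rep = parse_report(REPORT_EXCERPT)
    hits = detections(rep)
    print(f"report covers {rep.file_name!r} ({rep.file_size} bytes); "
          f"{len(hits)}/{len(rep.verdicts)} engines flag it")
    bad = report_mismatches(rep, SAMPLE_CATALOG)
    if bad:
        print("report does not describe the local file; mismatched:", ", ".join(bad))
    else:
        print("report hashes match the local file; the verdicts apply to it")
```

Anything other than an empty mismatch list means the engine verdicts belong to some other file, and the right next step is to submit the actual local bytes for scanning rather than to act on the cached report.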
     
  2. smattson

    smattson Private E-2

    I forgot to mention a few other things that are happening that may or may not all be tied in together:

    Firefox has been getting huge! Like over 500,000 K at times, even if nothing is really open.

    rundll.exe uses 99% CPU at times

    Thanks,
    smattson
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  4. smattson

    smattson Private E-2

    Below are the results of my scans:


    SUPERAntiSpyware


    Edit by chaslang: Inline SAS log removed. Logs need to be attachments.



    Malwarebytes Anti-Malware


    Edit by chaslang: Inline MBAM log removed. Logs need to be attachments.


    ComboFix


    Edit by chaslang: Inline ComboFix log removed. Logs need to be attachments.



    RootRepeal


    Edit by chaslang: Inline RootRepeal log removed. Logs need to be attachments.


    MGTool

    Results are attached via zip file

    I received the following error message and am not sure how thorough the reports are:

    processdll.exe - Common Language Runtime Debugging Services
    application has generated an exception that could not be handled
    process id = 0xee4 (3812), thread id = 0xa80 (2688)

    I did not do anything after getting the error report other than click okay. MGTools generated the attached report after that. (Based on the instructions related to errors, I figured I may need to re-install the .NET Framework software from Microsoft; however, I wanted to double check with you first, since the error was different than those outlined in the instructions.)



    MISC
    I used to have SpyBot on my computer and it was deleted by Comodo Support about a month or so ago when they were helping me re-set up Comodo. I didn't realize that I still had the TeaTimer until after the reports were scanning. Sorry.



    COMPUTER'S BEHAVIOR AS OF TODAY:

    1. The first thing I noticed right away on Process Explorer was that I had a lot more Microsoft files that were digitally signed. I still have unsigned files, but not nearly as many.

    2. Firefox is not working correctly... Very slow, froze computer

    3. Prior to doing the CCleaner and scans, I had some files (apps, dll, cab, drv) in the c:\windows\system\ and c:\windows\system32\ folders that www.virscan.org had identified as 1.html ApplicUnwnt.Win32.PornTool.Agent.Fi. I re-checked one of those files now and it still is showing up on www.virscan.org as malware. I don't think any of the scans I did in context of this thread for Major Geeks identified them as malware. An example of a few of them that are directing virscan.org to the above dialer are as follows:
    - C:\windows\system32\a3d.dll
    - C:\windows\system\winspool.drv
    - C:\windows\system32\$winnt$.inf
    - C:\windows\system32\catroot2\{F250E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb (file extension doesn't show...)

    None of these are digitally signed.

    4. In Process Explorer, I checked System Properties to see if any info would show up (because previously it hadn't been). The information was blank still (version: n/a; time: n/a; path: blank; command line: blank; current directory: blank; strings: error opening file; security: S-1-5-32). There are also a lot of dll and sys files under System that are not verified including Microsoft.

    5. System or explorer is hanging... even when CPU is 15%. Moving from folder to folder has been painstakingly slow and yet other times I have been able to move along quickly.

    6. When looking up the file name for #3 above (...system32\catroot2\...), I noticed a dberr.txt log that was just modified today. I looked and came across errors that were repeatedly occurring. From the pages of errors, there were only two files the errors were occurring in: files 2 and 3 with 0x00000057 (only file 2) and 0x000006bb (both) codes. The lines were differing, however.

    Examples:
    a. Catalogdb encountered error File #2 Line 1236 - 0x00000057
    b. Catalogdb encountered error File #3 Line 330 - 0x000006bb


    Thank you in advance for helping me solve this.

    Smattson
     

    Attached Files:

    Last edited by a moderator: Nov 5, 2009
  5. smattson

    smattson Private E-2

    Hi I tried to send a reply with all my scans today and haven't seen it posted yet. I resent it once thinking the first time it didn't work on my end. It was almost 6 hours ago. Does it normally take that long to post?

    thanks,
    Smattson
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only when you don't attach the logs as requested. You posted your logs as inline text and thus the message is trapped by the spam filters. You need to ATTACH the below logs to your next message. Your MGlogs.zip file was already attached.
    • SUPERAntiSpyware
    • Malwarebytes
    • ComboFix
    • RootRepeal
     
  7. smattson

    smattson Private E-2

    Sorry about not posting the results as attachments. I missed that part. They are attached now.

    Smattson
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Do you know what these are:
    Code:
    C:\Documents and Settings\Work on Computer\Local Settings\Application Data\
    _j0003~1.bmp  Nov  1 2009     2440206  "[j0003]-[p01].bmp"
    _j0003~2.bmp  Nov  1 2009     2440206  "[j0003]-[p02].bmp"
    _j0003~3.bmp  Nov  1 2009     2440206  "[j0003]-[p03].bmp"
    _j0003~4.bmp  Nov  1 2009     2440206  "[j0003]-[p04].bmp"
    
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    AQK
    
    File::
    C:\WINDOWS\cfplogvw.INI
    C:\WINDOWS\system32\cnat.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. smattson

    smattson Private E-2

    My computer ended up with a "black screen" and I lost everything... I had no access to safe mode and tried to repair disk to no avail when using the repair option. I ended up reinstalling the OS several times before it seemed to be working halfway decent.

    I had to downgrade to XP Home (which was the original OS) because I couldn't get my XP Pro to work (even though I have the disks and product key). As it stands, I still have some hang ups and my CD drive hardware is no longer visible to my PC (ms error 41), although it was until I installed the SP2 upgrade. (I went to MS website, LG website (cd drive brand) and internet. I have tried a few things and cannot seem to get it to work).

    A problem I was having prior to the crash was that my printer would sometimes be recognized and at other times I'd try to print and I would be asked to install a printer. This same issue is happening again. The printer is located in the device manager and in the Printer folder on the Control Panel, however, I cannot print to it. This is a new HP Photosmart 309A. I tried downloading drivers from the CD drive and when that stopped working, I tried downloading drivers from HP's website.

    Maybe this is a hard drive failure, motherboard failure, etc., although I ran the diagnostics on the Dell utility CD and everything came back okay.

    If I had malware before, you don't think there would be any left after reformatting my HD, do you?

    One other change is that I installed Norton 360 and got rid of Comodo. Comodo just allowed too much potential for non-computer savvy users (kids and myself) to permit everyone and their neighbor in to the computer.

    Anyway, I don't know if you can help me with the few issues I have now or if I need to be moved to another forum.

    Thanks,
    Smattson
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your system was not that badly infected. So I do not know what may have caused your crash. I do suggest that you post your issues in the software forum. Perhaps you are having issues with your hard drive. Good luck. :)
     
