Malware -- plz help

Discussion in 'Malware Help (A Specialist Will Reply)' started by Romulus44, Nov 25, 2007.

  1. Romulus44

    Romulus44 Private E-2

    Yesterday, I removed my old firewall, PC Tools Firewall, and installed a new one, LooknStop, as I heard it was faster. After I installed it, I noticed it in the logs blocking a strange connection to rny93-5-82-241-16-70.fbx.proxad.net on port 9500. I realized it was coming from within my Win2000 VMware machine, which I run for my poker apps. I checked the processes within the VMware machine, and I noticed a strange iexplore.exe process even though I had just rebooted it. If I kill it, it comes right back in the process list. I installed LooknStop within the VMware machine, and it asked me if I wanted to allow c:\program files\Internet Explorer\iexplore.exe to connect to the internet. I said no, and in the logs, there it was trying to connect to 82.241.16.70 port 9500 (same as above). If I double-click on it, a normal session of Internet Explorer starts up. I went through the malware guides and ran the scans in there, and additionally I ran McAfee Security Centre, AVG Free, Avira Free, Avast Free and NGenFix, and none of them identified anything wrong on the system. Attached are the logs from Counterspy, Panda, and HijackThis. In the next message, I'll attach the logs for GetRunKey and ShowNew.

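    The pattern described in the first post (a process that reconnects to the same host:port over and over, and comes back when killed) is the classic beaconing signature of a remote-control implant, and it shows up in a firewall log long before any signature-based scanner names it. The script below is an added example, not from the original thread or from LooknStop: the page does not show LooknStop's real log format, so the sample lines are constructed in a generic "timestamp action proto src -> dst:port" form, with a made-up VM address (192.168.174.128) and the 82.241.16.70:9500 destination from the post. It groups connection attempts by destination and flags any destination hit repeatedly at a regular interval.

```python
"""Spot a process that keeps retrying the same remote host:port.

Added example, not from the original thread.  Log lines are constructed
in a generic format (assumption: LooknStop's real format differs).
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample: the VM retrying 82.241.16.70:9500 every ~30 s,
# mixed with ordinary browsing traffic to unrelated hosts.
SAMPLE_LOG = """\
2007-11-25 10:00:01 BLOCK TCP 192.168.174.128:1045 -> 82.241.16.70:9500
2007-11-25 10:00:03 ALLOW TCP 192.168.174.128:1046 -> 209.85.135.99:80
2007-11-25 10:00:31 BLOCK TCP 192.168.174.128:1047 -> 82.241.16.70:9500
2007-11-25 10:00:40 ALLOW TCP 192.168.174.128:1048 -> 209.85.135.99:80
2007-11-25 10:01:01 BLOCK TCP 192.168.174.128:1049 -> 82.241.16.70:9500
2007-11-25 10:01:31 BLOCK TCP 192.168.174.128:1050 -> 82.241.16.70:9500
2007-11-25 10:02:01 BLOCK TCP 192.168.174.128:1051 -> 82.241.16.70:9500
2007-11-25 10:02:15 ALLOW TCP 192.168.174.128:1052 -> 72.14.207.99:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["action"], m["src"], m["dst"], int(m["dport"]))


def find_beacons(text, min_hits=4, max_jitter=0.25):
    """Return {(src, dst, dport): stats} for destinations contacted at
    least min_hits times at a roughly regular interval.

    Regularity is judged by the spread of the gaps between attempts
    (population stdev / mean <= max_jitter).  Browsing produces a few
    irregular hits per host; a retrying implant produces a steady train.
    """
    hits = defaultdict(list)
    for ts, _action, src, dst, dport in parse_log(text):
        hits[(src, dst, dport)].append(ts)

    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            beacons[key] = {"count": len(times),
                            "interval_s": round(mean, 1),
                            "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port}  {stats}")
```

    On the constructed sample only the 82.241.16.70:9500 train is reported (5 hits, 30 s apart, zero jitter); the two hosts contacted twice fall below min_hits. Real implants add random jitter to their sleep, which is why the threshold is a ratio rather than an exact-interval match; tune min_hits and max_jitter to the log window you have.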
  2. Romulus44

    Romulus44 Private E-2

    Logs from GetRunKey and ShowNew

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have no malware on your system.

    As to the IP address...it goes to here:
    http://dnsmon.ripe.net/

    What anti-virus and anti-spyware do you have installed ...as there isn't any in the ShowNew uninstall list.
     
  4. Romulus44

    Romulus44 Private E-2

    I have none installed, since this is a VMware image for which I have backup snapshots. I wanted to keep as low a memory footprint as possible, and I don't use it for anything else other than playing online poker, so I figured I could always go back to a previous snapshot if anything happened. Now I see the need for at least some antispyware, even though none that I tried so far identify that iexplore process as being abnormal.

    On a different note, I take issue with your diagnosis. Not really sure how you identified rny93-5-82-241-16-70.fbx.proxad.net (82.241.16.70) to be the same as dnsmon.ripe.net (193.0.19.21). There clearly is a rogue iexplore.exe process trying to connect nonstop to the above proxad address, a process which, if I kill it, reappears right away. I have attached two screenshots of the interception by LooknStop, which is installed on the machine hosting the VMware machine.

    Can you recommend a program to take a snapshot of a system before and after a program installation and compares the two to find the changes?

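    The before/after comparison asked for in the post above is simple to build yourself, and doing it by content hash rather than by timestamp matters: a file that has been patched in place (which is what a replaced iexplore.exe would look like) can keep its old size and mtime. The following is an added example, not a tool from the thread or from MajorGeeks. It walks a directory tree, records (size, SHA-256) per file, and diffs two such snapshots; demo() exercises it on a throwaway temp directory with constructed file names, simulating an "install" that adds one file, modifies one, and deletes one.

```python
"""Before/after snapshot of a directory tree, diffed by content hash.

Added example, not from the original thread.  File names inside demo()
are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (relative POSIX path) to (size, sha256).

    Symlinks are recorded by their target instead of being followed, so a
    link planted to point outside the tree is itself visible in the diff.
    """
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                snap[rel] = ("symlink", os.readlink(p))
            elif p.is_file():
                snap[rel] = (p.stat().st_size, sha256_file(p))
    return snap


def diff_snapshots(before, after):
    """Return sorted lists of added, removed and modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def demo():
    """Simulate an install in a temp tree; return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ie_dir = root / "Program Files" / "Internet Explorer"
        ie_dir.mkdir(parents=True)
        ie = ie_dir / "iexplore.exe"
        ie.write_bytes(b"MZ 00000001")          # constructed stand-in content
        (root / "WINNT").mkdir()
        (root / "WINNT" / "win.ini").write_bytes(b"[fonts]\n")
        before = snapshot(root)

        # The "install": one new file, one file rewritten with the same
        # name and size but different bytes, one file removed.
        (root / "WINNT" / "newservice.exe").write_bytes(b"MZ dropped")
        ie.write_bytes(b"MZ 00000002")
        (root / "WINNT" / "win.ini").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

    Take the first snapshot from a known-clean VM snapshot, the second after the suspect software has run (and after a reboot, since the post says the process survives one), and compare. Run the tool from the host against the guest's disk rather than from inside a guest you already distrust, otherwise a rootkit inside the guest can hide files from the walk. Registry changes are not covered here; GetRunKey and ShowNew from the thread are the equivalent for autorun keys.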
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I used Whois (http://www.networksolutions.com/whois/index.jsp?siteid=247&channelid=P13C247S570N0B9A1D219E0000V105&clickid=1000000000)
    for the IP address: 82.241.16.70 --> http://www.networksolutions.com/whois/results.jsp?ip=82.241.16.70

    As to programs to compare snapshots ...post in the software section ....more will be able to give you their experiences.
     
  6. Romulus44

    Romulus44 Private E-2

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: P.O. Box 10096
    City: Amsterdam
    StateProv:
    PostalCode: 1001EB
    Country: NL

    ReferralServer: whois://whois.ripe.net:43

    NetRange: 82.0.0.0 - 82.255.255.255
    CIDR: 82.0.0.0/8
    NetName: 82-RIPE
    NetHandle: NET-82-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS-PRI.RIPE.NET
    NameServer: NS3.NIC.FR
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: SUNIC.SUNET.SE
    NameServer: TINNIE.ARIN.NET
    Comment: These addresses have been further assigned to users in
    Comment: the RIPE NCC region. Contact information can be found in
    Comment: the RIPE database at http://www.ripe.net/whois

    On further investigation, http://www.ripe.net/whois?form_type...ing=&searchtext=82.241.16.70&do_search=Search

    inetnum: 82.241.16.0 - 82.241.19.255
    netname: FR-PROXAD-ADSL
    descr: Proxad / Free SAS
    descr: Static pool (Freebox)
    descr: rny93-5 (stmaurice)
    descr: NCC#2005090519
    country: FR
    admin-c: ACP23-RIPE
    tech-c: TCP8-RIPE
    status: ASSIGNED PA
    remarks: Spam/Abuse requests: mailto:abuse@proxad.net
    mnt-by: PROXAD-MNT
    source: RIPE # Filtered

    role: Administrative Contact for ProXad
    address: Free SAS / ProXad
    address: 8, rue de la Ville L'Eveque
    address: 75008 Paris
    phone: +33 1 73 50 20 00
    fax-no: +33 1 73 92 25 69
    remarks: trouble: Information: http://www.proxad.net/
    remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net
    admin-c: RA999-RIPE
    tech-c: FG4214-RIPE
    nic-hdl: ACP23-RIPE
    mnt-by: PROXAD-MNT
    source: RIPE # Filtered
    abuse-mailbox: abuse@proxad.net

    role: Technical Contact for ProXad
    address: Free SAS / ProXad
    address: 8, rue de la Ville L'Eveque
    address: 75008 Paris
    phone: +33 1 73 50 20 00
    fax-no: +33 1 73 92 25 69
    remarks: trouble: Information: http://www.proxad.net/
    remarks: trouble: Spam/Abuse requests: mailto:abuse@proxad.net
    admin-c: RA999-RIPE
    tech-c: FG4214-RIPE
    nic-hdl: TCP8-RIPE
    mnt-by: PROXAD-MNT
    source: RIPE # Filtered
    abuse-mailbox: abuse@proxad.net

    % Information related to '82.224.0.0/11AS12322'

    route: 82.224.0.0/11
    descr: ProXad network / Free SAS
    descr: Paris, France
    origin: AS12322
    mnt-by: PROXAD-MNT
    source: RIPE # Filtered
     
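    The whois exchange above shows the check that the earlier "it goes to RIPE" answer skipped: the ARIN record for 82.0.0.0/8 is only a referral (ReferralServer: whois://whois.ripe.net:43), and the real answer comes from the RIPE database, which puts 82.241.16.70 in a Free SAS/Proxad consumer ADSL static pool with an abuse mailbox. The script below is an added example, not from the thread or from RIPE; it parses the RIPE-style reply quoted above (trimmed to the objects that matter, but otherwise the page's own text) into RPSL objects, confirms the queried address actually falls inside the reported inetnum and route prefix, and pulls out the abuse contact. The same parser works on any RPSL-format reply (RIPE, APNIC, AFRINIC); that generalisation is mine, not the thread's.

```python
"""Parse a RIPE-style whois reply and verify the IP is inside the ranges
it reports.  Added example, not from the original thread.  RIPE_REPLY is
the RIPE output quoted in the thread, trimmed to three objects.
"""
import ipaddress
import re

RIPE_REPLY = """\
inetnum: 82.241.16.0 - 82.241.19.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
country: FR
admin-c: ACP23-RIPE
tech-c: TCP8-RIPE
status: ASSIGNED PA
remarks: Spam/Abuse requests: mailto:abuse@proxad.net
mnt-by: PROXAD-MNT
source: RIPE # Filtered

role: Administrative Contact for ProXad
address: Free SAS / ProXad
nic-hdl: ACP23-RIPE
abuse-mailbox: abuse@proxad.net
source: RIPE # Filtered

% Information related to '82.224.0.0/11AS12322'

route: 82.224.0.0/11
descr: ProXad network / Free SAS
origin: AS12322
mnt-by: PROXAD-MNT
source: RIPE # Filtered
"""


def parse_objects(text):
    """Split an RPSL reply into objects: a list of lists of (key, value).

    Objects are separated by blank lines; '%' lines are server comments.
    Keys such as descr and address repeat, so each object stays a list.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            if current:
                objects.append(current)
                current = []
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def first(obj, key):
    """First value for key in an object, or None."""
    return next((v for k, v in obj if k == key), None)


def summarize(ip, text):
    """Check ip against the inetnum and route objects in a reply and
    collect abuse contacts from abuse-mailbox and mailto: remarks."""
    ip = ipaddress.ip_address(ip)
    out = {"ip": str(ip), "inetnum": None, "netname": None,
           "in_inetnum": False, "route": None, "origin": None,
           "in_route": False, "abuse": set()}
    for obj in parse_objects(text):
        kind = obj[0][0]          # the first attribute names the object class
        if kind == "inetnum":
            lo, hi = (ipaddress.ip_address(x.strip())
                      for x in first(obj, "inetnum").split("-"))
            out["inetnum"] = f"{lo}-{hi}"
            out["netname"] = first(obj, "netname")
            out["in_inetnum"] = lo <= ip <= hi
        elif kind == "route":
            net = ipaddress.ip_network(first(obj, "route"))
            out["route"], out["origin"] = str(net), first(obj, "origin")
            out["in_route"] = ip in net
        for k, v in obj:
            if k == "abuse-mailbox":
                out["abuse"].add(v)
            elif k == "remarks":
                out["abuse"].update(re.findall(r"mailto:(\S+)", v))
    return out


if __name__ == "__main__":
    for addr in ("82.241.16.70", "193.0.19.21"):
        print(summarize(addr, RIPE_REPLY))
```

    For 82.241.16.70 both in_inetnum and in_route come back true and the abuse contact is abuse@proxad.net; for 193.0.19.21 (the dnsmon.ripe.net address from post 4) both are false, which is the concrete way to settle the disagreement earlier in the thread. A destination inside a consumer "Static pool (Freebox)" rather than a hosting range is itself a useful signal: a home DSL box on port 9500 is a far more plausible command-and-control endpoint than anything Internet Explorer should be talking to, and the abuse mailbox is where to send the firewall log if you want it looked at.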
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yup.....that's it....You might want to install a firewall (like ZoneAlarm) to block those kinds of requests.
     
  8. Romulus44

    Romulus44 Private E-2

    So I decided to do some more digging, and see what kind of trojan I had. I reinstalled AVG Free and it didn't detect anything at all during the scan it ran right after it installed, but after I rebooted it detected Trojan.Agent.HHP. Out of curiosity, and because I had planned anyhow to see which antivirus had the lowest memory footprint, I went through quite a few antivirus programs to decide what to install on my system. AVG Free came out the winner by a wide margin. The rest of the results in terms of memory footprint can be seen here if you want; I have in the spreadsheet quite a few antivirus programs, spreadsheet programs, music players, IMs, Java IDEs, and firewalls.

    http://spreadsheets.google.com/pub?key=pHetixIBxndIqzV1qDS0fIg
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Interesting results. :)

    It is why we tell you to keep your virus definitions up to date and that no anti-virus will detect all viruses.....
     
  10. Romulus44

    Romulus44 Private E-2

    Absolutely, but keep in mind that in my tests I had updated all the antivirus programs to the most up-to-date definition file. What's more interesting in my opinion is the difference in memory footprint, and therefore in performance, between different programs that perform roughly the same function. My computer absolutely flies when using, let's say, ENOD and Sensiveguard for a firewall, and slows down to a crawl with McAfee or PC Tools Firewall. I think memory footprint should be one of the numbers that software reviewers post when reviewing different programs. It's not only an indicator of how well your computer will perform with that particular program, but of the programmer's level of skill and passion for his work, and thus of the quality of the program itself.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Agreed ....but bear in mind that a lot of the companies are trying to cover many bases and, like Norton and McAfee, their systems are bloated. A lot of the users here have preferences based on their particular system and how well it integrates with other programs...so it becomes a trial-and-error type situation. It would be good if you would post your results in the software section for others to comment on! :)
     