Here is what Avast 4 found on my first scan. I placed them all in the Vault to be safe. Please advise whether these are really trojans or other viruses:
6/21/2008 10:54:35 AM SYSTEM 1376 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL” file.
6/21/2008 10:48:46 PM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\ppmate.exe” file.
6/22/2008 12:14:30 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\PPMNet.exe” file.
6/22/2008 12:15:03 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\Realtek AC97\alcwdm64.sys” file.
6/22/2008 12:18:26 AM Jeff 3872 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll” file.
6/22/2008 12:18:46 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe” file.
6/22/2008 12:18:48 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe” file.
6/22/2008 12:18:49 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys” file.
Your problem may be coming from the use of PPMate. To be sure where your problem is …
Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.
Can you submit the first 4 files to www.virustotal.com and post the results?
I also suggest:
1. Disable System Restore and re-enable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
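To make the log at the top of the thread easier to triage against the advice above, here is an added Python script (not part of the thread and not Avast's own tooling) that parses Avast 4 warning-log lines of the form shown in the first post, separates the restore-point copies under System Volume Information (which disappear once System Restore is disabled, as step 1 advises) from the live files worth submitting to VirusTotal, and flags generic ("-gen") signatures, which are heuristic detections rather than matches for a specific named sample. The sample log is copied from the first post with the missing backslash before `_restore` restored; the line format regex is an assumption based on those eight lines only.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Format of the Avast 4 warning-log lines in the thread (assumed from the eight posted lines):
#   <date> <time> <user> <pid> Sign of “<signature> [<tag>]” has been found in “<path>” file.
# Avast writes curly quotes; plain quotes are accepted too in case the log was re-typed.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"\[]+) \[(?P<tag>\w+)\][”"] '
    r'has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# System Restore keeps copies of changed files under _restore{GUID}\RPnnn; the
# optional backslash tolerates logs where "\_" was mangled into "_" by a forum.
RESTORE_RE = re.compile(r'\\System Volume Information\\?_restore\{', re.IGNORECASE)

# Constructed sample: the lines from the first post of the thread.
SAMPLE_LOG = r"""
6/21/2008 10:54:35 AM SYSTEM 1376 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL” file.
6/21/2008 10:48:46 PM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\ppmate.exe” file.
6/22/2008 12:14:30 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\PPMNet.exe” file.
6/22/2008 12:15:03 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\Realtek AC97\alcwdm64.sys” file.
6/22/2008 12:18:26 AM Jeff 3872 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll” file.
6/22/2008 12:18:46 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe” file.
6/22/2008 12:18:48 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe” file.
6/22/2008 12:18:49 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys” file.
"""


@dataclass(frozen=True)
class Detection:
    when: datetime
    user: str
    pid: int
    signature: str  # e.g. "Win32:Agent-YKJ"
    tag: str        # e.g. "trj", "Adw", "Rtk"
    path: str

    @property
    def in_restore_point(self) -> bool:
        """True for the System Restore copy of a file, not the live file itself."""
        return bool(RESTORE_RE.search(self.path))

    @property
    def is_generic(self) -> bool:
        """Generic (-gen) signatures are heuristic and deserve a second opinion."""
        return self.signature.lower().endswith("-gen")


def parse_line(line: str):
    """Return a Detection for one Avast warning line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return Detection(when, m["user"], int(m["pid"]), m["sig"], m["tag"], m["path"])


def parse_log(text: str):
    """Parse every matching line of a log dump; non-matching lines are skipped."""
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def summarize(dets):
    """Group detections the way a forum helper would want to see them."""
    return {
        "by_tag": Counter(d.tag for d in dets),
        "restore_point_copies": [d.path for d in dets if d.in_restore_point],
        # Live files are the ones to upload to VirusTotal (the "first 4 files" above).
        "live_files": sorted({d.path for d in dets if not d.in_restore_point}),
        "generic_signatures": sorted({d.signature for d in dets if d.is_generic}),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print("Detections by tag:", dict(summary["by_tag"]))
    print("Live files to submit for a second opinion:")
    for p in summary["live_files"]:
        print("  ", p)
    print("Restore-point copies (cleared by disabling System Restore):", len(summary["restore_point_copies"]))
    print("Heuristic (generic) signatures:", summary["generic_signatures"])
```

Run it as-is to see the split; point `parse_log` at the contents of a real warning log to apply the same grouping. The generic-signature list is only a prompt for a second opinion, not a verdict either way.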
OK, will run HijackThis and post results. So far the only problem I have found is not being able to run PPMate because the .exe program has been moved to the virus vault. This is not a big problem for me. I can do without this program anyway.
First, we would have to know what entries you have in the virus chest. Can you list them here? You can also right click the entries in the chest and select scan. It is possible that some entries might be false positives.
As far as the HJT entry is concerned, it will not matter when you fix it since the entry has no file association which means the entry is useless. After doing this, I suggest again that you follow Tech’s advice above.
The virus entries are listed right at the top of this thread. I rescanned as you suggested above and they all come out as "+ve". Is there any more you would like to see?
So far I have deleted/quarantined all the spyware found using Spybot S&D, Adware and SUPERAntiSpyware. I have also had Spyware Blaster installed for some time and have been keeping it up to date. I have not had any problems with any of my application programs. I have not been using PPMate for a while so I can actually uninstall it. However, to do this I might have to restore it and then immediately uninstall it.
I wouldn’t restore any of them before running HJT, it will have no impact on that scan, the registry entry may still be there and as such would be recorded by HJT.
Too dangerous…
Why don’t you wait some days to see if this is really a false positive? Then, go ahead.
Right now, you can use Revo Uninstaller (www.revouninstaller.com).
Here are 3 files after going through the process Tech indicated above. Secunia shows I needed to update the QuickTime and Macromedia players to the latest versions.
I can't upload the Runscanner .bin files. Where should I send them for analysis and feedback?
"Win32:Adware-gen [Adw]" has been found in “C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL” file.
Prevx says this about the above entry …
DEFINITION OF: VMNTOOLBAR.DLL
Safety Rating: Known Malware, do not run
Malware Family: Part of Malware group - Adware Generic NKL
Malware Form: EXPLOIT
As would be expected, the above mentioned toolbar also shows up in the Runscanner log :
I had McAfee and uninstalled it because it's too bloated and slow. What should I do with this entry?
What to do with the VMNTOO~1.DLL entry? Fix it?
BTW, Secunia shows 2 instances of Macromedia in my files, but they are of different revisions, 6.x and 8.x. How can this be? If I install 9.x, would it replace both? Which s/w should I install: Macromedia Flash Player, or Flash Player and Shockwave? Do I need to uninstall before installing?
The entries are still there in HJT after running both programs. The strange thing is that in one of them the description (http://…/mcinstal.cab) is missing, although the hex code is still there. The other is still intact? I suppose I will have to use Fix to remove them.