Need advice on Avast 4 scan results

Here is what Avast 4 found on my first scan. I placed them all in the Vault to be safe. Please advise whether these are really trojans or other viruses:

6/21/2008 10:54:35 AM SYSTEM 1376 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL” file.
6/21/2008 10:48:46 PM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\ppmate.exe” file.
6/22/2008 12:14:30 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\Program Files\PPMate\PPMNet.exe” file.
6/22/2008 12:15:03 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\Program Files\Realtek AC97\alcwdm64.sys” file.
6/22/2008 12:18:26 AM Jeff 3872 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll” file.
6/22/2008 12:18:46 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe” file.
6/22/2008 12:18:48 AM Jeff 3872 Sign of “Win32:Agent-YKJ [trj]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe” file.
6/22/2008 12:18:49 AM Jeff 3872 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys” file.

It seems to me that some of them might be false positives?

Thanks
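The eight log lines above mix two very different things: four hits on live files under Program Files, and four hits on copies of the same files that System Restore has archived under \System Volume Information\_restore{...}\RP803. The replies below ask for the first four to be checked and for System Restore to be purged; this added example (not code from the post or from avast) parses avast 4 "Sign of ... has been found in ..." lines and sorts them that way automatically. The sample input is the poster's own log copied from above with straight quotes; treating a "-gen" suffix as a generic (heuristic) signature is an assumption about avast's naming, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the eight detection lines copied from the post above
# (straight quotes used in place of the forum's curly quotes).
AVAST_LOG = r'''
6/21/2008 10:54:35 AM SYSTEM 1376 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" file.
6/21/2008 10:48:46 PM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\ppmate.exe" file.
6/22/2008 12:14:30 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\PPMNet.exe" file.
6/22/2008 12:15:03 AM Jeff 3872 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Program Files\Realtek AC97\alcwdm64.sys" file.
6/22/2008 12:18:26 AM Jeff 3872 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll" file.
6/22/2008 12:18:46 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe" file.
6/22/2008 12:18:48 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe" file.
6/22/2008 12:18:49 AM Jeff 3872 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys" file.
'''

# One avast 4 log line: date, time, account, PID, signature name in quotes, path in quotes.
# Both straight and curly quotes are accepted so a line pasted from a forum still parses.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [\u201c"](?P<sig>[^\u201d"]+)[\u201d"] '
    r'has been found in [\u201c"](?P<path>[^\u201d"]+)[\u201d"] file\.$'
)
# "Win32:Agent-YKJ [trj]" -> name and the bracketed class tag (trj / Adw / Rtk ...).
SIG_RE = re.compile(r'^(?P<name>.+?) \[(?P<cls>[A-Za-z]+)\]$')
# System Restore keeps archived copies under _restore{GUID}\RPnnn\; capture the RP folder.
RP_RE = re.compile(r'_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\', re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    user: str
    pid: int
    sig_name: str   # e.g. "Win32:Agent-YKJ"
    sig_class: str  # e.g. "trj"
    path: str

    @property
    def generic(self) -> bool:
        # Assumption: a "-gen" suffix marks a generic/heuristic signature, the kind
        # most worth a second opinion before trusting (not stated in the thread).
        return self.sig_name.lower().endswith('-gen')

    @property
    def restore_point(self):
        """RPnnn folder name if this hit is a System Restore copy, else None."""
        m = RP_RE.search(self.path)
        return m.group(1) if m else None


def parse_log(text: str) -> list:
    """Parse avast 4 'Sign of ... has been found' lines into Detection records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f'unrecognised avast log line: {line!r}')
        s = SIG_RE.match(m['sig'])
        if not s:
            raise ValueError(f'unrecognised signature: {m["sig"]!r}')
        out.append(Detection(m['user'], int(m['pid']), s['name'], s['cls'], m['path']))
    return out


def triage(dets: list) -> dict:
    """Split hits into live files (the ones to submit for a second opinion) and
    System Restore copies (cleared by purging restore points), then count how
    many distinct live files each signature claims."""
    live = [d for d in dets if d.restore_point is None]
    shadows = [d for d in dets if d.restore_point is not None]
    return {
        'live': [d.path for d in live],
        'restore_points': sorted({d.restore_point for d in shadows}),
        'by_signature': dict(Counter(d.sig_name for d in live)),
        'generic_live': [d.path for d in live if d.generic],
    }


if __name__ == '__main__':
    result = triage(parse_log(AVAST_LOG))
    print('submit these live files for a second opinion:')
    for p in result['live']:
        print('  ', p)
    print('restore points holding copies (purged when System Restore is disabled):',
          result['restore_points'])
    print('live hits per signature:', result['by_signature'])
    print('generic-signature hits, check these first for false positives:',
          result['generic_live'])
```

Run as-is and the four Program Files paths come out as the submission list, RP803 as the only restore point involved, and the two "-gen" hits (the VMN toolbar DLL and the Realtek driver) as the ones to treat with the most scepticism, which matches the order the replies below take.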


Your problem may be coming from the use of PPMate. To be sure where your problem is …

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


Can you submit the first 4 files to www.virustotal.com and post the results?

I also suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

OK, will run HijackThis and post results. So far the only problem I have found is not being able to run PPMate because the .exe program has been moved to the virus vault. This is not a big problem for me. I can do without this program anyway.


Hi sportflyer -

I do not see much amiss in your HJT log but I could have missed something. You can run HJT again, checkmark the below entry, and click fix.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

There is no file associated with the entry above so it is not needed.

Have you tried following Tech’s suggestions in his post above?


I have not tried Tech's suggestion yet.

What should I do with the stuff that is in the Virus Vault? Should I restore them and run HJT after deleting the item you suggested above? Thanks


First, we would have to know what entries you have in the virus chest. Can you list them here? You can also right click the entries in the chest and select scan. It is possible that some entries might be false positives.

As far as the HJT entry is concerned, it will not matter when you fix it since the entry has no file association which means the entry is useless. After doing this, I suggest again that you follow Tech’s advice above.

The virus entries are listed right at the top of this thread. I rescanned as you suggested above and they all come out as "+ve". Is there anything more you would like to see?

So far I have deleted/quarantined all the spyware found using Spybot S&D, Ad-Aware and SUPERAntiSpyware. I have also had SpywareBlaster installed for some time and have been keeping it up to date. I have not had any problems with any of my application programs. I have not been using PPMate for a while, so I can actually uninstall it. However, to do this I might have to restore it and then immediately uninstall it.

I wouldn’t restore any of them before running HJT; it will have no impact on that scan. The registry entry may still be there and as such would be recorded by HJT.

Too dangerous…
Why don’t you wait some days to see if this is really a false positive? Then, go ahead.
Right now, you can use Revo Uninstaller (www.revouninstaller.com).

Thanks for the inputs. I will go ahead and perform the steps you indicated above. Revo uninstaller looks like a great program.

Yeah, it is :wink:

Here are 3 files after going through the process Tech indicated above. Secunia shows I needed to update the QuickTime and Macromedia players to the latest versions.

I can't upload the RunScanner .bin files. Where do I send them for analysis and feedback?

Thanks


I see only 3 things in the HJT log but I might have missed something.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Again, this has no file association and is therefore useless.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

Do you or did you once have McAfee av on your computer?
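The two kinds of HJT entry picked out in this thread, the O2 BHO with "(no file)" (above and in the earlier reply) and the two O16 DPF entries pointing at McAfee CAB files, are both registry leftovers rather than running code: a BHO entry whose DLL no longer exists loads nothing, and a DPF entry is only the record of an ActiveX package once downloaded by Internet Explorer. This added example (not HijackThis code, and not from the thread) parses those two line types and lists the CLSIDs worth fixing given a set of hosts belonging to software the user has already uninstalled. The three HJT lines are copied from the log excerpts above; the fourth O2 line, with a file that does exist, is constructed for contrast and its name, CLSID and path are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Sample input: the three lines quoted from the HJT log above, plus one
# constructed O2 line (hypothetical helper name, CLSID and path) that still
# has a file behind it, so the orphan check has something to leave alone.
HJT_LOG = r'''
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
'''

CLSID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
# O2: Browser Helper Object, registered under HKLM\...\Explorer\Browser Helper Objects.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>' + CLSID + r') - (?P<file>.+)$')
# O16: Downloaded Program Files (ActiveX packages IE fetched from the given URL).
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>' + CLSID + r') - (?P<url>\S+)$')


def parse_hjt(text: str) -> list:
    """Turn O2 and O16 lines into dicts; anything else is kept as 'other'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({
                'section': 'O2',
                'name': m['name'],
                'clsid': m['clsid'].upper(),
                'file': m['file'],
                # HJT prints "(no file)" when the registered DLL path is missing.
                'orphaned': m['file'] == '(no file)',
            })
            continue
        m = O16_RE.match(line)
        if m:
            entries.append({
                'section': 'O16',
                'clsid': m['clsid'].upper(),
                'url': m['url'],
                'host': (urlsplit(m['url']).hostname or '').lower(),
            })
            continue
        entries.append({'section': 'other', 'raw': line})
    return entries


def orphaned_bhos(entries: list) -> list:
    """CLSIDs of BHO entries that no longer point at an existing DLL."""
    return [e['clsid'] for e in entries if e['section'] == 'O2' and e['orphaned']]


def dpf_hosts(entries: list) -> list:
    """Distinct download hosts recorded in O16 entries, for a quick eyeball."""
    return sorted({e['host'] for e in entries if e['section'] == 'O16'})


def fix_candidates(entries: list, removed_hosts: set) -> list:
    """Entries safe to tick in HJT: orphaned BHOs, plus DPF entries whose
    download host belongs to software the user has already uninstalled."""
    picks = orphaned_bhos(entries)
    picks += [e['clsid'] for e in entries
              if e['section'] == 'O16' and e['host'] in removed_hosts]
    return picks


if __name__ == '__main__':
    parsed = parse_hjt(HJT_LOG)
    print('orphaned BHOs:', orphaned_bhos(parsed))
    print('DPF download hosts:', dpf_hosts(parsed))
    # McAfee was uninstalled earlier in the thread, so its DPF leftovers can go too.
    print('tick these in HJT:', fix_candidates(parsed, {'download.mcafee.com'}))
```

The host check is deliberately an allow-list of things already removed, not a block-list: an O16 entry from a vendor still in use (a bank's ActiveX control, say) is harmless and fixing it only forces a re-download.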



From the avast log:

“Win32:Adware-gen [Adw]” has been found in “C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL” file.

Prevx says this about the above entry:

DEFINITION OF: VMNTOOLBAR.DLL
Safety Rating: Known Malware, do not run
Malware Family: Part of Malware group - Adware Generic NKL
Malware Form: EXPLOIT


As would be expected, the above mentioned toolbar also shows up in the RunScanner log:

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt

Dictionary (VMN Toolbar) : file://C:\Program Files\VMNTOOLBAR\Cache\SelectedContextTranslation.htm


CharleyO, thanks for the quick response.

I will fix the O2 - BHO (no file) entry today.

I had McAfee and uninstalled it because it's too bloated and slow. What should I do with this entry?

What should I do with VMNTOO~1.DLL? Fix it?

BTW, Secunia shows 2 instances of Macromedia in my files, but they are of different revisions, 6.X and 8.X. How can this be? If I install 9.X, would it replace both? Which software should I install, Macromedia Flash Player, or Flash Player and Shockwave? Do I need to uninstall before installing?

First run this tool.

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Check if the entries have gone from HijackThis; if not, fix them.

The entries are still there in HJT after running both programs. The strange thing is that in one of them the description (http://…/mcinstal.cab) is missing, although the hex code is still there. The other is still intact. I suppose I will have to use Fix to remove them.

You should only have needed to use one of the tools, the second was specific to McAfee 2007.

Yes you are going to have to fix the entries in HJT.