Need advise on Avast 4 scan results

[sportflyer]

Here is what Avast4  found on my first scan.  I placed them all in the Vault to be safe.  Please advise whether these are really trojans or other virus:

6/21/2008 10:54:35 AM   SYSTEM   1376   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" file. 
6/21/2008 10:48:46 PM   Jeff   3872   Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\ppmate.exe" file. 
6/22/2008 12:14:30 AM   Jeff   3872   Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\PPMNet.exe" file. 
6/22/2008 12:15:03 AM   Jeff   3872   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Program Files\Realtek AC97\alcwdm64.sys" file. 
6/22/2008 12:18:26 AM   Jeff   3872   Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll" file. 
6/22/2008 12:18:46 AM   Jeff   3872   Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe" file. 
6/22/2008 12:18:48 AM   Jeff   3872   Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe" file. 
6/22/2008 12:18:49 AM   Jeff   3872   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys" file. 

It seems to me that some of them might be false?

Thanks

[CharleyO]

***

Your problem may be coming from the use of PPMate. To be sure where your problem is ...

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


***

[Lisandro]

Can you submit the first 4 files to www.virustotal.com and post the results?

I also suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

[sportflyer]

OK will run hijackthis and post results.  So far the only problem I have found is not being able to run PPmate because the .exe program has been moved to the virus vault. This is not a big problem for me. I can do without this program anyway.

[sportflyer]

***

Your problem may be coming from the use of PPMate. To be sure where your problem is ...

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


OK here are the results in an attachment : This scan was taken after the so called viruses have been moved to the Avast Virus Vault  . Tks





***

[CharleyO]

***

Hi sportflyer -

I do not see much amiss in your HJT log but I could have missed something. You can run HJT again, checkmark the below entry, and click fix.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

There is no file associated with the entry above so it is not needed.

Have you tried following Tech's suggestions in his post above?


***

[sportflyer]

***

Hi sportflyer -

I do not see much amiss in your HJT log but I could have missed something. You can run HJT again, checkmark the below entry, and click fix.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

There is no file associated with the entry above so it is not needed.

Have you tried following Tech's suggestions in his post above?

***

I have not tried Techs suggestion yet.   

What should do with the stuff that is in the Virus Vault? Should I restore them and run HJT after deleting the item you suggested above? Tks

[CharleyO]

***

First, we would have to know what entries you have in the virus chest. Can you list them here? You can also right click the entries in the chest and select scan. It is possible that some entries might be false positives.

As far as the HJT entry is concerned, it will not matter when you fix it since the entry has no file association which means the entry is useless. After doing this, I suggest again that you follow Tech's advice above.

[sportflyer]

The virus entries are listed right at the top of this thread. I rescanned as you suggested above and they all come out as "+ve " . Is there any more you would like see ?

So far I have deleted /quarantined all the spyware found using Spybot S&D, Adware and SuperAntispyware.  I also have Spyware Blaster installed for some time and have been keeping it up todate. I have not had any problems with all my application programs. I have not been using ppmate for a while so I can actually uninstall it. However to do this I might have to restore it then immediately uninstall it . 

[DavidR]

I wouldn't restore any of them before running HJT, it will have no impact on that scan, the registry entry may still be there and as such would be recorded by HJT.

[Lisandro]

I have not been using ppmate for a while so I can actually uninstall it. However to do this I might have to restore it then immediately uninstall it . 

Too dangerous...
Why don't you wait some days to see if this is really a false positive? Then, go ahead.
Right now, you can use Revo Uninstaller (www.revouninstaller.com).

[sportflyer]

Thanks for the inputs. I will go ahead and perform the steps you indicated above.  Revo uninstaller looks like a great program. 

[Lisandro]

Revo uninstaller looks like a great program. 

Yeah, it is

[sportflyer]

Here are 3 files after going thru the process Tech indcated above. Secunia shows I needed to update the Quicktime and Macromedia players to latest versions.

I cant upload the Runscanner.bin files  where to send them for analysis and feedback.

Tks

[CharleyO]

***

I see only 3 things in the HJT log but I might have missed something.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Again, this has no file association and is therefore useless.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

Do you or did you once have McAfee av on your computer?


***