Today I have discovered that I have a program called kernel.vmm which has replaced my kernel32.exe (kernel32.exe was deleted) and the "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" "Windows Kernel" in the registry. I would normally just replace this with the original and change the registry but when I searched for kernel32.vmm I could find nothing on any search engine or database...
I am running Windows 98 SE on a Pentium 3 computer with a cable (always on) connection.
This program also automatically hooks up to the net when the computer starts (I have now disabled it from accessing the net with my firewall).
If anyone would like a copy of this file, please email me (forest_rd@hotmail.com) and I will send it to you (54kb).

hi mat,
I did a search on kernel32.vmm to see if it is a possible trojan and was unable to find it in any database as such. I also checked with Simovits Consulting to see if it was in their database of active trojans, and it wasn't. So I suspect that it is indeed a trojan in the wild of the Sub7 or Back Orifice, keylogger, and/or remote access variety. You may, if you wish, check out the www.thepublicworks.com security section and click on links: Simovits Consulting, dark-e, trojan removal, dalantec. Also download RegProt, Procmon and Netmon from Sysinternals.
Also do a trojan and port scan of your puter at www.pcflank.com. Also go to wilders.com and download a copy of the Trojan Hunter 30-day trial and scan. Since you said it was a startup, I would also check win.ini, sys.ini, autoexec.bat, all the run services in the registry in all hot keys; also check the roots in the registry, e.g. bat, com, hta, pif, at the command/open level.
You may have to remove that file and do a replace from your Win98 CD.
Good luck and cheers,
murve

Kernel32.exe is the Babylonia virus.
http://securityresponse.symantec.com/avcenter/venc/data/w95.babylonia.html
Kernel32.vmm is not a valid Windows file.
Run MsConfig and unselect any entries referencing it. Then update your virus defs and do a full scan again.
The Trojan links above are also useful.

I have had a good look into this and have found the following.
The only registry items it seems to make is the Run key as said above and the one that sets the file type as being an application (can be changed from the Folder options in Explorer).
That it only connected to my DNS servers on port 53 and seems not to have actually done any harm.
It can be gotten rid of by simply editing the registry and removing the above run key and deleting the file.
I have absolutely no idea how it got on my computer.

I just found the same file after it tried to access the net through Zone Alarm. It works in conjunction with syscfg.exe (which is a valid Windows file). Seems if syscfg.exe starts up, so does this file. I deleted kernell32.vmm both in the Windows folder and in the registry. I think I got it from a porn site, and no, Norton did not pick it up with a full scan.
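
The two registry changes reported in this thread (a Run value named "Windows Kernel" and a file type set to behave as an application) can be checked for in a regedit export. The following is an added example, not code from any poster: the sample export is constructed, and the path to kernel32.vmm, the `exefile` mapping for `.vmm` and the baseline extension list are assumptions.

```python
import re

# Extensions Windows 9x normally runs as programs (assumed baseline list).
NORMAL_EXEC = {".exe", ".com", ".bat", ".pif", ".scr"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
EXT_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\(\.[^\\]+)$", re.I)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")$')
FIRST_EXT = re.compile(r'(\.[A-Za-z0-9]+)(?=["\s]|$)')

# Constructed REGEDIT4 export; the .vmm path and "exefile" mapping are assumptions.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows Kernel"="C:\\WINDOWS\\kernel32.vmm"

[HKEY_CLASSES_ROOT\.vmm]
@="exefile"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
'''

def unquote(s):
    """Drop the surrounding quotes and undo REGEDIT4 backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])

def audit(reg_text):
    """Return (kind, name, data) for autoruns and file types that look wrong."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m:
            continue  # key header noise, blank line, or a dword/hex value
        name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
        data = unquote(m.group(2))
        if RUN_KEY.search(key):
            # First dotted extension in the command line is the program started.
            ext = FIRST_EXT.search(data)
            if not ext or ext.group(1).lower() not in NORMAL_EXEC:
                findings.append(("autorun", name, data))
        cls = EXT_KEY.match(key)
        if cls and name == "(Default)" and data.lower() == "exefile":
            if cls.group(1).lower() not in NORMAL_EXEC:
                findings.append(("filetype", cls.group(1), data))
    return findings
```

A finding only means the entry deserves a look; extensionless Run entries are flagged too, and the win.ini, autoexec.bat and other startup locations mentioned earlier in the thread are outside what this checks.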
