How to Remove VMNToolbar PUA

VMNToolbar is a potentially unwanted application that modifies internet browser settings on the computer and was discovered on August 28, 2017. It can affect Windows 7, 8 and 10 systems, and the risk level is Low.

Once executed, the application creates the following folders:

  • %ProgramFiles%\vmndtxtb\chrome\content\widgets\net.vmn.www.Coupons
  • %ProgramFiles%\vmndtxtb\chrome\content\widgets\net.vmn.www.Facebook
  • %ProgramFiles%\vmndtxtb\chrome\content\widgets\net.vmn.www.Twitter
  • %ProgramFiles%\vmndtxtb\chrome\content\widgets\net.vmn.www.YouTube
  • %ProgramFiles%\vmndtxtb\chrome\skin

The application creates the following files:

  • %AppData%\vmndtxtb\dtx.ini
  • %AppData%\vmndtxtb\guid.dat
  • %AppData%\vmndtxtb\setupCfg.xml
  • %AppData%\vmndtxtb\vmn3_2dn.dll
  • %AppData%\vmndtxtb\vmn3_2dn.dl_
  • %AppData%\vmndtxtb\vmn3_2dn.exe
  • %AppData%\vmndtxtb\vmn3_2dn.ex_
  • %ProgramFiles%\vmndtxtb\auxi\config.xml
  • %ProgramFiles%\vmndtxtb\auxi\vmndtxAu.dll
  • %ProgramFiles%\vmndtxtb\chrome\content\custom.js
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\about.xml
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\dtxpanel.xul
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\dtxpanelwin.xul
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\dtxprefwin.xul
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\dtxwin.xul
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\emailnotifierproviders.xml
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\external.js
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\neterror.xhtml
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\rsspreview.html
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\rsswin.xml
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\rsswin.xsl
  • %ProgramFiles%\vmndtxtb\chrome\content\lib\wmpstreamer.html
  • %ProgramFiles%\vmndtxtb\chrome\content\modules\datastore.jsm
  • %ProgramFiles%\vmndtxtb\chrome\content\newtab\images\btn_search.gif
  • %ProgramFiles%\vmndtxtb\chrome\content\newtab\images\bullet.gif
  • %ProgramFiles%\vmndtxtb\chrome\content\newtab\images\field_bg.gif
  • %ProgramFiles%\vmndtxtb\chrome\content\newtab\images\powered_by_yahoo.gif
  • %ProgramFiles%\vmndtxtb\chrome\content\newtab\newtab.html
  • %ProgramFiles%\vmndtxtb\chrome\content\preferences.xml
  • %ProgramFiles%\vmndtxtb\chrome\content\toolbar.htm
  • %ProgramFiles%\vmndtxtb\chrome\content\toolbar.xul
  • %ProgramFiles%\vmndtxtb\chrome\content\widgets\.cvsignore
  • %ProgramFiles%\vmndtxtb\chrome\data\coupons\merchants.xml
  • %ProgramFiles%\vmndtxtb\chrome\data\rss\rss.xml
  • %ProgramFiles%\vmndtxtb\chrome\data\search\engines.xml
  • %ProgramFiles%\vmndtxtb\chrome\data\search\search.xsl
  • %ProgramFiles%\vmndtxtb\chrome\data\weather\icons.xml
  • %ProgramFiles%\vmndtxtb\components\windowmediator.js
  • %ProgramFiles%\vmndtxtb\EXERunner.exe
  • %ProgramFiles%\vmndtxtb\install.ico
  • %ProgramFiles%\vmndtxtb\manifest.xml
  • %ProgramFiles%\vmndtxtb\previousChromeSearch.dat
  • %ProgramFiles%\vmndtxtb\previousStartPage.dat
  • %ProgramFiles%\vmndtxtb\search.ico
  • %ProgramFiles%\vmndtxtb\uninstall.exe
  • %ProgramFiles%\vmndtxtb\vmndtxDx.dll
  • %ProgramFiles%\vmndtxtb\vmndtxtb.dll

Next, the application creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Network Error Advisor" = ""%ProgramFiles%\vmndtxtb\ExeRunner.exe" vmndtxtb vmn3_2dn"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d5b8015d-68af-4b2c-9412-e349d82ab4a2}\"" = "Updater For VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d5b8015d-68af-4b2c-9412-e349d82ab4a2}\InprocServer32\"" = "%ProgramFiles%\vmndtxtb\auxi\vmndtxAu.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d5b8015d-68af-4b2c-9412-e349d82ab4a2}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}\"" = "VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}\InprocServer32\"" = "%ProgramFiles%\vmndtxtb\vmndtxDx.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98f782cf-9b6b-41ca-909b-b4fdc0bbc23a}\"AppName" = "uninstall.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98f782cf-9b6b-41ca-909b-b4fdc0bbc23a}\"AppPath" = "%ProgramFiles%\vmndtxtb"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98f782cf-9b6b-41ca-909b-b4fdc0bbc23a}\"Policy" = "3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\"{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}" = "VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5b8015d-68af-4b2c-9412-e349d82ab4a2}\"" = "Updater For VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}\"" = "VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"Publisher" = "Visicom Media Inc."
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"DisplayVersion" = "3.2.0.2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"DisplayIcon" = "%ProgramFiles%\vmndtxtb\install.ico"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"DisplayName" = "VMN Toolbar"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"InstallLocation" = "%ProgramFiles%\vmndtxtb"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"UninstallString" = "%ProgramFiles%\vmndtxtb\uninstall.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"NoModify" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"NoRepair" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb\"EstimatedSize" = "275"
  • HKEY_CURRENT_USER\S-1-5-21-1454471165-854245398-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\"URL" = "http://www.mystart.com/search_w.php?fr=chr-vmn&type=vmn3_2msch&q={searchTerms}"
  • HKEY_CURRENT_USER\S-1-5-21-1454471165-854245398-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\"DisplayName" = "Search The Web"
  • HKEY_CURRENT_USER\S-1-5-21-1454471165-854245398-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\"FaviconURLFallback" = "http://search.yahoo.com/favicon.ico"
  • HKEY_CURRENT_USER\S-1-5-21-1454471165-854245398-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\"FaviconPath" = "%ProgramFiles%\vmndtxtb\search.ico"
  • HKEY_CURRENT_USER\S-1-5-21-1454471165-854245398-682003330-1003\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}\"SuggestionsURLFallback" = "http://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}"

The application is an internet browser toolbar that changes the default search provider to Yahoo and changes the browser home page to www.mystart.com.
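A read-only check for the folders and registry entries listed above, given as an added example that is not part of the original write-up. The folder names, value names and GUIDs come from the lists on this page; checking the `WOW6432Node` registry view and `Program Files (x86)` is an assumption to cover a 32-bit install on 64-bit Windows.

```powershell
# Read-only audit for the VMN Toolbar artifacts listed on this page.
# Nothing is deleted or modified; the script only reports what it finds.

$bhoClsids = '{d5b8015d-68af-4b2c-9412-e349d82ab4a2}',
             '{f379a94e-3c5d-4bad-b32c-0e3af1cc3617}'
$scopeGuid = '{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Install and data folders (the x86 path is an assumption, see lead-in)
$dirs = @("$env:ProgramFiles\vmndtxtb", "$env:APPDATA\vmndtxtb")
if (${env:ProgramFiles(x86)}) { $dirs += "${env:ProgramFiles(x86)}\vmndtxtb" }
foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) { $findings.Add("Folder: $d") }
}

# 2. Machine-wide keys, in the native and the 32-bit registry view
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    # Persistence: the "Network Error Advisor" Run value that starts ExeRunner.exe
    $run = Get-ItemProperty -LiteralPath "$root\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run -and $run.'Network Error Advisor') {
        $findings.Add("Run value: $root -> $($run.'Network Error Advisor')")
    }
    # Uninstall entry, COM registrations and Browser Helper Objects
    $keys = @("$root\Microsoft\Windows\CurrentVersion\Uninstall\vmndtxtb")
    foreach ($c in $bhoClsids) {
        $keys += "$root\Classes\CLSID\$c"
        $keys += "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("Key: $k") }
    }
}

# 3. Per-user search provider, checked in every loaded user hive
Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $p = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes\$scopeGuid"
        $url = (Get-ItemProperty -LiteralPath $p -ErrorAction SilentlyContinue).URL
        if ($url -like '*mystart.com*') { $findings.Add("SearchScope: $p -> $url") }
    }

if ($findings.Count) { $findings } else { 'No VMN Toolbar artifacts found.' }
```

Run it from an elevated prompt so other users' hives under HKEY_USERS are readable; hives of users who are not logged on are not loaded and are not covered, and `%AppData%` resolves only for the account running the script.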
