I am afraid it is more likely it is the VM(s) that are infected with malware rather than having a corrupted vmnat.exe.
Whatever network connections you see in the VM through command prompt netstat, will show up as connections in the Windows host with [vmnat.exe] as the binary executable involved in the connection using netstat -b in the command prompt (Admin).
The "rules of the road" for internet safety/security still apply when using VMs to browse the internet. It is not any more safe than using the host machine; in some instances it might be even less safe.
On example is using VMs via NAT to surf internet on a public WiFi. I haven't used Windows in a public WiFi for a while. But I recall that with Windows 7, you have the choice to choose "Public network" when connecting to a public WiFi such as in hotels/airports/etc. The problem with VMs through NAT is that its network profile won't change as it still see the VMNAT as the same network. So if it is set up for "Home Network" more ports are open and the VM connect through NAT on a public WiFi, the "Home Network" profile remains and in theory makes it more vulnerable.