
vbstub.exe


Andy C

Sep 27, 2005, 4:18:31 PM
A friend of mine on an overseas web-forum has picked up this bug:

"Since Thursday I have been getting extremely annoyed by an executable
called vbstub.exe that starts running at startup. It brings my CPU
utilization up to 100% and keeps it there. If I check Task Manager I see
it in my list of processes. It shows up as bot on the Applications tab.
If I kill bot, vbstub dies and vice-versa."

Another fellow reports this:

"Upon initial infection, vbstub.exe has only a couple of running images at
any time. However, if you reboot your machine into normal mode and this
thing starts itself, it will create more than twenty images and drain your
system severely. As well, it launches an ominous image of iexplore.exe and
tries to communicate with a remote server (more on this in a minute). As
well, it ties up your lsass.exe (security/policy control program for
Windows) and eats even more system resources.

It tries to contact 81.177.1.66:80 on source ports 1051 and 1052 (use
netstat -a -n to determine exactly as it may be random). It then tries to
update itself by means of "botzcfg.php?ver=1.1" parameters from the server."

Has anyone heard of this?

AndyC
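
A check for the connection the second report describes, as an added example that is not part of the original post: it parses `netstat -a -n` output and lists the rows whose foreign endpoint is the reported 81.177.1.66:80. The sample output is constructed and the function names are illustrative.

```python
import re

# Indicator taken from the report quoted above; the local source ports may vary.
SUSPECT_REMOTE = ("81.177.1.66", 80)

# Constructed sample of Windows `netstat -a -n` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1051      81.177.1.66:80         SYN_SENT
  TCP    192.168.1.10:1052      81.177.1.66:80         ESTABLISHED
  TCP    192.168.1.10:1060      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; a '*' or non-numeric port gives None."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None

def find_connections(netstat_text, remote=SUSPECT_REMOTE):
    """Return (proto, local_port, state) for each row whose foreign endpoint is `remote`."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, banner or blank line
        proto, local, foreign, state = m.groups()
        if split_endpoint(foreign) == remote:
            hits.append((proto, split_endpoint(local)[1], state or ""))
    return hits

if __name__ == "__main__":
    for proto, lport, state in find_connections(SAMPLE):
        print(f"{proto} local port {lport} -> "
              f"{SUSPECT_REMOTE[0]}:{SUSPECT_REMOTE[1]} [{state}]")
```

Matching on the foreign endpoint rather than on ports 1051 and 1052 follows the report's note that the source ports may be random.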


Ian Kenefick

Sep 27, 2005, 5:08:34 PM

Sounds like a binder is being used here if 'stub' is anything to go
by. Suspicious filename alright. You should submit it for instant
analysis to Virustotal and Jotti's scan.

Here are details (under the heading Instant virus analysis) for
submitting to these scans http://www.ik-cs.com/suspicious-files.htm .
Please post back with results.

Andy C

Sep 27, 2005, 5:45:49 PM
Thanks for the info, Ian - some interesting results:

From virusscan.jotti.org:
AntiVir - Found nothing
ArcaVir - Found nothing
Avast - Found nothing
AVG Antivirus - Found nothing
BitDefender - Found nothing
ClamAV - Found nothing
Dr.Web - Found Trojan.Click.695
F-Prot Antivirus - Found nothing
Fortinet - Found nothing
Kaspersky Anti-Virus - Found Trojan.Win32.Agent.je
NOD32 - Found nothing
Norman Virus Control - Found nothing
UNA - Found nothing
VBA32 - Found nothing

From virustotal.com:
AntiVir - TR/Agent.JE.1
Avast - no virus found
AVG - no virus found
Avira - TR/Agent.JE.1
BitDefender - no virus found
CAT-QuickHeal - no virus found
ClamAV - no virus found
DrWeb - Trojan.Click.695
eTrust-Iris - no virus found
eTrust-Vet - no virus found
F-Prot - no virus found
Ikarus - no virus found
Kaspersky - Trojan.Win32.Agent.je
McAfee - no virus found
NOD32v2 - no virus found
Norman - no virus found
Panda - no virus found
Sophos - no virus found
Symantec - no virus found
TheHacker - no virus found
VBA32 - no virus found

Weird...

AndyC

"Ian Kenefick" <ian_ke...@eircom.net> wrote in message
news:pscjj1h083d0gn6dd...@4ax.com...

Ian Kenefick

Sep 27, 2005, 6:30:40 PM
On Tue, 27 Sep 2005 21:45:49 GMT, "Andy C" <an...@town.rr.com> wrote:

>Thanks for the info, Ian - some interesting results:

>Kaspersky Anti-Virus - Found Trojan.Win32.Agent.je

[snip]
>Weird...

Not weird at all, in fact. You are infected. This is for sure as it has
been confirmed by multiple vendors. You need to send this file for
analysis to your AV vendor. They will add detection and give you
instructions on how to disinfect your PC.

David H. Lipman

Sep 27, 2005, 7:12:46 PM
From: "Andy C" <an...@town.rr.com>

| Thanks for the info, Ian - some interesting results:
|

< snip >

| Kaspersky - Trojan.Win32.Agent.je

< snip >

| Weird...
|
| AndyC
|
| "Ian Kenefick" <ian_ke...@eircom.net> wrote in message
| news:pscjj1h083d0gn6dd...@4ax.com...
>>
>> Sounds like a binder is being used here if 'stub' is anything to go
>> by. Suspicious filename alright. You should submit it for instant
>> analysis to Virustotal and Jotti's scan.
>>
>> Here are details (under the heading Instant virus analysis) for
>> submitting to these scans http://www.ik-cs.com/suspicious-files.htm .
>> Please post back with results.
|

As you can see, Kaspersky detected this. You can use the following scanner that uses the
Kaspersky engine.

http://www.ik-cs.com/programs/virtools/KASFX.EXE

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


AndyC

Sep 29, 2005, 11:40:15 AM
Nice link - thanks, David.

AndyC

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:Olk_e.10136$kH3.243@trnddc01...
