Windows 7 Forums


Windows 7: is this a virus? vbc.exe?

25 Sep 2012   #1

windows 7 64bit build 7600
 
 
is this a virus? vbc.exe?

MSE has started to pick this file up in the last few days and asks me to send a sample off each time my PC starts because it's not recognised.

C:\Users\MY PC \AppData\Local\Temp\temp_fMKebUffFwkUuXw\vbc.exe

I've looked about for info on this file but there seems to be a lot of disagreement on whether this is a virus or not.
I find it odd that an MS virus scanner wouldn't recognise a file that is supposed to be a process belonging to Microsoft Visual Studio.


25 Sep 2012   #2

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

As you've already discovered, the legitimate vbc.exe is a file associated with Visual Studio/Visual Basic. The file is usually found in C:\Windows\Microsoft.NET\Framework\v2.0.50727 folder. If you find it anywhere else, please note that vbc.exe could be a virus, trojan, worm, or spyware.

What is Vbc.exe - Fix vbc.exe Errors Microsoft Corporation

Since MSE is questioning its authenticity (probably because it's not following the usual file path) you could try renaming the .exe extension to something else, like .xxe just as an example. Run your computer to see if anything breaks. If something stops working you can always change the extension back to the original .exe.

Rename a file

You could also submit the file to VirusTotal for another opinion. FWIW, the vbc.exe file on my machine (7 Pro x64) is in the folder referenced above.

https://www.virustotal.com/
25 Sep 2012   #3

windows 7 64bit build 7600
 
 

Thanks marsmimar, I have renamed the file like you've suggested, but if this is a virus it's not as simple as just renaming the executive file, is it?

I had already done a VirusTotal scan but it came up with zero out of 43, but it also says it's been voted 36 to 6 as being harmful and also says the file name is usenet.exe.
Some comments:

This is not a malware : description..............: Visual Basic Command Line Compiler

This file is used by malware (especially Microsoft .NET RAT) to compile and load payload.

----


Indeed. This doesn't show up as malicious in any AV but malware does detect this... This is a threat, look through your windows startup and look for any suspicious file, which you will most likely find.
----

listed in registry as sn0zZ's Bot

The following files have been added to the system:

%APPDATA%\winlogon.exe
%TEMP%\data.dat
%TEMP%\TWQI3P64Z4.exe

The following registry elements have been created:

HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE\
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID\

The following registry elements have been changed:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\PUEDBRM = "%APPDATA%\winlogon.exe"
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE\S62KNP0C3G = June 10, 2010
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID\S62KNP0C3G = sn0zZ's Bot
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\DONOTALLOWEXCEPTIONS = 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\%TEMP%\TWQI3P64Z4.EXE = %TEMP%\TWQI3P64Z4.exe:*:Enabled:Windows Messanger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\%WINDIR%\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE = %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger
#malware

----


I've checked my startup list; it all looks normal except for 2 entries:

Startup item:
371384756 and 1827221171

Manufacturer:
both unknown

Command:
C:\users\MY PC\Appdata\local\temp\tmp59FB.tmp.exe and
C:\users\MY PC\Appdata\local\temp\tmpC480.tmp.exe

Location:
both HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I have no idea what these are as it gives no information.

It seems I should be concerned over this file even though none of the scanners at VirusTotal has picked it up.


25 Sep 2012   #4

Windows 7 Pro. 64/SP-1
 
 

If you have any feeling that your computer could be infected I suggest using this.
Windows Defender Offline
25 Sep 2012   #5

windows 7 64bit build 7600
 
 

Thank you Layback bear, I ran that but it didn't pick up anything. When my PC restarted, MSE once again picked up the vbc.exe in AppData\Local\Temp, which I figure means it has recreated itself, as I had renamed the .exe.
Having a look in the temp folder, I've found another 12 instances of vbc.exe, all in folders with names like temp_tFPKODjsvYKwDpI. I went through and renamed all the .exe's,
restarted my PC and rechecked the temp folder, and found 2 more newly created folders, both containing vbc.exe.
25 Sep 2012   #6

Windows 7 Pro. 64/SP-1
 
 

In my opinion I wouldn't worry about them. I have several all the time. Windows Defender Offline indicated no problem; I would believe it. vbc.exe can be a virus but not all vbc.exe are a virus.
Happy computing.
25 Sep 2012   #7

Windows 7 Ultimate x64
 
 

All the traces you've told here indicate that it IS A VIRUS.

First off, there is a legitimate file in the system named "vbc.exe", it's the Visual Basic command line compiler, and is located under c:\windows\microsoft.net\someotherfolder. That said, normally when you see exe processes spawning on their own in strange locations, you have all reasons to doubt.

The folders are located under TEMP, a location normally reserved for temporary data files, or maybe for temporary programs that delete themselves afterwards. The folder name is also strange, probably random, which seems suspicious too. Moreover, if it's running on its own at system startup without your knowledge, and using the very same filename of a well known system executable, you have all reasons to doubt.

Look at msconfig from where it autoruns, delete those and all instances you find of the exe. And just in case, enable your firewall to block outgoing connections. This time I think MSE got it right and you're effectively infected.
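The checks described in post #7 (an autorun command pointing into a temp folder, a file using the name of a system executable outside its install directory), written as a small triage function. This is an added example, not part of the thread: the sample entries are constructed from paths quoted in the posts above, and `EXPECTED_ROOTS`, `TEMP_MARKERS`, `triage`, the `Framework64` root and the numeric-name check are assumptions of this sketch.

```python
import ntpath
import re

# System binaries and the directory trees they are expected to live in.
# The Framework root for vbc.exe comes from post #2; the Framework64 root
# (64-bit .NET install) is an assumption added for this example.
EXPECTED_ROOTS = {
    "vbc.exe": ("c:\\windows\\microsoft.net\\framework\\",
                "c:\\windows\\microsoft.net\\framework64\\"),
    "winlogon.exe": ("c:\\windows\\system32\\",),
}

# User-writable locations that a program should not autostart from.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%\\")


def normalise(path):
    """Strip quotes, collapse '..' and lower-case so comparisons are stable."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def triage(value_name, command):
    """Return the reasons an autorun entry (or a bare file path) looks suspicious."""
    path = normalise(command)
    folder, exe = ntpath.split(path)
    reasons = []
    if any(marker in path for marker in TEMP_MARKERS):
        reasons.append("runs from a temp folder")
    roots = EXPECTED_ROOTS.get(exe)
    if roots and not (folder + "\\").startswith(roots):
        reasons.append("system file name outside its install directory")
    # Assumed heuristic: digits-only Run value names, like the two in post #3.
    if value_name and re.fullmatch(r"\d{6,}", value_name):
        reasons.append("numeric-only autorun name")
    return reasons


# Constructed sample: (Run value name, command) pairs taken from the thread.
SAMPLE = [
    ("371384756", r"C:\users\MY PC\Appdata\local\temp\tmp59FB.tmp.exe"),
    ("", r"C:\Users\MY PC\AppData\Local\Temp\temp_fMKebUffFwkUuXw\vbc.exe"),
    ("", r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"),
]

if __name__ == "__main__":
    for name, cmd in SAMPLE:
        print(cmd, "->", triage(name, cmd) or "no findings")
```

An empty result only means none of these three checks fired; it does not establish that a file is clean.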
25 Sep 2012   #8

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

I've asked for one of the Forum's malware experts to take a look and give an opinion. I trust her judgement completely.
26 Sep 2012   #9

windows 7 64bit build 7600
 
 

Any news from the malware expert, marsmimar?
26 Sep 2012   #10

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit
 
 

There's a few hours' time difference so I'm hoping we'll hear something real soon.