is this a virus? vbc.exe?


  1. Posts : 246
    windows 7 64bit build 7600
       #1

    is this a virus? vbc.exe?


    MSE has started to pick this file up in the last few days and asks me to send a sample off each time my PC starts because it's not recognised.

    C:\Users\MY PC \AppData\Local\Temp\temp_fMKebUffFwkUuXw\vbc.exe

    I've looked about for info on this file but there seems to be a lot of disagreement on whether this is a virus or not.
    I find it odd that an MS virus scanner wouldn't recognise a file that is supposed to be a process belonging to Microsoft Visual Studio.


  2. Posts : 10,994
    Win 7 Pro 64-bit
       #2

    As you've already discovered, the legitimate vbc.exe is a file associated with Visual Studio/Visual Basic. The file is usually found in the C:\Windows\Microsoft.NET\Framework\v2.0.50727 folder. If you find it anywhere else, please note that vbc.exe could be a virus, trojan, worm, or spyware.

    What is Vbc.exe - Fix vbc.exe Errors Microsoft Corporation

    Since MSE is questioning its authenticity (probably because it's not following the usual file path) you could try renaming the .exe extension to something else, like .xxe just as an example. Run your computer to see if anything breaks. If something stops working you can always change the extension back to the original .exe.

    Rename a file

    You could also submit the file to VirusTotal for another opinion. FWIW, the vbc.exe file on my machine (7 Pro x64) is in the folder referenced above.

    https://www.virustotal.com/


  3. Posts : 246
    windows 7 64bit build 7600
    Thread Starter
       #3

    Thanks marsmimar, I have renamed the file like you've suggested, but if this is a virus it's not as simple as just renaming the executive file, is it?

    I had already done a VirusTotal scan but it came up with zero out of 43, but it also says it's been voted 36 to 6 as being harmful, and also says the file name is usenet.exe.
    Some comments:

    This is not a malware : description..............: Visual Basic Command Line Compiler

    This file is used by malware (especially Microsoft .NET RAT) to compile and load payload.

    ----


    Indeed. This doesn't show up as malicious in any AV but malware does detect this... This is a threat, look through your windows startup and look for any suspicious file, which you will most likely find.
    ----

    listed in registry as sn0zZ's Bot

    The following files have been added to the system:


    %APPDATA%\winlogon.exe


    %TEMP%\data.dat

    %TEMP%\TWQI3P64Z4.exe


    The following registry elements have been created:


    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\


    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\

    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE\

    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\

    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID\


    The following registry elements have been changed:


    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\PUEDBRM = "%APPDATA%\winlogon.exe"


    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE\S62KNP0C3G = June 10, 2010

    HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID\S62KNP0C3G = sn0zZ's Bot

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\DONOTALLOWEXCEPTIONS = 0

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\%TEMP%\TWQI3P64Z4.EXE = %TEMP%\TWQI3P64Z4.exe:*:Enabled:Windows Messanger

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST\%WINDIR%\MICROSOFT.NET\FRAMEWORK\V2.0.50727\VBC.EXE = %WINDIR%\Microsoft.NET\Framework\v2.0.50727\vbc.exe:*:Enabled:Windows Messanger
    #malware

    ----


    I've checked my startup list; it all looks normal except for 2 entries

    startup item
    371384756 and 1827221171

    manufacturer
    both unknown

    command
    C:\users\MY PC\Appdata\local\temp\tmp59FB.tmp.exe and
    C:\users\MY PC\Appdata\local\temp\tmpC480.tmp.exe

    location
    both HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I have no idea what these are as it gives no information.


    It seems I should be concerned over this file even though none of the scanners at VirusTotal has picked it up.


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    If you have any feeling that your computer could be infected I suggest using this.
    Windows Defender Offline


  5. Posts : 246
    windows 7 64bit build 7600
    Thread Starter
       #5

    Thank you Layback bear, I ran that but it didn't pick up anything. When my PC restarted, MSE once again picked up the vbc.exe in AppData\Local\Temp, which I figure means that it has recreated itself, as I had renamed the .exe.
    Having a look in the temp folder, I've found another 12 instances of vbc.exe, all in folders with names like temp_tFPKODjsvYKwDpI. I went through and renamed all the .exe's,
    restarted my PC and rechecked the temp folder, and found 2 more newly created folders, both containing vbc.exe.


  6. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #6

    In my opinion I wouldn't worry about them. I have several all the time. Windows Defender Offline indicated no problem; I would believe it. vbc.exe can be a virus but not all vbc.exe are a virus.
    Happy computing.


  7. Posts : 2,468
    Windows 7 Ultimate x64
       #7

    All the traces you've told here indicate that it IS A VIRUS.

    First off, there is a legitimate file in the system named "vbc.exe"; it's the Visual Basic command line compiler, and is located under c:\windows\microsoft.net\someotherfolder. That said, normally when you see exe processes spawning on their own in strange locations, you have all reasons to doubt.

    The folders are located under TEMP, a location normally reserved for temporary data files, or maybe for temporary programs that delete themselves afterwards. The folder name is also strange, probably random, which seems suspicious too. Moreover, if it's running on its own at system startup without your knowledge, and using the very same filename of a well known system executable, you have all reasons to doubt.

    Look at msconfig from where it autoruns, delete those and all instances you find of the exe. And just in case, enable your firewall to block outgoing connections. This time I think MSE got it right and you're effectively infected.
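
Added example (not part of any post in this thread): a read-only PowerShell script for the two checks discussed in posts #3 and #7, namely which Run-key entries point into user-writable folders, and whether the vbc.* files under %TEMP% are byte-identical to the installed .NET Framework compiler. The function name `Get-Sha256` and the variable names are this example's own; it only lists findings and deletes or changes nothing.

```powershell
# Added example, read-only: lists autorun entries and vbc.* copies; changes nothing.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# User-writable roots; a startup command pointing here deserves a closer look.
$userRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
$psMeta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Get-Sha256([string]$Path) {
    # .NET hashing so the script also runs on the PowerShell 2.0 shipped with Windows 7
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Autorun values whose command line points into a user-writable location
$autoruns = foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($p in $item.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip provider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        $hit = @($userRoots | Where-Object { $cmd.ToLower().Contains($_.ToLower()) }).Count -gt 0
        New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd; UserWritable = $hit }
    }
}
$autoruns | Sort-Object UserWritable -Descending | Format-Table Name, UserWritable, Command -AutoSize

# 2. vbc.* files under %TEMP% (including renamed ones), compared by hash
#    with the compiler copies installed under the .NET Framework folders
$known = @{}
Get-ChildItem "$env:WINDIR\Microsoft.NET\Framework*\v*\vbc.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { $known[(Get-Sha256 $_.FullName)] = $_.FullName }

Get-ChildItem -Path $env:TEMP -Filter 'vbc.*' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-Sha256 $_.FullName
        New-Object PSObject -Property @{
            Path = $_.FullName; Created = $_.CreationTime; SHA256 = $h
            MatchesFrameworkCopy = $known[$h]   # empty when no installed copy has this hash
        }
    } | Format-List Path, Created, SHA256, MatchesFrameworkCopy
```

A hash match only shows that the file in %TEMP% is a copy of the installed compiler; it does not account for what placed it there or what starts it, which is what the Run-key listing is for.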


  8. Posts : 10,994
    Win 7 Pro 64-bit
       #8

    I've asked for one of the Forum's malware experts to take a look and give an opinion. I trust her judgement completely.


  9. Posts : 246
    windows 7 64bit build 7600
    Thread Starter
       #9

    any news from the malware expert marsmimar?


  10. Posts : 10,994
    Win 7 Pro 64-bit
       #10

    There's a few hours time difference so I'm hoping we'll hear something real soon.


 