Solved

Potential Virus (VB.exe)[norton system service?]

Posted on 2007-04-04
5
239 Views
Last Modified: 2013-11-22
So a user comes up to me one day and says "I cannot get online"

He was unable to access 95% of the network resorces. I say 95% cause he was actually able to access one network drive. Aside from that he was not able to surf the net do email or anything. He was able to ping all server and external addresses. Everything seemed to be setup correctly.

After looking through the system I found the source of the problem. A process called "vb.exe" was running, and when you closed this process everything was working again.

This file is located in the system32, as well as the prefetch.

There was also a registry entry in the HKLM...bla bla bla...Microsoft Run folder vb.exe, the string beside it says it was a "norton system service"

Well throughout the day user 2 came to me and had the same problem. This is when I got worried. I removed the enteries the files the process and it has been fixed for these users. Never heard anything back.

Well as I am writing this (Next day) I have recieved 3 people tell me this morning in 45 mins that they have the same problem.

How can I find out how this file is replicating? How can I find out where it's coming from or where it came from, what can I do?

We run a 25-30 server environment of Windows 2003/2000 with Symantec 10.0 rolled out to all clients and servers with updated definitions. Symantec is reporting no problem.
0
Comment
Question by:Drakin030
  • 3
  • 2
5 Comments
 
LVL 10

Accepted Solution

by:
bbrunning earned 500 total points
ID: 18851638
Get a hold of the actually virus and submit it to Symantec. Symantec's corporate customers get very good support and usually have an update/fix for the definitions within a day or 2.
0
 

Author Comment

by:Drakin030
ID: 18851682
In the meantime is there anything I can do to find out where it came from or how it is replicating?
0
 
LVL 10

Expert Comment

by:bbrunning
ID: 18851826
As far as locating the main system infected it's hard to say. I have a Watchguard Firebox that alerts me of massive broadcasts when things like this happen and I can normally track down which systems are getting infections but I've never really known of a way to track it down to the beginning. It's possible that the first one that was brought to you was the main system that was infected and now it's just spreading everywhere but it's also possible that the main system is showing no symptoms and just infecting other systems. You could install zonealarm on one of the infected programs and let that trigger a warning as to what port and service it is using to replicate itself. I hate zonealarm but it's come in handy tracking down some viruses for me.

Process explorer will also help figure out where the file is running and what it's using
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx


0
 

Author Comment

by:Drakin030
ID: 18851949
I did use a program called PE Explorer. I think it kinda did the same thing. I wasnt able to find much info I saw the name "Dingboy" from time to time. I will try and use this program to see what I can come up with.
0
 
LVL 10

Expert Comment

by:bbrunning
ID: 18855262
Thanks for the points!
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
Resolve DNS query failed errors for Exchange
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now