Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • This topic is locked This topic is locked
8 replies to this topic

#1 geeman48


  • Members
  • 4 posts
  • Local time:07:32 AM

Posted 27 December 2009 - 07:10 PM

I recently noticed I was not getting AVG 9.0 (free) updates. I did a spyware check using spybot search and destroy and found a program called Mywebsearch. I was able to get rid of most of it out. I then installed Malwarebytes and it found more issues of Mywebsearch I figured that I was good to go. I tried to update my virus definitions and Zone Alarm poped up a "stub.exe" wants to access the internet I hit deny and AVG will not update. I get an error saying there is no internet connection. I check my internet connection and everything is good. A google search of Stub.exe says its a piece of malware that should be deleted!!
My system is a netbook running Windows XP sp3.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ken at 15:14:14.93 on Sun 12/27/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.277 [GMT -8:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken\Local Settings\Temporary Internet Files\Content.IE5\E66EJPFZ\dds[1].scr
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253986151312
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-10-12 353672]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2009-9-29 98984]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-5-5 55152]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-27 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-3-16 39296]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-5-5 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 SRS_PremiumSound_Service;SRS Labs Premium Sound;c:\windows\system32\drivers\SRS_PremiumSound_i386.sys [2009-5-5 232872]

=============== Created Last 30 ================

2009-12-27 19:56:32 0 d-----w- c:\docume~1\ken\applic~1\Malwarebytes
2009-12-27 19:56:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-27 19:56:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-27 19:56:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 19:56:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-27 19:39:46 0 d-----w- c:\program files\Trend Micro
2009-12-27 09:15:05 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-27 08:18:21 0 d-----w- c:\docume~1\ken\applic~1\AVG8
2009-12-26 21:32:15 5779 ----a-w- c:\windows\wininit.ini
2009-12-26 20:47:37 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-26 20:47:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-30 07:07:10 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-30 07:05:17 0 d-----r- c:\program files\Skype

==================== Find3M ====================

2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 03:06:22 0 ----a-w- c:\docume~1\ken\applic~1\wklnhst.dat
2009-10-13 02:39:37 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-08 22:57:02 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 22:57:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 22:56:56 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-03 02:22:23 32 ----a-w- c:\docume~1\alluse~1\applic~1\ezsid.dat
2009-05-05 16:49:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-09-26 17:00:27 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009092620090927\index.dat

============= FINISH: 15:15:55.93 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 28 December 2009 - 08:34 AM

Hi geeman48,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop.
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c dir /a /s c:\stub.* > log.txt&start log.txt

    A text file (log.txt) will be open. Please post its content to your reply.

#3 geeman48

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:32 AM

Posted 29 December 2009 - 12:07 AM

Thank you for your help.
I agree to your requests.
I performed the actions you suggested and have the logs listed below.

Malwarebytes' Anti-Malware 1.42
Database version: 3448
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/28/2009 9:00:36 PM
mbam-log-2009-12-28 (21-00-36).txt

Scan type: Quick Scan
Objects scanned: 142173
Time elapsed: 14 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Volume in drive C has no label.
Volume Serial Number is 648D-7A1A

Directory of c:\Documents and Settings\Ken\Local Settings\Temp\7zS8.tmp

10/29/2009 07:02 AM 1,021,208 stub.exe
1 File(s) 1,021,208 bytes

Directory of c:\WINDOWS\Prefetch

12/27/2009 12:33 PM 20,140 STUB.EXE-03A85B82.pf
12/27/2009 01:10 PM 20,108 STUB.EXE-084493F6.pf
12/27/2009 12:11 PM 23,078 STUB.EXE-327CE304.pf
3 File(s) 63,326 bytes

Total Files Listed:
4 File(s) 1,084,534 bytes
0 Dir(s) 137,925,578,752 bytes free

#4 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 29 December 2009 - 05:57 AM

Click on this link--> virustotal

Click the browse button. Copy and paste the line in bold in the open box, then click Send File.

c:\Documents and Settings\Ken\Local Settings\Temp\7zS8.tmp\stub.exe

If the file is analyzed before, click Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.

#5 geeman48

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:32 AM

Posted 29 December 2009 - 11:55 PM

File stub.exe received on 2009.12.30 04:50:43 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result: 0/41 (0%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 50 and 71 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.
You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished. Email:

Antivirus Version Last Update Result
a-squared 2009.12.30 -
AhnLab-V3 2009.12.29 -
AntiVir 2009.12.29 -
Antiy-AVL 2009.12.29 -
Authentium 2009.12.30 -
Avast 4.8.1351.0 2009.12.29 -
AVG 2009.12.30 -
BitDefender 7.2 2009.12.30 -
CAT-QuickHeal 10.00 2009.12.29 -
ClamAV 0.94.1 2009.12.30 -
Comodo 3411 2009.12.30 -
DrWeb 2009.12.30 -
eSafe 2009.12.29 -
eTrust-Vet 35.1.7206 2009.12.30 -
F-Prot 2009.12.30 -
F-Secure 9.0.15370.0 2009.12.30 -
Fortinet 2009.12.30 -
GData 19 2009.12.30 -
Ikarus T3. 2009.12.30 -
Jiangmin 13.0.900 2009.12.29 -
K7AntiVirus 7.10.932 2009.12.28 -
Kaspersky 2009.12.30 -
McAfee 5846 2009.12.29 -
McAfee+Artemis 5846 2009.12.29 -
McAfee-GW-Edition 6.8.5 2009.12.29 -
Microsoft 1.5302 2009.12.29 -
NOD32 4727 2009.12.30 -
Norman 6.04.03 2009.12.29 -
nProtect 2009.1.8.0 2009.12.29 -
Panda 2009.12.15 -
PCTools 2009.12.30 -
Prevx 3.0 2009.12.30 -
Rising 2009.12.30 -
Sophos 4.49.0 2009.12.30 -
Sunbelt 3.2.1858.2 2009.12.30 -
Symantec 2009.12.30 -
TheHacker 2009.12.30 -
TrendMicro 2009.12.30 -
VBA32 2009.12.29 -
ViRobot 2009.12.30.2115 2009.12.30 -
VirusBuster 2009.12.29 -
Additional information
File size: 1021208 bytes
MD5...: 9acc7c85875b816e39bdadd0a8d9f66e
SHA1..: 8b0d36f3a421e783b5df8ac724dbc48be2f2e93a
SHA256: a5ef994d19db7e1cd7745621818e7b04d54e473216a134076e82a5bf112883dd
ssdeep: 24576:9YgxpI+9wUIMIG1hQDAgLoHEG1m+7vB5/TEJl:9r7IghQmEqZTEJl

PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8f276
timedatestamp.....: 0x4ae9ae52 (Thu Oct 29 15:01:38 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xbb9dc 0xbc000 6.66 cf5421b7d4cbca1216dc31ffd5bec253
.rdata 0xbd000 0x2ef6c 0x2f000 4.86 ded81484cd9d71555e137789128ea77b
.data 0xec000 0xc00df88 0xb000 5.45 65f43c8fd4c8167bdfb3651d9db282e4
.rsrc 0xc0fa000 0x7c8 0x1000 2.70 2499589a11782885edb7ee19cc25cef3

( 11 imports )
> KERNEL32.dll: SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, DeleteCriticalSection, HeapCreate, HeapDestroy, IsValidCodePage, GetOEMCP, GetCPInfo, HeapSize, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetModuleFileNameA, CreateThread, ExitThread, FindFirstFileA, GetDriveTypeA, GetFileInformationByHandle, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, GetStartupInfoA, GetProcessHeap, GetCommandLineA, QueryPerformanceCounter, HeapFree, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, RaiseException, RtlUnwind, CreateEventW, ResetEvent, SetEvent, CreateProcessW, SetEndOfFile, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, SetStdHandle, GetFullPathNameA, GetCurrentDirectoryA, GetTimeFormatA, GetDateFormatA, SetEnvironmentVariableA, SetEnvironmentVariableW, InitializeCriticalSection, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, FreeLibrary, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, GetTimeZoneInformation, CompareStringA, SystemTimeToFileTime, GetTempPathW, GetCurrentDirectoryW, DeleteFileW, MulDiv, VirtualAlloc, VirtualFree, MultiByteToWideChar, GetModuleHandleW, GetVersionExA, GetUserDefaultLangID, Sleep, ExitProcess, FindResourceW, InterlockedDecrement, GetACP, GetCommandLineW, FindResourceExW, SizeofResource, GetFileSize, FlushFileBuffers, TerminateThread, GetSystemTime, WideCharToMultiByte, ResumeThread, GetExitCodeThread, WaitForSingleObject, GetSystemDefaultLCID, CompareStringW, LocalFree, LoadResource, LockResource, FreeResource, LoadLibraryW, GetLastError, GetProcAddress, HeapAlloc, GetSystemInfo, SetThreadPriority, GetWindowsDirectoryW, GetComputerNameExW, GetSystemDirectoryW, CreateMutexW, LocalAlloc, ReleaseMutex, InterlockedExchange, InterlockedIncrement, FindNextFileW, FindFirstFileW, GetFileAttributesW, RemoveDirectoryW, CopyFileW, FindClose, CreateDirectoryW, MoveFileW, SetFileAttributesW, GetVersionExW, CloseHandle, lstrcpynW, FileTimeToLocalFileTime, VirtualQuery, GetModuleHandleA, GetCurrentProcessId, SetLastError, FileTimeToSystemTime, GetModuleFileNameW, ExpandEnvironmentStringsW, SetUnhandledExceptionFilter, GetCurrentThread, CreateFileW, IsBadReadPtr, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcess, FormatMessageW, SetFilePointer, WriteFile, GlobalFree, LoadLibraryA, SleepEx, FormatMessageA, GetTickCount, ReadFile, GetStdHandle, GetFileType, WaitForMultipleObjects, PeekNamedPipe, ExpandEnvironmentStringsA
> USER32.dll: IsWindow, GetClientRect, SetWindowTextW, UpdateWindow, MessageBoxW, wvsprintfW, wsprintfW, PtInRect, LoadCursorW, GetSysColor, GetWindowTextW, GetWindowTextLengthW, FillRect, GetWindowLongW, GetDC, CallWindowProcW, EndPaint, BeginPaint, SendMessageW, GetParent, SetRect, PostMessageW, DefWindowProcW, GetDlgCtrlID, DrawTextW, DrawFocusRect, GetFocus, ShowWindow, LoadBitmapW, InvalidateRect, SetCursor, SetTimer, DrawIconEx, GetMessageW, TranslateMessage, DispatchMessageW, DestroyIcon, SetScrollInfo, GetKeyState, RegisterWindowMessageW, SetFocus, DestroyWindow, GetScrollPos, GetAncestor, GetNextDlgTabItem, GetScrollRange, GetScrollInfo, MapWindowPoints, SystemParametersInfoA, GetSystemMetrics, EnableWindow, KillTimer, RedrawWindow, EnumChildWindows, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, SetClassLongW, LoadIconW, GetDesktopWindow, DialogBoxParamW, EndDialog, GetCursorPos, ScreenToClient, AdjustWindowRectEx, MoveWindow, GetWindow, ReleaseDC, InflateRect, ClientToScreen, LoadImageW, RegisterClassExW, SetWindowPos, SetWindowRgn, GetWindowRect, CreateWindowExW, SetWindowLongW
> GDI32.dll: SetDCPenColor, LineTo, SetTextJustification, GetTextMetricsW, GetTextMetricsA, GetTextExtentPointA, GetPixel, SetPixel, CreateRectRgn, GetClipRgn, StretchBlt, ExtTextOutW, CreateRoundRectRgn, SelectClipRgn, CreateFontW, CreatePen, Polygon, Ellipse, CreateCompatibleDC, BitBlt, DeleteDC, GetStockObject, SetBkColor, SetBkMode, GetObjectW, SetTextColor, TextOutW, GetTextExtentPoint32W, MoveToEx, GetDeviceCaps, DPtoLP, SelectObject, CreateFontIndirectW, DeleteObject, CreateSolidBrush, CreateCompatibleBitmap
> ADVAPI32.dll: QueryServiceStatus, CloseServiceHandle, OpenServiceW, OpenSCManagerW
> SHELL32.dll: ShellExecuteW, ShellExecuteExW
> ole32.dll: OleUninitialize, OleInitialize, CoCreateInstance, OleSetContainedObject
> OLEAUT32.dll: -, -
> VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
> MSIMG32.dll: TransparentBlt
> COMCTL32.dll: ImageList_Draw, ImageList_GetImageInfo, ImageList_Destroy, ImageList_LoadImageW, InitCommonControlsEx, _TrackMouseEvent
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

( 0 exports )

RDS...: NSRL Reference Data Set
pdfid.: -
publisher....: AVG Technologies CZ, s.r.o.
copyright....: Copyright © 2009 AVG Technologies CZ, s.r.o.
product......: AVG Download Manager
description..: stub
original name: stub
internal name: stub
file version.:
comments.....: n/a
signers......: AVG Technologies
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 4:02 PM 10/29/2009
verified.....: -

trid..: Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware

#6 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 30 December 2009 - 04:55 AM

The file is declared clean by all the antivirus scanners. Besides, this is a part of the analysis we got from Virustotal:

publisher....: AVG Technologies CZ, s.r.o.
copyright....: Copyright 2009 AVG Technologies CZ, s.r.o.
product......: AVG Download Manager
description..: stub
original name: stub
internal name: stub
file version.:
comments.....: n/a
signers......: AVG Technologies

I tried to update my virus definitions and Zone Alarm poped up a "stub.exe" wants to access the internet I hit deny and AVG will not update.

That is because you block AVG Download Manager which is stub.exe in this case.

I don't see also any antivirus at the moment protecting your computer. I suggest you to install AVG9. Also remove the stub.exe denial rule from Zone Alarm in order to let AVG updated and run a full system scan.
  • Visit http://free.avg.com/download?prd=afe to download AVG 9 setup file to your desktop.
  • Double click the downloaded setup file to Install AVG 9 then update it.
  • On the left side click Computer scanner and select Scan whole computer.
  • When the scan finished under Result Overview tap at the end of scan result click Export overview to file
  • Select File Type: All files Name:scan.txt and save it on your desktop.
  • Under Warnings tap press Remove all unhealed infections. Then close the application.
  • Copy/paste the content of scan.txt located on your desktop to your reply.

#7 geeman48

  • Topic Starter

  • Members
  • 4 posts
  • Local time:07:32 AM

Posted 02 January 2010 - 05:25 PM

Farbar thanks for your help. Attached is the log from
AVG 9.0 It seems all is well. I do not know why my search for
Stub.exe indicated it was malicious and should be deleted!
I am sure stub.exe is probably something that can be malicious I wish
AVG could name it something else.

"Scan ""Scan whole computer"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Saturday, January 02, 2010, 1:19:58 PM"
"Scan finished:";"Saturday, January 02, 2010, 2:11:10 PM (51 minute(s) 12 second(s))"
"Total object scanned:";"296180"
"User who launched the scan:";"Ken"

#8 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 02 January 2010 - 07:12 PM

It looks good as I expected. :(

You are right about some reports and the bad stub.exe and I have read them too. But malware developers use sometimes the name of the legit files to disguise themselves. Even the name of Windows system files are often used for that purpose, or they even patch legit files. That is why we research files before removing or blocking them.

Happy Surfing geeman48. :(

#9 Farbar


    Just Curious

  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 04 January 2010 - 03:31 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users