vbshell.tlb : BHO ?

Discussion in 'other anti-malware software' started by FanJ, Nov 22, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Found by PestPatrol:

    Pest: Meridian
    Pest Info:
    Category: Browser Helper Object
    Release Date: 12/17/2001 0:00:00
    File Info:
    In File: C:\WINDOWS\SYSTEM\vbshell.tlb
    PVT: 421896892
    MD5: b8fc8ab66c226266ab7c68ea85f32710
    Date: 03-20-2000 0:05:54
    File Analysis: Look up with MD5 (recommended) or PVT.
    Certainty: Confirmed
    Threatens: Liability
    Risk: Low.
    Advice: Delete or quarantine
    Action: Ignored


    The info at the PestPatrol-site:
    link: here


    Could someone tell me please a bit more about this one?
    Thanks !
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ, :)

    You wouldn't happen to have a CLSID for that BHO ?

    Regards,

    Pieter
     
  3. FanJ

    FanJ Guest

    Hi Pieter :)

    Oops, Pestpatrol didn't give me that one as far as I saw :rolleyes:
    I could try to do a search at the registry.......

    Cheers, Jan.
     
  4. FanJ

    FanJ Guest

    Hi Pieter,

    Would this help:

    [HKEY_CLASSES_ROOT\TypeLib\{39898EB0-DE1B-11D2-9FD6-00550076E06F}\1.0\0\win32]
    @="C:\\WINDOWS\\SYSTEM\\vbshell.tlb"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{39898EB0-DE1B-11D2-9FD6-00550076E06F}\1.0\0\win32]
    @="C:\\WINDOWS\\SYSTEM\\vbshell.tlb"
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ,

    I have that file too. Just not as a BHO.
    It´s in Windows\System32
    63 kB No version info. The CLSID is the same.

    Can I ask what triggered your interest?

    Regards,

    Pieter
     
  6. FanJ

    FanJ Guest

    Thanks Pieter,

    Well, my interest was triggered by the alert from PestPatrol.
    I guess I got to find out whether I have it indeed as BHO....
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ,

    Sorry if I´m stating the obvious.
    HijackThis will tell you in a few seconds. Just see if it is listed under O2.

    Regards,

    Pieter
     
  8. FanJ

    FanJ Guest

    :oops: :oops: :oops: :rolleyes:
    I should have thought about that......................... :blink:

    Thanks Pieter !!!!!!!!!!!!
     
  9. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    That's a required file for SpywareGuard - deleting it may cause major system problems if you have SpywareGuard installed & active/running. :eek: (This just might explain some of the problems people have been having with SpywareGuard lately.)

    It's a freely available type-library that SpywareGuard uses, and even if Meridian uses it, the type-library itself can't cause any damage (plus the file itself certainly isn't a BHO...).

    If anyone can contact PestPatrol about it, I would appreciate it.

    Best regards,

    -Javacool
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ,

    You know me. I´ve got a one-track mind. ;)

    I'm curious why PP started flagging this all of a sudden.
    That file has probably been on your computer from the start. Keep us posted, my friend. :)

    Pieter
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi javacool,

    Our posts crossed. Does SpywareGuard install that file if it is not present?

    Regards,

    Pieter
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Yep, the SpywareGuard installer will copy and register the vbshell.tlb file if it isn't present.

    I wouldn't be surprised if Meridian installs that file itself and uses the type definitions within it to let its BHO function (especially if the Meridian BHO is written in VB), but again that type-library itself is certainly not malicious in nature.

    Best regards,

    -Javacool
     
  13. FanJ

    FanJ Guest

    Thanks Javacool !!!!!!!!!!!!!!!!

    SpyWareGuard installed (at the moment not the active-part running).

    As for BHO:
    I just did run HijackThis 1.97.7:
    It is not listed there under O2.


    I could try to contact the PestPatrol folks, but I cannot promise that I wil succeed. In the past I had good contact via email (or you could post at their forum (not existing anymore), but since I tried it many months ago and I got no reply anymore.....well...eh....).
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi FanJ,

    Let me know if you don't have an answer by Monday evening (our timezone).

    Regards and take care,

    Pieter
     
  15. FanJ

    FanJ Guest

    Hi Pieter and Javacool :)

    I have just send the question, with link to this thread and with Javacool's remarks, to the PestPatrol company using their web-based support.
    My request has been assigned a number ;)
    So, let's have a little patience till they reply.
    I have asked them to reply here at this thread too.

    PS: Pieter, maybe I'm not on-line monday; I'll send you an IM in a few minutes.

    Cheers, Jan.
     
  16. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    i noticed that pestpatrol being flagging that about 2 weeks ago. Obviously yet another false positive.
     
  17. FanJ

    FanJ Guest

    Hi,

    I got very quickly a very nice email from Shirley at PestPatrol.

    -Quote-
    The detection of vbshell.tlb is a false alarm and has been removed from our database. New scan strings reflecting this will be posted as soon as possible.
    -end quote-

    Big thanks Shirley !!!

    Best regards, Jan.
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good job, FanJ. :)

    Pieter
     
  19. FanJ

    FanJ Guest

    Thanks Pieter :)

    I was very pleased to see how good the support was working via their webbased-support, how quickly I got an answer and what a really nice email I got from Shirley !!!

    Thumbs up for PestPatrol and Shirley !!! :) :D
     
  20. FanJ

    FanJ Guest

    Hi,

    The false alarm has been fixed in the PestPatrol update from 25 Nov 2003.
    I did run a scan with the latest def's: all OK :)
    Thanks PestPatrol !!! :)
     
Thread Status:
Not open for further replies.