Help getting rid of VBSTUB.EXE - Bloodhound.W32.1

Stan

I downloaded a bunch of trial programs to convert video files from one
format to another for editing purposes. It seems that one of them
gave me a virus even though scanning each installation file shows no
virus in the installation files.

What I now have is a report that pops up every now and then by my
anti-virus program that I have a virus in C:\Windows in a file named
VBSTUB.EXE which contains the Bloodhound.W32.1 virus. My virus
program then says that it can not fix the virus or quarantine the
file. I find out that the reason why is that a search of Windows
directory and the whole HD shows no evidence of the existence of
VBSTUB.EXE.... (BTW, I do have my system set up to show hidden files)
Then, running a virus scan of the whole system turns
up no viruses.

I am assuming that something is putting VBSTUB.EXE into the windows
directory and activating it and then deleting it before the virus
protection software can get its hands on it. BTW, I uninstalled all
the VOB conversion programs. I then went into restore to go back just
before the installations started and it also appears that all restore
points got zapped. Also, there is nothing new in the startup folder
or listed under my startup items that I can find.

How do I rid myself of this thing?

System: Windows XP-SP2 with all updates

Regards,
 
Clark

Stan said:
I downloaded a bunch of trial programs to convert video files from one
format to another for editing purposes. It seems that one of them
gave me a virus even though scanning each installation file shows no
virus in the installation files.

What I now have is a report that pops up every now and then by my
anti-virus program that I have a virus in C:\Windows in a file named
VBSTUB.EXE which contains the Bloodhound.W32.1 virus. My virus
program then says that it can not fix the virus or quarantine the
file. I find out that the reason why is that a search of Windows
directory and the whole HD shows no evidence of the existence of
VBSTUB.EXE.... (BTW, I do have my system set up to show hidden files)
Then, running a virus scan of the whole system turns
up no viruses.

I am assuming that something is putting VBSTUB.EXE into the windows
directory and activating it and then deleting it before the virus
protection software can get its hands on it. BTW, I uninstalled all
the VOB conversion programs. I then went into restore to go back just
before the installations started and it also appears that all restore
points got zapped. Also, there is nothing new in the startup folder
or listed under my startup items that I can find.

How do I rid myself of this thing?

System: Windows XP-SP2 with all updates

Regards,

One guess would be a rootkit, but it really could be coming from anywhere.
Some of these malware programs install in such a way that the actual infection is
not the file your system sees, but is hidden elsewhere in the system.

For ha ha's try www.free.grisoft.com and download their free rootkit
detector; it has worked for me.
Or Rootkit Hook Analyzer is good, well, to analyze anyway.
I'd also scan the PC with it in safe mode (AntiVirus).
Well, that's a start.

Clark
 
David H. Lipman

From: "Stan" <[email protected]>

| I downloaded a bunch of trial programs to convert video files from one
| format to another for editing purposes. It seems that one of them
| gave me a virus even though scanning each installation file shows no
| virus in the installation files.
|
| What I now have is a report that pops up every now and then by my
| anti-virus program that I have a virus in C:\Windows in a file named
| VBSTUB.EXE which contains the Bloodhound.W32.1 virus. My virus
| program then says that it can not fix the virus or quarantine the
| file. I find out that the reason why is that a search of Windows
| directory and the whole HD shows no evidence of the existence of
| VBSTUB.EXE.... (BTW, I do have my system set up to show hidden files)
| Then, running a virus scan of the whole system turns
| up no viruses.
|
| I am assuming that something is putting VBSTUB.EXE into the windows
| directory and activating it and then deleting it before the virus
| protection software can get its hands on it. BTW, I uninstalled all
| the VOB conversion programs. I then went into restore to go back just
| before the installations started and it also appears that all restore
| points got zapped. Also, there is nothing new in the startup folder
| or listed under my startup items that I can find.
|
| How do I rid myself of this thing?
|
| System: Windows XP-SP2 with all updates
|
| Regards,

Bloodhound.W32.1 is Symantec's name for a Win32 coded heuristic detection.

You might NOT have found C:\Windows\VBSTUB.EXE because it may be marked with the Hidden and
System file attributes or the running component is hiding the file.

If you went to a Command Prompt and used the 'Attrib' command to remove the Hidden and
System attributes, then used the 'Dir' command, I'm sure it would show up in the directory
listing.

Since this is a Heuristic detection, it actually has a chance of being a False Positive
declaration.

You can always go into the System Recovery Console and rename the file VBSTUB.EXE to
something like VBSTUB.EXE.vir. Then you can load the OS without this file being executed
and then submit a copy of VBSTUB.EXE to Virus Total.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
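
The Attrib and Dir steps described in the reply above, written out as a Command Prompt batch file (an added example, not part of the original post). The path is the one named in the thread; the `TARGET` variable name is an assumption of this example.

```bat
@echo off
rem Added example: look for a file that Explorer and Search do not list
rem because it carries the Hidden and System attributes, then expose it.
rem TARGET is the path reported in the thread; adjust it if yours differs.
set "TARGET=C:\Windows\VBSTUB.EXE"

rem 1. List the file regardless of attributes (/a includes hidden and system files).
dir /a "%TARGET%"
if errorlevel 1 (
    rem dir returns errorlevel 1 when nothing matches. The file is either
    rem gone or being hidden by a running component, which is the case
    rem the Recovery Console rename is meant for (see the note at the end).
    echo %TARGET% is not visible even with dir /a.
    goto :eof
)

rem 2. Show the current attribute flags (H = Hidden, S = System, R = Read-only).
attrib "%TARGET%"

rem 3. Clear Hidden and System in one command. attrib refuses to reset one
rem    of the two while the other is still set, so both switches are needed.
attrib -h -s "%TARGET%"

rem 4. A plain dir (no /a) should now list the file.
dir "%TARGET%"

rem Recovery Console step from the post, typed at the C:\WINDOWS> prompt
rem after booting into the console (not run by this batch file):
rem     ren VBSTUB.EXE VBSTUB.EXE.vir
rem The renamed copy will not be executed at the next boot and can then
rem be submitted for scanning as described above.
```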
 
