Author Topic: Win32:Virtob Virus  (Read 6379 times)


Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Win32:Virtob Virus
« on: November 16, 2007, 04:44:31 PM »
Hi I'm wondering if someone can help.  This morning my Avast blocked an attempt for a file to download this virus :o  I have done some research into what this virus does (attach to .exe files - increased processor usage etc) and found in task manager the .exe processes looked like they were using more resources than usual.

I scanned with Avast and got no result.  I thought this was a bit weird and I opened up Outlook from quick launch icon and got a message saying that Outlook wasn't configured properly.  Now I was starting to get very nervous as that had never happened before and it was very coincidental just after a virus was blocked :o

I scanned with Kaspersky which found adtool.win32.mywebsearch.brn which I had to delete from system folder and restore folders.  (I think this came with Nero 8 trial which I downloaded recently)

I scanned with Bitdefender which found some related files to the ones I deleted for Nero.

I checked for the file that the virus is supposed to download (VT100.exe) and it's not there.

I'm still not convinced that the Virus has gone or didn't infect some of my files.  Is there any way I could check in addition to what I have already done?

Any help would be greatly appreciated ;)

Avast is the "Don" by the way!  8) 8) 8)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #1 on: November 16, 2007, 05:15:42 PM »
The web shield intercepted the download attempt of the infected file, that is why you got 1 option to abort the connection, which stops the file getting on to your system. So you shouldn't find it there.

The mywebsearch found by K'sky is adware and almost certainly unrelated to the original avast alert.

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections and post the information here (break any url links so they aren't active e.g. http :// www . example.com\vt100.htm\vt100.exe, etc.).

What you might have is something undetected/hidden on your system that tried to download it. Though having done two scans that too didn't find anything.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
If using winXP, SUPERantispyware (On-Demand only in free version). Or AVG anti-spyware (formerly Ewido) (Resident scanner during trial, On-Demand after trial ends). Or Spyware Terminator (Resident scanner).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.693) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Re: Win32:Virtob Virus
« Reply #2 on: November 16, 2007, 05:48:15 PM »
Thanks for the quick reply David.

I checked the log viewer under "warning" and there is an entry with the http:// address where I was downloading from (and no it wasn't porn!)  The log says that "sign of Win32:virtob has been found in http:// ..........

I have just downloaded Super Anti Spyware and all that found was tracking cookies (didn't scan in safe mode though).

One thing that has sprung to mind is that when I scanned with Bitdefender the last file it came across was a vsnap.idx file that it got stuck on.  I'm presuming that it's because it's an image file probably from Ghost?  That wouldn't have anything to do with the proceedings would it?

Thanks again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #3 on: November 16, 2007, 06:08:02 PM »
Quote from: Rodney78
The log says that "sign of Win32:virtob has been found in http:// ..........

You have dodged a very virulent bullet. Virtob is very bad and many find no choice but to reformat; it changes the .exe files on your system.

http://www.gmer.net/vt100.exe.php
Quote
Virus / Rootkit VT100.EXE

    * hides its process and executable file
    * injects its code to every created process
    * infects most executable files on ALL disks, enlarging files by  5120 or  8192 bytes.
    * if the executable file is not infected, it is modified during the launch ( *.EXE, *.SCR )
    * infected file (process) connects to some host and tries to download rootkit file : VT100.EXE
    * after the VT100.exe is downloaded,  it starts massive infection of *.EXE files

The ghost image is likely to be very large so might well have taken some time to scan, and perhaps bitdefender couldn't handle the size.
I would suggest that you exclude these .idx files in avast, but make sure you scan your system before creating an image. I use Drive Image 7.1, last before Symantec bought it out probably now incorporated in Ghost and I exclude my Folder that I store my backup images in.

Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Re: Win32:Virtob Virus
« Reply #4 on: November 16, 2007, 06:28:01 PM »
Looks like I've had a rather close shave.  Too close for my liking.

I appreciate that I have probably got away this time, but if I was infected with this virus how would I know?  (is that a really dumb question?!)

Thanks again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #5 on: November 16, 2007, 07:34:53 PM »
You're welcome.

I think you would have no problem in knowing you had a problem. If having read only the quoted text above, you would know (but read the full info on the link and do a google search for vt100.exe), havoc would probably be a good description.

Whilst avast should still be able to detect it in the infected exe files, it may not be able to repair those infected files. If that were the case you would have little option but to delete them, so virtob could be munching its way through your executable files.

The VRDB generation may be able to help in repairing infected exe files (though I'm not 100% sure on this particular virus), provided you have run the VRDB and the files infected had previously been included in the VRDB generation.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: Win32:Virtob Virus
« Reply #6 on: November 16, 2007, 07:48:47 PM »
virtob is really a highly aggressive virus... you're not infected, i guess, cause there was only one file detected before downloading... infected systems are full of Virut/Virtob infection (all PE files on the HDD) and avast is saying, that its files were modified... nothing of these symptoms matches to your situation..
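
An added example, not part of the original posts and not Avast's VRDB or GMER's code: one way to check for the symptoms described in this thread is to keep a baseline of size and SHA-256 for every .exe/.scr file and flag files that later grew by exactly 5120 or 8192 bytes, the growth given in the quoted GMER description. The function names and the three sample files are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Growth sizes taken from the GMER description quoted in the thread.
VIRTOB_GROWTH = {5120, 8192}
EXTENSIONS = {".exe", ".scr"}

def snapshot(root):
    """Map each .exe/.scr under root to (size, SHA-256 hex digest)."""
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            data = path.read_bytes()
            result[str(path.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return result

def compare(baseline, current):
    """Return {path: verdict} for every file that differs from the baseline."""
    findings = {}
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings[path] = "new file"
        elif baseline[path][1] != digest:
            growth = size - baseline[path][0]
            if growth in VIRTOB_GROWTH:
                findings[path] = f"grew by {growth} bytes (matches quoted pattern)"
            else:
                findings[path] = f"modified (size change {growth:+d})"
    for path in baseline.keys() - current.keys():
        findings[path] = "missing"
    return findings

def demo():
    """Constructed sample: three fake executables, two altered after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.exe", "b.scr", "c.exe"):
            (root / name).write_bytes(b"MZ" + b"\x00" * 1000)
        baseline = snapshot(root)
        (root / "a.exe").write_bytes(b"MZ" + b"\x00" * 1000 + b"\xff" * 5120)  # simulated growth
        (root / "c.exe").write_bytes(b"MZ" + b"\x00" * 1010)  # unrelated change, e.g. an update
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(path, "->", verdict)
```

The baseline only means something if it was taken while the system was clean and is stored off the machine; because the quoted description says the rootkit hides its own file, the comparison is best run with the disk mounted from clean boot media.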

Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Re: Win32:Virtob Virus
« Reply #7 on: November 16, 2007, 09:20:28 PM »
Thanks for all of the replies.

I guess AVAST saved my bacon this time.

AVAST =  8) 8) 8)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #8 on: November 16, 2007, 10:13:29 PM »
It most certainly did, now would be a time to consider a back-up and recovery strategy.

Some food for thought should the worst ever happen (and that isn't just virus related), if you don't want to lose it back it up. If you fail to plan, then you plan to fail.

If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

1. back-up all the things that you don't want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn't have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days' worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one day's data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don't have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost, there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feed back, etc. good luck.

Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Re: Win32:Virtob Virus
« Reply #9 on: November 16, 2007, 10:17:57 PM »
That's great advice David.

I have got ghost installed and back up twice a week to an external hard drive.  I'm even considering a second to back the back ups!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #10 on: November 16, 2007, 10:27:26 PM »
Well Drive Image 7.1 (the last PowerQuest version before Symantec bought them out) has saved my rear on many occasions. From the first time you have to use one of these tools in anger really does cover the purchase price.

I have even restored the last image for relatively trivial things, that would take longer to resolve than restoring the image. Like my firefox profile and settings got screwed up and it would have taken more than 20 minutes to restore all my customisations, etc. So I just restored the image and mirrored my daily back-up back into their original location, really easy.

I see some people go through some real pain and I think how easy it could be for them.

Offline Rodney78

  • Jr. Member
  • **
  • Posts: 36
Re: Win32:Virtob Virus
« Reply #11 on: November 16, 2007, 10:44:16 PM »
It's interesting (for me anyway ;D) that you've brought this subject up as I was thinking about how great my back up schedule is, then it dawned on me.  If I actually had to use one of the Ghost images how would I actually do it if, where the hard drive they are stored on got fried (yes it's happened to me) ???

I started looking on tinternet yesterday how you could actually back up the images on to DVD, but for love nor money I could not find if it was possible to burn images to CD or DVD.

Seeing as your knowledge is limitless ;) you got any idea if this is possible?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85748
  • No support PMs thanks
Re: Win32:Virtob Virus
« Reply #12 on: November 17, 2007, 12:13:11 AM »
There are always limits and I have many ;D

Some disk imaging software can burn directly to DVD, I don't know if that is available on your version of ghost.

There is nothing to stop you backing up to a 2nd HDD and burning the actual disk image file/s to DVD (so you have a 2nd copy) in the same way you would burn any data file, provided you have the software Nero, etc. You may have got a CD with your optical drive to burn DVDs if your drive is capable of writing DVDs.

You are just using the DVD as a data store in the same way you would your 2nd HDD, the major issue is how you could restore from DVD if you only have one optical drive. For instance when I recover an image in Drive Image (DI), I have to put a bootable CD in my optical drive and reboot (My optical drive is set as my first boot drive in the BIOS so I never have to change that). That launches DI and I select recover, etc. now I have to select the drive I want to recover and the location of the disk image file.

I don't know if at that point I could switch media so I could point to the DVD disk image file to use in the recovery.

Offline RJARRRPCGP

  • Full Member
  • ***
  • Posts: 112
Re: Win32:Virtob Virus
« Reply #13 on: November 28, 2007, 02:30:24 AM »
Spreading to many .exe files is like the virus I've gotten before, but when using Symantec AntiVirus back in 2003 or late 2002, W32.Pinfi. That virus spread to at least around 200 files and caused installers to give a file corrupted error message.
Asus A7V8X-X motherboard BIOS 1005 (5/8/2003)-Athlon XP T-bred 2400+-512 MB PC2700 DDR SDRAM-Maxtor 60 GB 6Y060P0 HDD-eVGA GeForce 4 Ti 4200 64 MB DDR -SoundBlaster Audio PCI 128-Antec True 430 power supply-