Author Topic: Malware name Win32:Vitro  (Read 340178 times)


Vladimir1989

  • Guest
Re: Malware name Win32:Vitro
« Reply #30 on: February 21, 2009, 05:19:38 PM »
Hi

I too got infected with this VITRO, and it doesn't let me go to Windows (not even Safe Mode now). In the beginning on the startup there was this Data Execution Prevention screen with LOGONUI something with an error. Now I want to format the entire disk (I don't have to save anything, btw, so that is not a problem) but I have a huge problem. I tried to format it with my Windows XP disc but the blue screen always pops up, so I can't do anything with that CD. The second thing I tried is to format it from DOS on the boot CD, but it gets stuck with some driver loading (ATAPICD.SYS loading... and then nothing, it just stays like that). Could you please give me some advice? I really don't know what else to do to format it.

cheers

Rangerro

  • Guest
Re: Malware name Win32:Vitro
« Reply #31 on: February 21, 2009, 06:00:39 PM »
Installing Windows on the same HDD won't help. Windows is crashing right after install... The best way to remove it is to install a new Windows on another HDD and perform a full scan with (let's say) avast, which has a new virus database. It's good to do a scan from the boot menu also, for sure. Unfortunately Windows on C: will require a new installation because there are too many infections, and after deleting all of them it won't work again (a repair of Windows will only be time lost). I'm in the middle of a scan now and after 12% the log file already has 121kb. It's the second hardcore virus in 10 days for me; last time I fought with it for 6 days. It all started again after installing some program from the HDD and trying to run it. So now I've deleted most of the exe files for sure -_- Doing everything you can to save all other files on the HDDs is better than formatting, so keep fighting :P

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Malware name Win32:Vitro
« Reply #32 on: February 21, 2009, 06:35:57 PM »
Rangerro, did you try the boot CD I've posted right above?
The best things in life are free.

Rangerro

  • Guest
Re: Malware name Win32:Vitro
« Reply #33 on: February 21, 2009, 07:36:56 PM »
Nah, I searched for options like that before when I had that "antispyware 2009" problem, and I heard about that option right after I managed to deal with it. Now when I see how much infection there is I can only say that it would be a loss of time to try to install Windows again on the same or another partition of the infected HDD. Good for me with 2 HDDs, but what if I didn't have it? Theoretically a boot CD should help, but without a second HDD and boot CD I would try to take it to some friend and cure it on another PC. If there are any options to deal with it then it's better than formatting all of the partitions and things which I have (I simply don't like to burn things on discs)... I'll get the boot CD now (every option to save some time is better) because I forgot about that option today when it happened again. Let's hope that removing all of the viruses, installation .exe files and every other exe file helps for more than only 10 days this time.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Malware name Win32:Vitro
« Reply #34 on: February 21, 2009, 07:57:25 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #35 on: February 21, 2009, 08:07:30 PM »
Hi Rangerro,

Virut is a file-infector that is rather serious.

1. Download Dr.Web CureIt to your Desktop: cureit.exe from ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
(Preferably from a pendrive/ usb-stick onto mentioned PC, after this has been downloaded using a non-infected PC)

2. Double-click cureit.exe and then click Start in order to start a Quick Scan.
This will first scan all those files that have been loaded into memory at that moment,
and when something has been found, have CureIt repair this/these...
- Then a window appears with an offer to buy the software with 50% off; make it disappear by clicking X.

Now the main menu will be visible.
- Choose the language to use at the top if you want to use another language than English.
- Then choose Actions and set the following options:
Adware: Move
Dialers: Move
Jokes: Report
Riskware: Report
Hacktools: Move
Then remove the tick at Prompt on action.
Then click OK.
- Choose options - Change Settings and remove tag at Heuristic analysis.
- Then click OK.

3. Back in the main window you can select the drives that you want to be scanned.
- Select all drives here. Then a red ball will appear for the drives selected for scanning.
- Then click the green arrow to start the scan.
This will move the infected files to the following folder %userprofile%\DoctorWeb\Quarantine\
whenever disinfection fails.
- When the scan has finished, choose File - Save report list. Save this log onto your desktop.
- Close Dr.Web CureIt.

4. Now restart your computer!! This is an important stage, because it may well be that DrWebCureIT needs to replace/remove files during a restart. Do an additional full scan with your PC started in Safe Mode, because this virus is apparently inactive in Safe Mode.


After restart, copy and paste the contents of the log and attach to your next posting.
Also post a new HJT log, download from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
and mention any remaining problems.

polonus
« Last Edit: February 22, 2009, 08:46:04 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #36 on: February 21, 2009, 09:22:13 PM »
Thanks for the hint, but the flash drive disinfector will not install. I go through all the Run and Allow stuff, then am told that the programme didn't install correctly. So I click "install again with recommended settings" but this just causes the cycle to repeat. Any ideas?
Read the instructions, download and burn (maybe from another computer), and finally use one of these rescue CDs:

1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure
I did follow the instructions but the flash disinfector just doesn't seem to work for me. But thanks for the links; I have now downloaded and burned Avira just in case Vitro returns. Since I'd just wiped the computer I had nothing to lose, so I plugged my two memory sticks in and ran DrWebCureIt. Turns out that the autorun on one of them was infected with Win32:HLLW (dunno if this is connected to Vitro or not) but everything seems to be clean now. I tried the disc with my important documents on, and it was clean, so I haven't really lost anything apart from lots of sleep!

JMC

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #37 on: February 21, 2009, 09:44:44 PM »
Hi mindry,

It is the new form of the Conficker dropper, my friend, your OS is vulnerable.
Do not panic and act accordingly,
Read this and what patches to install for your OS:
http://www.antivirusworld.com/news/win32-hllw-shadow-based-exploits-vulnerability-of-windows.html+Win32:HLLW
http://forum.drweb.com/index.php?showtopic=277240

Search for the following; when found, kill and remove:
Kill the following process:
pbrush.exe
Remove the following files:
mssccprj.scc, overflow.frm, overflow.frx, overflow.vbp, pbrush.exe, readme.txt.

Also post a new HJT log for analysis, download from here: http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
and mention any remaining problems.

polonus

Bladehere

  • Guest
Re: Malware name Win32:Vitro
« Reply #38 on: February 22, 2009, 02:11:25 AM »
I have this virus. I use avast and I deleted everything it said was the problem. I got the log in/log out loop problem and I fixed it; now the virus is still here. I don't care about anything on this computer, only my firewire port, since I don't have one in my laptop. Is there a way to just nuke my comp, or like delete everything and start over? I need this comp for my videos and photography and NOTHING else.

qwertyo

  • Guest
Re: Malware name Win32:Vitro
« Reply #39 on: February 22, 2009, 02:18:00 AM »
My friend got this virus a couple of days ago, and boy, it infected EVERYTHING. I saw that his taskman, find, and lots of other vital things got infected.... I almost got my own comp infected through a flash stick, and I scanned my flash stick thoroughly, then scheduled a boot-scan, then rescanned my flash stick. Since I didn't execute anything when I plugged it in for a scan, I was safe from infection.

Do you guys know if there's a way to set a flash stick into read-only mode, and if this will prevent the Vitro virus from corrupting it? If it's already corrupted, then setting it into read-only should do absolutely nothing, but I'm trying to find a way to plug flash sticks into infected comps safely.

Rangerro

  • Guest
Re: Malware name Win32:Vitro
« Reply #40 on: February 22, 2009, 02:40:02 PM »
A 16 hours and 16 minutes scan with avast found 837 infections; almost every one was that Vitro virus. Of course I deleted them all for sure :P I'll see some other things now and I'll post here later.
« Last Edit: February 22, 2009, 02:42:05 PM by Rangerro »

Pedro Hin

  • Guest
Re: Malware name Win32:Vitro
« Reply #41 on: February 22, 2009, 03:15:13 PM »
...do you guys know if there's a way to set a flash stick into read-only mode, and if this will prevent the Vitro virus from corrupting it? If it's already corrupted, then setting it into read-only should do absolutely nothing, but I'm trying to find a way to plug flash sticks into infected comps safely.
What works for me is to create a folder in the root of the flash drive named autorun.inf. Then I set the folder's System, Hidden and ReadOnly attributes.
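The read-only question above and Pedro Hin's autorun.inf folder trick, as an added PowerShell example (not code from the thread): for each removable drive it prints an existing autorun.inf file so it can be inspected for entries that launch a program, and otherwise creates the protective folder with the System, Hidden and ReadOnly attributes named in the post. It assumes Windows PowerShell with WMI available (Get-WmiObject) and a drive letter assigned to the stick.

```powershell
# Added example, not from the thread. DriveType 2 = removable disk in Win32_LogicalDisk.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 2"

foreach ($disk in $removable) {
    $target = Join-Path ($disk.DeviceID + "\") "autorun.inf"

    # An autorun.inf FILE on a stick that came from an infected PC is worth reading
    # before anything on the stick is opened (the memory stick in this thread had one).
    if (Test-Path -LiteralPath $target -PathType Leaf) {
        Write-Warning "$target is a file; review it before using this stick:"
        Get-Content -LiteralPath $target -Force | ForEach-Object { "    $_" }
        continue
    }

    # No file present: reserve the name with a folder so a file cannot be created there.
    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        New-Item -Path $target -ItemType Directory | Out-Null
        Write-Output "Created folder $target"
    }

    # Equivalent of attrib +s +h +r; -Force lets Get-Item return a hidden item.
    $folder = Get-Item -LiteralPath $target -Force
    $folder.Attributes = [System.IO.FileAttributes]"Directory, System, Hidden, ReadOnly"
    Write-Output "$target is now a System+Hidden+ReadOnly folder"
}
```

The folder only blocks creation of an autorun.inf file by code that does not first delete the folder; it does not stop a file-infector from writing to other files on the stick, which only a hardware write-protect switch prevents.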

Bladehere

  • Guest
Re: Malware name Win32:Vitro
« Reply #42 on: February 22, 2009, 03:17:49 PM »
Ugh, I nuked my comp; now I have a "strike F1 to retry boot, F12 to go to system utility" and I tried the restart test thing and it still beeps after that.... What do I need?

Rangerro

  • Guest
Re: Malware name Win32:Vitro
« Reply #43 on: February 22, 2009, 08:08:09 PM »
Polonus, Dr.Web automatically sets the language.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:46, on 2009-02-22
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Looks fine for me. Just like I said before, avast removed 837 infections, some others I removed myself, and the last step was a boot menu scan with avast which removed (I think) the last infections. So now after removing almost 1000 viruses and installing Windows again it works fine.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #44 on: February 22, 2009, 08:57:01 PM »
Hi rangerro,

That seems OK. To cleanse the last bits of this, do another full scan with DrWebCureIt on the "pynolu" (pendrive) and then with avast with your computer in Safe Mode, because in Safe Mode the virus is not active.

I wish you all the best,

regards,

polonus
