Author Topic: Malware name Win32:Vitro  (Read 341249 times)


Bladehere

  • Guest
Re: Malware name Win32:Vitro
« Reply #45 on: February 22, 2009, 11:18:30 PM »
can someone help me? this comp is important to my job, i need to know if i need to buy something or not.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #46 on: February 22, 2009, 11:32:49 PM »
Hi Bladehere,

Go into Safe Mode as soon as possible, else the virus keeps infecting; in Safe Mode it is inert.
Virut is a file infector, which is rather serious.

1. Download Dr.Web CureIt to your Desktop: cureit.exe from ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
(Preferably from a pendrive/USB stick onto the mentioned PC, after this has been downloaded using a non-infected PC.) You could approach your PC from a pen-drive that has been disinfected with the autorun disinfector from here:
http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Leave the file this leaves on your USB stick there and set its properties to system, hidden and read-only.

2. Double-click cureit.exe and then click Start in order to start a Quick Scan.
This will first scan all those files that have been loaded into memory,
and when something has been found, have CureIt repair this/these...
- Then a window appears with an offer to buy the software at 50% off; make it disappear by clicking X.

Now the main menu will be visible.
- Choose the language to use at the top if you want to use another language than English.
- Then choose Actions and set for the following options:
Adware: Move
Dialers: Move
Jokes: Report
Riskware: Report
Hacktools: Move
Then take away the tag at Prompt at action.
Then click OK.
- Choose options - Change Settings and remove tag at Heuristic analysis.
- Then click OK.

3. Back in the main window you can select the drives that you want to be scanned.
- Select all drives here. Then a red ball will appear for the drives selected for scanning.
- Then click the green arrow to start the scan.
This will move the infected files into the following folder, %userprofile%\DoctorWeb\Quarantine\,
whenever disinfection fails.
- When the scan has run, choose File - Save Report list. Save this log onto your desktop.
- Close Dr.Web Cureit.

4. Now restart your computer!! This is an important stage, because it may well be that Dr.Web CureIt likes to replace/remove files during a restart. Do an additional avast full scan with your PC started in Safe Mode, because this virus is apparently inactive in Safe Mode.
Load the files you want to save (drivers, etc.) onto a pendrive and scan these thoroughly with Dr.Web's CureIt in the proposed settings, and again after you have started up in Safe Mode, so you have various scanning routines following each other up; better safe than sorry, because the file infector can rise from the dead in almost any infected executable, and then we are right back where we started.

If the infection is really bad, the computer may be beyond repair (because of the corruptive nature of the random file infector and its encryption); the next thing left is the FFR solution, namely fdisk - format - reinstall, so I hope you won't have to do that.

polonus
« Last Edit: February 22, 2009, 11:41:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Bladehere

  • Guest
Re: Malware name Win32:Vitro
« Reply #47 on: February 23, 2009, 12:36:17 AM »
Ugh, I nuked my comp. Now I have a "Strike F1 to retry boot, F12 to go to system utility", and I tried the restart test thing and it still beeps after that.... What do I need?
^ I had someone do that for me because I don't care about any files; I just need the FireWire port since I don't have one on my laptop, and now that's my problem. Is there a way to fix this, at a low cost at least?

Bladehere

  • Guest
Re: Malware name Win32:Vitro
« Reply #48 on: February 24, 2009, 01:19:53 AM »
anyone out there got a fix to this? :-\

oenkitt

  • Guest
Re: Malware name Win32:Vitro
« Reply #49 on: February 24, 2009, 04:42:55 AM »
I've been having trouble with this virus too. I ran avast, and my dad set it to put all infected files into the chest. Now when I try to run Windows, all that will show up is my wallpaper. I can't even open Task Manager to run anything. I'm thinking we put something in the chest that we shouldn't have, that was vital to running Windows (even safe mode won't work now). I'm not a computer expert, however, so can someone tell me if this is even possible? And if so, how can I empty the chest without being able to run anything?

lordloxley

  • Guest
Re: Malware name Win32:Vitro
« Reply #50 on: February 24, 2009, 11:11:15 PM »
:o
I have downloaded and tried to use all of the tools mentioned here.

CureIt did nothing.
Kaspersky did not run for some reason.
BitDefender ran for more than 24 hours and did nothing.
F-Secure ran, but now my computer goes into an endless loop after showing the WinXP splash screen.

After running the Windows setup (repair without deleting everything**), it did all the preliminary steps, but then the process froze during the 'configuring setup' step.
**Yes, I know it would not work, but just in case.

My last attempt will be to add a SATA drive I have but am not using. Then download the Knoppix live CD so I can copy MY all-NON-EXE-DLL files (mp3, photos, docs, xls, etc., etc.)

Hopefully the new Knoppix has SATA drivers (an older copy did not).

Then the C drive will suffer a complete wipe (delete partition and all).

I hate to recreate my working computer to my dev standards. (Takes too long and Ghost does not work for my WinXP version.)

Does anybody know if this damned virus can cross over from VM to VM if I'm using VMware?

That will be my new addition in this marathon against virus writers.

Offline polonus

Re: Malware name Win32:Vitro
« Reply #51 on: February 24, 2009, 11:22:06 PM »
Again,

We haven't a clue what the purpose of this corrupting file infector is, while it leaves a computer beyond repair. You cannot use it as a zombie in a botnet; you cannot use it for launching spyware. On the other hand, the malware is so advanced in nature that it cannot have been developed but by very apt malcreants.
But why is it purely negative, then? It has a random encrypted file-infecting routine, making it very hard to recover from it, re: http://www.sophos.com/security/blog/2008/05/1436.html
So the best protection is prevention (update, patch, in-browser security). I wonder where the weak side of this malware is, to tackle it. For the moment I reckon your luck was in;
this is the latest removal info: http://www.hm2k.com/posts/win32-virtob-virut-removal
About throwing in the towel:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616

polonus
« Last Edit: February 24, 2009, 11:44:53 PM by polonus »

BriGuy27

  • Guest
Re: Malware name Win32:Vitro
« Reply #52 on: February 25, 2009, 02:48:23 AM »
Hey All,

I've been infected w/this virus too & after reading a ton of posts, I'm not sure what to do.  Avast! found this virus about 2 weeks ago & I moved many of the .exe files to the chest & some I ignored b/c I knew they were vital to the system.  My computer only works in safe mode, but I cannot open the chest up to restore some of these .exe files.  I bought a USB flash drive & will probably end up downloading the flash disinfector & try the Dr. Web fix on the computer, but then what?  These files I have in the chest are re-named b/c they were infected & will still probably be infected even if I use this fix, am I correct?  If so, then is it worth it for me to try to fight this virus or should I just try to get some files off my computer & start fresh?
I do have some programs on this computer, whose .exes I had put in the chest that I would like to have again.  Any suggestions?
« Last Edit: February 25, 2009, 03:03:35 AM by BriGuy27 »

Pedro Hin

  • Guest
Re: Malware name Win32:Vitro
« Reply #53 on: February 25, 2009, 04:13:21 AM »
I infected my honeypot with this, and now the RDPCLIP process has created a static HTTP connection to 61.235.117.80 -- a Chinese webhost.

I do not know what this means, but I searched for the IP in google and found this article from Feb 2:
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t200105.html

qwertyo

  • Guest
Re: Malware name Win32:Vitro
« Reply #54 on: February 25, 2009, 05:52:19 AM »
Hmm.. as for the people who are having trouble getting Windows to start, even in safe mode, I would suggest getting on a clean PC and burning a copy of ERD Boot Commander. I'm not sure if you're gonna be able to restore the files in the chest, or if you can even run avast under ERD Boot Commander, but if you know what files are missing and you have two computers with the same OS, you can move files over between the two (just make sure that you don't get your flash stick infected; put the files in a read-only folder/system folder/hidden, as someone mentioned before). If you're also thinking about formatting, you can move vital files over before you purge your comp (again, make sure the files you're copying are safe). The Recovery Console is also an option, but I've only used it once before.

Oh, and your computer may have trouble picking up the flash stick if you're booting it with ERD Boot Commander; you may have to plug/unplug it several times.

Chuckyskins

  • Guest
Re: Malware name Win32:Vitro
« Reply #55 on: February 25, 2009, 06:26:03 AM »
Just had this pop up when I was updating my Nvidia drivers... at first I thought it was a false positive since I was updating drivers, but after reading the last 4 pages I have come to the conclusion I'm hosed. I'm currently running a scan @25% atm and Avast has found 2 Win32:Vitro infections in
c:\hp\drivers\nvidia_uma_graphics\nlvddmkm.sy_\nvlddmkm.sy  and
c:\nvidia\winvista\158.24\nvlddmkm.sy_\nvlddmkm.sy

Is it possible for me to have escaped massive infection since avast picked up on the virus as soon as it went active (not sure of the correct term)? Also, how did this virus get on my comp? I'm very careful about what I DL and open; is it possible that this spread from my roommates' comps via our network? They both DL a lot of files from torrent sites.

EDIT: found 6 more files that were infected, moved them to the chest, then ran Dr.Web (none found). Am I in the clear or should I nuke the system just to be safe? Also, if I'm in the clear, can I delete the files in the chest or should I just leave them be?
Thanks for any help -Cameron

« Last Edit: February 25, 2009, 08:12:02 AM by Chuckyskins »

FooFan79

  • Guest
Re: Malware name Win32:Vitro
« Reply #56 on: February 25, 2009, 10:34:19 AM »
Hi all,

New to the forum, brought here by this *wonderful* virus.  Anyway, here is my situation: I am using Windows Vista and my Avast came up saying that I was infected with Win32:Vitro.

So, in my virus chest, it says the following files are infected:

Install_AVg_7702420 from location C:\Users\Owners\Downloads is infected with Win32:Trojan
Install_AVg_7702420 from location C:\Users\Owners\Downloads is infected with Win32:Trojan (yes, it does list this twice)
nvlddmkm.sy_ from location C:\hp\DRIVERS\NVIDIA_UMA_Grap... (I assume that says graphics but cuts off there)  is infected with Win32:Vitro
nvlddmkm.sy_ from location D:\hp\Drv\APP28871\offline_driver is infected with Win32:Vitro
nvlddmkm.sys from location C:\Windows\System32\DriverStore... is infected with Win32:Vitro
nvlddmkm.sys.vir from location C:\Program Files\Alwil Softwar\Ava... is infected with Win32:Vitro

Also, here is my Hijack This log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:49 AM, on 2/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\hp\kbd\kbd.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O13 - Gopher Prefix:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4995 bytes

Any help with what I should do would be greatly appreciated!

Thanks in advance.
« Last Edit: February 25, 2009, 10:37:38 AM by FooFan79 »
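A triage helper for HijackThis logs like the one posted above, added here as an example; it is not code from this thread or from Trend Micro. It parses the Rn/On entry lines (a subset of FooFan79's log is embedded as sample input), lists the orphaned "(no file)" browser hooks, and resolves each O4 Run-key autostart to the file it really loads (for rundll32 entries, the DLL). Assumptions: the regexes cover only the line shapes seen in that log, and an unquoted path containing spaces (like the Windows Defender line) is cut at its first space.

```python
import re
from dataclasses import dataclass

# Sample input: a subset of the HijackThis log lines posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
"""

# Assumption: these patterns cover only the line shapes seen in the log above.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
HOOK_RE = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class Entry:
    code: str  # HijackThis section: R0/R1, O1, O2, O3, O4, O23, ...
    body: str  # text after "Rn - " / "On - "

def parse_log(text: str) -> list:
    """Keep the Rn/On entry lines; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries

def orphan_hooks(entries) -> list:
    """O2/O3 registrations whose DLL is gone, as (code, CLSID). Usually uninstall
    leftovers rather than malware, but they are the first thing a helper asks about."""
    out = []
    for e in entries:
        m = HOOK_RE.match(e.body) if e.code in ("O2", "O3") else None
        if m and m["path"] == "(no file)":
            out.append((e.code, m["clsid"]))
    return out

def autostarts(entries) -> list:
    """O4 Run-key entries as (hive, value name, command line)."""
    hits = (RUN_RE.match(e.body) for e in entries if e.code == "O4")
    return [(m["hive"], m["key"], m["cmd"]) for m in hits if m]

def image_path(cmd: str) -> str:
    """File an O4 command line really loads: the DLL for rundll32 lines (that is
    what a scan or hash lookup should target). Caveat: an unquoted path with
    spaces is cut at its first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    head, _, rest = cmd.partition(" ")
    if head.lower() == "rundll32.exe":
        return rest.split(",", 1)[0]
    return head

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for code, clsid in orphan_hooks(ents):
        print(f"orphaned {code} hook: {clsid}")
    for hive, key, cmd in autostarts(ents):
        print(f"{hive} Run [{key}] -> {image_path(cmd)}")
```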

danmaher

  • Guest
Re: Malware name Win32:Vitro
« Reply #57 on: February 25, 2009, 11:45:19 AM »
Avast picked it up, but for no reason... I mean, I was on it this morning and nothing. Tonight and nothing; I go have tea, come back and it's found it.
The only thing different that I've done is plugged my printer in and used it. That I haven't used in a while.

Next thing... I've done the flash disinfector thing... avast isn't showing the virus... I'm currently using the Dr.Web scanner thing; the 'quick scan' didn't find anything...
so I'm doing the complete scan now... so far (not long into it) it hasn't found anything... from what I've read it doesn't just disappear...

I'm on a laptop, had a USB, printer and external plugged in. I've got no exe files on the external.

Not sure how this has just appeared... without doing anything out of the ordinary or going to any sites I haven't been on before.

Committed

  • Guest
Re: Malware name Win32:Vitro
« Reply #58 on: February 25, 2009, 03:04:27 PM »
Well, I got this damn thing too.  Never in 18 years have I had a virus.  Was sitting in the other room when I heard the Avast virus warning.  Tried to delete it, move it to the chest, and it kept saying ACCESS DENIED.  The only thing I could do was rename and move it.

I burned most of my docs on a DVD, but the DVD wouldn't eject.  I ended up shutting it down as it was very late.  Now I'm on my laptop, on which I run Linux, looking for solutions.  I will boot to safe mode and see what I can do.  This is my main computer that is infected.  I use it for CAD, accounting and a whole lot more important stuff.  If it goes down, I'm hosed.  Plus that, there are 3 other computers on this network.  My wife said hers is running funny.  Arghh!!

Offline polonus

Re: Malware name Win32:Vitro
« Reply #59 on: February 25, 2009, 03:33:23 PM »
Hi Committed,

Re: http://forum.avast.com/index.php?topic=42926.0 This was a FP, and users with this find can sigh in relief.
For the other there is less hope.....
This virus is a file infector that does not play by the rules, so the code is sloppy, infecting randomly and in different ways. Different anti-malware products use varied techniques to identify an infected file; they may not all report broken samples as infectious. This is often difficult to explain to customers who run multiple anti-virus products, and although neither response is wrong, neither is entirely correct.

Traditionally, anti-virus vendors have used four different methods to detect broken replicants:

- Detect them as the virus and don't offer disinfection
- Detect them as -Dam (.Dam)
- Detect them via more intensive user-initiated scans after detection of the main virus
- Not detect them

Customers seem to understand detection of broken samples; however, they have some difficulty comprehending non-detection (often requiring support to assure them that the sample is not only not viable but beyond repair).

The only chance you had was to change into Safe Mode the very moment it got detected (the AV product should do that for you to prevent further activation), because the virus is inactive in Safe Mode. So what I could imagine for the future is scanning from a CD with another OS, and in Safe Mode a layered scanning approach: scan and repair the files that were "normally" corrupted/infested, excluding and protecting files that were not and "not-normally" corrupted or infested, exclude those to be repaired in a non-detection run, and alternately on and on; and then still this may not be sufficient and we should throw in the towel. This virus was "just created to junk your computer and make as much damage as possible"; in this sense it is an anti-MS virus à la carte,

polonus
« Last Edit: February 25, 2009, 03:38:10 PM by polonus »