Author Topic: Malware name Win32:Vitro


Committed

  • Guest
Re: Malware name Win32:Vitro
« Reply #60 on: February 25, 2009, 04:01:26 PM »
I'm in safe mode on the infected computer.  I have it disconnected from the internet and router as I don't want to spread anything.  I've tried running avast in safe mode and it won't start, however it started in screen saver and found the virus again, but it won't let me do anything.  Keeps telling me access denied.

I've downloaded DrWebCureIt and launch.exe on a usb flash drive from my linux computer, but I'm not sure what to do with it now.  I really need to get into quickbooks if I can and backup.  I do have backups that are not too old, but it will still require plenty of work to get them up to date. 

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #61 on: February 25, 2009, 04:03:59 PM »
Quote:
Just had this pop up when I was updating my Nvidia drivers... at first I thought it was a false positive since I was updating drivers but after reading the last 4 pages I have come to the conclusion I'm hosed. I'm currently running a scan @25% atm and Avast has found 2 win32:vitro infections in
c:\hp\drivers\nvidia_uma_graphics\nlvddmkm.sy_\nvlddmkm.sy  and
c:\nvidia\winvista\158.24\nvlddmkm.sy_\nvlddmkm.sy

This may be a false positive on these nvidia files, there has just been a VPS update, 090225-1, which should resolve this, do a manual update (right click the avast 'a' icon, select Updating, iAVS Update) and scan the files again in the chest.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Committed

  • Guest
Re: Malware name Win32:Vitro
« Reply #62 on: February 25, 2009, 04:08:41 PM »
Here is what Avast is telling me right now.

file name:  C:\Windows\System32\Driverstore\filerepository\nv_disp.inf_d5fff5drf\nvlddrr
Malware name:  Win32:Vitro
Malware type:  Virus/Worm
VPS version:  090225-0, 02/25/2009

when I try to move it to chest, it tells me ACCESS IS DENIED to the above file name, C:\Windows\System.....


Running Dr.Web right now.
« Last Edit: February 25, 2009, 04:27:30 PM by Committed »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #63 on: February 25, 2009, 04:31:00 PM »
That may be because the file is in use, but the first thing you need to do is a manual update (as suggested) and rescan the file.

Committed

  • Guest
Re: Malware name Win32:Vitro
« Reply #64 on: February 25, 2009, 04:50:37 PM »
Quote from: DavidR
That may be because the file is in use, but the first thing you need to do is a manual update (as suggested) and rescan the file.

Are you talking about manually updating Avast?  Right now I've express scanned with Dr.Web (found nothing) and am now about 1/4 through a complete scan.  Nothing yet.  After it's finished, I can disconnect this machine and reconnect my infected computer to the internet and update Avast if that is what you're saying.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #65 on: February 25, 2009, 05:47:19 PM »
Yes I am, rather than wait for the auto update process to update the VPS.

Whatever any other scanner says, you still need to resolve it within avast and that is by getting the latest VPS update and scanning the files again to see if that resolves it, e.g. a false positive correction.

So the scan with DrWeb I feel is time wasted if it is an FP, which is why I suggested the VPS update...

If you really don't want to connect a possibly infected system, you could download the complete VPS file on that system (though it is in the region of 23MB) and transfer it to the suspect system.

avast! VPS Update - Manual Download - For updating an off-line system, download using a system with an internet connection, save the file to a CD or USB drive, transfer it to the off-line system and run it to update the VPS signatures file.
« Last Edit: February 25, 2009, 05:49:57 PM by DavidR »

Committed

  • Guest
Re: Malware name Win32:Vitro
« Reply #66 on: February 25, 2009, 06:41:41 PM »
I've located the file Avast says is infected.  It's the file name I listed above and I've removed it to the recycle bin and took a look at it.  It's an NVIDIA Compatible Windows Vista Kernel Mode Driver. I see in another post, someone had a problem with an NVIDIA driver as well.  Not sure if this is a false positive or not.  This file is not an .exe.

Still waiting for Dr.Web to finish, then I'll connect that computer back up to the web and update VPS.  Btw, my wife's computer tested clean.  I might switch all my computers to Ubuntu and keep dual boot for my main since I need to run Quickbooks and Chief Architect CAD software.  IMO, Linux kicks Windoze butt and is much safer.

I've got a meeting from 1 - 3 pm et so I'll be gone a couple hours.  Will fill in later. 
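As an added illustration, not something posted in this thread or shipped by avast: a PowerShell triage script for a flagged NVIDIA driver file like the one above, which checks whether the driver's Authenticode signature is still intact (a file infector that has modified the PE image breaks it). The file path is a placeholder, and the script assumes PowerShell 4 or later (for Get-FileHash) plus the expand.exe that ships with Windows.

```powershell
# Added example (not from this thread or from avast). A Vista kernel-mode
# driver ships with an Authenticode signature covering its PE image; a file
# infector such as Virut modifies that image, which invalidates the signature.
# So Status = Valid is strong evidence of an unmodified vendor file, while
# HashMismatch or NotSigned means the file is no longer what the vendor shipped
# and should stay in the chest until a rescan with current signatures clears it.
# Assumptions: PowerShell 4+ (Get-FileHash) and the expand.exe that ships with
# Windows. The default path is a placeholder, not a real file on this system.
param(
    [string]$FlaggedFile = 'C:\PLACEHOLDER\nvlddmkm.sy_'
)

function Test-FlaggedDriver {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $target = $Path
    # The .sy_ copies quoted in the thread are cabinet-compressed versions of
    # the .sys driver; the signature is on the expanded file, so unpack it first.
    if ([IO.Path]::GetExtension($Path) -ieq '.sy_') {
        $tmp = Join-Path $env:TEMP ('triage_' + [guid]::NewGuid().ToString('N'))
        New-Item -ItemType Directory -Path $tmp | Out-Null
        $target = Join-Path $tmp ([IO.Path]::GetFileNameWithoutExtension($Path) + '.sys')
        & "$env:SystemRoot\System32\expand.exe" $Path $target | Out-Null
    }

    $sig  = Get-AuthenticodeSignature -FilePath $target
    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

    [pscustomobject]@{
        File        = $target
        SHA256      = $hash       # record this before moving or restoring the file
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Valid = bytes match and chain trusted; NotTrusted = bytes match but the
        # chain could not be verified; HashMismatch/NotSigned = file was modified.
        SigStatus   = $sig.Status
        LikelyClean = ($sig.Status -eq 'Valid')
    }
}

Test-FlaggedDriver -Path $FlaggedFile | Format-List
```

A Valid result supports the false-positive explanation; any other status is a reason to leave the file in the chest and rescan after the VPS update DavidR describes.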

Chuckyskins

  • Guest
Re: Malware name Win32:Vitro
« Reply #67 on: February 25, 2009, 07:25:33 PM »
Quote from: DavidR
This may be a false positive on these nvidia files, there has just been a VPS update, 090225-1, which should resolve this, do a manual update (right click the avast 'a' icon, select Updating, iAVS Update) and scan the files again in the chest.

Looks like it was a FP, updated, scanned, all came back clean. Does this mean I can restore those files? And thank you for pointing me in the right direction.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #68 on: February 25, 2009, 07:32:14 PM »
No problem, glad I could help.

Yes, restore from the chest, confirm they are back in the original location and delete the copy in the chest.

Welcome to the forums.

bolzer

  • Guest
Re: Malware name Win32:Vitro
« Reply #69 on: February 25, 2009, 07:49:42 PM »
Hello,

I'm new here and I hope this is the right thread.
A friend's computer is infected by this virus. The good thing is, he doesn't need to save any data on the PC. He uses it only for gaming, music ...
So I want to ask, is it enough to reinstall WinXP with the boot disc, or does Virut survive a formatting of the whole computer??

I hope you can help.

Thanks and best regards

Bolzer

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89032
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #70 on: February 25, 2009, 08:49:46 PM »
Whilst reinstalling XP would resolve any problems with infected system files, it wouldn't address how they actually got infected. So a format followed by a reinstall would be best; as far as I'm aware it won't survive a format.

Then your friend needs to address how they got infected, commonly infected USB drives with autorun.inf files and some hacked sites, etc. So even when used for gaming they need the protection of a firewall and anti-virus, but many gamers feel this slows their computer.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #71 on: February 25, 2009, 09:04:34 PM »
Hi malware fighters,

It has already been demonstrated that this new Virut strain was capable of infecting other existing malware, so you are confronted with a double strain of malware:
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/242

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Malware name Win32:Vitro
« Reply #72 on: February 25, 2009, 09:16:29 PM »
polonus: this scheme was seen already with older variants of Virut and recently with the Kavo family of malware infected with Sality... it's a fight on the user's machine, often resulting in a format and reinstall as the last resort (unfortunately there's no guarantee of full disinfection when you are under attack of Virut or Sality).. anyway, thank you for informing the ppl here and keeping the heads partially up ;)

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Malware name Win32:Vitro
« Reply #73 on: February 25, 2009, 09:24:08 PM »
I remember once on Malware Research when 1 file was infected by 3 different file infectors, each on top of another. It was like peeling 3 layers of orange skin hehe.
It's quite funny to observe. Though probably not for the user who submitted that file :P
Visit my webpage Angry Sheep Blog

danmaher

  • Guest
Re: Malware name Win32:Vitro
« Reply #74 on: February 25, 2009, 09:43:21 PM »
OK... starting to wonder if I've got this virus or not... or if it's the 'false positive'
I've scanned fully with Dr Web CureIt in safe mode and found nothing.
I tried with Avast and it hadn't found anything, however the screensaver version of avast found the thing again... so it's ending with 'nvlddmkm.sy' like I'm reading in some posts. But so far, to my knowledge, and to DrWeb and avast, it hasn't affected any other files... help lol.