Author Topic: Malware name Win32:Vitro  (Read 340184 times)

Pedro Hin

  • Guest
Re: Malware name Win32:Vitro
« Reply #90 on: March 01, 2009, 03:01:15 PM »
Thank you Pedro Hin and DavidR.

I usually use Puppy Linux to boot from a live CD (so far it's the only Linux distro that booted on an old Compaq machine with very low RAM, a bit over 64MB RAM).
I would only copy .doc, .pds, and ppt files at most. I think that these as well. Can you confirm? As a rule of thumb I always scan any new mp3 or wma file.
 Thanks again.

I don't know for sure, I haven't learned enough about this to know if it can glue a copy of itself to documents and the like. However, so far it doesn't appear to have the ability to patch code onto anything but compiled executables.

sdlehman

  • Guest
Re: Malware name Win32:Vitro
« Reply #91 on: March 02, 2009, 10:37:54 PM »
Woke up to find this virus infecting one of my computers this morning. Fortunately it did not migrate over the network to the other two. I am currently trying to run Avira Rescue disc but I am not sure I will know when it's done as my screen is nearly all black. Disabled sound as instructed.

If I am unsuccessful at removing virus, I want to salvage some of my files. If I reload Win XP Home on a clean hard drive and set up this computer again, how do I explore the infected drives without getting re-infected?

Thanks

Stace

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #92 on: March 02, 2009, 11:40:12 PM »
Hi sdlehman,

The source of this virus mainly is infected Internet sites, illegal software with of course the "working" cracks, key-gens and patches, downloaded films, music and through P2P.

The best and most secure option left is just to format and re-install. If you should have made back-ups with infected exe files and other infected files on it, the chances of re-infection are real. Some say av scanners can cleanse quite some of the infected files, some advise MBAM, DrWebCureIt, combofix to scan/cleanse. It is almost impossible to recover, it is very time consuming, and if you do not go into Safe Mode immediately after infection your Windows OS might get corrupted beyond repair, because the virus is meant to corrupt indiscriminately because of the buggy infection routines. So, it is the user's choice, but i.m.h.o. the best option, total recall for your machine,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

omaralqady

  • Guest
Re: Malware name Win32:Vitro
« Reply #93 on: March 05, 2009, 04:57:20 AM »
Is this virus able to infect archives as well or is it just executables??

waavlater

  • Guest
Re: Malware name Win32:Vitro
« Reply #94 on: March 05, 2009, 06:17:44 AM »
After fighting the Virut virus for several days, and reinstalling Windows several times, I finally eliminated the virus.

Thanks to this virus, I have learned a lot about viruses.

POLONUS's opinions are very interesting and very professional.
Thanks, Polonus.

The only thing that did not work for me when trying to fix the problems is that drweb freezes when it finds large files and does not continue.

Regards, see you in the next virus.

rubberduck

  • Guest
Re: Malware name Win32:Vitro
« Reply #95 on: March 05, 2009, 11:23:41 AM »
Hey, and thanks to the forum, it helps a lot!

I have this virus too. I have a problem getting my backup files.
I can run Windows safe mode but I have lost my sign up password. Virus maybe destroyed my sign up key.
I have Windows XP Home Edition SP3.
Anyone with the same problem?
Help please, I need to get my backup files to save to another computer.
Sorry for my bad English.  ;D

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #97 on: March 05, 2009, 09:37:23 PM »
Hi waavlater,

Concerning the DrWebCureIt hiccup go here and run this Sdfix:
http://www.bleepingcomputer.com/forums/topic131299.html
Also perform a complete scan with MBAM: http://www.malwarebytes.org/mbam-download.php

and report here the log file added as txt (Additional Options),

polonus

cutshot

  • Guest
Re: Malware name Win32:Vitro
« Reply #98 on: March 05, 2009, 11:59:11 PM »
Your best bet to save your data/files...is to STOP TRYING TO FIX IT...YOU CAN'T.. Go buy another hard drive, re-install windows, dl anti virus,  Avast is good because it has a boot scan. You need to remove the infected files asap. Every time you reboot windows it spreads to more files.....so you need to clean before full boot.

TURN OFF SYSTEM RESTORE

So...get your new hard drive up and running with Avast installed and updated...  and turn off sys restore, turn off the pc....change the jumper on the infected drive to slave....and install it as a slave drive.

Reboot...go to my computer and make sure it's recognized...but DON'T CLICK ON IT!!

Now open avast and select boot scan and select the infected drive...advanced options...delete files...and allow  move/delete....re-boot   and let it run.

After it's done it will boot to windows...go to avast dir..data/report/awsboot.txt..here you will find the results.

I suggest you do this at least twice...or until you find no more problems.

Then.....you can start copying the data you need off of the infected drive to your new drive...or better yet..an external drive.

After you get all your data off the infected drive...FULL REFORMAT IT.

When you're all done, you will have an extra internal drive to back up data on (data only..no .exe stuff).

Side note....if you copy your data with avast running.(ie. new install..slave drive...it should find anything you missed..during copy)

The harder I tried to fix this virus...the worse it spread...STop..save your data before you can't!

If you're lucky enough to catch this before it gets all your EXE files, the report will tell you which ones it got....you can just restore the exe from the s/w provider, (not recommended unless you know what you're doing).

I repeat ...STOP TRYING TO FIX IT...save your data...it will also jump to flash drives with hidden .exe file so beware!!!   It also hits some dll's

Concentrate on saving your data!!!!...NOT REMOVING THE VIRUS...
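
The "data only, no .exe" rule from the post above, as an added example that is not part of the thread and not any poster's or Avast's code: it copies files off a mounted drive but decides what counts as an executable from the file's MZ/PE header rather than its extension. The file names, the `FAKE_PE` bytes and the temporary directories are constructed sample input, and a renamed executable on the drive is an assumption made for illustration.

```python
import os, shutil, struct, tempfile

# Constructed sample: minimal DOS header whose e_lfanew field (offset 0x3C)
# points at a "PE\0\0" signature. It is not a runnable program.
FAKE_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"

def is_pe(path):
    """True if the file has an 'MZ' header that points at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(pe_offset)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return True  # unreadable: treat as suspect and do not copy

def salvage(src_root, dst_root):
    """Copy every non-PE regular file; return (copied, skipped) relative paths."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            if os.path.islink(src) or is_pe(src):
                skipped.append(rel)  # .exe/.scr/.dll, or a PE under any other name
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)  # contents only; nothing is opened or executed
            copied.append(rel)
    return sorted(copied), sorted(skipped)

def demo():
    """Build a constructed 'old drive' in a temp dir and salvage it."""
    src, dst = tempfile.mkdtemp(), tempfile.mkdtemp()
    samples = {"setup.exe": FAKE_PE,
               "song.mp3": FAKE_PE,  # constructed: PE content behind a data extension
               "notes.doc": b"\xd0\xcf\x11\xe0 constructed document bytes",
               "readme.txt": b"plain text"}
    for name, data in samples.items():
        with open(os.path.join(src, name), "wb") as f:
            f.write(data)
    return salvage(src, dst)

if __name__ == "__main__":
    print(demo())
```

This only filters by file type and does not detect anything, so the copied files still need the antivirus scan described in the post.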

NoneX1

  • Guest
Re: Malware name Win32:Vitro
« Reply #99 on: March 06, 2009, 12:04:29 AM »
Well basically I used Dr.Web Cure-it and it cleaned everything, I still have some problems though.
I ran a Kaspersky online scan and it showed some threats and viruses, I will post it if asked.
There is no more virut to be found but I get these warnings when I open Firefox or IE 7

Quote
Insecure Internet activity. Threat of virus attack

Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).

Probably a fake just to scare me and download their software.

Should I try to fight it or just reformat?
If I reformat can I take some mp3's even if they are not infected from the scans I did or no?
If I remove all .scr and .exe from my drive D: storage drive will this be good enough if I did reformat?



« Last Edit: March 06, 2009, 12:46:13 AM by NoneX1 »

partzeus

  • Guest
Re: Malware name Win32:Vitro
« Reply #100 on: March 09, 2009, 12:22:02 PM »
This virus actually got me to post a message. This is the nastiest virus I have seen in years.
« Last Edit: March 10, 2009, 08:49:04 AM by partzeus »

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Malware name Win32:Vitro
« Reply #101 on: March 09, 2009, 12:53:11 PM »
I see no point in buying new hard drive just because virus infected it. All you have to do is to format the HDD. You can do that with Windows XP or Vista CD/DVD.

Also cleaning Vitro is a tough task because it first infects explorer.exe, svchost.exe and logonui.exe, components that have to be active for proper windows operation.
DrWeb seems to be the only one able to clean this mess. But I wouldn't rely on it completely.
Though, avast! is able to resist it somehow. AntiVir just got corrupted while avast! kept on working.
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Malware name Win32:Vitro
« Reply #102 on: March 09, 2009, 03:09:41 PM »
Formatting... the total failure of an antivirus protection... :P

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #103 on: March 09, 2009, 03:50:43 PM »
Hi Tech,

Yes, we were beaten here and we have bitten the dust, but this is only for the moment, the analysis of the infecting vector goes on (how it is circumventing the Windows File Protection scheme) and the strongest point of the virus will be its final undoing as often found with malware.
Essexboy, oldman, and the other anti-malware geeks are already brooding on ways to harden against this, see what comes out of the Incubator. When infected immediately go further in SafeMode to stop further complete and utter infection.

As things stand for the moment the best way is to go SafeHex to prevent infection, that will mean update and patch all of your Windows OS and all the vulnerable third party software (use Secunia PSI to do this real easy), do not cruise the Internet with full admin rights (only for necessary downloads and installs), do abstain from doing risky things there (going after cracks, key-gens, insecure P2P), use a safer browser like Firefox or Flock with NoScript and RequestPolicy add-ons installed, have a two-way fw active and update your av and have all the services like NetShield and Webshield etc. operational,

polonus

BrBrasil

  • Guest
Re: Malware name Win32:Vitro
« Reply #104 on: March 09, 2009, 03:59:55 PM »
Hello guys!

Is avast having problems only to clean an already infected machine, or is it also missing variants of Vitro when it tries to infect a machine with an updated Avast Av?

Thanks!

BrBrasil