Author Topic: Malware name Win32:Vitro  (Read 340193 times)


boybawang

  • Guest
Re: Malware name Win32:Vitro
« Reply #180 on: April 06, 2009, 06:35:28 PM »
Quote
PLEASE DO NOT COPY HTML FILES FROM ANY BACKUP; IT CONTAINS THE CODE TO IMPLEMENT THE VIRUS ON YOUR SYSTEM!

Thanks for the info.
I also viewed the contents of the HTML files I backed up (which I first thought were safe) and OMG, you are right!! All HTML files are infected!!!
I can see that the virus attached a link to a website in the HTM file, which I think acts as its gateway, so maybe disabling the internet connection helps.

Regarding EXE files: I'm not sure how it chooses which ones to infect (selectively?). I even tried executing an executable file several times and then scanned it, but it didn't infect it! Though I'm not sure if going offline/online will make a difference.

I have some important questions for those who know more:
1. Does copying the infected HTM files alone trigger the virus? What if I do NOT run them? I will just let those HTM files sit on my hard drive until Avast finds a cure. They won't trigger unless executed, right?

2. So far I can see that Vitro infects both EXE and HTML files (of which AVAST only detects the EXE ones). What other file types does it infect?

3. What other harm can it do aside from infection and OS instability? I mean, I don't have to worry about my videos, pictures, and other non-EXE files, right?

4. This is my biggest problem. My hard disk is partitioned into two drives, where the second one contains important data that I don't want to include in the full format. I feel that repartitioning the 1st drive alone won't help, so I'm hopeless. Maybe my only solution is to back up all important files regardless of the virus and then wait for the cure.

thanks
« Last Edit: April 06, 2009, 07:17:06 PM by boybawang »

1 fustrated guy

  • Guest
Re: Malware name Win32:Vitro
« Reply #181 on: April 07, 2009, 05:36:55 PM »
Hi there, just got through reading all of the posts in this thread! Wow! I have found one piece of information that may be somewhat helpful. After becoming infected with this worm, and not knowing what it was exactly, I found that while in safe mode I could pop up the task manager with A+C+D and then, I believe it was the logonui file that I could select to close; then I would get an error pop-up window, at which point I would click OK and it would give me access to my icons on the desktop, which allowed me to copy files to my XHD, thankfully! But at one point I had a problem with the virus kicking out every 15-30 seconds, at which point I would have to do the process over again. After I set the files to copy to my XHD I left, as it was going to take a while. I am no longer able to use this method and now it closes my desktop after 5-10 seconds rather than the 15-30 that it did before.

Now to where I am: I have moved the hard drive to an unaffected PC and I have run DrWeb and avast. Now what should my next step be? I am currently running XP Pro SP3. Thank you in advance for your replies.

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #182 on: April 07, 2009, 05:56:45 PM »
Well, I'm not going to be able to help with the follow-up, but a short mention for future problems. You can try to use a Linux live CD to do the backup. Essentially you have the operating system boot from your CD and then go to the drive and copy files from it to an external drive.

You can use Ubuntu (requires at least 254MB of RAM and doesn't run on all computers)
http://www.ubuntu.com/getubuntu/download

or Puppy Linux (runs very light on system resources ... ran on an old Compaq Presario from 1985-86 but still effective).
http://www.puppylinux.org/

Both sites provide manuals on how to work with their operating systems, and I can help with how to save the files. Beyond that I can't be of much help. This is just a simple way of recovering files if Windows is not working, but it should not be your safety net. I learned that the hard way (still working on a good back-up plan).
« Last Edit: April 07, 2009, 05:58:24 PM by Confused Computer User »
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

Tyndarus

  • Guest
Re: Malware name Win32:Vitro
« Reply #183 on: April 08, 2009, 02:58:47 PM »
Hi,

one thing
DON'T RUN YOUR VIRUS SCAN, or you won't be able to restart your computer

Got the same problem
Was searching for a serial at www.thekeys.ws, downloaded something, and there comes virus alert...

I ran my virus scan; after a while I noticed that it was detecting all my programs, Windows files and system32 files.
Had to get everything out of the virus scan vault (AVG at that time)...

It's a bitch of a virus; popups of virus scan detections kept coming.
I DELETED MY VIRUS SCANNER and now everything seems to be chill...

Everything works (also the 'infected' programs); e.g. WordPad was infected (AVG noticed), but it still runs properly.
Uhm, I might start thinking this Win32:Vitro thing is like

HIV for computers! It made me delete my own defense system.

This evening I'm gonna format my PC and reinstall the whole system, hoping it's not in my Word documents and pictures.
Haven't found any other solution yet (and didn't want to read all the other replies).

Thank you and gtz,

Tyndarus

Rickster090

  • Guest
Re: Malware name Win32:Vitro
« Reply #184 on: April 08, 2009, 08:09:54 PM »
This is a bitch of a virus.

I haven't ever had anything worse...
It's making me move all the files from System32 to the vault...

Do you think maybe a system restore may work... I'm going to have a look later... either that or totally wipe my hard drive.

Oh, just one piece of advice.

DO NOT GO TO SERIALS.WS; that is where I got it from... better yet, do not download any keygens..

(Maybe it is our punishment for trying to do something illegal?)

DonNils

  • Guest
Re: Malware name Win32:Vitro
« Reply #185 on: April 09, 2009, 01:29:31 AM »
rofl:
Quote
DO NOT GO TO SERIALS.WS  that is where i got it from.

do not use IE ...

Ok guys, I had(!) the same problem.. (WINXP)
I cleaned up my HDD 5 times (!)

At first cleanup:
- Nothing malicious detected... 1 hr later (drivers etc. reinstalled) the virus was up again..

Second format:
Same problem as before..

Third cleanup:
Same infection...
-> Booted up Backtrack and replaced winlogon.exe, lsass.exe
Tried to log on to Windows -> fail (nothing happened *duh*)

-> Now Windows setup shows that I've got a "new" partition on /hda which has 594902490290MB free! lol
-> Windows setup wasn't able to load again after that...
-> started Backtrack again, kicked off the old partition table (yeah!)
-> repaired partitions & fixed MBR
-> formatted C:\


4. format:
-> installed Kaspersky
-> Kaspersky found some infected files & deleted them..
---> Kaspersky fucked up my system... average boot time ~5 minutes (after that WINXP crashed)

5. started WC3 out of the box - 2 minutes later WINXP -> infected...
after that I decided to let avast delete every file which is infected..
-> starting avast; check for viruses before Windows is up
-> Windows was mostly damaged..

6. Format
-> Kicked C:\ off and used G:\ as the Windows HDD
-> installed avast; cleaned up everything on my other HDDs
---> so far it's working and clean

Ok, I think this virus is VERY hard, it's a whore! Please clean up the MBR, too.
Means:
insert Windows disk
-> wait until it's loaded completely
-> F3 (Repair) and type: help
   (if you logged in in the console etc.)
-> CMD is "fixmbr" (without " ")

If you have Vitro.. don't try to repair.. delete everything!

Another advice: install MBAM!

Afaik this virus infects *.exe files which are smaller than a predefined size (that's what I think)! (Big *.exe files were not infected); & (in my case) it is not infecting *.html files & it changed the hosts file (127.0.0.1 to *.pl)
« Last Edit: April 09, 2009, 01:42:51 AM by DonNils »

Malakie

  • Guest
Re: Malware name Win32:Vitro
« Reply #186 on: April 09, 2009, 09:11:59 AM »
Quote from: DonNils (Reply #185 above)

Like you, I too was fighting this.. You might want to read my threads about what I did and how I finally figured it out. The first thing you must do, though, is try to find out where it is coming from. Only then can you kill it, as I learned. Another big lesson I learned: when you reboot... don't just reboot. Pull the power plug to ensure memory is clean on boot. There are a number of things I did and learned, so hopefully some of those things will help you too... One of the most helpful things I learned is that it infects MORE THAN JUST .EXE files!!! It also infects web pages of all kinds, including those active on running webservers!

BTW, like you I formatted and installed and formatted and installed over and over and over... It was not until I learned about the web pages that I was able to finally figure out how to kill it, by isolating where I was getting it from.

Malakie

mindry

  • Guest
Re: Malware name Win32:Vitro
« Reply #187 on: April 09, 2009, 11:35:37 AM »
From reading various posts I worked on the assumption that it does or could infect EXE, SCR, HTM/HTML, MP3, WMA and AVI as well as dodgy Autorun.inf files. That seemed to work as just one formatting got rid of it for me. Although as a precaution I formatted my USB stick and SD card (the latter, according to Dr Web, was infected) and purchased new ones. I'm now running all the tools mentioned to avoid this happening again, although I think disabling Autorun would be beneficial and can't find a good method to do this.

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #188 on: April 09, 2009, 01:27:42 PM »
Quote
although I think disabling Autorun would be beneficial and can't find a good method to do this.

Follow this link:
http://support.microsoft.com/kb/967715

Cheers

boybawang

  • Guest
THE SIMPLEST WAY TO CLEAN Win32:Vitro!
« Reply #189 on: April 09, 2009, 05:24:13 PM »
Thank you DonNils for giving a hint about the size idea  ;)

I got rid of all the unnecessary steps in cleaning Vitro.

Power unplugging, formatting, partitioning, removing storage, Internet unplugging etc. are all UNNECESSARY. In fact, I reinstalled Windows without deleting the important data on my drive. Some of that data may still be infected, but that doesn't matter; here's what I did:

1. I fresh-installed Windows the same way I normally install it when there is no virus. Just delete all hidden files. That also includes [recycler], [system volume information], [Autorun.inf] and [*.ini].
If you feel uneasy thinking that infected files still reside on the disk, just batch-delete all EXE and HTM/HTML files. I use "Ultimate Boot CD", so it's just a matter of pressing the search button and deleting the results.

2. After installation, I booted Windows. Don't worry, the virus won't trigger unless you execute the infected file. You can view them, transfer them, display their properties, but don't run them! The same applies to HTML files.

The good news is that you can still safely run most of the executable installers left on the drive. Vitro only infects executables smaller than 100KB, such as system files. Almost all setup files are above that, so we are lucky.

Note to all who are fond of serial keygens and patches: most of these files are below 100KB, so be careful.
Again, you can safely delete these small files by simply pressing the search button, specifying the size to search for, then deleting the results.

3. VERY IMPORTANT: I think this is the part where everybody falters. That's why many falsely think that Vitro continues to survive after formatting or partitioning, but I think that's not the case. It's due to the fact that NOT ALL INFECTED FILES ARE DETECTED by AVAST! In most cases many backed up their installer EXE files that survived avast's deletion. After a fresh Windows install, they even re-scanned them with AVAST a million times, therefore strengthening their confidence that they're clean. So they double-click it! The file runs fine, no warnings, what a relief! Oops, the installed program requires a password. No problem, there's a keygen in the same directory and it's clean too! So they double-click that 96KB keygen and BANG! Feel the punishment for downloading pirated software!  :)


Note that I was very cautious with my trial-and-error experiment. I scanned the memory after each and every file size that I ran, and reinstalled the OS on each virus hit! Ouch! So far the smallest file above 100KB that I safely ran is 111KB, and the largest infected file below 100KB is 96KB. So the 100KB I mentioned is just an assumption, due to the small margin of possible discrepancy. But feel free to correct me if you discover something else. I hope that helps. Thank you.
« Last Edit: April 09, 2009, 06:13:07 PM by boybawang »

DonNils

  • Guest
Re: Malware name Win32:Vitro
« Reply #190 on: April 09, 2009, 05:56:36 PM »
Afaik (in my case) it doesn't infect any html / php files; I had enough.. scanned everything but nothing was found.
Also I scanned movies, nothing.. I can't believe that it could infect such files :_/ However, maybe it's possible, but not in my case.

boybawang

  • Guest
Re: Malware name Win32:Vitro
« Reply #191 on: April 09, 2009, 06:21:24 PM »
How did you know that your HTML files are not infected? By scanning with AVAST?
You should know that so far AVAST can't detect an infected HTML file! You'd better try to open the file with Notepad and you will see the malicious link in an iFrame attached at the bottom.
The same applies to EXE files. Not all infected EXE files can be detected by avast, so the size is our only hint.
« Last Edit: April 09, 2009, 06:28:55 PM by boybawang »
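The two manual checks described in this thread (boybawang's "anything under about 100KB is suspect" rule for EXE files, and opening each HTM/HTML file in Notepad to look for an iframe tacked onto the bottom) can be scripted so a whole backup is triaged at once instead of file by file. The script below is an added example, not code from the thread or from any poster; it only reports, it never deletes. The 100KB cut-off, the extension lists, the names of the functions and the sample files are all assumptions constructed for the example, and the sample "infected" files are harmless stand-ins (a short HTML page with an appended iframe pointing at a reserved `.invalid` name, and zero-filled files of the sizes the thread mentions).

```python
"""Triage a backup directory for the two Win32:Vitro indicators posters describe.

Heuristics (both are assumptions taken from the thread, not a signature):
  1. EXE/SCR files smaller than SIZE_THRESHOLD are suspect.
  2. HTM/HTML files with an <iframe> appearing after the closing </html>
     tag (i.e. appended to an otherwise complete page) are suspect.
Nothing is deleted; the caller decides what to do with the report.
"""
import os
import re
from typing import Dict, List, Tuple

SIZE_THRESHOLD = 100 * 1024           # boybawang's observed cut-off (assumption)
EXEC_EXTENSIONS = {".exe", ".scr"}    # .scr taken from mindry's list (assumption)
HTML_EXTENSIONS = {".htm", ".html"}

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
END_HTML_RE = re.compile(rb"</html\s*>", re.IGNORECASE)


def trailing_iframes(data: bytes) -> List[bytes]:
    """Return iframe tags found after the LAST </html> in the file.

    A page whose iframe sits inside the body is not flagged; the thread's
    observation is specifically about a tag appended at the very bottom.
    If the file has no </html> at all, the whole file is searched."""
    last = None
    for last in END_HTML_RE.finditer(data):
        pass
    tail = data[last.end():] if last else data
    return IFRAME_RE.findall(tail)


def classify(name: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'suspect', 'ok' or 'skip'."""
    ext = os.path.splitext(name)[1].lower()
    if ext in EXEC_EXTENSIONS:
        if len(data) < SIZE_THRESHOLD:
            return ("suspect", f"executable of {len(data)} bytes is under "
                               f"the {SIZE_THRESHOLD}-byte threshold")
        return ("ok", "executable above size threshold")
    if ext in HTML_EXTENSIONS:
        tags = trailing_iframes(data)
        if tags:
            return ("suspect", "iframe appended after </html>: "
                               + tags[0].decode("latin-1", "replace"))
        return ("ok", "no appended iframe")
    return ("skip", "not an EXE/SCR/HTM/HTML file")


def triage_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk a backup directory and bucket every file by verdict."""
    report: Dict[str, List[Tuple[str, str]]] = {"suspect": [], "ok": [], "skip": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict, reason = classify(fn, data)
            report[verdict].append((path, reason))
    return report


# Constructed sample files (not real malware) mirroring the thread's cases:
# a clean page, a page with an iframe appended after </html>, a 96KB
# "keygen" and a 111KB installer, plus a picture that is simply skipped.
SAMPLES = {
    "index.html": b"<html><body>hello</body></html>\n",
    "gallery.htm": (b"<html><body>pics</body></html>\n"
                    b'<iframe src="http://example.invalid/x.php"></iframe>'),
    "keygen.exe": b"MZ" + b"\0" * (96 * 1024 - 2),
    "setup.exe": b"MZ" + b"\0" * (111 * 1024 - 2),
    "holiday.jpg": b"\xff\xd8\xff" + b"\0" * 10,
}


def triage_samples() -> Dict[str, str]:
    """Run the classifier over the in-memory samples (used by the demo)."""
    return {name: classify(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, reason in triage_tree(sys.argv[1])["suspect"]:
            print(f"SUSPECT {path}: {reason}")
    else:
        for name, verdict in triage_samples().items():
            print(f"{verdict:8s} {name}")
```

Run it with the backup's path as the only argument (for example `python vitro_triage.py D:\backup`) to list only the suspect files; with no argument it classifies the built-in samples. Keep the poster's own caveat in mind: an executable above the threshold only passes a size heuristic, which is not the same as being verified clean, and the iframe check finds the specific appended-tag pattern the thread describes, not every way a page could be modified.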

Need_O2

  • Guest
Re: Malware name Win32:Vitro
« Reply #192 on: April 09, 2009, 08:21:24 PM »
All of you are kidding, right?
Fighting it?
If you see Vitro and you have an external hard drive:
Bash the external hard drive with a hammer, then burn it in a microwave
Insert your OS disk (make sure it's read-only, like a CD/DVD)
Format your hard drives
Install the OS
Go buy a new external hard drive

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Malware name Win32:Vitro
« Reply #193 on: April 09, 2009, 08:41:47 PM »
Well, joking aside and talking seriously, Vitro is a very hard infection to get rid of without formatting, partitioning and starting all over again...
The best things in life are free.

boybawang

  • Guest
Re: Malware name Win32:Vitro
« Reply #194 on: April 09, 2009, 10:17:48 PM »
Quote
Well, joking aside and talking seriously, Vitro is a very hard infection to get rid of without formatting, partitioning and starting all over again...

I'm not joking! I have no objection that Vitro is a very hard infection. But note that it won't trigger unless you execute the infected files, no matter how many of them you copy to your working drive. All you need to delete are the files that automatically execute at startup, before you fresh-install Windows, as in the steps I mentioned. Also, many didn't expect that AVAST fails to detect some of the infected EXE files! That's why many still use them... and if Vitro pops up they wonder where Vitro was hiding during partitioning, where in fact even formatting is not necessary. You can even safely execute any file from the infected backup disk as long as it is above 100KB in size. Never execute a file below that size, even if AVAST didn't report it as infected! Just one mistake and all your evil descriptions of Vitro will come true!

Vitro is your worst enemy once it gets started. But if you don't give it a chance to initiate, then it won't even start in the first place. Others over-reacted, thinking that it just pops out from nowhere. But it's due to the fact that it's easy to slip on some simple preventive measures. I already wasted a lot of time and effort in trial and error before I came up with those directions.