Author Topic: Malware name Win32:Vitro  (Read 341055 times)


DonNils

  • Guest
Re: Malware name Win32:Vitro
« Reply #210 on: April 12, 2009, 10:26:25 AM »
yep .. but here is nothing infected... I looked everything up.. nothing :)

kurdtpage

  • Guest
Re: Malware name Win32:Vitro
« Reply #211 on: April 12, 2009, 01:34:34 PM »
For those of you who are new to this thread, a few tools to help. These should be run from safe mode if possible.

Removal tools:
http://www.avg.com/us.virus-removal.ndi-67762 (I found this not to be 100% effective, but it's a good start)
http://www.scanforfree.com/09/win32-virut-gen-5-removal.html (I think this may be an old one. It cannot run on my system)

This script will remove the infection from web pages:
http://www.cedit.biz/scripts/14-virusmalware-repair/25-repair-ziefpl-iframe-injection.html

More generalized malware/virus scanner:
http://www.novirusthanks.org/progs/3/

Please note that Avast will detect the virus if it has infected an EXE file, but will not detect infected web pages. It is entirely possible for antivirus programs to get infected, then infect other files when you try to scan them.

This virus will infect system files such as explorer.exe, winlogon.exe, cmd.exe, taskmgr.exe and also System Restore. It would be a very good idea to reformat your hard drive (don't just reinstall Windows over the top!)

I know it can be sad losing so much important stuff but it has to be done (I have just lost 4 Terabytes on my server PC :( )

The best defence is not to go to suspect web sites, keep your virus scanner up to date and use a decent firewall (not Microsoft's).

Block these IP addresses:
61,235,117,80     (ntkmpla dot info)
221,5,74,38     (zief dot pl)
212,85,96,95     (jL dot chupa dot nl)
218,93,205,30     (jL dot chura dot nl)
(Replace the commas with dots)
« Last Edit: April 13, 2009, 01:59:50 AM by kurdtpage »
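The post above notes that Avast flags an infected EXE but not an infected web page, and links a repair script for the zief.pl iframe injection. As an added example (not the poster's or the linked script's code), this PowerShell pass triages a web root for that kind of injection; it assumes PowerShell 3.0 or later, a placeholder document root C:\inetpub\wwwroot, and uses the domain list quoted in the post as its indicators.

```powershell
# Added example, not from the thread: list web files carrying an injected
# iframe, either one pointing at a host quoted in the post or one styled
# to be invisible. Hits are for review; nothing is deleted.
# Assumptions: PowerShell 3.0+, C:\inetpub\wwwroot is a placeholder root,
# $KnownBadHosts is the post's list and should be extended with your own.
$WebRoot       = 'C:\inetpub\wwwroot'
$KnownBadHosts = @('zief.pl', 'ntkmpla.info', 'jl.chupa.nl', 'jl.chura.nl')

# Pattern 1: an iframe whose src points at one of the known hosts.
$hostAlt   = ($KnownBadHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$badHostRx = "<iframe[^>]*src\s*=\s*[`"']?[^`"'>]*(?:$hostAlt)"

# Pattern 2: an iframe sized or styled so the visitor never sees it, the
# usual shape of a drive-by injection whatever host it points at.
$hiddenRx  = '<iframe[^>]*(?:width\s*=\s*["'']?0(?:px)?\b|height\s*=\s*["'']?0(?:px)?\b|visibility\s*:\s*hidden|display\s*:\s*none)'

# -Force includes hidden files; injected copies are often marked hidden.
$files = Get-ChildItem -Path $WebRoot -Recurse -Force -File -Include *.htm,*.html,*.php,*.js
$hits  = foreach ($f in $files) {
    # Select-String is case-insensitive by default, which covers <IFRAME>.
    Select-String -LiteralPath $f.FullName -Pattern $badHostRx, $hiddenRx |
        ForEach-Object {
            $line = $_.Line.Trim()
            [pscustomobject]@{
                File      = $_.Path
                Line      = $_.LineNumber
                LastWrite = $f.LastWriteTime   # mass injections share a timestamp
                Snippet   = $line.Substring(0, [Math]::Min(120, $line.Length))
            }
        }
}

"{0} files scanned, {1} suspicious lines" -f @($files).Count, @($hits).Count
$hits | Sort-Object LastWrite | Format-Table -AutoSize -Wrap
```

Files that share one LastWrite value across many directories were touched by the same injection run and are the first to repair from a known-good copy.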

lilbootz

  • Guest
Re: Malware name Win32:Vitro
« Reply #212 on: April 14, 2009, 07:54:34 PM »
hmmmmmmmmm

yeh.... managed to skate by a few bugs that I've picked up in the past... but it bears repeating this one is kind of mean... hats off to the creator(s)

anyways, I was wondering... say you have a secondary HD that you keep with an OS etc etc just in case Vitro happens on the HD you're using at the time of infection/destruction

you wouldn't be able to boot from that OS backup drive with the infected drive without the backup drive getting infected (tried it)

so I'm about to try this to see if I can at least get access to the stored data on the infected drive without infecting the backup drive, here's how:

while running on my backup OS drive, I picked up a bat file that renames *.exe to *.XXX and *.dll to *.ddd

so what I was thinking was:

delete only the Windows folder on the infected drive, do a reinstall and start up the infected drive alone (unplugging the backup) with just the cmd prompt

if the new installation on the infected drive did work, when you get to the cmd, run the batch file(s), then do a reinstall of Windows just deleting the Windows folder, to kill off any residual bugs that would be left over in the Windows folder

think it would work? yeh it would render any programs useless, but it should leave all the data intact (music vids etc)

if the new installation on the infected drive didn't work, you could boot from the backup drive with the corrupted drive in secondary then copy all the non-exe data, ie music video etc... right? and not infect the backup OS drive

yeh I know the infected exe/dll will still be there and still need to be formatted later, but they should be inert right? hopefully allowing you to take the music/video/etc non program stuff

ehhhh I ono  ::)

might could try running the batch files from a modified boot disk too o-0


« Last Edit: April 14, 2009, 08:02:36 PM by lilbootz »

lilbootz

  • Guest
Re: Malware name Win32:Vitro
« Reply #213 on: April 15, 2009, 02:24:36 AM »
 :-X :-X :-X

hmmmmmmmmmmmmmmmmm

this one time at virus camp... :o

umm so yah...

I got to the cmd prompt in safe mode using the fresh install (over the top, not fully formatted) on the infected drive

inserted my burned CD with my batch files and copied my batch files to my C drive

tried to run them... and they screwed up... poorly written, bunch of errors

so rather than give up or look for new batch files to use.. or write my own cuz I'm lazy like that...

I did this:

in the cmd prompt: C:\>explorer

explorer starts, at this point I don't care if the virus was running (didn't seem like it was anyways)

opened my C drive and took every file except the Windows install and put them in one folder

right clicked that folder (called it dex), went to Security, owned all the files (made sure to check the subdirectories thing)

picked my nose for a while while the system sat there and applied the ownership attributes

came back a bit later and in cmd prompt typed this

C:\>del /s /f C:\dex\*.exe

let that finish out

then typed in the cmd prompt

C:\>del /s /f C:\dex\*.dll

then

C:\>del /s /f C:\dex\*.js

then

C:\>del /s /f C:\dex\*.htm

then

C:\>del /s /f C:\dex\*.html

then

C:\>del /s /f C:\dex\*.tmp

then

C:\>del /s /f C:\*.exe

C:\>del /s /f C:\*.dll

C:\>del /s /f C:\*.htm

C:\>del /s /f C:\*.html

C:\>del /s /f C:\*.js

C:\>del /s /f C:\*.tmp

C:\>del /s /f C:\*.com

those last lines killed all the *.exe, html, htm, js, tmp, com, dll in the new windows install

reinstalled Windows, reinstalled my net adaptor, downloaded Avast, scheduled a boot time scan

the damned thing got to 90% before it found one Vitro...

in the only place I forgot to look, in the System Volume Information, and now that I think about it... this crucial little thing for the del cmd

C:\>del /s /f /a:h

the /a:h is the big one (I think?) cuz I may have overlooked the hidden files...   :-X

but.... I'm running on my fresh (over the top of the old install) installation right now, with Avast running in the background... no virus alerts so far...  :o :o :o

_____

just owned the system volume information

(please wait system is picking its nose)   :D

started cmd and ran this

C:\>del /f /s C:\system~1\*.exe

then

C:\>del /f /s C:\system~1\*.dll

then

C:\>del /f /s /a:h system~1\*.exe

then

C:\>del /f /s /a:h system~1\*.dll

so far so good...

I'll prolly be back here crying about this damned virus in a few hours again...

but for the moment, I have a fresh OS, my AVS (Avast) is running, and all of my old data, mp3, avi, etc etc etc (minus the dll, exe, etc etc etc)
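The post above hit two gaps in its own procedure: hidden files were skipped until /a:h was added, and System Volume Information was forgotten until the boot scan found it. As an added example (not the poster's commands), this PowerShell pass does the same sweep with those gaps closed and quarantines instead of deleting; it assumes an elevated PowerShell 4.0 or later on a clean OS with the infected disk attached as D: and never booted, and D:\dex and D:\quarantine are placeholders.

```powershell
# Added example, not from the thread: the "scorched earth" pass from the post
# above with the holes it hit closed. -Force lists hidden and system files
# (the /a:h the poster nearly missed), System Volume Information is covered
# in the same run, and files are moved to a quarantine folder with SHA-256
# hashes logged instead of deleted, so a file that later proves clean can be
# put back and the rest can be scanned from a clean machine.
# Assumptions: elevated PowerShell 4.0+ on a clean OS, the infected disk
# attached as D: and never booted; D:\dex and D:\quarantine are placeholders.
$Roots      = @('D:\dex', 'D:\System Volume Information')
$Quarantine = 'D:\quarantine'
$Extensions = '*.exe', '*.dll', '*.com', '*.scr', '*.htm', '*.html', '*.js', '*.tmp'

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

$log = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # The post's right-click "security, own all the files" step, recursively.
    # S-1-5-32-544 is the Administrators group on any language of Windows;
    # /D Y answers the English takeown prompt for unlisted directories.
    takeown /F $root /R /A /D Y | Out-Null
    icacls $root /grant '*S-1-5-32-544:F' /T /C | Out-Null

    $files = Get-ChildItem -Path $root -Recurse -Force -File -Include $Extensions
    foreach ($f in $files) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        # Keep the path below the root so the file can be restored later.
        $rel  = $f.FullName.Substring($root.Length).TrimStart('\')
        $dest = Join-Path $Quarantine (Join-Path (Split-Path $root -Leaf) $rel)
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        $f.Attributes = 'Normal'       # clear hidden/system/read-only first
        Move-Item -LiteralPath $f.FullName -Destination $dest -Force
        [pscustomobject]@{ Original = $f.FullName; Quarantined = $dest; SHA256 = $hash }
    }
}

$log | Export-Csv -Path (Join-Path $Quarantine 'quarantine.csv') -NoTypeInformation
"{0} files quarantined under {1}" -f @($log).Count, $Quarantine
```

The CSV gives a scanner on a clean machine one folder to check, and the hashes let you confirm later which quarantined files were actually infected before anything is restored.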

RaconRC

  • Guest
Re: Malware name Win32:Vitro
« Reply #214 on: April 15, 2009, 02:27:52 PM »
My computer has been infected by Win32:Vitro; so far it has only infected some unimportant files and I am wondering if an antivirus program can remove it (in the future)? How long will it probably take? I am wondering how long I can wait before I take action (of course I am going to take a backup of all important pictures and text documents).

Thanks for helping!

lilbootz

  • Guest
Re: Malware name Win32:Vitro
« Reply #215 on: April 15, 2009, 08:16:13 PM »
well so far so good...

music, video and everything that I didn't delete is still intact for the moment and no sign of the bug

hmm the method I used is kind of like scorched earth... but with certain files hiding out in bunkers surviving the mass destruction

killingtime

  • Guest
Re: Malware name Win32:Vitro
« Reply #216 on: April 16, 2009, 02:27:41 AM »
My computer has been infected by Win32:Vitro; so far it has only infected some unimportant files and I am wondering if an antivirus program can remove it (in the future)? How long will it probably take? I am wondering how long I can wait before I take action (of course I am going to take a backup of all important pictures and text documents).

Thanks for helping!

afaik, and imho, there are no programs to rid yourself of win32.vitro. Avast! and Dr Web CureIt can detect but not fix. It is a MAJOR virus and completely fatal. Who knows how long it will take before AV programs are able to fix it? Best thing is to bite the bullet and do FFR. Back up your important files but then unplug that media until you're back up and running.

I had(?) it. I am on my second re-install of everything.

The best thing to do is...

1. unplug all your external drives/media.
2. unplug the AC (and battery if it's a laptop).
3. do an FFR (fdisk, format, re-install).
4. keep your external media unhooked until you know you're in the clear.

Sorry for the bad news. I hope this helps you.

« Last Edit: April 16, 2009, 02:41:17 AM by killingtime »

RaconRC

  • Guest
Re: Malware name Win32:Vitro
« Reply #217 on: April 16, 2009, 05:50:30 PM »
I understand that I have to clear my hard drive. I have Vista on my computer; can someone please write step by step how to completely remove everything from the computer (or is formatting enough?). On this forum someone had formatted their hard drive numerous times and still the virus was coming back; I just want to be completely sure it will be removed.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #218 on: April 16, 2009, 06:51:07 PM »
1. unplug all your external drives/media.
2. unplug the AC (and battery if it's a laptop).
3. do an FFR (fdisk, format, re-install).
Step three, with fdisk or any partition manager that could clean the partition (like http://www.ptdd.com/bootablecds.htm, http://www.ptdd.com/download.htm, http://www.ultimatebootcd.com/, or Super Fdisk Bootable CD 1.0: http://www.softpedia.com/get/System/Hard-Disk-Utils/Super-Fdisk-Bootable-CD.shtml).
The best things in life are free.

killingtime

  • Guest
Re: Malware name Win32:Vitro
« Reply #219 on: April 17, 2009, 10:28:55 AM »
I understand that I have to clear my hard drive. I have Vista on my computer; can someone please write step by step how to completely remove everything from the computer (or is formatting enough?). On this forum someone had formatted their hard drive numerous times and still the virus was coming back; I just want to be completely sure it will be removed.

Definitely don't plug external media (that may be infected) back into your computer. After my first FFR, I plugged in a USB flash drive. I had USB Firewall running and it found four infected files (SVCHost.exe was one). By then it was too late. I think(?) I was re-infected because my LAN became inaccessible. Leaving nothing up to chance, I did FFR again.

Maybe set up an alternate computer to scan your drive(s) with Avast and Dr Web.

My Blackberry is/was infected as well (SVCHost.exe)! It must be on the micro SD card.
« Last Edit: April 17, 2009, 10:38:54 AM by killingtime »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Malware name Win32:Vitro
« Reply #220 on: April 17, 2009, 02:27:23 PM »
I had USB Firewall running
To prevent infections from USB drives, you can install USB Firewall before using any USB drive.
The best things in life are free.

RaconRC

  • Guest
Re: Malware name Win32:Vitro
« Reply #221 on: April 17, 2009, 06:39:59 PM »
Three questions:

1. I have heard that Vitro can infect MP3 files; I have a backup of some music and wonder if I should worry?

2. How long will it take the virus to damage my system? I have had it 2 weeks now and it has affected only some minor files on one of my hard drives (got two). I want to wait a bit longer before I format my drive, when I have more time; will it be safe?

3. I downloaded the file with Virut on C, and transferred it to F (my other disc) where I tried to run it and AVG responded. Afterward AVG reported that Virut had infected a couple of minor files. A couple of days ago (after I changed to Avast) it said that a file was infected with Vitro; all the files have been on the F disc. Are both discs infected?
« Last Edit: April 17, 2009, 07:31:09 PM by RaconRC »

Belgarion

  • Guest
Re: Malware name Win32:Vitro
« Reply #222 on: April 18, 2009, 04:24:48 PM »
Back story first
I was looking for a firmware update for my DVD rewriter and clicked on a link which was supposedly a system checker by mistake. Can't remember the name of it now. AVAST immediately warned me and advised a boot scan, which I did, and it started to delete infected files, which I know now was a mistake.

OK I had it bad with over 615 Vitros detected with the recommended Dr Web scanner in safe mode.
Avast is my regular anti virus (never let me down before).

Anyway I am clear of it now and it did not require a reinstall format and fdisk.

Method.
Turn off System Restore on all drives.
Download or get the Dr Web scanner onto the infected PC and do a normal scan and tell it to cure. Then restart in safe mode and have Dr Web do a thorough scan again, telling it to cure (any it can't cure should be deleted). This can take a very long time but let it finish, as it only takes 1 file for your system to reinfect, and also Dr Web does not find all the Vitro or Virut56 infections.

Do not allow it to start normally as this instantly infects you again. Restart in safe mode and do a full AVAST scan. Delete files that AVAST still finds and schedule a boot scan. Allow this scan to delete the infected files. It is possible you may lose some critical Windows files; in my case it was delfolders.exe in the win32 tools directory amongst others. Get these from another non-infected machine, preferably burned to a CD, then you can copy them safely.

I would recommend you download Malwarebytes and Spybot Search and destroy and run them updated.

Lastly change your firewall to anything other than the Windows one.

Good luck you are going to need it. If you are not sure of the above steps then don't try it as you will not clear this terrible virus.

There is also a Virut56 remover at Symantec but I am not sure if that works.

My method did for me without formatting but took much longer than a complete windows reinstall.
I have Nvidia Active Armour now.

« Last Edit: April 18, 2009, 04:27:50 PM by Belgarion »

sharptooth53

  • Guest
Re: Malware name Win32:Vitro
« Reply #223 on: April 19, 2009, 07:00:48 AM »
here's what I did: download Spyware Doctor, have it do a full scan twice...(the first time I did a normal reboot and it didn't work).... to be sure it detected all manifestations of this garbage.... then when it shows "congratulations you removed everything" (again).....yank out the power cord.... I did.... it worked only after I did this...and when I turned it back on no errors appeared at all from the hard shut down. well I had supposedly 136 problems with like 300 infections all in the registry. but what was weird was that the paths to the problems like the different folders named didn't even show in the registry at the time they were there or afterwards, weird huh? well so far so good, I ran each kind of scan separately over my whole hard drive and came out clean. I haven't done a whole full scan yet though, I haven't had the time to watch it yet. will check back later to see how things go.....reformat fdisk reinstall from scratch not me no way I couldn't I ain't had a disk drive to copy to yet. working on that. by the way is there some way to get every instance of your computer to USB flash by chance? if under 16 gb of course not pics vids and such just everything (not in) my documents. thanks to the person who said about Spyware Doctor.

Rickster090

  • Guest
Re: Malware name Win32:Vitro
« Reply #224 on: April 23, 2009, 10:10:54 AM »
Oh, another thing..

make sure that you scan any usb sticks or removable hard drives..

then if this doesn't work. format your external devices then format both of your Hard drives..

re-install your OS then restart your computer in Safe mode.
and run an anti-virus and anti-spyware to remove any other traces.

this has worked for me, and I now have total control over my computer again

Good Luck.
 ;D