Author Topic: Malware name Win32:Vitro  (Read 341009 times)

aph3x

Re: Malware name Win32:Vitro
« Reply #225 on: April 24, 2009, 07:01:11 AM »
Here's EXACTLY how I got rid of it:

1. As soon as I realized I had it - I disconnected my PC from the internet
2. Immediately DISABLED System Restore
2. Immediately ran a BOOT TIME scan (not a regular scan in Windows) - very important
3. Burnt a CD (because I wanted to make sure it was read only) with: A-Squared Antimalware, MalwareBytes and Dr. Web CureIT.
4. Vitro generally infects your .exe's so badly they can't be repaired - I lost several Windows files and some other programs, but unlike what I've heard from others, it didn't touch my Word docs, PowerPoint presentations, etc. During the boot time scan I let avast just delete the infected files
5. When the system came back up I ran Dr. Web CureIT first
6. Then I ran A-Squared
7. Then I ran MalwareBytes
8. Then I ran another boot time scan (clean)
9. Ran A-Squared again (clean)
10. Ran MalwareBytes again (clean)
11. Ran Dr. Web CureIT again (clean)
12. At this point Windows was limping along. cmd.exe got infected, notepad.exe got infected and other Windows files (although Windows did boot).
13. And this is what made it so successful. I did a NON destructive, NO-Reformat repair on my Windows installation. Using my Windows XP CD and the instructions from InformationWeek I had my system back up in PERFECT running order again. See the link here: http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=189400897

That article on InformationWeek really saved me.  I had to reinstall some programs (Omnipage, CS3) but it was much better than DBAN.

I hope this helps someone else that gets infected by this nasty little bugger.

scythe944
« Reply #226 on: April 24, 2009, 07:12:06 AM »
Cool. Thanks for the info!

MAXIUM

« Reply #227 on: April 25, 2009, 08:31:52 PM »
Solution:

1º Format PC.
2º Reinstall Windows.
3º Add to the hosts file:
Code:
127.0.0.1 jl.chura.pl
127.0.0.1 chura.pl
127.0.0.1 www.zief.pl
127.0.0.1 ns1.terns.org
127.0.0.1 ns2.terns.org
127.0.0.1 mail.chura.pl
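
A way to check that the entries from the post above are actually in effect, as an added example that is not part of the original post: it parses hosts-file text, copes with comments, several names on one line and case differences, and reports each of the six domains as blocked, missing or pointed somewhere other than loopback. The sample file is constructed, and keeping the first entry for a duplicated name is an assumption about resolver behaviour.

```python
import ipaddress

# Domains taken from the hosts entries posted in this thread.
VIRUT_DOMAINS = ("jl.chura.pl", "chura.pl", "www.zief.pl",
                 "ns1.terns.org", "ns2.terns.org", "mail.chura.pl")

# Constructed sample hosts file (not from the thread): one entry is
# commented out and one points at a non-loopback address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 jl.chura.pl
127.0.0.1 CHURA.PL            # name written in upper case
#127.0.0.1      www.zief.pl
127.0.0.1       ns1.terns.org ns2.terns.org
192.0.2.10      mail.chura.pl
"""

def parse_hosts(text):
    """Map each hostname to its address; the first entry for a name is kept
    (assumption: the resolver uses the first match)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:                # several names may share a line
            table.setdefault(name.lower().rstrip("."), addr)
    return table

def audit(text, domains=VIRUT_DOMAINS):
    """Return {domain: 'blocked' | 'missing' | 'redirected to <ip>'}."""
    table = parse_hosts(text)
    report = {}
    for domain in domains:
        addr = table.get(domain.lower())
        if addr is None:
            report[domain] = "missing"
        elif addr.is_loopback or addr.is_unspecified:
            report[domain] = "blocked"
        else:
            report[domain] = "redirected to %s" % addr
    return report

if __name__ == "__main__":
    for domain, state in audit(SAMPLE_HOSTS).items():
        print("%-16s %s" % (domain, state))
```

On a live Windows XP system the text to audit would come from the hosts file under the system directory; an entry reported as redirected deserves a closer look, since it sends the name to a real address instead of sinking it.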

polonus
« Reply #228 on: April 26, 2009, 01:11:33 AM »
Hi malware fighters,

Below is a list of files that the W32/Virut Virus may be created as:

polonus

orangbego

« Reply #229 on: April 29, 2009, 09:08:39 AM »
Quote from: MAXIUM (Reply #227)
No need to add the hosts like above.
My Windows got Vitro about 3 weeks ago. My hard drive has 3 partitions, so I formatted the Windows partition, re-installed Windows XP, and installed Avast with updated virus databases. That's all that was needed... the Vitro virus hasn't come back so far, even though the infected files are still there on my hard drive in the other non-formatted partitions...
« Last Edit: April 29, 2009, 09:21:34 AM by orangbego »

Omid Farhang
« Reply #230 on: April 29, 2009, 10:35:05 AM »
Quote from: orangbego (Reply #229)
You should immunize your Windows HOSTS. Virut has many, many different generations. I have some samples of Virut on my Windows (quarantined) that avast! has not yet added to their virus definitions. They will, but take care until then.

Omid Farhang
« Reply #231 on: April 29, 2009, 10:50:12 AM »
Quote from: aph3x (Reply #225)

All your steps are OK and good, but from the test that I've done on my laptop for "Virut", I found that AVIRA has covered all generations of Virut, so I suggest you download Avira Rescue System. This is a bootable antivirus disc with the latest virus definitions from Avira. Download it from here, run it, burn it to a blank disc, boot your computer using this disc, and let it do a full scan and remove everything it finds. I'm sure it would remove anything that is currently on your computer. Until Alwil covers all generations of Virut, it's the best solution to get rid of Virut after every infection. So, after infection, do these:
1. Disconnect from the internet
2. Download Avira Rescue System using a clean computer and burn it to a disc
3. Boot your computer using this disc and do a full scan, let it remove everything
4. Back in Windows, let avast! do a boot time scan
5. Do a full scan using MBAM, SAS, SpyBot S&D to prevent any download trojan from downloading Virut for you again.
5. Make sure your hosts is immunized
6. Re-install corrupted programs.
7. Fix your registry; it must be corrupted after the steps above. (I suggest Auslogics Registry Cleaner and then Auslogics Registry Defrag)

shakanovirgo

« Reply #232 on: April 29, 2009, 01:19:45 PM »
Hi there, this post saved my life (and my money).
I'd like to thank everyone who shared ways to get rid of this awful infection.
There's something else: could someone check my log and tell me if there's any trace of the Virut:

Logfile of HijackThis v1.99.1
Scan saved at 08:12:32 a.m., on 29/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
D:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
D:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\svchost.exe
D:\Archivos de programa\Windows Media Player\wmplayer.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Archivos de programa\MSN Messenger\msnmsgr.exe
D:\Archivos de programa\Mozilla Firefox\firefox.exe
D:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plusnetwork.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Archivos de programa\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Archivos de programa\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B919C893-2A7C-49E9-935F-F9B2B918D413}: NameServer = 200.40.220.245 200.40.30.245
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

Thanks again for giving solutions, not problems, thank you

Omid Farhang
« Reply #233 on: April 29, 2009, 01:28:08 PM »
Your HijackThis logfile is clean and OK :)

I just highly recommend you update your Windows to Service Pack 3 (download it from here)
and update your Internet Explorer to version 8 (download it from here)

Also, you can let Microsoft Update install Service Pack 3 and other Windows and Microsoft product updates for you
« Last Edit: April 29, 2009, 01:33:43 PM by Omid Farhang »

DavidR
« Reply #234 on: April 29, 2009, 04:36:28 PM »
@ shakanovirgo

First as mentioned, XP SP2 is way out of date with SP3 having been out for around 9 months. This would also allow IE6 SP2 to be upgraded to IE6 SP3 and there may be other updates that rely on your having SP3 installed, so it is an important update.

Second your JAVA is ancient too.
Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp

Or JRE version 6 update 13 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

With your history (excuse the pun) of out of date applications you need to visit this site to ensure that you haven't any other historic versions of software.
This site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

shakanovirgo

« Reply #235 on: April 29, 2009, 10:28:57 PM »
Thanks a lot guys, updating right now.

EDIT: Another thing, I use Firefox, and I think that it's up to date, because there's no "pop-up" actualization window
« Last Edit: April 29, 2009, 10:32:19 PM by shakanovirgo »

DavidR
« Reply #236 on: April 29, 2009, 10:59:24 PM »
The latest version of firefox is 3.0.10, so if you haven't got that do a manual update.

CharleyO

« Reply #237 on: April 30, 2009, 08:29:50 AM »
***

Welcome to the forums, shakanovirgo.   :)

You have used an old version of HJT which can show incomplete and/or incorrect results.

Please download the latest version at the link below and post a new log.

http://filehippo.com/download_hijackthis/


***

shakanovirgo

« Reply #238 on: April 30, 2009, 08:44:50 AM »
charley0, thanks for the welcome, here's the log with hjt 2.0.2:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:40:02 a.m., on 30/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
D:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
D:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
D:\Archivos de programa\MSN Messenger\usnsvc.exe
D:\Archivos de programa\Windows Media Player\wmplayer.exe
D:\Archivos de programa\Java\jre6\bin\jqs.exe
D:\Archivos de programa\Mozilla Firefox\firefox.exe
D:\Archivos de programa\Xfire\Xfire.exe
D:\Archivos de programa\Java\jre6\launch4j-tmp\JDownloader.exe
D:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Xfire.lnk = D:\Archivos de programa\Xfire\Xfire.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Archivos de programa\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B919C893-2A7C-49E9-935F-F9B2B918D413}: NameServer = 200.40.220.245 200.40.30.245
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4086 bytes

David, I already updated Java. I'm now downloading Firefox 3.0.10, I had 3.0.6
Omid, I'm trying to find a window to download SP3. I only have a 60kbp/s download connection, and SP3 is 300mb so it'll take like 6 hours to download, so I'll see if I download this one on the weekend.

Other than that, I've worked with my computer all day long and there's no sight of Vitro till now, so I really think that that bitch is out ;D
thanks again
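
A comparison of the two logs posted in this thread, as an added example that is not part of the original posts: it splits each HijackThis log into section entries, lists the entries whose target is reported as (no file) or (file missing), and shows which entries differ between the v1.99.1 and v2.0.2 runs. The log lines are excerpts copied from the posts above; the function names are illustrative.

```python
import re

# Excerpts copied from the two logs in this thread (not the full logs).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""
NEW_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] D:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # section code, then detail
ORPHAN = re.compile(r"\((?:no file|file missing)\)$")   # target not found on disk

def parse_hjt(text):
    """Split a HijackThis log into header fields and (section, detail) entries."""
    header, entries = {}, []
    for line in map(str.strip, text.splitlines()):
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
        elif line.startswith("Logfile of "):
            header["tool"] = line[len("Logfile of "):]
        elif line.startswith("Platform: "):
            header["platform"] = line[len("Platform: "):]
    return header, entries

def orphans(entries):
    """Entries that point at a file the scanner could not find."""
    return [entry for entry in entries if ORPHAN.search(entry[1])]

def compare(old_text, new_text):
    """Return (entries only in the old log, entries only in the new log)."""
    _, old = parse_hjt(old_text)
    _, new = parse_hjt(new_text)
    removed = [entry for entry in old if entry not in new]
    added = [entry for entry in new if entry not in old]
    return removed, added

if __name__ == "__main__":
    for name, text in (("old", OLD_LOG), ("new", NEW_LOG)):
        header, entries = parse_hjt(text)
        print(name, header["tool"], "orphans:", orphans(entries))
    removed, added = compare(OLD_LOG, NEW_LOG)
    print("only in old:", removed)
    print("only in new:", added)
```

The orphaned BHO entry appears in both runs, while the Mail Scanner service is reported as (file missing) only in the v1.99.1 excerpt.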

sharanj

« Reply #239 on: April 30, 2009, 09:21:56 AM »
Hello Guys,
I have been following this topic for the past month as my laptop is gravely injured by the Win32:Vitro virus.
As you guys all mentioned, avast only detects the virus and the rest are useless in this issue.

Like you guys, I too installed Windows again and again, but to my dismay the virus kept on coming. I was literally shocked to see what was happening.

I also noted that many of you are taking a backup and then installing Windows. Then you copy your backup back and the virus attacks your system again after some time.

I too was doing the same thing until yesterday, when I figured out what the problem is.

Guys, the problem was that the virus sits in our backup (mainly in .exe's and .html's), so when we copy that back it attacks again.
I took a backup of all my installation files, then formatted the entire system and copied it back.
So when I started to install from it again, avast began to sound.

Now what I did was not take any installation backups, and I downloaded everything fresh from the internet. Even after installing, I ran the boot scan some 3 or 4 times and avast didn't detect a single virus.

So my advice for you guys: don't take the backup, and format your entire system. Then install Windows and a fresh set of installation files and you won't get the virus again!!!

Cheers,
SHARAN