Author Topic: Malware name Win32:Vitro  (Read 341058 times)


CharleyO

  • Guest
Re: Malware name Win32:Vitro
« Reply #240 on: April 30, 2009, 10:45:32 AM »
***

Hi shakanovirgo -

While you are aware of a few things already from the posts above, some will be listed again.

An analysis of your HJT log shows the following problems :

Platform: Windows XP SP2 (WinNT 5.01.2600)
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft's windowsupdate site to download the newest version of the service pack.

We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7E853D72-626A-48EC-A868-BA8D5E23E045&search=SAS-Search

O17 - HKLM\System\CCS\Services\Tcpip\..\{B919C893-2A7C-49E9-935F-F9B2B918D413}: NameServer = 200.40.220.245 200.40.30.245
Most likely your ISP and if so, this one is OK.
http://www.robtex.com/dns/ns3.antel.net.uy.html

~~~~~~

Overview of running tasks:

Process | Type | Description
smss.exe | System task | Session Manager Subsystem
winlogon.exe | System task | Microsoft Windows Logon Process
services.exe | System task | Windows Service Controller
lsass.exe | System task | Local Security Authority Service
svchost.exe | System task | Microsoft Service Host Process
svchost.exe | System task | Microsoft Service Host Process
Explorer.EXE | System task | Microsoft Windows Explorer
aswUpdSv.exe | Virusscan | Avast Anti-Virus Component
ashServ.exe | Virusscan | Avast
spoolsv.exe | System task | Microsoft Printer Spooler Service
nvsvc32.exe | Application | NVIDIA Driver Helper Service
ashMaiSv.exe | Virusscan | Avast Anti-Virus Component
ashWebSv.exe | Virusscan | avast! Web Scanner
ashDisp.exe | Virusscan | Avast AntiVirus
RTHDCPL.EXE | Driver | Realtek HD Audio Sound Effect Manager
RUNDLL32.EXE | System task | Microsoft Rundll32
ctfmon.exe | System task | Alternative User Input Services
svchost.exe | System task | Microsoft Service Host Process
usnsvc.exe | Application | Messenger Sharing USN Journal Reader Service
wmplayer.exe | Application | Microsoft Windows Media Player
jqs.exe | Backgroundtask | jqs.exe
firefox.exe | Application | Mozilla Firefox
Xfire.exe | Backgroundtask | Xfire Gaming Client/Utility
JDownloader.exe | Unknown task | Unknown task
HijackThis.exe | Application | Merijn Hijackthis


***

shakanovirgo

  • Guest
Re: Malware name Win32:Vitro
« Reply #241 on: April 30, 2009, 11:49:36 AM »
Here's what I'm doing right now:
- Downloading a firewall (I used to think that the Windows one was enough, looks like it's not)
- Fixed the entry of my HJT log: O2 - BHO
- O17 is my ISP
- Scheduled the download of SP3 for Saturday

If you think that should be enough prevention, I'll do it.
Thanks

chummy

  • Guest
Re: Malware name Win32:Vitro
« Reply #242 on: May 01, 2009, 01:54:07 AM »
All your steps are OK and good, but from the test that I've done on my laptop for "Virut", I found that AVIRA has covered all generations of Virut, so I suggest you download Avira Rescue System. This is a bootable antivirus disc with the latest virus definitions from Avira. Download it from Here, run it, burn it to a blank disc, boot your computer using this disc, let it do a full scan and remove everything that it finds. I'm sure it would remove anything that is currently on your computer. Well, until the time ALWIL covers all generations of Virut, it's the best solution to get rid of Virut after every infection. So, after infection, do these:
1. Disconnect from the internet.
2. Download Avira Rescue System using a clean computer and burn it to a disc.
3. Boot your computer using this disc and do a full scan; let it remove everything.
4. Back in Windows, let avast! do a boot-time scan.
5. Do a full scan using MBAM, SAS and SpyBot S&D to prevent any download trojan from downloading Virut for you again.
6. Make sure your hosts is immunized.
7. Re-install corrupted programs.
8. Fix your registry; it must be corrupted after the steps above. (I suggest Auslogics Registry Cleaner and then Auslogics Registry Defrag.)

Hi Omid

   A real newbie here but will this work? I want to try it but a little worried.

CharleyO

  • Guest
Re: Malware name Win32:Vitro
« Reply #243 on: May 01, 2009, 04:33:26 AM »
***

You are welcome, shakanovirgo.   :)

Glad to have helped and if you have any more problems, please post again.


***

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #244 on: May 01, 2009, 10:46:25 AM »

Well, in those steps there is nothing; Avira Rescue System has covered all generations of Virut and it must work. Anyway, if it doesn't work, at least it would not corrupt anything.

Hope it works for you.
Twitter: OmidFarhangEn - OS: Manjaro KDE

dannyman12345

  • Guest
Re: Malware name Win32:Vitro
« Reply #245 on: May 02, 2009, 05:23:13 PM »
Hello guys,

I also had the w.32.vitro virus and it did a hell of a lot of damage.
I am recovered now: I formatted all my partitions and reinstalled Windows.

Now, I have 2 hard drives. The second hard drive I can't format in DOS, because in DOS it is not shown. In Windows I have to install a mass storage device first, then Windows can see the other drive.

Since the partitions on the second drive are not formatted yet, I am afraid that when I install the driver, the stations will be infected and I can start all over again.

I have avast Home Edition installed.

What is the safest way to complete this?

Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #246 on: May 03, 2009, 12:24:23 AM »
Hi dannyman12345,

I think the safest way is to do this completely with the system fully unconnected in SAFE MODE, and then scan everything with an updated av solution like DrCureIt from a dvd/cd you have burnt from a known uncompromised system. Only when all is clear can you run it in normal mode again, else you can get reinfected in the blink of an eye, because the virus stays in memory, so in between boots take the current off (interrupt the power, please).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kris84

  • Guest
Re: Malware name Win32:Vitro
« Reply #247 on: May 04, 2009, 09:14:55 AM »
Hi All, I recently got infected by this virus. After reading all of the posts I have decided to go with the formatting option. I understand this virus is still very much undiscovered and new attack zones are being found every day. But what I would really like to know is if it will/has/can infect my pics? Most if not all are JPEG files. They are photos of my children so I would be shattered if I had to lose them all! I am also very unclear where I could have picked this up from, as we only use the internet for Ebay, bank, Facebook and Hotmail. I am more than happy to lose everything else on my computer, just not my photos. Please, if someone could answer my question I would be ever so grateful!
TY to everyone who has posted how they removed the virus, as it has given me options! Kris

Offline Omid Farhang

Re: Malware name Win32:Vitro
« Reply #248 on: May 04, 2009, 09:18:19 AM »

No, it would not. As happened to me, it only infected .exe files on my computer, on all partitions :)
But while taking the backup, make sure your backup target doesn't get infected.

kris84

  • Guest
Re: Malware name Win32:Vitro
« Reply #249 on: May 05, 2009, 02:27:54 AM »




Thanks for that, Omid!! :)

kris84

  • Guest
Re: Malware name Win32:Vitro
« Reply #250 on: May 05, 2009, 04:40:20 AM »
Hi again all, I have a prepaid internet USB dongle. All the programs needed to run it are stored on the dongle; they are .exe. I am unsure if I can get them replaced! What are the chances that my dongle is infected? We are going to experiment with a spare HDD and see if it gets infected from the dongle! If I find out before anyone here replies, I will post results for others. Wish me luck!!!

kris84

  • Guest
Re: Malware name Win32:Vitro
« Reply #251 on: May 06, 2009, 02:37:20 AM »



Well, I did it and great news: it seems my internet dongle was not infected!!! Hooray!!!

RaconRC

  • Guest
Re: Malware name Win32:Vitro
« Reply #252 on: May 12, 2009, 09:29:32 PM »
Is this virus also spyware?

kithoo

  • Guest
Re: Malware name Win32:Vitro
« Reply #253 on: May 21, 2009, 12:29:50 AM »
Hi everyone, I just got hit by this this morning. I've tried basically nothing whatsoever besides running MalWareBytes - which did nothing.

So I come to you guys, to give me, basically, a step by step of what I need to do to recover from this. 

I have another computer, which is connected to the same network as the infected PC - this is a standard home network through a regular old router. Is it now infected? I don't have any form of open filesharing or anything running and it hasn't run any executables that are from the infected PC.

I just installed Avast! personal edition and got a HJT log - so here we go.  What should I do?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:09 PM, on 5/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Games\Impulse\Now\ImpulseNow.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Users\Edward\Desktop\RootkitRevealer.exe
C:\Windows\system32\UI0Detect.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\cFosSpeed\cfosspeed.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Edward\Downloads\avast_home_setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QT Lite\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Launch LgDevAgt] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'Default user')
O4 - Startup: ImpulseNow.lnk = C:\Games\Impulse\Now\ImpulseNow.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: *.gametap.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA7EE8F8-C85E-46A2-AF4D-C6DB7D6FB181}: NameServer = 205.152.150.23,205.152.132.23
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JG - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\JG.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: PS3 Media Server - Unknown owner - C:\Program Files\PS3 Media Server\win32\service\wrapper.exe (file missing)
O23 - Service: QWNCHHQP - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\QWNCHHQP.exe
O23 - Service: R - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\R.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7249 bytes


EDIT - I am willing to format, but I want to make sure that I do it properly.  I'd like to migrate to Windows 7 64 bit anyway, so it works out in the long run, I just dread having to do all the reinstalling twice.  I should also say that it only pops up a single window, one time, on reboot.  It doesn't seem to be doing much of anything else, so I can probably live with it for a short while if I must.
« Last Edit: May 21, 2009, 12:32:41 AM by kithoo »

CharleyO

  • Guest
Re: Malware name Win32:Vitro
« Reply #254 on: May 21, 2009, 08:22:27 AM »
***

Welcome to the forums, kithoo.   :)

An analysis of your HJT log shows the following problems :

It seems that you don't use an anti-virus scanner or your scanner is not active. Only an anti-virus scanner can protect you against new viruses.

We didn't detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall. Perhaps you are using Vista's firewall?

O4 - HKUS\S-1-5-18\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'SYSTEM')
BAD entry that should be fixed. No search results.

O4 - HKUS\.DEFAULT\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'Default user')
BAD entry that should be fixed. No search results.

O15 - Trusted Zone: *.gametap.com
Questionable entry because it is in the trusted zone. If you didn't add '*.gametap.com' to your trusted pages, it should be fixed.

O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} (GameTap Web Updater) - http://archives.gametap.com/static/cab_headless/GameTapWebUpdater.cab
Questionable entry. Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{EA7EE8F8-C85E-46A2-AF4D-C6DB7D6FB181}: NameServer = 205.152.150.23,205.152.132.23
Do you know the IP or Domain '205.152.150.23,205.152.132.23'? If not, fix this entry. This could be your ISP service. Are you a BellSouth/ATT customer?

O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
BAD entry that should be fixed. The filename is associated with the malware groups: Worm, Cloaked Malware
http://www.prevx.com/filenames/X95523613197856939-X1/TESTABD.DLL.html
Related to: Virus.Win32.Virut.ce
http://www.precisesecurity.com/files-process/2009/05/04/testabd-dll/

The next 2 entries are questionable and possibly bad but, since they are both related to Sysinternals, please wait for comments from others before fixing the 2 entries below.

O23 - Service: JG - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\JG.exe
The unsafe files using this name are associated with the malware group: Cloaked Malware
http://www.prevx.com/filenames/147413771515036476-X1/JG.EXE.html

O23 - Service: QWNCHHQP - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\QWNCHHQP.exe
No search results found.

~~~

Overview of running tasks :

Process | Type | Description
taskeng.exe | System task | Task Scheduler Engine
Dwm.exe | System task | Desktop Window Manager
Explorer.EXE | System task | Microsoft Windows Explorer
firefox.exe | Application | Mozilla Firefox
MSASCui.exe | Anti Add/Spyware software | Microsoft Windows Defender Antispyware
RtHDVCpl.exe | System task | High definition audio codec driver from Realtek Semiconductor
VCDDaemon.exe | Backgroundtask | Elaborate Bytes Virtual CloneDrive
BJMYPRT.EXE | Driver | Canon My Printer
CNMNSUT.EXE | Unknown task | Unknown task
jusched.exe | Backgroundtask | Sun Java Update Scheduler
iTunesHelper.exe | Application | Apple Itunes
LGDevAgt.exe | Unknown task | Unknown task
LCDMon.exe | Backgroundtask | Logitech G-series LCD Monitor
LGDCore.exe | System task | Driver/utility for Logitech G-Series gaming keyboards and mice
wmpnscfg.exe | Backgroundtask | Windows Media Player Network Sharing Service Confi
ImpulseNow.exe | Unknown task | Unknown task
mobsync.exe | System task | Microsoft Synchronization Manager
LCDMedia.exe | Backgroundtask | Logitech G-series Media Display
LCDClock.exe | Driver | Logitech G-series LCD Clock
RootkitRevealer.exe | Unknown task | Unknown task
UI0Detect.exe | Unknown task | Unknown task
DTProShellHlp.exe | Unknown task | Unknown task
cfosspeed.exe | Unknown task | Unknown task
javaw.exe | Application | Sun Java
SearchFilterHost.exe | System task | Microsoft® Windows® Operating System
avast_home_setup.exe | Unknown task | Unknown task
HijackThis.exe | Application | Merijn Hijackthis


***
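
The checks applied by hand in Reply #254 (Run values with no name, autorun targets and service binaries in a Temp folder, a populated AppInit_DLLs), written out as an added example that is not part of any post in this thread. The function name `triage`, the reason strings and the heuristics themselves are assumptions chosen for illustration; the sample lines are copied from the log kithoo posted, and a hit means "review this entry", not "confirmed malware".

```python
import re

# Sample input: lines copied from the HijackThis log in Reply #253.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\Windows\TEMP\x9yw2d.exe (User 'Default user')
O20 - AppInit_DLLs: c:\progra~1\ThunMail\testabd.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: JG - Sysinternals - www.sysinternals.com - C:\Users\Edward\AppData\Local\Temp\JG.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# A path component named Temp or Tmp, in any letter case.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - \S+\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def triage(log_text):
    """Return (section, reasons, line) for every log line worth a manual look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        run = O4_RUN.match(line)
        if run:
            # Legitimate installers give their autorun value a name.
            if not run.group("name").strip():
                reasons.append("autorun value has no name")
            if TEMP_DIR.search(run.group("cmd")):
                reasons.append("autorun target is in a temp directory")
        elif line.startswith("O20 - AppInit_DLLs:"):
            # DLLs listed here are loaded into every process that loads user32.dll.
            dll = line.split(":", 1)[1].strip()
            if dll:
                reasons.append("AppInit_DLLs is populated: " + dll)
        elif line.startswith("O23 - Service:"):
            # The binary path is the last " - " separated field.
            path = line.rsplit(" - ", 1)[-1]
            if TEMP_DIR.search(path):
                reasons.append("service binary is in a temp directory")
        if reasons:
            findings.append((line.split(" - ", 1)[0], reasons, line))
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(section, "|", "; ".join(reasons))
        print("    " + line)
```
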