Author Topic: Malware name Win32:Vitro

DeltaSystems

  • Guest
Re: Malware name Win32:Vitro
« Reply #315 on: July 28, 2009, 03:26:21 PM »
As much as I'd like to say I'm blessed with better fortune than everyone else... I'm not. I probably know what's coming and the only solution to this, but anyway:

My entire computer is overrun with the WIN32:Vitro virus; 99% of my operating system and 72% of my files are completely infected. Currently I'm sending this message from Safe Mode, as it's the only way to run my PC at this point, since the PC freezes up on the start-up screen on a normal boot.

Unfortunately I'm not one of the people graced with having an operating system CD, therefore reformatting my whole drive isn't an option... Are there any new solutions to deal with this FUBAR virus?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #316 on: July 28, 2009, 03:47:20 PM »
With this level of infestation your system is virtually unrecoverable. As you see in this topic, Vitro is extremely difficult to clean: the virus uses encryption, making repair of an infected file almost impossible. Once it gets this established you are talking about saving what data files are important (bearing in mind that .exe, .scr and .htm/.html documents are targets) before formatting and starting from scratch.

I have no idea why you don't have an OS CD and I won't probe, but you need one, as every time you open a file which is a target of Vitro it will become infected. So you are going to have to get an OS CD, as that really is the only option you have.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DeltaSystems

  • Guest
Re: Malware name Win32:Vitro
« Reply #317 on: July 28, 2009, 03:58:40 PM »
Well, the reason why I don't have one is that the maker of my PC didn't send me the backup copy of my Windows operating system when they shipped it to me. But if that's the only solution, then I guess I'll have to call Dell and see if I can have it shipped out to me, or go out and buy a new OS CD.

Wow... what a mess this virus is weaving... Alright, thanks.

Once I reformat, what can be done in terms of avoiding another infection like this? This will get old real fast, having to lose data to this every time.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Malware name Win32:Vitro
« Reply #318 on: July 28, 2009, 04:08:31 PM »
Dell should usually have a recovery CD and/or a recovery partition which should restore your system to how it was when it left Dell.

There is no simple answer to your one-line question "Once I reformat, what can be done in terms of avoiding another infection like this?"

It requires that you have a good level of security: a firewall that also provides outbound protection, an anti-virus like avast (see my signature below). Above all, keep your OS and security applications fully up to date, avoiding vulnerabilities in out-of-date applications. I would also suggest a regular visit to this site, which scans your system for out-of-date programs that have patches to close vulnerabilities: http://secunia.com/software_inspector/. If all else fails, a robust back-up and recovery strategy.

-- SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

1. Back up all the things that you don't want to lose: data files like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. The list goes on and on, but if you don't want to lose it, back it up. There are many back-up programs that can simplify this task and run it every day.

2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (drive imaging software) that take exact images of your partitions or hard disks, and these images can be restored in minutes if you suffer a major catastrophe, and that doesn't have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, as part of my weekly system maintenance; they can also be saved to off-line storage: DVD, USB external hard disk, etc.

So if the worst comes to the worst, at most I lose:
A. 6 days' worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. Less than one day's data files, emails, etc.
None of these is a problem, and it is much quicker than a system reinstall: I don't have to go on-line to download the myriad of security updates needed to secure my system, where there is a chance of getting reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention that all my system tweaks and program settings are retained, and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost money; there are some free ones, but it will take some research on your part to find these tools and decide what is best for you from reviews, user feedback, etc. Good luck.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Malware name Win32:Vitro
« Reply #319 on: July 28, 2009, 05:57:27 PM »
Hi DeltaSystems

DavidR is correct, your operating system is virtually unrecoverable. However, this does not mean totally unrecoverable.
If you so wish, you might like to take the opportunity to get in some practice at malware fighting.

Save what you can of your data and picture/music/video files while in Safe Mode.

Run a boot-time scan - set your schedule in Safe Mode.

Firstly, turn off System Restore - right-click My Computer, go to Properties, then System Restore, check the box to turn it off, click Apply, then OK.

Secondly, schedule your scan - right-click the 'a' avast icon in the system tray at the bottom right corner of the screen and choose Start avast! Antivirus. Once the scanner (radio) is on screen, select Menu and then click Schedule Boot-time Scan from the drop-down menu. Choose Scan of local disks, and the first time through run a Quick (or Standard) scan with the box for archive files checked. For Advanced options, select Ask for action, then click Schedule and then Yes to restart and run the scan.

The boot scan may not run due to your computer being so infected, but if it does, wait for the first instance of malware to be found, then, when asked for action, select Delete all and let the scanner delete all infected user files. Don't worry too much about what is deleted.

When the scan reaches the point where system files are being scanned you will be asked for action once again. This time choose Move all infected files to virus chest and once again let the scanner do its business. This may take a while, so you will have to be patient. At times you may have to choose another option like perhaps Ignore, but use your good sense, and it's also probably best to act on these options individually unless that is too much trouble. But anyway, do your best to get a reasonable scan right through on this first run.

When complete, schedule a boot scan with the Thorough setting, either in Normal Mode if the screen opens, or turn the computer off and schedule once again in Safe Mode. Don't waste any time doing this, just go straight through and run your Thorough scan. Check the archives box again, and this time in Advanced options choose Move infected file to chest / Allow delete or move. Run the scan through but keep your eye on it, and again use your good sense if you come to any trouble spots, and just attempt to get a reasonable scan right through.

Recently I used Sophos Anti-Rootkit as an extra option, so give that a go next.
Download and run it if you can -- http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html. At the end of the scan, Sophos shows suspect files inside the scanner and you will need to click the files to get more information, and make sure to follow the directions from Sophos so you get a good grasp of all the details. Sophos will either recommend or rate or something like that, so you can make an informed choice at clean-up time.

If you get this far you are doing well. At this point, I would download and run an up-to-date MBAM scan -- http://www.filehippo.com/download_malwarebytes_anti_malware/tech/

-- and take action at completion to remove any suspect files.
http://forum.avast.com/index.php?topic=47121.msg396918#msg396918

Post the MBAM log here so avast forum experts can have a look at it. Most of this is for interest value, and there may be some interesting things turned up, but still, we're mainly doing some practice at malware fighting. So the next thing to do is run another avast boot scan using the same settings as last time -- Thorough, archives, Move to chest and Allow move.

If you've got this far, you can probably open up in Normal Mode by now. But don't dilly-dally about; rather, post to the forum and wait for a reply.
« Last Edit: July 28, 2009, 06:01:34 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

emantoyaks

  • Guest
Re: Malware name Win32:Vitro
« Reply #320 on: July 29, 2009, 02:15:50 PM »
Lol... The best solution is to go to Safe Mode: just restart your PC and press F8 or F5, then download this Virut Removal Tool and run it.

To remove the virus, use this combination of 3 tools to remove it:

http://www.avg.com/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe
http://www.scanforfree.com/download/win32-virut-gen-5-remover.php
http://download.norman.no/public/Norman_Virut_Cleaner.exe

Note: Make sure you are in Safe Mode...
So don't worry, because there is a way to remove this Fucking Virus...

by: http://emantisoy.vze.com
« Last Edit: July 29, 2009, 02:27:39 PM by emantoyaks »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #321 on: July 29, 2009, 02:46:42 PM »
Quote
Lol... The best solution is to go to Safe Mode: just restart your PC and press F8 or F5, then download this Virut Removal Tool and run it.

To remove the virus, use this combination of 3 tools to remove it:

http://www.avg.com/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe
http://www.scanforfree.com/download/win32-virut-gen-5-remover.php
http://download.norman.no/public/Norman_Virut_Cleaner.exe

Note: Make sure you are in Safe Mode...
So don't worry, because there is a way to remove this F***ing Virus...

by: http://emantisoy.vze.com

Well, I hope you may talk more cleanly in a 'public' forum.

About removing Virut/Vitro using tools in Windows Safe Mode: it's not a final solution, because it's a virus that runs in Safe Mode too.
Even trusted antiviruses such as avast or Avira sometimes fail to deal with this virus on an infected system... avast and Avira can both prevent it very well, but if you get infected because of doing something stupid, such as disabling the AV to run a keygen and the like, it would be difficult for your AV to help you get rid of this bad virus.

Usually this virus forces you to re-install your Windows, because it infects system core files and your AV would remove them... so it would be easier to:

do a clean install of Windows; before running anything, install your AV and update it, to prevent Virut coming back from your other hard drive partitions/flash drives etc.; then scan all your other hard drive partitions, flash drives, memory cards etc. and let it remove everything it finds.
Twitter: OmidFarhangEn - OS: Manjaro KDE

emantoyaks

  • Guest
Re: Malware name Win32:Vitro
« Reply #322 on: July 29, 2009, 05:15:43 PM »
Yeah... if the virus will not be killed in Safe Mode, then format your drive C:, and don't forget to back up your infected files, because they may be recoverable; just use the utilities I have given...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Malware name Win32:Vitro
« Reply #323 on: July 29, 2009, 10:16:18 PM »
Hi emantoyaks and Omid Farhang,

Yes, there are more ways to try and tackle this nasty file infector, and during this long thread you find a lot of expertise from the victims that fought this piece of nastiness.
Re: http://www.hm2k.com/posts/win32-virtob-virut-removal
The characteristics of the file infector are well known: it is highly infectious, it spreads like wildfire, and it is so buggy by nature and infects so randomly, "hip-hop-like", that it is capable of ruining an OS beyond repair in no time. Serious infections can therefore be dealt with in a drastic manner - a total recall - fdisk, re-format, re-install, and cleanse every peripheral file of the virus before plugging it back in.
Some very good observations are cleansing in Safe Mode and avoiding a restart/re-boot to avoid additional damage - so one long, long cleansing session in Safe Mode should be preferred. Also the use of a virtual environment like a sandbox is good to throw out the virus after the infector, but on XP the task is difficult because of the Windows file-defending mechanisms and/or the Windows firewall-circumventing tactics of the virus. The malcreant behind this ruining virus must have known this Windows platform like the inner lining of the pockets in his pants to create such an effective piece of malware....

polonus
« Last Edit: July 29, 2009, 10:54:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

emantoyaks

  • Guest
Re: Malware name Win32:Vitro
« Reply #324 on: July 30, 2009, 04:01:03 AM »
Yeah... Honestly, I really was infected with this kind of virus, and it's so hard to remove because it spreads via all executable files; even the WINDOWS and System32 folders are infected. It takes a long time to remove them, but because of some utilities that I have discovered, it's now easy for me to remove it...

The virus is written in assembly language, that's why it's hard to remove. Assembly is the greatest programming language I have ever had....

I want to give 100% grades to the creator of "Virut", because his virus gives me a challenge and he's a kind of genius person, but they do not use his knowledge for good things...

cheers...^^

Maybe this thread is now solved...^^ :)

Remember guys, there is no problem that we can't solve...^^
« Last Edit: July 30, 2009, 04:27:28 AM by emantoyaks »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #325 on: July 30, 2009, 10:27:03 AM »
Quote
...The virus is written in assembly language, that's why it's hard to remove. Assembly is the greatest programming language I have ever had....

I want to give 100% grades to the creator of "Virut", because his virus gives me a challenge and he's a kind of genius person...

Agree!! 100%!!

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Malware name Win32:Vitro
« Reply #326 on: July 30, 2009, 10:53:35 AM »
disagree!! 100%!!

Why? Because I can remember the old times when Z0mbie, Vecna, 29A and other real lords of the VX scene were active... they made their viruses for fun (not for money, botnet building, doing harm to victims' computers etc.)... it was research into Windows weaknesses etc. The author of Virut (and the authors of Sality and similar nasties) are black hats; they are not (white) geeks, they are not even grey...

peter.lock

  • Guest
Fixed ? Time will tell
« Reply #327 on: July 30, 2009, 11:59:16 AM »
Read on the internet today that IE8 is prone to virus attack.
That is the first hint; I noted that the IE7 PCs are not affected.
Next clue: it takes over Windows processes... hm... what can drive Windows processes.

Work done:
Boot Linux.
Copy the following from a clean Windows installation to overwrite the infected Windows files:
c:\windows : explorer.exe
c:\windows\system32 : dllcache folder, win.com, java/w/ws.exe, krnl386.exe, logonui.exe, lsass.exe, ntdll.dll, ole32.dll, rundll32.exe, svchost.exe, tcpsvcs.exe, user.exe, userinit.exe, winlogon.exe, winspool.exe, WISPTIS.exe, WudfHost.exe

Boot Windows.
Downgrade IE8 to IE7.
Run Windows Update, exclude IE8 permanently.
Stop using IE to browse.

Feel free to include more system32 files as you see fit;
I selected the above and Windows booted fine, virus free.

Non-expert... school of hard knocks.
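The offline restore described in the post above, and DavidR's earlier note that .exe, .scr and .htm/.html files are the infector's targets, both call for the same check a practitioner would want before copying anything: compare each file on the mounted, powered-off Windows volume against a manifest of hashes built from a known-clean installation, restore only the files that differ, and verify the copy afterwards. The Python below is an added example for this thread, not code from any poster or from avast; the directory layout, file names and contents are constructed fixtures, and the names `build_manifest`, `check_tree` and `restore_modified` are chosen here. It assumes both trees are mounted read/write under Linux (for example with ntfs-3g), that file names keep their case, and that the clean reference is the same Windows version and service pack as the infected one (otherwise every file will differ).

```python
"""Offline integrity check of a Windows volume against a known-clean tree.

Added example for this thread (not code from any poster). Run from a Linux
boot with the infected volume and a clean reference installation mounted;
the paths and file contents below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# File types named in the thread as targets of the infector; a file with one
# of these suffixes that the clean tree does not have cannot be trusted.
TARGET_SUFFIXES = {".exe", ".scr", ".htm", ".html"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large system files are not read into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(clean_root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file under a known-clean tree."""
    return {
        p.relative_to(clean_root).as_posix(): sha256_of(p)
        for p in sorted(clean_root.rglob("*"))
        if p.is_file()
    }


def check_tree(suspect_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file on the suspect volume.

    modified: listed in the manifest but its hash differs (restore candidate)
    unknown:  a target file type that the clean tree does not have at all
    ok:       byte-identical to the clean copy
    """
    buckets: dict[str, list[str]] = {"modified": [], "unknown": [], "ok": []}
    for p in suspect_root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(suspect_root).as_posix()
        expected = manifest.get(rel)
        if expected is None:
            if p.suffix.lower() in TARGET_SUFFIXES:
                buckets["unknown"].append(rel)
        elif sha256_of(p) != expected:
            buckets["modified"].append(rel)
        else:
            buckets["ok"].append(rel)
    for names in buckets.values():
        names.sort()
    return buckets


def restore_modified(suspect_root: Path, clean_root: Path,
                     manifest: dict[str, str], modified: list[str]) -> list[str]:
    """Overwrite each modified file with the clean copy and verify the result.

    A copy whose hash still differs raises rather than being left in place.
    """
    restored: list[str] = []
    for rel in modified:
        shutil.copy2(clean_root / rel, suspect_root / rel)
        if sha256_of(suspect_root / rel) != manifest[rel]:
            raise RuntimeError(f"hash mismatch after restoring {rel}")
        restored.append(rel)
    return restored


def demo() -> dict[str, object]:
    """Constructed fixture: a tiny 'clean' and 'suspect' tree in a temp dir."""
    work = Path(tempfile.mkdtemp())
    clean, suspect = work / "clean", work / "suspect"
    files = {
        "windows/explorer.exe": b"MZ clean explorer",
        "windows/system32/ntdll.dll": b"MZ clean ntdll",
        "windows/system32/userinit.exe": b"MZ clean userinit",
    }
    for rel, body in files.items():
        for root in (clean, suspect):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
    # Simulate an infector appending to two executables on the suspect volume,
    # plus a screensaver the clean tree lacks and a non-target text file.
    for rel in ("windows/explorer.exe", "windows/system32/userinit.exe"):
        with (suspect / rel).open("ab") as fh:
            fh.write(b"\x90" * 16)
    (suspect / "windows/unknown.scr").write_bytes(b"MZ not in manifest")
    (suspect / "windows/notes.txt").write_bytes(b"not a target type")

    manifest = build_manifest(clean)
    before = check_tree(suspect, manifest)
    restored = restore_modified(suspect, clean, manifest, before["modified"])
    after = check_tree(suspect, manifest)
    shutil.rmtree(work)
    return {"before": before, "restored": restored, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A clean manifest match says only that those particular files are intact. The `unknown` bucket is the honest answer for everything else the infector targets, and nothing here covers drivers, the registry or files outside the manifest, which is why the thread's advice to reinstall from known media still stands once the infection is established.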

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Malware name Win32:Vitro
« Reply #328 on: July 30, 2009, 05:27:25 PM »
Hi Polonus

Quote
and to avoid a re-start/re-boot to avoid additional damage

I don't do my cleaning this way, unless I manage to get the system clean in one wash, which, to tell the truth, is what happens most times anyway. And not that I come across Virut/Vitro either - almost never - but in most of the tougher jobs I do tend to end up with a restart at some time or other.

It makes good sense though to avoid a restart/re-boot. I just haven't struck an ideal way of doing this yet, particularly when I'm using a few different tools and utilities on most jobs. Certainly worth some extra effort on my part to work on this approach. So thumbs up, buddy.

@emantoyaks
Quote
To remove the Virus use this 3 combination to remove them:

http://www.avg.com/filedir/util/avg_rem_sup.dir/rmvirut/rmvirut.exe
http://www.scanforfree.com/download/win32-virut-gen-5-remover.php
http://download.norman.no/public/Norman_Virut_Cleaner.exe
Okay, I guess that's a search-and-destroy mission to frighten even the likes of Virut. But the combo is really only totally effective on the face of things, that is, a total success on paper. In reality the writers of malware take into account the strong points of removal tools, as well as the scripting strategies of (the very best of) anti-malware and antivirus weaponry, and then they lay traps that swallow pieces of the search and upend pieces of the destroy, and so wind the lines of the cleaning operation back in favour of obfuscation and ruin, on all levels except the one that plays the script back into the poison hands of noxious malware perps (well, perhaps not so dramatic an event, pardon my zeal).

The act of subversion by malware is an equally effective operation. I wouldn't go promoting any removal and cleaning combo as the surefire solution to wiping out the likes of Virut and other similar malware. And I wouldn't go near anything put out by AVG. Not even with your computer.
« Last Edit: July 30, 2009, 05:29:19 PM by mkis »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Malware name Win32:Vitro
« Reply #329 on: July 31, 2009, 12:14:15 AM »
Quote
disagree!! 100%!!

When you say that, I can say nothing more, because I trust you; using your product to protect my computer shows that I trust you!! ;)