Author Topic: Win32:Vitro..keylogger?  (Read 11395 times)

Offline Tang_ed@cox.net

  • Newbie
  • *
  • Posts: 5
Win32:Vitro..keylogger?
« on: February 26, 2009, 02:04:10 AM »
I woke up this morning and found my WoW account hacked. The first thing I did was run a scan with Avast and PC Tools Spyware Doctor. Avast alerted me five times that it had found Win32:Vitro and I asked it to delete the files.

I scanned again when I got home from work. Avast and Spyware Doctor both came up clean, so I called Blizzard and reset the password to my account. Within 15 minutes of logging out my password was reset again. So I decided to read up on Win32:vitro. Google brought me here and I'm pretty dismayed at what I've found.

However, recent scans with Avast and Spyware Doctor keep coming up clean and have since five A.M. this morning.

Am I dealing with two separate issues? Is win32:vitro gone? Would it even function as a keylogger?

In addition I've got an external hard drive that has a small executable on it plugged into my machine and my computer is networked with another. Should I wipe all three to ensure Win32:vitro is gone?

My finger is dangling over the reformat button. Any advice would be appreciated before uncertainty drives me back to the abacus.

Offline Jtaylor83

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1068
  • Gender: Male
Re: Win32:Vitro..keylogger?
« Reply #1 on: February 26, 2009, 02:24:50 AM »
Win32:Vitro is a very new file infector from the authors of Virut. Its payload doesn't include keylogging capabilities.

« Last Edit: February 26, 2009, 02:36:04 AM by Jtaylor83 »
Avast 6.0, MalwareByte's Anti-Malware, CCleaner, Defraggler, DownloadHelper, WOT, NoScript, KeyScrambler, Thunderbird, Firefox, Windows XP SP3.

Offline Tang_ed@cox.net

  • Newbie
  • *
  • Posts: 5
Re: Win32:Vitro..keylogger?
« Reply #2 on: February 26, 2009, 02:47:30 AM »
Thanks Jtaylor.

That would mean I'm looking for something else in addition to the Win32:vitro hit from Avast to solve the WoW problem.

Eck. Looks like I may be reformatting anyway.

Offline Jtaylor83

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1068
  • Gender: Male
Re: Win32:Vitro..keylogger?
« Reply #3 on: February 26, 2009, 02:50:53 AM »
You can also use Dr. Web CureIt.

Offline Tang_ed@cox.net

  • Newbie
  • *
  • Posts: 5
Re: Win32:Vitro..keylogger?
« Reply #4 on: February 26, 2009, 02:58:54 AM »
I'll give it a shot.

Thanks again.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Vitro..keylogger?
« Reply #5 on: February 26, 2009, 02:17:48 PM »
Some info on the original detections might be helpful.
Vitro/Virut infects .exe and .scr files (plus some others, .mp3 and .wma files I believe) as you access them, so if you only have 5 infections I would say that is low.

What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx ?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Tang_ed@cox.net

  • Newbie
  • *
  • Posts: 5
Re: Win32:Vitro..keylogger?
« Reply #6 on: February 26, 2009, 04:49:58 PM »
Here are the suspicious log entries. I've included both the Vitro hits and two other recent entries that gave me chills. Thanks for pointing this out.

1/12/2009  5:47 a.m.     AAVM - scanning warning: x_AavmCheckFileDirectEx: Http:guildportal.com/ScriptResource.axd?d=ktu8AZGZYeOFn7iXiJruy6do6nqdrOGnX.
1/25/2009  9:37 a.m.     Sign of JS:FakeAV-F[trJ] has been found in "http://antispywareinternetscan.com/ScriptResource.com/promo/1/freescan.php?nu=77025301" file
2/25/2009  6:45 a.m.     Sign of "Win32:vitro has been found in C:\Dell\drivers \R174572\nvlddmkm.sy_\nvlddmkm.sy file
2/25/2009  6:46 a.m.     Sign of "Win32:vitro has been found in C:\Dell\drivers \R179640\nvlddmkm.sy_\nvlddmkm.sy file
2/25/2009  6:47 a.m.     Sign of "Win32:vitro has been found in C:\Dell\drivers \R174572\nvlddmkm.sy_\nvlddmkm.sy file
2/25/2009  7:05 a.m.     Sign of "Win32:vitro has been found in C:\Windows\System32\DriverStore\FileRepository\nvdd.inf_5c3ce63\nvlddmkm.sys file
2/25/2009  7:07 a.m.     Sign of "Win32:vitro has been found in C:\Windows\System32\DriverStore\FileRepository\nvdd.inf_e129fabf\nvlddmkm.sys file


Thanks for the help so far guys. Hopefully this can shed some light on things.

Edit:

After reading this thread:

http://forum.avast.com/index.php?topic=42926.0

I'm wondering if this could be a false positive. I'm looking at a reformat of my hard drive either way. My real concern is with some of the horror stories about Vitro circulating that have implied that it could have infected my entire network. Both computers are running fine after nearly 36 hours. No other .exe files have come up as infected. Regular and boot scans with every AV and anti-spyware tool I can lay hands on turn up nothing.

From the way others have described Vitro, I should be in serious trouble right now...right?

I plan to reformat tomorrow. Whatever it is, it can't be found, and my account has been hijacked a second time after having the password reset.

Nothing else (banks, other subscription sites, etc.) has been messed with. This leads me to believe that only the one computer is infected and the laptop and networked drive are fine.

We're getting a little off topic, but any further insight you guys could offer would be awesome.
« Last Edit: February 26, 2009, 05:35:45 PM by Tang_ed@cox.net »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Vitro..keylogger?
« Reply #7 on: February 26, 2009, 05:29:32 PM »
Yes it does, since these Win32:vitro detections are on Dell copies of nvidia driver files.

Example:
C:\Dell\drivers \R179640\nvlddmkm.sy_\nvlddmkm.sy

There has been an acknowledged false positive on those, so deletion wasn't a good decision (you have none left); the recommended action is normally given as "move to the chest", and that is by far the best.

So that's the bad news out of the way; the good news is your system isn't infected with Win32:vitro, a pretty virulent infection that would most certainly lead to a reformat and reinstall.

The JS:FakeAV-F[trJ] detection certainly looks good.
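The log entries Tang_ed posted in Reply #6 and DavidR's reading of them in Reply #7 (Win32:vitro hits on Dell copies of the nvidia driver are an acknowledged false positive, the JS:FakeAV-F hit is a blocked URL, and a chest move beats deletion because it can be undone) can be turned into a small triage script. The following Python is an added example, not code from the thread or from avast. It assumes the rough line shape shown in the thread, takes the false-positive rule (nvlddmkm driver copies under C:\Dell\drivers and the Windows DriverStore) from DavidR's post as an assumption rather than an avast-confirmed list, and runs on constructed sample lines, including one made-up hit on C:\Games\launcher.exe so the non-false-positive branch is exercised.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# One avast Log Viewer "Warning" entry, in the shape quoted in the thread.
# The quotes are optional because the pasted lines had them in odd places.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+'
    r'(?P<time>\d{1,2}:\d{2}\s*[ap]\.m\.)\s+'
    r'Sign of "?(?P<sig>[^"\s]+)"? has been found in "?(?P<path>.+?)"? file\s*$'
)

# Assumption: the "acknowledged false positive" DavidR describes covers
# Win32:Vitro hits on nvlddmkm driver copies in Dell driver packages and in
# the Windows DriverStore. Anything else is treated as a genuine detection.
FP_DIRS = (r"c:\dell\drivers", r"c:\windows\system32\driverstore\filerepository")
FP_BASENAME = "nvlddmkm."

# Constructed sample, mirroring the entries in the thread plus one made-up
# hit on an ordinary executable (C:\Games\launcher.exe).
SAMPLE_LOG = r"""1/12/2009  5:47 a.m.     AAVM - scanning warning: x_AavmCheckFileDirectEx: Http:guildportal.com/ScriptResource.axd
1/25/2009  9:37 a.m.     Sign of JS:FakeAV-F[trJ] has been found in "http://antispywareinternetscan.com/ScriptResource.com/promo/1/freescan.php?nu=77025301" file
2/25/2009  6:45 a.m.     Sign of "Win32:vitro has been found in C:\Dell\drivers \R174572\nvlddmkm.sy_\nvlddmkm.sy file
2/25/2009  7:05 a.m.     Sign of "Win32:vitro has been found in C:\Windows\System32\DriverStore\FileRepository\nvdd.inf_5c3ce63\nvlddmkm.sys file
2/26/2009  8:10 a.m.     Sign of "Win32:vitro" has been found in "C:\Games\launcher.exe" file
"""


@dataclass
class Detection:
    when: datetime
    signature: str
    path: str
    verdict: str  # "acknowledged_fp", "web_shield" or "genuine"


def classify(sig: str, path: str) -> str:
    """Bucket a detection using the thread's false-positive rule."""
    if path.lower().startswith(("http://", "https://")):
        return "web_shield"  # blocked URL, nothing written to disk
    p = path.lower().replace(" \\", "\\")  # tolerate the stray space in the pasted paths
    basename = p.rsplit("\\", 1)[-1]
    if (sig.lower() == "win32:vitro"
            and basename.startswith(FP_BASENAME)
            and p.startswith(FP_DIRS)):
        return "acknowledged_fp"
    return "genuine"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one warning line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. the AAVM scanning-warning line
    # "6:45 a.m." -> "6:45 AM" so strptime can read it
    clock = re.sub(r"\s+", " ", m["time"]).replace(".", "").upper()
    when = datetime.strptime(f'{m["date"]} {clock}', "%m/%d/%Y %I:%M %p")
    return Detection(when, m["sig"], m["path"], classify(m["sig"], m["path"]))


def recommended_action(d: Detection) -> str:
    """DavidR's advice: quarantine (chest) rather than delete, so a false
    positive can be restored later; a URL block needs no file action."""
    return "none" if d.verdict == "web_shield" else "move_to_chest"


def triage(log_text: str) -> Dict[str, List[Detection]]:
    """Parse the whole log and group detections by verdict."""
    out: Dict[str, List[Detection]] = {"acknowledged_fp": [], "web_shield": [], "genuine": []}
    for line in log_text.splitlines():
        d = parse_line(line)
        if d:
            out[d.verdict].append(d)
    return out


if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_LOG).items():
        for d in hits:
            print(f"{d.when:%Y-%m-%d %H:%M}  {verdict:15} {recommended_action(d):13} {d.signature}  {d.path}")
```

Only the genuine bucket needs attention; the driver-copy hits are the ones DavidR says should have gone to the chest, and the URL block is the web shield doing its job. The rule list is deliberately narrow: a Vitro hit on any other executable is reported as genuine, which matches DavidR's point that a real Virut infection spreads to .exe and .scr files as they are opened.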

Offline Tang_ed@cox.net

  • Newbie
  • *
  • Posts: 5
Re: Win32:Vitro..keylogger?
« Reply #8 on: February 26, 2009, 05:38:26 PM »
Looks like you posted that during my meandering edit David. =)

I'll look into that hit when I get off work.

Thanks for the good news. I'll remember the vault from now on.
« Last Edit: February 26, 2009, 05:41:14 PM by Tang_ed@cox.net »

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Win32:Vitro..keylogger?
« Reply #9 on: February 26, 2009, 06:58:44 PM »
Yes, you have to be quick on the forums ;D

Offline nikornkpk

  • Newbie
  • *
  • Posts: 1
Re: Win32:Vitro..keylogger?
« Reply #10 on: March 01, 2009, 11:44:28 AM »
To clear the Win32:Vitro virus: first start Windows in safe mode. Use Avast with the latest virus database update. Scan and delete all infected files, and scan with Malwarebytes too; Malwarebytes will help more. If scanning with Avast finds many infected files in the Windows system folder and Windows cannot start, the second way is to reformat the hard drive and reinstall Windows. I had success with the first method. After that I updated the Avast virus data files every day and scanned every day (for 2 or 3 days); I found it helps.

Offline ubuntu8787

  • Newbie
  • *
  • Posts: 1
Re: Win32:Vitro..keylogger?
« Reply #11 on: April 14, 2009, 06:53:27 PM »
The easiest way to get rid of ALL viruses and have a 100% safe environment is to format all your hard drives and install UBUNTU Linux. It's been 3 years since I have had NO worries about viruses and all that stuff :) (sadly, my Windows got infected today, so I decided I'll NEVER ever use Windows as an OS again). Faster, better, more reliable and secure. Thanks Ubuntu

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64881
  • Gender: Male
Re: Win32:Vitro..keylogger?
« Reply #12 on: April 14, 2009, 07:04:47 PM »
Quote from: ubuntu8787
The easiest way to get rid of ALL viruses and have a 100% safe environment is to format all your hard drives and install UBUNTU Linux. It's been 3 years since I have had NO worries about viruses and all that stuff :) (sadly, my Windows got infected today, so I decided I'll NEVER ever use Windows as an OS again). Faster, better, more reliable and secure. Thanks Ubuntu
You could use avast for Linux ;)
I use Kubuntu 8.10 and I'm waiting for 9.04 version ;)
The best things in life are free.

Offline Keena

  • Newbie
  • *
  • Posts: 16
Re: Win32:Vitro..keylogger?
« Reply #13 on: April 14, 2009, 08:05:31 PM »
Hey Tang.

I don't have any advice to give as I am seeking help of my own, but I just wanted to say that I feel for you about your WoW account. I wish you the best of luck in getting the mess cleaned up! Hope it goes well.

Offline Torsti2003z

  • Newbie
  • *
  • Posts: 1
Re: Win32:Vitro..keylogger?
« Reply #14 on: May 05, 2009, 03:03:51 PM »
About Win32:Vitro: it is an extremely dangerous virus. I have stumbled upon many trojans and viruses and Avast has always blocked / taken care of them without problems. But it could do nothing against Virut. It just notified me of infected files, and the notifications went on and on and on. Scanning apparently only spread the virus more, so I finally was forced to format everything I had on my PC. (My stupidity was that I was running with admin rights, which I will not do on a regular basis ever again.)

It is not certain that safe mode removal will help either. The best bet is to find a non-infected computer, burn a bootable antivirus CD, and then scan the infected PC with that. Then do a Windows repair.
