Topic: Got the Win 32:vitro; now Windows won't load

takepityonme

  • Guest
Got the Win 32:vitro; now Windows won't load
« on: May 18, 2009, 12:15:03 AM »
Hi,

I got a malicious virus on my PC last night (I think it said win 32:vitro trojan-gen).  Nasty thing that kept popping up alerts to move things into the chest.  I did so, and then avast asked me to reboot so that it could do a scan pre-windows.  I did so, and it proceeded to find a lot of programs infected while scanning before Windows loaded.  I assumed the correct course of action was to move items to the chest.  It indicated several programs were infected and probably was at work for at least 2 hours.

Now the computer hangs.  It'll boot up, get to the "pastoral" background of windows, but nothing loads up - no icons, no start bar, nothing.  I can move the cursor with the mouse, but that's it.  It boots to the "welcome" message, then loads up the windows background and then does nothing.  I assume some programs instrumental to the startup have been put in the chest or something.

I have two separate HDs on this PC, so I made the infected HD the slave and am typing this on the infected PC, but with the 2nd HD as the primary HD.

Is there a way to get the other HD running with Windows?  Can I just scan it again using avast?  Any help would be appreciated.  There is a lot of important info on that drive so I really need to rescue it.

Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: Got the Win 32:vitro; now Windows won't load
« Reply #1 on: May 18, 2009, 12:28:16 AM »
Hi takepityonme

For info: http://forum.avast.com/index.php?topic=42709.0
You should have switched to SafeMode upon detection. After a while that vitro has had his way with your executables etc., and your OS may be beyond repair because of this very destructive buggy file-infector, and the only remedy might be a fdisk, format, reinstall total recall action. Further, do not re-connect anything that could be infected back onto that machine after cleansing (peripherals, pendrive and files etc.) because a reinfection may be imminent.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89125
  • No support PMs thanks
Re: Got the Win 32:vitro; now Windows won't load
« Reply #2 on: May 18, 2009, 12:46:29 AM »
Sorry to have to be the 2nd bearer of bad news, but this vitro is even worse than virut, a variant of it. It is a very virulent virus and infects .exe files as you use your system, and avast is reacting to these as they are infected, and you eventually get to the point where all system .exe files could be infected, resulting in what you experienced: a trashed system.

If you check the forums for virut or vitro you will see those who don't catch it very early, e.g. the actual file infector and not just as the .exe files are infected, end up with no other course of action but a format and reinstall.

You can try this tool to see if it can repair any infected files on the previous master HDD - DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free) Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode.

DrWeb also do a Live CD if you are unable to get into your system see, http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

Try to back-up what data files you have, but you have to exercise care not to back-up .exe, .htm, .html or .scr files. Whilst the above mentions .mp3 and .wma files I'm not 100% on if these are actually at risk (but you would still have to be careful).

The DrWeb Live CD may be a good starting point for both your old master HDD to see if a) any files are found to be infected and b) if it can repair them in situ before backing-up. This might help confirm if any media files have been infected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
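The back-up advice in the reply above (keep data files, leave .exe, .scr, .htm and .html behind, treat media files with caution) can be scripted. This is an added example, not part of the original thread: the directory names and sample files are constructed, and the check for the `MZ` executable header is an extra safeguard assumed here, not something the posters describe.

```python
import shutil
import tempfile
from pathlib import Path

# Extensions the thread says not to back up, and media types it is unsure about.
SKIP_EXT = {".exe", ".scr", ".htm", ".html"}
REVIEW_EXT = {".mp3", ".wmv", ".wma"}


def classify(path: Path) -> str:
    """Return 'skip', 'review' or 'copy' for one file on the infected drive."""
    if path.suffix.lower() in SKIP_EXT:
        return "skip"
    # Assumption added here: a file starting with the DOS/PE magic "MZ" is an
    # executable whatever its extension says, so it is skipped as well.
    with path.open("rb") as fh:
        if fh.read(2) == b"MZ":
            return "skip"
    if path.suffix.lower() in REVIEW_EXT:
        return "review"
    return "copy"


def salvage(src: Path, dst: Path) -> dict:
    """Copy data files from src to dst; files are only read, never executed."""
    report = {"copy": [], "review": [], "skip": []}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        verdict = classify(path)
        rel = path.relative_to(src)
        report[verdict].append(rel.as_posix())
        if verdict == "copy":
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
    return report


def demo() -> dict:
    """Run against a constructed directory tree standing in for the slave drive."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "infected"), Path(tmp, "rescued")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0 constructed")
        (src / "setup.exe").write_bytes(b"MZ constructed")
        (src / "photo.jpg").write_bytes(b"MZ constructed, wrong extension")
        (src / "index.html").write_bytes(b"<html></html>")
        (src / "song.mp3").write_bytes(b"ID3 constructed")
        report = salvage(src, dst)
        report["rescued"] = sorted(p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file())
        return report
```

Files reported under `review` are left on the source drive until a scanner has cleared them.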

takepityonme

  • Guest
Re: Got the Win 32:vitro; now Windows won't load
« Reply #3 on: May 18, 2009, 01:27:09 AM »
Guys,

Thanks for the quick replies.  Just to make sure I understand, is it ok to copy over non-executable files that I want to keep (e.g. pictures, videos, word files, etc.)?  Please confirm.

I don't mind restarting from scratch - just want to save the pictures, documents, etc. that are irreplaceable.

Thanks.  I'll try the programs you referenced first.

takepityonme

  • Guest
Re: Got the Win 32:vitro; now Windows won't load
« Reply #4 on: May 18, 2009, 01:33:11 AM »
Ok, I ran that drweb virus program, but how do I get it to run on my infected SECONDARY drive?  That drive that is running windows currently is fine; the one that was formerly the primary (and infected) is now the secondary f:/ drive.

Thanks.

Online DavidR

Re: Got the Win 32:vitro; now Windows won't load
« Reply #5 on: May 18, 2009, 03:14:46 AM »
That is my understanding, non-executables, but technically .htm, .html, .mp3 and .wmv aren't executable (as they don't run independently but through another application), but could possibly be infected.

Well I would have thought if you have two drives it would scan both. I have never used it, have you not downloaded the associated pdf documentation that I gave the link for?

takepityonme

  • Guest
Re: Got the Win 32:vitro; now Windows won't load
« Reply #6 on: May 18, 2009, 04:25:34 PM »
Thanks.  The scan ran and I have several options.  There were several exe files found to be infected.  Do I:

- cure, remove move or delete?

Also, are these programs salvageable, or infected forever?

I'm guessing I need to just cut my losses and wipe the drive after saving my important documents and files.  Any advice as to which clean-up option I should pick would be appreciated.  Thanks.

Online DavidR

Re: Got the Win 32:vitro; now Windows won't load
« Reply #7 on: May 18, 2009, 05:27:19 PM »
Try the cure first, but (no guarantees, like all things in life) there are times when even that doesn't work as this uses encryption to try and stop it from being repaired and vitro is another stage up from virut which DrWeb had some reasonable success with.

Many find that once it gets a grip you are fighting an uphill battle, so it is important to salvage what you can, to make any re-installation less painful.

Like data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don't want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

Some have gone down the scorched earth policy with an fdisk (low level disk format), followed by the format (fat32/NTFS, etc.) and then re-installation. Fortunately I have never had to go down that path, so I haven't a great deal of practical experience. I know it was bad enough when I got this system almost a year ago when the only thing on it was the OS, but I was well prepared and not under this kind of duress.

~~~~
Pre-emptive measures for the future:
I would suggest you also look at disk imaging software. I use Drive Image 7.1, the last version by PowerQuest before it was bought by Symantec and merged into its Norton Ghost disk imaging software; another option is Acronis True Image. There are others, most of them are paid options.

I take an image back-up of my primary hard disk partitions every week as part of my system maintenance. This is saved to my second HDD or it can also be written to a DVD. I also back-up volatile data files, .doc, .xls, etc. along with emails, bookmarks, address book, registration keys, etc. (anything you don't want to lose) every day sometimes several times a day.
So if I experience a problem like yours (haven't to date) then I just restore my last back-up disk image (takes about 15 minutes) followed by the last daily data back-up (takes seconds rather than minutes) and I will have lost virtually nothing.

Compare that with your experience and the money I paid for my disk imaging software would have paid for itself if it had to be used just once if you valued your time at just £5 per hour. I have had to use it several times (not virus related) where it has hauled my a** out of the fire, it is an absolute god send.

takepityonme

  • Guest
Re: Got the Win 32:vitro; now Windows won't load
« Reply #8 on: May 18, 2009, 05:30:45 PM »
Thanks for the prompt reply.  But if I use that HDD backup software, won't it back up potentially some bad viruses as well?  Is it better to manually save files?

Also, any idea how to save the emails I've kept in Outlook folders?  Remember that the HD with the Outlook is on my slave drive.

Many thanks.

Online DavidR

Re: Got the Win 32:vitro; now Windows won't load
« Reply #9 on: May 18, 2009, 06:04:57 PM »
As I said I take regular back-up of the imaging software, weekly and I keep the last 5 weeks worth. How long did it take you to find out you had a problem, I would believe it would be less than a week. So going back to that one should see you in the clear, so what if it doesn't, I go back to the next and the next, etc.

It is an exact copy of your partition/drive, that is why it is called an image, now tell me that 'isn't' better than manual back-up ;D

Did you not notice that I also do manual back-ups:
Quote from: DavidR
I also back-up volatile data files, .doc, .xls, etc. along with emails, bookmarks, address book, registration keys, etc. (anything you don't want to lose) every day sometimes several times a day.

So it isn't a one or the other as data files are more volatile I want to back them up more frequently than once a week.

You can't back-up individual emails as OE doesn't store them as individual emails but in database files, these are .dbx files so a search for *.dbx would show where they are.

takepityonme

  • Guest
Re: Got the Win 32:vitro; now Windows won't load
« Reply #10 on: May 18, 2009, 06:50:44 PM »
David,

Thanks for the reply.  Since I haven't been making an image of my HD regularly, do you suggest just copying over the non .exe files that I deem irreplaceable onto a safe drive, and then remaking the infected one?

Also, I use Outlook, not Outlook Express.  Does that make a difference in terms of recovering my folders/emails?

Thanks.

Online DavidR

Re: Got the Win 32:vitro; now Windows won't load
« Reply #11 on: May 18, 2009, 07:17:24 PM »
I have already suggested that I believe.

Yes it makes a difference as Outlook used .pst files.