Vitro

[justinefremlouw]

So, I got infected with vitro yesterday (while my external was plugged in), so I backed up my videos, pics, etc to my probably already infected external anyway, and did destructive recovery.

System seems okay now, and even having my external plugged in and running doesn't seem to reinfect the system (NOTE that I haven't touched the contents of the external yet)  I assume that if it is infected, it is dormant (as Vitro requires execution of an infected file)

Now, I want to be sure that the external is clean, or remove/clean the infected files.  Formatting is not really an option as I have 700 GB of stuff in there.  What I want to know is will Avast detect and clean/remove the infected Virut/Vitro lying dormant in my external?  If not, is there any software that will?  Note that Vitro/virut isn't active as of now

[polonus]

Hi justinefremlouw,

I suggest that you do a full scan with DrWeb's CureIt (free for personal use to disinfect):

http://www.freedrweb.com/download+cureit/  (can run next to avast installed)


polonus

[Pondus]

Virut and other File infectors - Throwing in the Towel?
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html#IDComment15344616

Dealing with the dispicable Vitro / Virut (Win32.Virut) polymorphic virus
http://technosopher.wordpress.com/2009/04/21/vitro-virut-win32/

W32:Vitro (Virut) virus removal
http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=314

[justinefremlouw]

Hi, I've done quick scan with DrWeb's CureIt, complete scan with Avast, and AVZ scan.  I'm pretty sure that my system is clean.
What I'm trying to clean or verify is my external.  I'm currently scanning it with Avast.  Plan to scan it with DrWeb's CureIt and rmvirut after that.

What I want to know is whether these programs will suffice.  Meaning, if they all turned up clean or if they cured/removed the infected files, can I consider my external clean and use it as normal?  I just don't want to transfer the files from my external only to activate the possibly hidden virut again.

[polonus]

Hi justinefremlouw,

Well of course, our friend Pondus, is right in this respect where he cites the MBAM official and well-known malware eliminator, the Belgian lady Miekiemoes, that when an OS has really been compromised with a real virut strain to infect executables only a complete total recall of the OS is an option to restore. Virut has only seen to be adding to long forum threads but I haven't seen the real cure for an infected machine yet because of it's random and utter destruction capabilities, I only suggested drWeb's CureIt because it can establish remainders effectively...and do not forget to stay clean of infected peripherals and sites that harbour the malcode on networks (Intra- & Internet) because that will lead to an immediate re-infection to be back at base 1 immediately and you will come back from 1 to 0 (not a desirable situation),

polonus

[justinefremlouw]

Hmm, I've stated this above, but I will again, I have done Destructive Recovery/System Recovery/Format&Reinstall, etc whatever you want to call it.  Basically, I've wiped my internal HDD clean.

I'm trying to clean a possibly infected external HDD.  The HDD might have a strain of virut, but as of now, it's still dormant (AKA it's not running, it's not infecting any other files, etc) because I haven't touched anything inside of it.

The main reason that Virut is impossible to cure is because it infects more files even as you're curing files.  However, if it's still dormant, complete curing/removing of the infected files should be possible, as no new files are being infected, am I right?

Thanks

[Pondus]

as i understand it, all AV programs will detect virut/vitro ( but cleaning is another case ) so if you scan the external it should be detected if infected....
but maybe Essexboy is the one to answer this

[polonus]

Hi justinefremlouw & Pondus,

I have read that essexboy has come to the same conclusion as we have, as for the time being cleansing an operational system from the destructive virut file infector is no option really... but you can ask if he has arrived at a newer conclusion,

pol

[justinefremlouw]

@Pondus: Yes, this is exactly what I was asking.  I want to know if Avast can sufficiently detect all variants of Virut/Vitro.  Or if not, another program that can...

As for cleaning, even were it not possible, I could still delete the infected files and salvage some of my 700 GB of data.  I just don't want to assume it is clean and then reinfect everything with it again by executing an infected file from my external, nor do I want to reformat and lose all 700 GB of data

[Pondus]

AVG have a virut cleaner Nr.4 from bottom http://www.avg.com/ww-en/virus-removal.ndi-67762
Then you have Dr.Web and you are already running it ?
Norman had a virut cleaner but it is included in the Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en
do not know if Malwarebytes and Superantispyware wil detect

so you can scan with all, but i would also wait for a comment from Essexboy......

[justinefremlouw]

I'm running Avast and rmvirut as we speak.
DrWeb takes a long time, that's why I'm saving it for last XD
I will dl norman and scan with that too
Malwarebytes doesn't detect this, as I was scanning it yesterday with MBAM while my system was infected and it came up clean.  Dunno about Super, I will try that too later I guess...

Is Essexboy knowledgeable about this particular string?

[essexboy]

Do a full scan of the backup drive with Dr Web and unless absolutely necessary leave any exe files alone - data files should not be a problem if Dr Web clears them

[justinefremlouw]

Hi,

Once DrWeb Cures/removes all infected files, would using them be okay?  I heard virut also infects html and others
Also, most of my exe in my external are installers, so I don't mind losing them.  I assume that as long as I don't run any of them, I won't activate the strain right?  I was planning to use them as reference to re-dl all the installers I need.
Also, will it affect .rar, .zip, and .exe within .iso?


Thanks


EDIT: @Pondus: I've read your PM, but it seems the forum won't let me send PM.  On a different note, I can't edit my profile stuff either 0.o (signature, etc)

[Pondus]

EDIT: @Pondus: I've read your PM, but it seems the forum won't let me send PM.  On a different note, I can't edit my profile stuff either 0.o (signature, etc)

you need 20 post`s to do that, it is protection against spammers....

[justinefremlouw]

I scanned my external with Avast and rmvirut yesterday.
rmvirut found 2 infections and cleaned them.
Avast found 0 infections related to virut (how can this be? I had a folder full of exe installers...)

Going to do full scan with DrWeb Cure It and rescan with rmvirut today.
EDIT: rmvirut turned up clean.  Still scanning Dr Web.  Gonna scan with AVZ
EDIT2: Dr WEB scan, excluding nothing, including files in archives turned up clean.  How can this be?  None of the exe (aside from the 2 rmvirut found and cleaned) got infected by virut? (I have over 100 of installers amongst them).