I am running Vista Home Premium and Avast 4.8, both up to date as far as I can tell. Also Comodo firewall and Microsoft Security Essentials.
Last night I did a really stupid thing and grabbed a dodgy file from an unknown source (on usenet) - I wasn’t trying to download an .exe file.
As soon as the file began to download, Avast's on-access scanner alerted me to two threats.
For the first, Alureon, I sent it to the Chest as recommended. The second was Vitro; when I tried to send it to the Chest I got an error that the file could not be found.
Here are the warnings from the log:
16/01/2010 23:59:40 SYSTEM 1796 Sign of “Win32:Alureon-EN [Rtk]” has been found in “C:\Users\User\Documents\downloads\incomplete\rummikub\Rummikub_EUR_MULTi6_NDS-DDumpers.rar\Rummikub_EUR_MULTi6_NDS-DDumpers\Rummikub_EUR_MULTi6_NDS-DDumpers\Rummikub_EUR_MULTi6_NDS-DDumpers.exe$PLUGINSDIR\ic1.exe” file.
17/01/2010 00:00:08 SYSTEM 1796 Sign of “Win32:Vitro” has been found in “C:\Users\User\Documents\downloads\incomplete\rummikub\Rummikub_EUR_MULTi6_NDS-DDumpers.rar\Rummikub_EUR_MULTi6_NDS-DDumpers\Rummikub_EUR_MULTi6_NDS-DDumpers\Rummikub_EUR_MULTi6_NDS-DDumpers.exe$PLUGINSDIR\exrev.exe” file.
Am I correct in thinking/hoping that because Avast sent *DDumpers.exe to the Chest, that is why it could not be found when it tried to deal with Vitro?
The .rar was still packed in my incoming folder and wouldn’t delete while Avast had the alert up, but I deleted it in Safe Mode after shutting my computer off via the power button.
My usenet client’s history says the download failed after 15 seconds.
I tried to follow the big Vitro thread, but just couldn’t take it all in (been very unwell, I’ll blame my lousy judgement on that!). From reading the thread I downloaded Dr Web Cure It, Malware Bytes, AVG Virut tool, Super Anti Spyware, and got the newest Hijack This. (I already had Spybot S&D).
I ran scans on both computers in the house (I stupidly moved a USB drive from my computer to another after the alert without realising the danger, but I didn’t put anything on to the 2nd computer - intentionally at least. I put it in the second computer to try to download CureIt etc.) in Safe Mode with Cure It, MBAM, AVG Virut tool, and absolutely nothing was found. Same for the Avast Boot-Time scanner. I installed and ran Super Anti Spyware once I was back in normal Windows; it found cookies, that’s all.
This is my ntdll.dll and the same entries are on the 2nd computer: https://www.virustotal.com/analisis/3df96ace6d271b6fcf59b5ac8ef1507fe6bebd3474c82db52de4b3aa0d63c0b5-1263768793
Does that mean both definitely got infected?
How long after infection do the symptoms of this usually start? Everything is running smoothly.
Thanks very much for any and all advice.
(I know just how wrong it was to try to get the game by download but I haven’t been able to find it to buy. :-[ )