Malware name Win32:Vitro

Whatever this is, it is locking me out of, say, my games on my computer, and it will not let me download & install [Malwarebytes.org] or [superAntispyware.com]. I simply cannot find any answers at all, sooo, please somebody please help me remove this. It shows to be in C:\Windows\hh.exe, or if I try and run Malwarebytes it comes up with [unable to execute file: C:\program files\Malwarebytes:Anti-Malware mba.exe]. So please send me anything to help remove these permanently. Thanks.

it’s a new hardcore file infector from the authors of Virut…

Hi janr46,

The Virut family of viruses uses polymorphism to hide from all anti-virus protection; it infects executable files. File infection makes it very hard to repair a system that has been infected. W32/Vitro injects code into running processes and hooks the following functions in ntdll.dll, which transfers control to the virus every time any of these function calls are made.

* NtCreateFile
* NtCreateProcess
* NtCreateProcessEx
* NtOpenFile
* NtQueryInformationProcess

I would strongly recommend rebuilding the system from backups.

Windows can be rebuilt as described in the following link: http://www.informationweek.com/showArticle.jhtml?articleID=189400897 or, failing this, a format of the system will be required,

polonus

been having the same prob here for 2 days now, normally have been able to remove such stuff but this one is a hard one

Formatted C: 3 times now, but it keeps coming back somehow ???

I have this same problem and rebuilding didn’t solve it. Can anyone help? Thanks.

I am having this problem too, as informed by polonus it seems to be attacking exe processes e.g. logonui.exe, explorer.exe etc.

I have tried to repair - it fails so deleting the files resulted in deletion of important files in my windows systems !!!

Ended up having to rebuild windows system, but the virus comes back again…any suggestion?

Thanks

Same thing happened to me.

I had a snapshot for backup; when I restore with BartPE, the virus Win32:Vitro comes back after a few minutes.

What can we do? Anyone with the solution?

Please let us know when there is a cleaning procedure available for files infected with the Vitro payload.

This IS a particularly nasty one!

I have spent about 20 hours battling it, only to have to resort to a total scorched-Earth solution.

  1. I copied all essential data files to a separate hard drive
  2. Deleted the system partition
  3. Did a total repartition and reformat of the System hard drive, then reinstalled EVERYTHING

Vitro is now gone and has not returned. However, Avast reports that it still exists in some files on the separate hard drive, so I have to keep them segregated for the present time.

I’d like to warn friends about Vitro! Does anybody know what the other virus protection peeps are calling it?

Hi Jim Selleck,

Did you make an upload of an infected executable to virustotal.com, and can you post the results you get there here as an attached file? The following information I distilled from tweakers netherlands:
If you are infected by virut vitro, then this is an advanced virus that tries to infect all kind of files. After a reformat a re-infection can occur easily through infected back-ups.
I informed above in the thread:

"The Virut family of viruses uses polymorphism to hide from all anti-virus protection, it infects executable files. "Buggy" file infection makes it very hard to repair a system that has been infected. W32/Vitro injects code in running processes and hooks the following functions in ntdll.dll which transfers control to the virus every time any of these function calls are made.

* NtCreateFile
* NtCreateProcess
* NtCreateProcessEx
* NtOpenFile
* NtQueryInformationProcess"

So virut will attach to an important system file that is used for a plethora of things, and so creates room for the virus as it pleases so-to-say, because almost every program makes use of these system-APIs. Also the virus scanner itself is not immune from it…
Scanning from another computer is not a very bright thing to do either when a file-injector is involved, seen the re-infection risk; the only sensible thing to do in such a case is using a PE CD.
The virus only injects when it is active, but an autorun is also enough to infect.
Best policy is preventing infection by running fully updated and patched Windows and third party software, and to use in browser security like Firefox with NoScript installed. Malcreants at the moment will use every weakness in IE browsers known for spreading their drive-by-malware-infectors…and one ounce of prevention is worth 10 kg of cleansing after the fact…

polonus

Dear sweet lord, I hope someone gets a solution for this. I just lost a computer to this virus. Going with scorched earth. Also, it jumped to my USB drive (autorun?) and almost got my laptop.

Avast is catching this, when Norton and McAfee did NOT. Still, I am very uncomfortable with this virus. Any way to clean the infected files?

Oy. And it acted like a loop virus, too, but I think that spools.exe is a different one.

OneRing2Rule

I got this Virus, ITS BAD!!

On a single computer on my network so far (THANK GOD).
Wipes out nearly every .exe file, including explorer.exe, and drivers that need to run!
Definitely polymorphic and attacking running executable files; not sure how it worms though, since no other infections on the internal network.
Also makes .tmp and 213123421-type backups of itself, seen first in the root of C:
Quickly everywhere.

My Plan…
Removed HDD, backed up all NON-EXECUTABLE FILES, left out programs, as they are possibly infected.
Formatting and reinstalling seems the best idea for any polymorphic virus that attacks with such brute force.

Well, it’s making me money for sure. 8) I’m into computer repair on the side and she’s a bitch of a virus. Got five customers now with it. In every case, they downloaded something from zShare and had either Norton or McAfee. I downloaded the same file with Avast on a non-networked test cpu and Avast caught it.

Still, there is no solution other than doing what the Aussie said. Yank the HDD out, copy all of the data files, non-exec. types, and nuke the HD. I'm repartitioning and reformatting aggressively. After reinstalling Windows, I'll rescan with Avast to make sure that it's not on there somehow.

What are other scanners calling this one? A Google search of "vitro virus computer" is only showing a few results for Avast, none for Kaspersky or the other ones…

Michael

Hi OneRing2Rule,

It is from the makers of virut aka virux, and the complexity of these latest strains like virux.u is striking; read the analysis of a few of the tricks of this infector here:
http://securitylabs.websense.com/content/Blogs/3300.aspx
These malcreants for sure aren’t amateurs, they know every trick in the book, and because in some ways the infector is buggy, it is almost impossible to repair the damage. So until DrWebCureIt can repair the files “en masse”, the best way to go is called “Total Recall”,

polonus

I am at my public library, so don't have no worries. Yeah, that win32-vitro virus really got me again!! Problem is I do not go to nooo sites I do not trust!! And my computer is once again in the repair shop. It had gotten so bad that when I turned on my computer there were no icons whatsoever, but I could use the computer in safe mode. That was a [???], sorry. So where is that virus coming from??? Is there any real way to keep it away?? Permanently??? Sorry, like I said my computer's in the shop again, so maybe it will be tomorrow before I can get it out. So anyone who gets that virus, I really know what you all are going through, and good luck.

Polonus, Thanks for the tips and the interesting but over-my-head reading.

Will it be safe to move HTM files from the original machine’s HD?
And is the act of copying and moving enough to trigger an infection to spread?
All I want to copy are .doc, .mp3, and .htm files. The .htm files are negotiable.

Finally, I would like to know how I can tell if the USB drive is infected. I've got to stick it in SOMETHING to reformat it.
Any hints?

Hi OneRing2Rule,

As long as there is no executable file on the partition, because the active file infector spreads like hayfire, and it corrupts because it does not simply attach, it is a polymorphic one and destructive, re:
http://forum.avast.com/index.php?topic=42554.msg356009#msg356009
Its hooking into API-handling DLLs makes its maneuvering room go really far. I would disinfect the pen drives etc. with a USB disinfector tool, and what you wanna save, save that in RTF to make these files inert.
Try to scan with DrWebCureIt from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe
Good also against polymorphics…
Place this launch.exe (updated to the latest version) on a non-compromised USB stick protected with the file that usb disinfector has left there (do not remove), download from here: http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
Instructions to use here:
http://www.myantispyware.com/2009/01/08/flash-disinfector-free-autoruninf-trojans-removal-tool/

polonus
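The condition polonus gives above ("as long as there is no executable file on the partition") can be checked before a backup is restored. The script below is an added example, not code from this thread or from any of the tools it names: it identifies PE images by their header (an `MZ` stub whose `e_lfanew` points at a `PE\0\0` signature) rather than by extension, since a renamed executable is still an executable, and it also flags any `autorun.inf`. The sample files it creates are constructed inline; the function names are hypothetical.

```python
import os
import struct
import tempfile


def is_pe_file(path):
    """True if the file starts with an 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            header = f.read(64)
            if len(header) < 64 or header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            if e_lfanew < 64 or e_lfanew > 4 * 1024 * 1024:  # implausible offset
                return False
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def audit_backup(root):
    """Walk a backup tree; return (pe_files, autorun_files) as paths relative to root."""
    pe_files, autorun_files = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() == "autorun.inf":
                autorun_files.append(rel)
            if is_pe_file(full):
                pe_files.append(rel)
    return sorted(pe_files), sorted(autorun_files)


def build_sample_tree(root=None):
    """Constructed sample data (not a real backup): two documents, one PE image
    renamed to look like a document, and an autorun.inf at the drive root."""
    root = root or tempfile.mkdtemp()
    dos_stub = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos_stub, 0x3C, 0x80)      # e_lfanew -> offset 0x80
    fake_pe = bytes(dos_stub) + b"\0" * 0x40 + b"PE\0\0" + b"\0" * 20
    files = {
        "docs/letter.doc": b"\xd0\xcf\x11\xe0" + b"plain office document" * 4,
        "music/song.mp3": b"ID3" + b"\0" * 100,
        "docs/report.doc": fake_pe,                    # executable hiding behind .doc
        "autorun.inf": b"[autorun]\r\nlabel=backup\r\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    pes, autoruns = audit_backup(build_sample_tree())
    print("PE content found (do not restore):", pes)
    print("autorun.inf found:", autoruns)
```

Run it against the drive holding the backup instead of the constructed tree; anything listed under PE content should stay off the rebuilt system until scanned from a clean boot medium.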

I was infected. I hooked up my external HD where I had my backups and scanned it with avast, and it detected win32:vitro. I tried to delete and move to the virus chest several times, but it didn't work. Is there any way to remove the infected file or files so I can retrieve my backed up data? I need my movies, music, games, favorites etc…

Hi Exile,

Your only chance is where you have backups that this virus has not touched. In most cases the experience of the workings of such a critter in the aftermath is the only thing that teaches victims a backup policy of some sort, best thing next is not to panic, that won’t help…
As the virus uses the open spaces left in the code of executables, and does so indiscriminately and rather sloppily and buggily, it makes cleansing a quite difficult task because it is so destructive on exe, MP3 files etc.
Then another way in which the virus operates using a specific dll that works for a plethora of tasks using API’s is another complicating factor, it also immediately attacks a scanner because it attacks executables, so these should be renamed to run in another format on Windows, certainly rename the infector file extension. The miscreant(s) haven’t left many options open to us. Cleansing from a CD is the best option, having your data stored somewhere else a blessing,

polonus

I got this one also. I was able to remove it with Dr. Web from http://www.freedrweb.com/ I used the free scanner and it took the bugger out, of course it took about 2500 exe files with it but after a couple of days I am back up and running as before. I did not reformat my hard drive. This is the worst one I have come across since the introduction of boot sector viruses in the DOS days. I ran a thorough scan with AVAST after the Dr. Web scan and it cleaned up the rest. Just for information purposes I had my laptop, desktop and 3 flash drives infected in about one hour. All is good now though, but several hours lost.

this new variant of Virut is still being analysed (it’s quite complex)… what’s sure is the capability of infecting any PE module and this variant is most probably responsible also for injecting some stuff into html pages… i guess it contains also an IRC client as the older variants did… the detection will be updated today to cover the recent mutation…