Malware name Win32:Vitro

This Vitro virus makes me sooooooooooooooo glad I’m still running Windows ME on my computer.
My wife on the other hand… Not so happy. Her system has been killed by this virus 5 times in the last week. And mine hasn’t been affected or infected at all. She has Avast on her computer and the thing will detect the Win32 Vitro file in every system32 she has. Been through file recoveries and formats, and the pesky thing still comes back.

Maybe the program could add the extensions so it works like with Microsoft Small Business. O_o

LMFAO!!! OK, I had to quote this and thank you for posting it. In a matter of 10 seconds I went from wanting to put my fist thru my PC to laughing and starting with a clear and focused mind… LOL Bash with a hammer then burn it in a microwave hahaha ok, now back to going Xena on this damn virus’s ass…

OK, in my system32 folder (I am running XP Service Pack 3) there is the winlogon.exe file, but also in my C:\Windows\Temp folder there is an exe file named winlognn (that’s winlogNn, 2 “n”s). Could that temp folder file be the issue??? It was created yesterday (4/9/2009). We reformatted this POS on 4/6/2009 and with it being in the TEMP folder, I’m thinking that’s the virus… (sorry I am not a very computer-savvy girl lol)

I have no clue what that is. Sorry.

Only 3 antivirus programs detect Vitro on my system…

  • AVAST!
  • GData
  • McAfee

http://www.virscan.org/report/f40c8875f64c9bc2b76f6e82fd8438cc.html
http://www.virustotal.com/es/analisis/948936c8f36f3f29f8e64df8eced9e27

Hi guys, I’ve been reading this topic over the past few days looking for ways to remove this virus without formatting but no luck. So instead I did format and I did get the virus again using old backups lmao.

I removed my old backups but did manage to keep some ISO files which are the same (no virus alert from Avast).

With my old backups I had txt documents that had the virus in. .exe files had it in too.

A JPEG picture did not have it in.

I am wondering about MP3; when my PC got infected I had another HDD, 400 gig full of music and films. I did turn off the PC and disconnect that drive when messing around. I managed to get rid of the virus, I think. But I am unsure about my 400 gig; I have run a few .avi and opened a few .txt files and no virus alert. Before I go to bed I will run a scan.

What file types are affected by this virus? And what are not.

I read that only XP is affected by this virus? Strange, hey.

Last question: I have a friend that has important movies and stuff on his PC; he has been affected with this virus but he has no way of backing up his stuff. Is there any way to remove it without formatting and losing everything? If he does a virus scan and removes the virus it will eat away his system files so that’s out of the question.

any help

Thank you so much.

Adam Evans.

BTW two virus programs that I know pick this up, AVG FREE and AVAST! HOME FREE.

cheers guys

  1. Make a thorough boot scan with AVAST first before doing a backup, and allow it to delete all infected files. Don’t worry, your movies won’t be deleted.

  2. After it’s done with the cleaning, your system will continue booting. DON’T ALLOW IT TO CONTINUE BOOTING!! Turn off your system immediately before it completes the boot-up process because Vitro still exists.

  3. If you wanna back up in a clean environment without any worries about Vitro infecting in the background, download LINUX UBUNTU. Burn it, boot it, and do all the backup from there. It has a simple burning utility that should be enough for your purpose. But don’t back up HTML/HTM files and EXE files, especially exe files below 100KB in size, because most viruses pass AVAST detection. That’s all.

Off topic: I just found the funniest Vitro removal guide at the following link!
Skip immediately to the Vitro manual removal instruction part for the best humor ;D ;D ;D ;D
http://www.spywareremove.com/removeWin32Vitro.html

How did you know that your HTML files are not infected? By scanning with AVAST? You should know that so far AVAST can’t detect an infected HTML file! You’d better try to open the file with Notepad and you will see the malicious link in an iFrame attached at the bottom. The same applies to EXE files. Not all infected EXE files can be detected by Avast, so the size is our only hint.
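Added example, not from the thread and not an Avast tool: a small Python script that does the Notepad check from the reply above automatically. It walks a folder of .htm/.html files and reports any <iframe> that loads an external URL while being made invisible (1x1 pixel or visibility:hidden / display:none), and notes whether the tag sits after the page’s own closing </body>, which is where the reply says the injected link is attached. The two sample pages and the example.invalid host are constructed for the demo; the function names are my own.

```python
import os
import re
from pathlib import Path
from typing import Dict, List

# One <iframe ...> opening tag, case-insensitive; injected tags are usually on one line.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)


def _attr(tag: str, name: str):
    """Return the value of attribute `name` inside one tag, or None if absent."""
    pattern = r"\b%s\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))" % re.escape(name)
    m = re.search(pattern, tag, re.IGNORECASE)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def _tiny(value) -> bool:
    """True for width/height values of 0 or 1 pixel (a frame nobody is meant to see)."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def is_suspicious_iframe(tag: str) -> bool:
    """An iframe that pulls an external URL *and* is concealed from the viewer."""
    src = (_attr(tag, "src") or "").lower()
    external = src.startswith(("http://", "https://", "//"))
    style = (_attr(tag, "style") or "").lower().replace(" ", "")
    concealed = (
        "visibility:hidden" in style
        or "display:none" in style
        or (_tiny(_attr(tag, "width")) and _tiny(_attr(tag, "height")))
    )
    return external and concealed


def find_injected_iframes(html: str) -> List[Dict]:
    """One finding per suspicious iframe; `after_body` is True when the tag was
    appended after the page's own </body> (or </html> if there is no </body>)."""
    lowered = html.lower()
    close_pos = lowered.rfind("</body>")
    if close_pos == -1:
        close_pos = lowered.rfind("</html>")
    findings = []
    for m in IFRAME_TAG.finditer(html):
        tag = m.group(0)
        if is_suspicious_iframe(tag):
            findings.append({
                "src": _attr(tag, "src"),
                "offset": m.start(),
                "after_body": close_pos != -1 and m.start() > close_pos,
            })
    return findings


def scan_tree(root) -> Dict[str, List[Dict]]:
    """Scan every .htm/.html under `root`; return only the files that have findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = Path(dirpath) / name
                text = path.read_text(encoding="utf-8", errors="replace")
                hits = find_injected_iframes(text)
                if hits:
                    report[str(path)] = hits
    return report


# Constructed sample pages (not taken from any real infected site).
CLEAN_PAGE = (
    "<html><body><h1>Photos</h1>\n"
    "<iframe src='/embed/player.htm' width='400' height='300'></iframe>\n"
    "</body></html>\n"
)
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://example.invalid/ld.php" width=1 height=1 '
    'style="visibility: hidden"></iframe>\n'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_injected_iframes(page))
```

Run it against a backup folder with `scan_tree(r"D:\backup")` before restoring HTML files; a legitimate embedded player (visible, same-site) is left alone, while a 1x1 or hidden frame pointing off-site after </body> is reported with its offset so it can be inspected and cut out in a text editor.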

Yes lol, I checked them all (and Notepad++ has a nice function to search in all files in a given directory for text… Ctrl+F).
Nothing like iframe was detected… nor did I open it with a web browser; just viewed it!

Hi DonNils,

It’s something that looks like this at the bottom of HTM page:

Misak changed http → hxxp (live malware link)

Yep … but here nothing is infected… I looked everything up… nothing :slight_smile:

For those of you who are new to this thread, a few tools to help. These should be run from safe mode if possible.

Removal tools:
http://www.avg.com/us.virus-removal.ndi-67762 (I found this not to be 100% effective, but it’s a good start)
http://www.scanforfree.com/09/win32-virut-gen-5-removal.html (I think this may be an old one. It cannot run on my system)

This script will remove the infection from web pages:
http://www.cedit.biz/scripts/14-virusmalware-repair/25-repair-ziefpl-iframe-injection.html

More generalized malware/virus scanner:
http://www.novirusthanks.org/progs/3/

Please note that Avast will detect the virus if it has infected an EXE file, but will not detect infected web pages. It is entirely possible for antivirus programs to get infected, then infect other files when you try to scan them.

This virus will infect system files such as explorer.exe, winlogon.exe, cmd.exe, taskmgr.exe and also System Restore. It would be a very good idea to reformat your hard drive (don’t just reinstall Windows over the top!)

I know it can be sad losing so much important stuff but it has to be done (I have just lost 4 Terabytes on my server PC :frowning: )

The best defence is not to go to suspect web sites, keep your virus scanner up to date and use a decent firewall (not microsoft’s).

Block these IP addresses:
61,235,117,80 (ntkmpla dot info)
221,5,74,38 (zief dot pl)
212,85,96,95 (jL dot chupa dot nl)
218,93,205,30 (jL dot chura dot nl)
(Replace the commas with dots)

hmmmmmmmmm

yeh… managed to skate by a few bugs that I’ve picked up in the past… but it bears repeating, this one is kind of mean… hats off to the creator(s)

anyways, I was wondering… say you have a secondary HD that you keep with an OS etc etc just in case Vitro happens on the HD you’re using at the time of infection/destruction

you wouldn’t be able to boot from that OS backup drive with the infected drive without the backup drive getting infected (tried it)

so I’m about to try this to see if I can at least get access to the stored data on the infected drive without infecting the backup drive, here’s how:

while running on my backup OS drive, I picked up a bat file that renames *.exe to *.XXX and *.dll to *.ddd

so what I was thinking was:

delete only the Windows folder on the infected drive, do a reinstall and start up the infected drive alone (unplugging the backup) with just the cmd prompt

if the new installation on the infected drive did work, when you get to the cmd, run the batch file(s), then do a reinstall of Windows just deleting the Windows folder, to kill off any residual bugs that would be left over in the Windows folder

think it would work? yeh, it would render any programs useless, but it should leave all the data intact (music, vids, etc)

if the new installation on the infected drive didn’t work, you could boot from the backup drive with the corrupted drive in secondary then copy all the non-exe data, i.e. music, video etc… right? and not infect the backup OS drive

yeh I know the infected exe/dll will still be there and still need to be formatted later, but they should be inert, right? hopefully allowing you to take the music/video/etc non-program stuff

ehhhh I dunno ::slight_smile:

might could try running the batch files from a modified boot disk too o-0

:-X :-X :-X

hmmmmmmmmmmmmmmmmm

this one time at virus camp… :o

umm so yah…

I got to the cmd prompt in safe mode using the fresh install (over-the-top install, not fully formatted, infected drive)

inserted my burned CD with my batch files and copied my batch files to my C drive

tried to run them… and they screwed up… poorly written, bunch of errors

so rather than give up or look for new batch files to use… or write my own cuz I’m lazy like that…

I did this:

in the cmd prompt: C:\>explorer

explorer starts; at this point I don’t care if the virus was running (didn’t seem like it was anyway)

opened my C drive and took every file except the Windows install and put them in one folder

right-clicked that folder (called it dex), went to Security, owned all the files (made sure to check the subdirectories thing)

picked my nose for a while while the system sat there and applied the ownership attributes

came back a bit later and in the cmd prompt typed this

C:\>del /s /f C:\dex\*.exe

let that finish out

then typed in the cmd prompt

C:\>del /s /f C:\dex\*.dll

then

C:\>del /s /f C:\dex\*.js

then

C:\>del /s /f C:\dex\*.htm

then

C:\>del /s /f C:\dex\*.html

then

C:\>del /s /f C:\dex\*.tmp

then

C:\>del /s /f C:\*.exe

C:\>del /s /f C:\*.dll

C:\>del /s /f C:\*.htm

C:\>del /s /f C:\*.html

C:\>del /s /f C:\*.js

C:\>del /s /f C:\*.tmp

C:\>del /s /f C:\*.com

those last lines killed all the *.exe, html, htm, js, tmp, com, dll in the new Windows install

reinstalled Windows, reinstalled my net adaptor, downloaded Avast, scheduled a boot-time scan

the damned thing got to 90% before it found one Vitro…

in the only place I forgot to look, in the System Volume Information, and now that I think about it… this crucial little thing for the del cmd

C:\>del /s /f /a:h

the /a:h is the big one (I think?) cuz I may have overlooked the hidden files… :-X

but… I’m running on my fresh (over the top of the old install) installation right now, with Avast running in the background… no virus alerts so far… :o :o :o


just owned the System Volume Information

(please wait, system is picking its nose) :smiley:

started cmd and ran this

C:\>del /f /s C:\system~1\*.exe

then

C:\>del /f /s C:\system~1\*.dll

then

C:\>del /f /s /a:h system~1\*.exe

then

C:\>del /f /s /a:h system~1\*.dll

so far so good…

I’ll prolly be back here crying about this damned virus in a few hours again…

but for the moment, I have a fresh OS, my AVS (Avast) is running, and all of my old data, mp3, avi, etc etc etc (minus the dll, exe, etc etc etc)
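Added example, not from the poster above and not a Vitro-specific tool: a Python dry run of the del commands in that post. Before anything is deleted, it lists what *.exe/*.dll/*.js/*.htm/*.html/*.tmp/*.com files exist under a folder, counts them per extension, marks the ones that sit under a hidden file or folder (what the forgotten /a:h would have skipped, such as System Volume Information) and flags executables under 100 KB, the size hint given earlier in the thread. The sample tree it builds in a temp directory is constructed for the demo; the dex folder name mirrors the post, and the function names are my own.

```python
import os
import stat
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict

# Extensions the poster's del commands targeted, plus the thread's 100 KB hint.
TARGET_EXTS = {".exe", ".dll", ".js", ".htm", ".html", ".tmp", ".com"}
SMALL_EXE_LIMIT = 100 * 1024


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute (what del /a:h matches); dot-prefix name elsewhere."""
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)
    except OSError:
        return False
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
        return True
    return path.name.startswith(".")


def inventory(root) -> Dict:
    """Dry run: per-extension counts of targeted files, the ones living under a
    hidden file/folder, and executables smaller than 100 KB. Nothing is deleted."""
    root = Path(root)
    by_ext, hidden, small = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            ext = p.suffix.lower()
            if ext not in TARGET_EXTS:
                continue
            by_ext[ext] += 1
            rel = p.relative_to(root)
            # hidden if the file itself or any folder between root and it is hidden
            if any(is_hidden(root.joinpath(*rel.parts[:i]))
                   for i in range(1, len(rel.parts) + 1)):
                hidden.append(rel.as_posix())
            if ext in (".exe", ".com") and p.stat().st_size < SMALL_EXE_LIMIT:
                small.append(rel.as_posix())
    return {"by_ext": dict(by_ext), "hidden": sorted(hidden),
            "small_executables": sorted(small)}


def _mark_hidden(path: Path) -> None:
    """Set the Windows hidden attribute; no-op elsewhere, where the dot name is enough."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(path), 0x2)


def build_sample_tree() -> str:
    """Constructed sample tree standing in for the poster's C:\\dex folder."""
    root = Path(tempfile.mkdtemp(prefix="vitro-dryrun-"))
    files = {
        "dex/music/song.mp3": 3000,                                  # not targeted
        "dex/app/setup.exe": 200 * 1024,                             # large exe
        "dex/app/helper.dll": 10 * 1024,
        "dex/web/index.html": 500,
        ".System Volume Information/_restore/A0001.exe": 5 * 1024,  # small and hidden
    }
    for rel, size in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    _mark_hidden(root / ".System Volume Information")
    return str(root)


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    for key, value in inv.items():
        print(key, value)
```

Point `inventory()` at the real folder (for example `inventory(r"C:\dex")`) and read the `hidden` list before running any del: on the sample tree the only hit under a hidden folder is the small restore-point executable, which is exactly the kind of file a del without /a:h leaves behind.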

My computer has been infected by Win32:Vitro; up to now it has only infected some unimportant files and I am wondering if an antivirus program can remove it (in the future)? How long will it probably take? I am wondering how long I can wait before I take action (of course I am going to take a backup of all important pictures and text documents).

Thanks for helping!

well so far so good…

music, video and everything that I didn’t delete is still intact for the moment and no sign of the bug

hmm the method I used is kind of like scorched earth… but with certain files hiding out in bunkers surviving the mass destruction

afaik, and imho, there are no programs to rid yourself of Win32.Vitro. Avast! and Dr Web CureIt can detect but not fix. It is a MAJOR virus and completely fatal. Who knows how long it will take before AV programs are able to fix it? Best thing is to bite the bullet and do FFR. Back up your important files but then unplug that media until you’re back up and running.

I had(?) it. I am on my second re-install of everything.

The best thing to do is…

  1. unplug all your external drives/media.
  2. unplug the AC (and battery if it’s a laptop).
  3. do an FFR (fdisk, format, re-install).
  4. keep your external media unhooked until you know you’re in the clear.

Sorry for the bad news. I hope this helps you.

I understand that I have to clear my hard drive. I have Vista on my computer; can someone please write step by step how to completely remove everything from the computer (or is formatting enough?). On this forum someone had formatted their hard drive numerous times and still the virus was coming back; I just want to be completely sure it will be removed.

Step three, with fdisk or any partition manager that could clean the partition (like http://www.ptdd.com/bootablecds.htm, http://www.ptdd.com/download.htm, http://www.ultimatebootcd.com/, or Super Fdisk Bootable CD 1.0: http://www.softpedia.com/get/System/Hard-Disk-Utils/Super-Fdisk-Bootable-CD.shtml).

Definitely don’t plug external media (that may be infected) back into your computer. After my first FFR, I plugged in a USB flash. I had USB Firewall running and it found four infected files (SVCHost.exe was one). By then it was too late. I think(?) I was re-infected because my LAN became inaccessible. Leaving nothing up to chance, I did FFR again.

Maybe set up an alternate computer to scan your drive(s) with Avast and Dr Web.

My Blackberry is/was infected as well (SVCHost.exe)! It must be on the micro SD card.