[SOLVED] Win32:Vitro: how to protect and how to remove?

Hi, I saw some posts about the win32:vitro virus.
I created this post to have three answers:

  1. how to remove vitro once you’re infected (is it possible?)
  2. Once you’re infected and took backups on a usb drive. How to make sure the USB drive is not infected before restoring the data?
  3. How to make sure you won't have the virus back after a fresh install of Windows XP?

Please, do not post in this topic anything other than a full answer to one of these questions… users need to find a solution quickly to these 3 questions (at least, that's my guess).
Thanks in advance to the avast team.

Right now, it’s difficult to say that you can get cleaned. Maybe running avast at boot time as soon as you can. Run Dr. Web CureIt also.

Are you backing up documents and files and not executables (.exe, .com), right?

Scan the backup files with avast, Dr. WebCureIt.

1) Right now, it's difficult to say that you can get cleaned. Maybe running avast at boot time as soon as you can. Run Dr. Web CureIt also.
So there's no fix at the moment, correct?
2) Are you backing up documents and files and not executables (.exe, .com), right?
I did a full backup :-\ and found infection when scanning today from my Vista, up-to-date, avast-protected computer... it found infected exe files that it deleted... enough?
3) Scan the backup files with avast, Dr. Web CureIt.
I will, thanks for the tip

I would add the following question

4) How to prevent a win32:vitro infection? Is an up-to-date Avast Home Edition 4.8 enough?
Thanks for the quick answers you already gave... as usual ;D

Hi vpxavier,

There are two solutions to the problem: use Vista and you are not vulnerable; if using XP there is no cure for this very damaging, random, buggy file infector that beats Windows File Protection and the Windows Firewall on XP. It destroys beyond repair, so the only solution is to fdisk, format and re-install, and keep the system away from any peripherals etc. with the file-infecting vector on them. The only way to avoid it is safe-hex and protection, and you can read here in the forums what safe practices are (non-admin account for online activities, in-browser protection, fully updated and patched OS and third-party software, updated malware scanner(s) and active software firewall or hardware firewall solution); that is it in a nutshell. All the other options like Safe Mode scanning with special tools come to no avail, well, have not been demonstrated to be effective,

polonus

Like Polonus said, for XP there is not.

I suggest a full computer on-line scanning:
BitDefender
ESET NOD32
F-Secure

And also Dr. Web. Vitro is a very difficult infection to get clean.

Thank you all for these clear answers.
I changed the status to solved but don't hesitate to come back if a fix is found ;D

Hi. I think I have removed Vitro from my laptop, so my question is: How can I be sure that my external HD is not infected?
Assuming I have another PC I can check it on, can I rely on a clean bill of health from Avast?

The major problem, by the way, was not reformatting my laptop, but trying to get all the bloody Lenovo drivers to work!

Cheers.

See Reply #4.

Just a quick question please. You state that Vista isn't vulnerable to Win32:Vitro, but I have Vista running on my laptop and it is heavily infected with this virus. Is Avast just telling me I have the virus but it is not actually doing any damage, or am I an exception to the rule that Vista isn't vulnerable to this virus? Any information would be greatly appreciated. Thanks in advance and thanks for all the hard work and info you put into helping people.

Hope Polonus could give us some help…

Hi Tech and dm77uk,

Consider this info: http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=314

Can you upload your ntdll.dll file to virustotal.com and fill me in with the results, vital in this stage is to do your later scans in Safe Mode, but I like the virustotal.com information first,

polonus (malware fighter)

Here are my virustotal results from the scan of my ntdll.dll file:

http://www.virustotal.com/analisis/9aa0c367e1ef7a80aed06ae0209823b3

If you need any more information from me then just let me know, and thanks once again for your help.

I had a thought: what about replacing the infected .dlls with fresh ones? Is there no program that can do this? Or, after removing the generated virus files, trick XP into thinking it's shut down, then replace the dlls in the console. Surely this virus can be beaten without having to reinstall the entire OS.

Note: I found that several other things came with Vitro, Trojan {other} and a rootkit thing. From the information I found in these posts I was able to remove most if not all of them. But Vitro and Virut-C do not move. I have tried everything so far; I will not reinstall, and MS can kiss my broke A** if they think I'm going to upgrade (Ha) to Vista. I did upgrade to Firefox and that has solved many problems; a bit RAM heavy but it works. As for the other things that Vitro kindly left on my machine, the HijackThis kit works on them and avast takes some if not all of the other offshoots out. What I want to know is who made this! I have seen rumours saying MS themselves made it but I find that hard to believe.

No, Microsoft does not share and deploy viruses except Windows itself ;D
Joking. Virut is a very hard infection to get rid of but, for sure, it's not there to upgrade XP to Vista.

Hi Tech and others,

The malcreant behind the various forms of virut.h aka Vitro, which is spreading on systems like a bushfire, isn't just a simple script kiddie; he is aware of advanced polymorphic virus techniques that are meant to destroy an operating system utterly and beyond repair. The following data were on the 2008 variant and what it did: 002959.tmp.dll, 002960.tmp.dll, 002963.tmp.dll are some of the files found in the way it infects, and these names with random numbers, DIL*tmp, where * is a random number, VT100, 17PHolmes1001186.exe & mrofinu1001186.exe, were being found on the infected machines whose owners were downloading illegal game keys when they got infected. The crypted code starts with

üè)...S¹ ...‹Úf1.@†Ö@...âô 

after importing > KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess > msvbvm60.dll: _CIcos
Technical write-up about the new variant:
http://securitylabs.websense.com/content/Blogs/3300.aspx
For the variant here the decryptor is polymorphic and can be located either:

* Immediately before the encrypted code at the end of the last section
* At the end of the code section of the infected host in 'slack-space' (assuming there is any)
* At the original entry point of the host (overwriting the original host code)

The decryptor will either receive control directly or an API call within the host code body will be overwritten to point to it (EPO technique). In all cases where host code is overwritten by the virus, the original bytes are stored within the encrypted virus body and are restored before transferring control back to the host. This virus may also infect the files multiple times. Disabling and re-installing XP SP3 also is not an option… the virus is just too destructive in such a completely random and buggy fashion that the infected files remain beyond repair, and the danger of re-infection is imminent from infected systems and peripherals. A hopeless situation; best policy: avoid infection through this very dangerous file infector!

Because attempts to cleanse this particular malware only lead to long threads and almost no workable results, your best remaining option is fdisk - format - re-install: http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html

Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:

  1. Ensure that an avast antivirus product is installed on ALL machines connected to the network that can access or host shares (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product, like avast.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/en-us/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.

polonus
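As an added, defender-side illustration of the decryptor placements listed above (this is example code written for this thread, not code from avast or from the Websense write-up): a small Python check that parses PE section headers and flags an entry point that lands in the last section, in a non-executable section, or in the slack space past a section's VirtualSize. The PE images are constructed inline as test data; the heuristics are assumptions about what an appended or slack-space decryptor looks like at header level.

```python
import struct

def build_pe(entry_rva, sections):
    """Construct a minimal PE header in memory (constructed test data, not a real binary).
    sections: list of (name, virtual_address, virtual_size, raw_size, characteristics)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)    # AddressOfEntryPoint at +16
    opt += b"\0" * (0xE0 - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

def parse_pe(data):
    """Return (entry_rva, sections) read from the PE headers; sections are dicts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 40)[0]                 # optional header + 16
    secs = []
    for i in range(nsec):
        name, vs, va, rs, _, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vs, "rsize": rs,
                     "exec": bool(ch & 0x20000000)})                 # IMAGE_SCN_MEM_EXECUTE
    return entry, secs

def entry_point_flags(data):
    """Header-level warning signs that match an appended or slack-space decryptor."""
    entry, secs = parse_pe(data)
    holder = next((s for s in secs if s["va"] <= entry < s["va"] + max(s["vsize"], s["rsize"])), None)
    if holder is None:
        return ["entry point outside every section"]
    flags = []
    if not holder["exec"]:
        flags.append("entry point in non-executable section " + holder["name"])
    if len(secs) > 1 and holder is secs[-1]:
        flags.append("entry point in last section " + holder["name"])
    if entry >= holder["va"] + holder["vsize"]:                        # past real code, inside raw padding
        flags.append("entry point in slack space of " + holder["name"])
    return flags

# Constructed samples: a normal layout and two layouts resembling the placements described above.
LAYOUT = [(".text", 0x1000, 0x800, 0x1000, 0x60000020), (".data", 0x2000, 0x200, 0x200, 0xC0000040)]
CLEAN_PE = build_pe(0x1100, LAYOUT)   # entry inside .text code
SLACK_PE = build_pe(0x1900, LAYOUT)   # entry past .text VirtualSize, inside its raw padding
TAIL_PE = build_pe(0x2100, LAYOUT)    # entry inside the last, non-executable section
```

These checks cover only the first two placements; a decryptor written over the original entry point, or an EPO hook inside the host code, leaves the headers unchanged and needs a code-level scanner.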

Hi polonus,

I do really appreciate your hints. I was following the threads about Win32:Vitro the last few days cos I am fighting it as well. I think the situation is clear; I have just a few more questions.

I decided to beta test Win7, deleted partitions, formatted drives and installed Win7 from scratch. But I am trying to save indispensable files (docs, pics and videos) from an infected external HDD. I thought it is safe to connect this drive to a fully secured Win7 with avast and Spybot under a restricted user account, then run an avast full test and delete all infected files from that drive. Secondly, do the scans with Dr.WebCureIt and HijackThis. But I am not sure yet and still in doubt whether this is safe or not.

The reason is: I wasn't able to find out all the filetypes which are vulnerable (I know about exe, dll, htm, php, … and?). Is it also able to infect common files like jpegs, avis, mpegs, docs, xls, pdfs etc.?

Another important question: how is it with Vista and Win7 resistance? I read some posts saying that using those OS you are not vulnerable, but I am not sure about this, especially when running 32bit versions of these operating systems.

Could you please try to make this clear for me?

Thanks a million!
Diego

Hi Diego,

It seems that the virus can beat the Windows File Protection on XP (and Windows Firewall protection) and that of Vista when there is full encryption of the hard drive (been reported here). If you use back-up material from peripherals that have not been in contact with the file infector to copy onto a cleansed system, that is OK. The file infector tries to infect "all and every" file; to what extent it has been successful can only be decided in the aftermath. You should check by changing the extension into a notepad.exe file to see if the infection persisted. The virus can only be safely handled/cleansed in Safe Mode; if a remainder is still there and the OS runs normally, it again starts to spread like hay fire,

polonus

Hi polonus,

thank you for your reply… so that's the bad news for me, cos I am trying to rescue files from an obviously attacked hard drive. Brand new own photos and vids of high importance for me. Shaid! I'll do my best to get rid of this evil and save my data.

So if it might infect files such as jpegs, it seems that Avast is not able to locate this polymorph in such files and is reporting it just in executable files… (scans found no infected jpegs or docs yet) Am I right? I hope these guys developing AVs will find some reliable solution soon… cos it seems there are no successes around these days ???

Diego

First, would like to give credit to all on this forum who have helped others with solving this horrible virus. Thanks guys.
I can attest to it harming a Vista system. I first noticed it when Google said some of my website pages had malware… After deleting those I found out html files on my system were infected. It had added a ton of iframe references to the end of html files. I booted with Avast and it found many files that were infected with Vitro and 2 with JunkPoly. I didn't save the infected files to the Chest but deleted them, so now I have an unbootable system.
My question is what Linux bootable CD will work that will allow me access to the ntfs c drive so that I can copy off my data files to a USB stick? My original restore is on D: but not sure if it may have been affected. I want to totally reformat the HD from the Vista CD and start anew. Tips or suggestions are welcome.
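An added example for the html symptom described in the post above (iframes tacked onto the end of html files); this is illustrative code written for this thread, not a tool from avast or any poster. It reports `<iframe>` tags found after the last `</html>` of a file, where no legitimate markup belongs, so the hits can be reviewed before the rescued files are copied anywhere. The sample pages and `example.invalid` URLs are constructed test data.

```python
import os
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def trailing_iframes(html):
    """Return the src values of <iframe> tags that appear after the last </html> tag.

    A well-formed page ends at </html>; frames appended after it are the pattern
    described in the thread (injected references at the end of existing html files)."""
    idx = html.lower().rfind("</html>")
    tail = html[idx + len("</html>"):] if idx != -1 else ""
    srcs = []
    for tag in IFRAME_RE.findall(tail):
        m = SRC_RE.search(tag)
        srcs.append(m.group(1) if m else "")   # keep a frame even if it has no src
    return srcs

def scan_tree(root, exts=(".htm", ".html", ".php")):
    """Walk root and return {path: [iframe srcs]} for files carrying trailing iframes."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = trailing_iframes(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed samples (not real injected content).
CLEAN_PAGE = "<html><body><p>hello</p></body></html>\n"
APPENDED_PAGE = (CLEAN_PAGE
                 + '<iframe src="http://example.invalid/a" width=1 height=1></iframe>'
                 + "<iframe src='http://example.invalid/b' style=\"display:none\">")
```

Run `scan_tree` against a mounted copy of the rescued files; the hits are candidates for manual review, not proof of infection on their own.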