Win32: Vitro advice..

So I’m attempting to fix my neighbor’s computer (actually just taking a look at it; I’m really not that good with these things). Avast’s web shield popped up blocking Win32: Vitro. I ran some scans for him with Malwarebytes (didn’t find anything) and Avast (which found two). Moved them to the virus chest, where they currently reside. Since then I’ve run more scans and have found no threats. Is he in the clear? Also, should I just delete the files in the virus chest?

if the Vitro/Virut detection is correct… then he may be in deep s**t :-
this is a nasty file infector and Malwarebytes does not clean file infectors… the Pro version will block the installer… if detected

if lucky, avast has stopped it from spreading… Essexboy is notified

Virut and other File infectors - Throwing in the Towel? (Miekiemoes - Assistant Director of Research @ Malwarebytes)
http://miekiemoes.blogspot.com/2009_02_01_archive.html

Vitro aka Virut can be really tricky. It depends on the time it’s been on the computer. If it’s been active for more than 1 week, then a format would be the solution, I guess.
Before you do anything, Kaspersky has released a really nice tool for this infection. Follow the instructions here:
http://support.kaspersky.com/faq/?qid=208280756
A review of Virut.ce can be found here: http://www.securelist.com/en/analysis/204792122/Review_of_the_Virus_Win32_Virut_ce_Malware_Sample

^ I don’t think it was on his computer for very long; he told me it happened this morning. At this moment I’ve updated his Windows and I’m currently trying the Kaspersky tool you recommended. I’ve downloaded the logging programs recommended here. I will try running scans after the current reboot, and if you guys deem it necessary I will post logs.

yes, you should attach the logs from this guide:
http://forum.avast.com/index.php?topic=53253.0

then essexboy will have a look tomorrow

Should I run these in Safe mode?

There is no need to do so…

if you’re trying to remove Virut with any tool used to remove it, then it’s best to do it in safe mode

just correcting; I’m not gonna get involved in any of these before getting a warning again… :confused:

Why not give Dr.Web a try?

Download and burn the iso to CD from a clean machine:
http://www.freedrweb.com/livecd/?lng=en

Then boot via the Dr.Web Live CD and try to cure all malware found.

Then, once the scan is finished, boot back to normal Windows and scan with Malwarebytes.

Note: No 100% assurance that the computer will be perfectly clean even after Dr.Web and MBAM have scanned and cured the files. The best option is to format and reinstall Windows.

Further info on how to deal with this nasty infection will be given by essexboy.

what about combofix?

OTL isn’t producing the extras.txt file, only OTL.txt. Gonna try the suggestions so far with the CD. I’ll check this from work.

MD5s look good for the main system files - are the alerts appearing any more?

You could have struck lucky - a few ADS to remove

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
@Alternate Data Stream - 1360 bytes -> C:\ProgramData\Microsoft:p0hlN7TI8gW6nFYkkhPODj6ab
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:8CE646EE
@Alternate Data Stream - 1117 bytes -> C:\ProgramData\Microsoft:YfsOyVlgDHNr34ZJoMbRkDE

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
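The OTL fix above removes three alternate data streams (ADS) that were hanging off C:\ProgramData\Microsoft and C:\ProgramData\TEMP. The script below is an added example, not code from this thread, from OTL or from Avast; it shows how to list every non-default NTFS stream under a folder with built-in PowerShell so the entries OTL reported can be verified before the fix and confirmed gone afterwards. It assumes PowerShell 3.0 or later (for Get-Item -Stream and Remove-Item -Stream), that C:\ProgramData is the folder of interest as in the fix above, and that stream enumeration on directories works in the installed PowerShell version (older builds only handle files).

```powershell
# Added example: report (and optionally remove) NTFS alternate data streams
# under a folder. Not from the thread or from OTL; assumes PowerShell 3.0+.
param(
    [string]$Root = 'C:\ProgramData',   # assumption: the folder named in the OTL fix above
    [switch]$Remove                     # only remove after reviewing the listing
)

function Get-AdsReport {
    param([string]$Path)
    # -Force includes hidden/system items. Folders can carry ADS too
    # (C:\ProgramData\Microsoft in the fix is a folder), so include the root itself.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Every file has a ':$DATA' (main content) stream; anything else is an
        # alternate stream and worth a look.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    }
}

$report = @(Get-AdsReport -Path $Root)
if ($report.Count -eq 0) {
    Write-Output "No alternate data streams found under $Root"
    return
}
$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($ads in $report) {
        # Removes only the named stream; the file or folder and its main content stay intact.
        Remove-Item -LiteralPath $ads.Path -Stream $ads.Stream -Confirm
    }
}
```

Run it once from an elevated prompt before applying the fix to see the same three streams (sizes should match OTL's 1360, 123 and 1117 bytes), and again afterwards to confirm nothing is left; the -Remove switch prompts per stream, so nothing is deleted without a look at the listing first.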

^ I haven’t had any hits from further scans with Avast since the initial detection, which is still in the virus chest.

  • Right after the reboot OTL ran automatically. After that I ran a quick scan using the suggested OTL custom scan from the log assist post. Here are the logs.

That looks good - you may have struck lucky

If all is well tomorrow, let me know and I will tidy up