Anyone Have Any Ideas?

[Dracone]

I recently got Vitro (http://vr-zone.com/forums/416522/polymorphic-win32-vitro-most-viraulent-virus.html), though I've got no idea how, except that our last anti-virus protection randomly and oddly canceled its service, even though we canceled the RENEWAL to be necessary a year later, not the, at the time, current rights to use it. There were only a few days of having no protection, but that's too long. I was away for a bit and didn't see that we had no protection until it was a little late.

The virus is quite well explained by that article, at least in a basic sense. I do have Avast, however, and Avast works in a way that just makes that virus all the more annoying. At first, Avast would detect Vitro in .exe files that did not appear important. I did scans and shit nonetheless, however, and thought I'd cleaned it out. However, viruses besides vitro re-appeared. The others were minor, and, since they popped up WITH Vitro, I thought Vitro was minor as well.

Now I'm quite certain that's far from the truth. And, as you can read from the article, it helps to have your shit backed up on an external drive, BEFORE this virus hits you. Unfortunately, I'm an idiot and never did that at any point with this computer. I thought virus protection would make shit all good. It going down for a few days ruined that idea.

So it looks like it's quite unstoppable currently, even though it's been around for a relatively long fucking time. And it looks like I'll be backing up all desired non-executable files onto an external device, formatting my hard drive, and reinstalling Windows. Unless SOMEONE out of you guys has somehow heard of or figured out a different and much easier way to fix this. I had to ask, because there's a lot of shit on this computer that no one in my house would like to lose. Hopefully I'm still able to access FireFox in the coming days to even read any responses.

Thanks in advance.

[Dracone]

Hmmm, I should mention that though that article was posted in February, absolutely nothing new has been learned about it, according to all the other and much more recent articles I've read. Thus, that's a very informative article despite being old.

Oh, and don't recommend any new type of Virus protection. All exe files included in any download are immediately detected by and infected by Vitro, and promptly rendered useless.

[SlackerLinux]

Run Linux and your virus issues will be a thing of the past
there's like under 50 virus like viruses out for Linux all quite harmless compared to the billions for windows mostly harmful
if you do get rid of this 1 another 1 is only gonna come next
reading the article since it infects every .exe its easiest to just wipe your pc( could very well be your only option).

[Hendrich]

Are you using Windows? Have you tried booting your system in safe mode, then using the anti-virus software to clean it out? I had quite a different Trojan, but doing that helped get rid of it, maybe this can work the same way?.

Try this link, it sounds like the only good way of getting rid of this thing without the usual "Install anti-virus, bla blah" bullshit. What this  site wants you to download sounds fishy though, but you're fucked either way so may as well give it a shot.

http://www.spywareremove.com/removeWin32Vitro.html

This sounds like one badass virus, it even affects MP3 files. The information I offered you isn't much, but its hard to find anything useful to get rid of this thing. You might want to take Slacker's advice and look at this as an opportunity to switch to a safer(?) OS, or be more careful on your new Windows installation. Cheers.

Other Info:
-Virus infects .exe/.scr/.htm/.html/.xml/.zip/.rar, so becareful when backing up files
-Check your control manager for these processes and see if you could delete them with any success (Also try it in Safe mode):
    * NtCreateFile
    * NtCreateProcess
    * NtCreateProcessEx
    * NtOpenFile
    * NtQueryInformationProcess
-Your PC might be fully infected and controlled by the virus next tiem you reboot/restart, such as when you try to login next time your PC will automatically restart afterwards, or you won't be able to see any shortcuts/Start Bar if you don't have a login box. So better backup before your next reboot.

[UniqPhoeniX]

Anyone know if getting ubuntu live cd and booting from that could help him clean out the virus, or at least backup some files? Any chance you can download it from another PC?

[Demolution]

Anyone know if getting ubuntu live cd and booting from that could help him clean out the virus, or at least backup some files? Any chance you can download it from another PC?

It seems that you can get an antivirus program running with a live CD, but I'm not sure how effective each of those programs are... Doesn't hurt to try however.
https://help.ubuntu.com/community/Antivirus

Linux virus infections are theoretically possible

[Dracone]

Thanks for all the suggestions.

Yes, I'm on Windows XP. And any type of scanning with Avast does not work...Remember, the exe files are infected themselves, and many are pretty damn important. So the only way to keep them intact would be to REPAIR them. Unfortunately, that just does nothing, least not with Avast. I never liked Avast really, but I had to grab something quickly when I realized our E-Trust CA whatever Suite pulled that shit and stopped, and I didn't know of anything else that was free. Was too late though.

Also, it doesn't seem like it's Conficker because this is all it's doing, but I'm being denied access to any anti-virus sites now, suddenly, including the link Hendrich posted. That's not listed as a Vitro symptom, at least not that I can remember from the articles I searched, or not within my tech knowledge of shit like this. I do see that .html files do get infected though, which I  must've missed. Still, it's a pain in the ass.

Something very interesting to note: Say I want to open Teamspeak, for example. I double click, and up pops Avast. Says that the Teamspeak.exe or whatever is infected by Vitro. I have the options, as Avast always asks, to Move to Chest, Delete, Repair, Move/Rename, or No Action. Repair is what I'd LIKE to have, but it doesn't do shit. And all the other actions result in simply rendering the exe useless anyhow. So, say I click No Action. I get this message:

C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

So for awhile I will get that message if I try to open Teamspeak. Same goes for everything else. And another curious thing is that if I leave it be for awhile, though I don't know how long exactly, I will be able to click the Teamspeak.exe again and it will give me the Avast dialogue box back. It's as though it nullifies the exe after I ignore it through Avast, but something occurs in the exe later on that activates it again, though it's still nonfunctional due to the infection.

EDIT: Another odd thing is that for some strange reason it still hasn't infected my tremulous.x86.exe.

EDIT 2: Oh yeah, Task Manager can't be brought up either. It got that exe too.

[mooseberry]

Also, it doesn't seem like it's Conficker because this is all it's doing, but I'm being denied access to any anti-virus sites now, suddenly, including the link Hendrich posted.

Try  this

[Dracone]

Helps somewhat, Mooseberry. I'll keep that page in mind. That Add/Remove programs thing looks good for a temporary thing so I could get somewhere with handling it altogether, but I can't even open that.

[mooseberry]

I havn't actually read that page, but its googles' version of hendrich's link. Glad it helped though.

EDIT: also try using this, if you can download it. www.abexo.com/afrcfree.exe

[Dracone]

Damn, thought that was going to get somewhere. Detected and infected it immediately though. Then, for some reason, it let me START running it anyhow. About 2 seconds later, infected it again though.

Thanks again though, was worth a shot.

Also, something's fucked up. Looks like this shit does something to make searches not work properly. I ran a full search of my entire computer for Win32.Vitro and it ended in like 20 seconds, with no results.

Another thing: Quite happy to say that it has NOT infected my .mp3 files, as Hendrich read of. Wouldn't wanna lose all that shit, so got it backed up.

[Archangel]

Damn, thought that was going to get somewhere. Detected and infected it immediately though. Then, for some reason, it let me START running it anyhow. About 2 seconds later, infected it again though.

Thanks again though, was worth a shot.

Also, something's fucked up. Looks like this shit does something to make searches not work properly. I ran a full search of my entire computer for Win32.Vitro and it ended in like 20 seconds, with no results.

because there's no file named that ??

Another thing: Quite happy to say that it has NOT infected my .mp3 files, as Hendrich read of. Wouldn't wanna lose all that shit, so got it backed up.

how do you know this ? for all you know, they might be.

 

Linux virus infections are theoretically possible

you have to worry more about getting your ass rooted.

[Amanieu]

Linux virus infections are theoretically possible

you have to worry more about getting your ass rooted.

Since this isn't a server, I'd say you should worry more about someone breaking into your house and stealing your computer.

[==Troy==]

Get your harddrive out, plug it into another PC, run a virus scan on that PC. If you are not going to run any of the exe files from the HDD, it will clean out everything. Good idea is to boot on from a _very_ low priveleges user.

[janev]

My 2 cents for what it's worth, though I am no expert, is to wipe your hard drive and follow better backup procedure next time. Any data that has been in contact with that system should be considered suspect. You will not get everything out of the system so you will be better off starting clean. This is probably not what you and your family want to hear. Hopefully you do not lose too much data. If you do start fishing stuff out of the infected system you will probably end up infecting your new system as well.

For future reference see that you make backups and keep your system clean. Data and OS should be kept separate and backup copies of data made (also for the less technically inclined family members) with regular intervals.

[Dracone]

We can get to shit through safe mode, but the whole HD idea is a pain in the ass compared to simply wiping and cleaning out fully EVERYTHING.

Besides, how am I going to run a virus scan on another PC? The virus scan software would have to be ON the harddrive, and it's like I said, every exe download is immediately infected and rendered useless anyhow. It doesn't matter anyhow, scans DO find it very easy, I've done them successfully with Avast. Actually fixing them is another story, as Avast cannot repair them, and repairing them would be the only way to save them since all other Avast options end up rendering them useless anyhow.

The virus hides itself in exe files especially and works from there, apparently. And, contrary to what I've read about being able to Add/Remove hardware remove it and work from there to clean it out, you cannot actually do that, as it does not appear in that list.

We managed to download one AV setup, but the virus has gotten to a point where an attempt to install any AV shit gets us the message, "An Administrator has set policies against performing this install."

So, it would seem that the virus is in the files it infects and those alone, and has no central area where it would infect other files from. So there are only 2 options; somehow come across a way to actually take the infected files and purge every one of them of the virus, which appears impossible by any currently known means, or do the old fashioned way of getting rid of this shit by backing up everything that doesn't get infected by the virus that we want to keep, and then wiping the Hard Drive absolutely completely and then getting our software related shit back together from square one.

Oh, and by the way: I know the .mp3 files I have aren't infected because Avast detects this virus quite easily. Unless I'm missing something.

[==Troy==]

You take another PC, with its own HDD and clean system. Install anrivirus of your choice there, attach infected HDD as slave, run full virus scan from uninfected system on filesystem of the infected drive. if paranoid : (Backup files, re-install infected system, Copy files back onto the now cleaned harddrive, run another virus scan just incase.)

[gimhael]

You can boot from a Live CD and run the virus scan from there. In Germany there is a distribution called Knoppicillin (based on Knoppix) which contains several commercial virus scanners (Avast, Kaspersky and some other), but unfortunately it isn't free. However, I don't know if a similar CD is available in the US.

[Demolution]

Have you tried a startup scan with Avast yet? Usually this one will clean out anything as long as you quarantine the files, and not just delete them.

Also, have you considered the Live CD idea as well?

[Dracone]

This topic can be locked. Too much shit has failed to work, as the virus does more and more damage. I cannot even run Windows Explorer in safe mode anymore, and the Run function does no good since nearly every exe file is now corrupted.

Thanks for the help, everyone, but there's a guy where my mom works who's head of the tech shit for the whole damn building, and he knew about Vitro immediately, and will be simply fixing shit through the way people usually have been for Vitro, on top of using some shit that Troy actually said, for precautions.

We've got the pictures and other documents we need, and I ran a scan on the USB drive we'll be moving the data with. It's clean and contains no exe files or any files the virus could infect with damaging effects. We'll lose our software, but that's honestly not a huge deal. Software can be re-installed quite easily.

Thanks again.

[frazzler]

I have a solution. Buy a new computer and download trem. Problem solved. =D

[mooseberry]

I really just don't know what to say to that. This is such an annoying failure of a post on so many levels.

[Dracone]

Well, back on my feet now. Everything's fixed and no sign of Vitro. Plus the computer's running good like it should be.

Should be back to Trem soon. I'll have no maps or anything, but downloading maps is never a huge problem, doesn't take that long usually. I'll just be grabbing an alternate client and Otic's hud, throwing my autogen back in there, and I'll be all good.