# Win32:Vitro



## Black Panther (May 14, 2009)

My dad's XP is looping... login/logoff loop.

I suspect a virus...

However first I wanted to copy userinit.exe into his system32 folder...

Now this is a laptop, so I can't just take the HDD out and stick it in another pc.

Would inserting his laptop's XP recovery diskette give me access to C:/ and to the userinit file on USB thumb-drive?


----------



## newtekie1 (May 14, 2009)

You can try booting to the XP CD, and selecting repair, that should load the recovery console to a C: prompt. However, the functions are very limited.

I would boot to some kind of Live CD (Linux or BartPE) and use that to copy the file over.


----------



## El Fiendo (May 14, 2009)

Has it asked if you want to start up in Safe Mode at all? That alone should work. As the computer is booting, tap F8 to bring up the advanced options menu. Select boot in safe mode. 

You might be able to do a recovery from the XP recovery diskette, but honestly I've never had one of these so I don't know what it all covers.

Lastly, if it's a SATA HDD you can use it in any computer as the connectors are still the same. If it is IDE, this product is all you'd need. I picked one up at a local shop for less than that, and I'll keep it around until the day SATA is everything. Newegg won't work for you, but you should be able to find it in a local shop like I did.


----------



## Black Panther (May 14, 2009)

Safe mode doesn't work either.

That connector needs me to remove the laptop's hdd out I guess huh? 

Even in 'normal' mode (not safe mode) his XP logon screen is funny... I haven't seen it yet, he's bringing it here later - anyway he said his XP logon screen is black and not blue...

Then he inputs his user password, his desktop wallpaper shows for a couple of seconds, then once again a black screen giving him the choice to either restart, shut down, or log off.

I wonder which virus it is this time...

He left the laptop on overnight and in the morning he said there was the avast warning. He selected delete (probably deleting the userinit too?) and shut it down.

*Which would be the best OS to run off a thumb drive?*
Right now I got only a couple 8GB dvds left which I don't want to waste...


----------



## El Fiendo (May 14, 2009)

Sorry, as for the best OS to run off flash drive, I'm not real adept in that area so I'm not certain.

Yes, that connector requires the HDD to come out of the laptop, and then it connects to your PC via regular IDE cable and 4 pin molex. I'd use that as a last resort though. 

Strange that Safe Mode doesn't work though.


----------



## intel igent (May 14, 2009)

I had a case where I was defragmenting my HDDs and then got the smart idea to surf while it was doing so! Needless to say it buggered up windoze. It was acting similar to what you are describing, BP. All I did was insert the XP disc and reboot and it worked. I guess it grabbed the missing/corrupt files while it was loading/rebooting? Hope it helps!


----------



## Hayder_Master (May 14, 2009)

You can use an adapter with USB output (like a hard drive rack or something) and put it in any PC.


----------



## Black Panther (May 14, 2009)

I just got the laptop here.

Tried safe mode... there is no task bar, no icons...

The only thing which functions was ctrl-alt-del to bring up the task manager.

So I was able to browse system32 -- the userinit file is there though I don't know whether it's corrupted.

Then I started up Avast through adding a new application through same task manager. 
Immediately it found a virus in the memory in system32\clipsrv.exe called Win32:Vitro

Got a boot-time scan scheduled, rebooted laptop... found other virus in Documents and Settings.... Win32:JunkPoly 

Edit: From what I googled about the Vitro virus... things don't look bright at all. It infects windows executables and doesn't allow them to get repaired, making the OS not work... 

Now I'll let the boot-scan finish........ and see what happens....


----------



## Black Panther (May 14, 2009)

Decided to reinstall XP...

Infected files included---

clipsrv.exe
cmd.exe
dllhost.exe
mnmsrvc.exe
progman.exe
sc.exe
ups.exe
userinit.exe (so I guessed one... )


----------



## Black Panther (May 15, 2009)

Virus survived the XP reinstall.

It even got in my thumbdrive... I thought the pc was clean and used my thumbdrive to install drivers....

I managed to get in Safe Mode, and am currently backing up some 13GB of stuff on my pendrive (probably re-infecting it again...)

Then I'll do a format and clean xp install...

then re-scan my pendrive and clean it up...

then scan his 1.5TB worth of external HDD's full of downloads... only the devil knows what I'll find there

... sigh...


----------



## pepsi71ocean (May 15, 2009)

should have done a linux swap to see about the files



And before you reinstall, write zeros to the drive. Use any of the disk cleaners on the UBCD. I always do 3-5 passes between formats, since using the Windows disk seems to only wipe the MFT and the MBR for some reason?


----------



## Black Panther (May 15, 2009)

Thanks everyone - much appreciation!

*Please don't bother posting anymore advice on how to access laptop's hard drive  ...*

That part of the complex problem I have with Dad's laptop has been solved.
It's complex because I discovered the culprit being a Win32:Vitro virus infection.

I just read an entire 17-page thread on this specific virus on Avast!WebForum... finding out that not only is this virus missed by many popular AV programs but also that those which detect it are unable to repair the infected files.

Before reading above link, I (thought I had) cleaned up the Win32:Vitro. At least what I had done now enables me to enter safe mode for backing up documents etc.

(I requested this thread to be renamed to *Win32:Vitro* and moved to the Networking Forum - so if some mod happens to be reading this... )

____________________________________________________________________________

**For those who might be interested in this Win32:Vitro, here's what I've learnt so far:**


1) At present to-date it is unrepairable.
Few AV programs detect it - and those which do are only able to move infected files to chest or delete them.

2) It infects exe and htm or html files which are smaller than 100K.
However, the few av programs which detect Vitro detect only the exe files, ignoring infected htm and html files totally!

3) Disconnect infected computer if it's on a shared network.

4) First thing to do is to enter Safe Mode immediately and backup any important files you don't want to lose, and afterwards format the HDD and make a clean fresh OS install. 
Things won't get worse since in Safe Mode (per online rumours...) Vitro lies inactive.

--------As weird as this might sound - if you need to make any backups - *DO NOT scan or follow any suggestions your AV program comes up with*.

Doing so will move or delete (never repair!) essential Windows System32 executables like mnmsrvc.exe, progman.exe, userinit.exe etc and on reboot you get either an OS which doesn't load at all or an infinite logon/logoff loop.

Keeping in mind that at the end you'd be getting no choice other than reformatting and fresh OS install (or binning pc!), it's definitely counterproductive to attempt any form of repair before backing up what you need to back up.

--------For the same reasons above, *DO NOT reboot the infected pc at all* - no testing unless you're sure you've got nothing to lose. Enter Safe Mode at the first Win32:Vitro warning you get. Period.
Every reboot spreads Vitro to more files, your OS will get worse, giving you logon/logoff loops or just a black screen - and it'd be even more difficult to make your precious backups!

This was what happened to my Dad's laptop. He had left it running overnight, waking up to the Avast 'radio-active spinning fan' virus alert. 
Now Dad's no techie - he wouldn't imagine the consequences of following Avast's suggestion to move or delete userinit.exe, so he moved/deleted every file Avast brought up and shut down the laptop.
Later same day, he persisted in scanning and rebooting "hoping it'll go away", finally phoning me when "XP wasn't allowing him in anymore" and for him all hope was lost! 
When he brought me his laptop, there was _no way_ to log in at all not even in Safe Mode (hence me starting this thread!)

Ultimately, I entered Safe Mode "half-way" having just mouse pointer and black screen, no taskbar, no icons. 
Just for lack of anything else I pressed Ctrl-Alt-Del and luck had it that the Task Manager popped up! 

At the time I didn't even know there was a virus, let alone its name..

I started Avast using 'New Task' in Task Manager getting a warning immediately on starting the memory scan. I scheduled a boot scan and rebooted.
I deleted all virus threats in bootscan, thinking laptop would be clean and just needing to run Windows Repair to replace the deleted system files.

What I got in reality was a bootable OS (with a different login screen than the usual XP one) which rang bells when I found myself unable to update windows, turn on firewall or update Avast...

5) Treat any storage media you connected to the infected pc as infected as well.

Before restoring your backed up data, scan it with AV and delete ALL htm and html files.

I wouldn't suggest trying to repair or clean up the infection without formatting, unless you are very bored and have loads of patience and spare time!

It's been described as one of the worst viruses ever, using polymorphism to disguise itself.
It's a Virut strain and is capable of even infecting other malware (think a virus getting infected with another virus?)



			
				Polonus (malware fighter) said:
			
		

> W32/Vitro injects code in running processes and hooks the following functions in ntdll.dll which transfers control to the virus every time any of these function calls are made.
> 
> * NtCreateFile
> * NtCreateProcess
> ...





> I just lost a computer to this virus.  Going with scorched earth.  Also, it jumped to my USB drive (autorun?) and almost got my laptop. Avast is catching this, when Norton and McAfee did NOT.



In the thread linked above, it's rumoured that Vista and Windows 7 users are immune to Win32:Vitro.
Uhh, if someone would be willing to test... I got plenty of Vitro-infected files available to share. Myself, I've been checking my 2 Vista x64 rigs in system specs the entire afternoon (good reason enough since I regularly exchange pendrives/emails/downloads with dad - 2 days ago I even let him access my NAS remotely). Thankfully I got no Vitro - dunno if it's due to me being careful or just because my OS is Vista and not XP.
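The post above boils down to a backup-triage rule: before restoring anything copied off the infected machine, look at exactly the file classes it reports as Vitro's targets (.exe files smaller than 100K, and .htm/.html files, which the AV products of the time did not flag). The script below is an added example written for this thread, not code from the thread or from any AV vendor. It walks a backup directory, lists and hashes every file matching that profile, and optionally compares the hashes of named files against clean copies (for instance, system32 executables taken from install media) to spot altered ones. It only reports; the decision to delete, which the post recommends for htm/html files, is left to the operator. The size limit, the extension sets, and the sample tree are constructed assumptions taken from the post's description.

```python
"""Triage of a backup copied off a Win32:Vitro-infected machine.

Added example for this thread (not the thread's own code). It applies the
file classes the posts describe as Vitro's targets: .exe files smaller than
100K and .htm/.html files. Candidates are listed and hashed; nothing is
deleted or repaired, so the operator decides what to restore. Optionally,
hashes are compared against clean copies (e.g. system32 files taken from
install media) to spot files that were altered.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

SIZE_LIMIT = 100 * 1024          # "smaller than 100K", as reported in the thread (assumed 100 KiB)
EXEC_EXTS = {".exe"}
WEB_EXTS = {".htm", ".html"}


@dataclass
class Finding:
    path: str      # path relative to the scanned root, with "/" separators
    size: int
    reason: str
    sha256: str


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, size: int) -> Optional[str]:
    """Return why a file is a review candidate, or None if it is outside the profile."""
    ext = path.suffix.lower()
    if ext in WEB_EXTS:
        return "htm/html file (the thread reports AVs do not flag infected web files)"
    if ext in EXEC_EXTS and size < SIZE_LIMIT:
        return "exe under 100K (the size class the thread reports as targeted)"
    return None


def triage(root) -> List[Finding]:
    """Walk root and return sorted findings; read-only, never modifies the tree."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                size = p.stat().st_size
            except OSError:
                continue                 # unreadable entry: skip it, do not abort the run
            reason = classify(p, size)
            if reason:
                rel = p.relative_to(root).as_posix()
                findings.append(Finding(rel, size, reason, sha256_of(p)))
    return sorted(findings, key=lambda f: f.path)


def flag_modified(findings: List[Finding], baseline: Dict[str, str]) -> List[str]:
    """Paths whose basename is in baseline (name -> clean SHA-256) but whose hash differs."""
    flagged = []
    for f in findings:
        name = f.path.rsplit("/", 1)[-1].lower()
        if name in baseline and baseline[name] != f.sha256:
            flagged.append(f.path)
    return flagged


def build_sample_tree(base: Optional[str] = None) -> str:
    """Constructed sample backup (not real infected data) for a stand-alone run."""
    base = Path(base) if base else Path(tempfile.mkdtemp(prefix="vitro_triage_"))
    (base / "Documents").mkdir(parents=True, exist_ok=True)
    (base / "tools").mkdir(exist_ok=True)
    (base / "Documents" / "report.htm").write_bytes(b"<html><body>constructed</body></html>")
    (base / "tools" / "small.exe").write_bytes(b"MZ" + b"\0" * (50 * 1024 - 2))   # 50 KiB
    (base / "tools" / "big.exe").write_bytes(b"MZ" + b"\0" * (200 * 1024 - 2))    # 200 KiB
    (base / "notes.txt").write_bytes(b"plain text, outside the profile")
    return str(base)


if __name__ == "__main__":
    root = build_sample_tree()
    for f in triage(root):
        print(f"{f.path:<24} {f.size:>7} B  {f.sha256[:16]}...  {f.reason}")
```

Run it against the mounted backup instead of the sample tree by calling `triage("/mnt/backup")` (path is a placeholder). The baseline for `flag_modified` is built by hashing known-clean copies of the same filenames; a match says the file is byte-identical to the clean copy, a mismatch says it was altered and should not be restored, and a file absent from the baseline is simply not judged.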


----------



## Deleted member 24505 (May 15, 2009)

If it's a SATA laptop hard drive, you can connect it to a desktop like any other SATA HDD, same connectors.


----------



## ohyeah (Jun 29, 2009)

Vista is NOT immune. My Vista Home x32 has several variations of the Vitro malware on thousands of exe files. As soon as I get the CD I will be deleting the partition, reformatting, and reinstalling.


----------



## brickhouse (Aug 25, 2009)

*gahhh*

Can anyone give me some suggestions?

Recently my Acer Aspire One (netbook) got infected with Vitro, I managed to get about 5 files off on a USB that I desperately needed.

I took the HDD out (in an Aspire One it's incredibly confusing to do!) therefore I was wondering if it was safe to put it in an enclosure and connect it via USB to my desktop, or will the virus just go yay!

I was hoping if I could connect it via the enclosure I could get the rest of the stuff off that I needed and re-format it.

Any suggestions?


----------



## Black Panther (Aug 25, 2009)

Just don't touch any htm & html files, and any exe files smaller than 100Kb.


----------



## From_Nowhere (Aug 25, 2009)

I do believe this is the virus that killed my old MSI laptop last year. Thankfully I have all of my needed files on an external hard drive (that was only hooked up to that MSI when I first got it new).

My MSI laptop was running Windows Vista Ultimate x64 so those thinking Vista isn't immune...


The MSI laptop is now powered down on a shelf in my closet. I'm saving up for a SSD, and Win 7 to put on it.


----------

