
Virut in Flash Drive



#1 bdazzled788


Posted 15 March 2009 - 11:09 AM

Oh no...I was moving the hijackthis logs from an infected computer to my dad's clean computer but the usb stick had LSPFix.exe on it. Upon inserting it into my dad's laptop, etrust antivirus found Virut win.32 and it said it cured it but I am terrified that I have infected my dad's machine with it. I simply deleted LSPFix.exe from the flash drive and deleted it in the recycle bin but I have no idea if that was the right thing to do. Now I know I should have disabled Autorun but it is too late to do that. Do you think the machine would still be infected?



#2 DaChew


Posted 15 March 2009 - 11:17 AM

Run a MBAM scan on your dad's computer, let's make sure you don't end up having to reload 2 computers

The newer virut is incurable

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.
Chewy

No. Try not. Do... or do not. There is no try.
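
The McAfee description quoted in the post above says the virus body is appended to the last section of a PE file. The following is an added example, not part of the original thread and not any vendor's detection logic: a small PE header parser that raises two generic triage flags for that layout. The flags are heuristics only (packers trigger them too, and the entry-point check covers just the first of the three decryptor locations listed); the sample headers are constructed for the demo.

```python
import struct

EXECUTE, WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_EXECUTE / _WRITE
SECTION_FMT = "<8sIIIIIIHHI"               # one 40-byte section header

def parse_pe(data):
    """Return (entry_point_rva, [(name, vaddr, vsize, raw_size, flags), ...])."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsects, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    entry, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(nsects):
        f = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[3], f[9]))
    if not sections:
        raise ValueError("no section table")
    return entry, sections

def triage(data):
    """Generic flags for code added to the last section; not a Virut signature."""
    entry, sections = parse_pe(data)
    name, vaddr, vsize, raw_size, flags = sections[-1]
    findings = []
    if flags & EXECUTE and flags & WRITE:
        findings.append("last section is writable and executable")
    if vaddr <= entry < vaddr + max(vsize, raw_size):
        findings.append("entry point is inside the last section")
    return findings

def build_sample(entry_rva, last_flags):
    """Constructed two-section PE headers (no real code), used only for this demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    last = struct.pack(SECTION_FMT, b".rsrc", 0x1000, 0x2000, 0x200, 0x600, 0, 0, 0, 0, last_flags)
    return dos + coff + opt + text + last

if __name__ == "__main__":
    print(triage(build_sample(0x1000, 0x40000040)))   # ordinary layout
    print(triage(build_sample(0x2100, 0xE0000020)))   # constructed suspicious layout
```

An empty result does not clear a file, and a flagged file still needs a proper scanner verdict.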

#3 bdazzled788


Posted 15 March 2009 - 06:27 PM

I scanned his computer and this was all there was:

Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 2

03/15/2009 5:41:01 PM
mbam-log-2009-03-15 (17-41-01).txt

Scan type: Full Scan (C:\|D:\|H:\|U:\|Z:\|)
Objects scanned: 270984
Time elapsed: 3 hour(s), 0 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Is there still a chance the machine was infected? Thanks!

#4 DaChew


Posted 15 March 2009 - 06:37 PM

That's good news, someone or some program has turned off those pesky microsoft warnings, I hit ignore so I can leave mine off

Before exposing a usb drive to an infected computer I always use

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

About the only thing I would want from a virut computer would be a log file
Chewy

No. Try not. Do... or do not. There is no try.
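
The post above describes the placeholder folder named autorun.inf that occupies the name so an autorun file cannot be written there. As an added example (not part of the original thread and not Flash_Disinfector's own code), this script classifies what sits at a drive root under that name and, for a real file, lists the entries that would launch a program. The drive roots are temporary directories and the file content is constructed.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that name a program

def autorun_commands(text):
    """Return (key, value) pairs in autorun.inf text that would launch something."""
    hits = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if sep and (key in LAUNCH_KEYS or is_verb):
            hits.append((key, value.strip()))
    return hits

def inspect_root(root):
    """Classify autorun.inf at a drive root as 'absent', 'folder' or 'file'."""
    for entry in os.listdir(root):
        if entry.lower() != "autorun.inf":   # Windows names are case-insensitive
            continue
        path = os.path.join(root, entry)
        if os.path.isdir(path):
            return "folder", []              # placeholder folder occupies the name
        with open(path, "r", errors="replace") as fh:
            return "file", autorun_commands(fh.read())
    return "absent", []

# Constructed sample content; setup.exe is a made-up file name.
SAMPLE_INF = "[AutoRun]\nopen=setup.exe\nicon=setup.exe,0\nshell\\open\\command=setup.exe\n"

def demo():
    """Build two stand-in drive roots in temp directories and classify them."""
    with tempfile.TemporaryDirectory() as plain, tempfile.TemporaryDirectory() as guarded:
        with open(os.path.join(plain, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE_INF)
        os.mkdir(os.path.join(guarded, "autorun.inf"))
        return inspect_root(plain), inspect_root(guarded)

if __name__ == "__main__":
    print(demo())
```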

#5 bdazzled788


Posted 15 March 2009 - 07:58 PM

Ok before I posted this topic, I plugged in a portable hard drive into the infected computer in safe mode to start backing up pictures/docs. Then I realized that before, when I put in a usb stick, the .exe on it became infected with virut automatically. Great, I did not turn off auto run on the infected computer and I put this portable hard drive in. I started to transfer pictures and I noticed a .zip being moved. (I had some .zips in picture folders) and QUICKLY canceled the transfer and unplugged the portable hard drive.

Sorry, but can you please explain exactly the steps I need to do in order to back up my files onto my portable hd? I don't want to miss any crucial steps that may allow the HD to get infected which I am praying that it didn't already. Also, are .mov suspect to the infection?

#6 DaChew


Posted 15 March 2009 - 08:08 PM

Video files are usually safe, like music they have to use some microsoft crud to entice you to download the infection

I use media player for online videos only

Zipped picture folders of jpeg would be safe, exe in a zip would be infected

There is no really safe way to use a virut computer to back up, a linux cd is better/best
Chewy

No. Try not. Do... or do not. There is no try.

#7 bdazzled788


Posted 16 March 2009 - 01:32 PM

Ok, phew that is a relief. Thanks so much!



