Hit with the Virut Win32, reformating and reinstalling, but need answers to these questions/ Moved

I suppose there's no point of posting the hijacker log since I'm choosing to reformat the machine. However, here's a thread for reference that I included all of my logs prior to reformatting.

Link to logs removed as not relevant to question. ~ OB

here's what i need to know, my external hard drive, that I backed up and removed executables, I found out from connecting to another PC (not connected to the network) that had symantec antivirus on it found a few exe's with the virut during the scan from the "recycler" folder. Apparently, I deleted it, but didn't empty the folder before disconnecting.

1) So with this scenario, if the symantec quarantined those files scanned from the external, what are the chances that the virut will be spawning on that other PC ?

It is still disconnected from the network and I'm currently doing a full system scan (it was stupid of me to connect it to the pc, but I wanted to ensure that the external was clean and had to use some machine to check)

I NEVER DOUBLE CLICKED ON ANY OF THOSE EXE files, they were simply scanned and detected when I right clicked on the drive.

2) However, I read around that if you let the external hard drive go into auto play mode when you first power up the unit, then that auto play can INITIATE a virus. Is that true? Someone told me to look for an autorun.inf file. I couldn't find it on the external hard drive even after allowing me to view hidden files and folders from the windows explorer.

Edited by Orange Blossom, 16 April 2009 - 03:26 AM.

Hello mikenmike0001,

The HiJack This forum is dedicated to log analysis and malware removal. Since that is not the purpose of your posting, I have removed the link to your logs and am moving this topic to the Am I Infected forum where your questions can be addressed much more quickly.

Orange Blossom

Virut is difficult to detect

It's fairly easy to diagnois but almost impossible to be certain you got all the suspect files.

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Edited by DaChew, 16 April 2009 - 06:43 AM.