Hit with the Virut Win32, reformatting and reinstalling, but need answers to these questions/ Moved

2 replies to this topic

#1 mikenmike0001



Posted 15 April 2009 - 05:08 PM

I suppose there's no point in posting the hijacker log since I'm choosing to reformat the machine. However, here's a thread for reference in which I included all of my logs prior to reformatting.

Link to logs removed as not relevant to question. ~ OB

Here's what I need to know. With my external hard drive, which I backed up and removed executables from, I found out after connecting it to another PC (not connected to the network) that Symantec antivirus on that PC found a few exe's with the Virut in the "recycler" folder during the scan. Apparently, I deleted it, but didn't empty the folder before disconnecting.

1) So with this scenario, if Symantec quarantined those files scanned from the external, what are the chances that the Virut will be spawning on that other PC?

It is still disconnected from the network and I'm currently doing a full system scan (it was stupid of me to connect it to the PC, but I wanted to ensure that the external was clean and had to use some machine to check).

I NEVER DOUBLE CLICKED ON ANY OF THOSE EXE files; they were simply scanned and detected when I right clicked on the drive.

2) However, I read around that if you let the external hard drive go into auto play mode when you first power up the unit, then that auto play can INITIATE a virus. Is that true? Someone told me to look for an autorun.inf file. I couldn't find it on the external hard drive even after allowing me to view hidden files and folders from Windows Explorer.

Edited by Orange Blossom, 16 April 2009 - 03:26 AM.



#2 Orange Blossom


Posted 16 April 2009 - 03:27 AM

Hello mikenmike0001,

The HiJack This forum is dedicated to log analysis and malware removal. Since that is not the purpose of your posting, I have removed the link to your logs and am moving this topic to the Am I Infected forum where your questions can be addressed much more quickly.

Orange Blossom

#3 DaChew



Posted 16 April 2009 - 06:37 AM

Virut is difficult to detect.

It's fairly easy to diagnose but almost impossible to be certain you got all the suspect files.

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

More information:

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:

  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)

Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Edited by DaChew, 16 April 2009 - 06:43 AM.


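An added example, not part of the original posts: a read-only audit of a backup drive for the three things this thread raises, namely any autorun.inf and the programs it names, files left in a recycle-bin folder, and the file types the reply above says not to back up. The function names, the constructed sample tree, the recycle-bin folder names other than "recycler", and the autorun.inf keys checked are assumptions drawn from standard Windows conventions; the walk lists files regardless of Explorer's hidden-file settings.

```python
import os
import tempfile

# Extensions the reply above says not to back up from a Virut-infected machine.
RISKY_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Recycle-bin folder names Windows uses (NTFS on XP, FAT, Vista and later).
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}


def autorun_targets(path):
    """Programs an autorun.inf would launch: open=, shellexecute=, shell\\...\\command=."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
                targets.append(value.strip())
    return targets


def audit_backup(root):
    """Walk a backup volume and report what should not be copied back."""
    report = {"autorun": {}, "recycle_bin": [], "risky": []}
    for folder, _dirs, files in os.walk(root):
        parts = os.path.relpath(folder, root).lower().split(os.sep)
        in_bin = any(p in RECYCLE_DIRS for p in parts)
        for name in sorted(files):
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() == "autorun.inf":
                report["autorun"][rel] = autorun_targets(full)
            elif in_bin:
                report["recycle_bin"].append(rel)
            elif os.path.splitext(name)[1].lower() in RISKY_EXT:
                report["risky"].append(rel)
    return report


def sample_report():
    """Audit a constructed tree of empty placeholder files standing in for the drive."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("photos/trip.jpg", "docs/setup.EXE", "docs/notes.txt",
                    "RECYCLER/S-1-5-21-0/Dc1.exe", "web/index.html"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=tool.exe\nicon=drive.ico\n")
        return audit_backup(root)
```

To check a real drive, call `audit_backup` with the drive's root path from a machine that has AutoPlay disabled; the script only lists and reads files and never opens or runs the flagged ones.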