MyCity » Ambulanta -> Arhiva Ambulante » Da li je ovo OK

Da li je ovo OK

Napisano na dan: 13.7.2009

Da li je ovo OK

Idi na vrh

Poslao: 13 Jul 2009 13:02
Idi na vrh
offline
  • Pridružio: 14 Nov 2003
  • Poruke: 324

Eksterni hard diskovi, prikačeni preko USB-a.

Molim proveru log-a:

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 7/13/2009 12:43:42 PM

Searching for connected USB Mass storage...
----------------------------------------
========================================

Searching for other storage...
----------------------------------------
C: {a532a7b0-662f-11de-96b5-806d6172696f}
D: {a532a7b1-662f-11de-96b5-806d6172696f}
========================================


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for a532a7b0-662f-11de-96b5-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for a532a7b1-662f-11de-96b5-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 7/13/2009 12:44:02 PM

Scanning for connected USB mass storage...
----------------------------------------
F: {55e11576-0b30-11de-9ea3-5050506f4531}
Added F:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on F:
----------------------------------------
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 55e11576-0b30-11de-9ea3-5050506f4531
----------------------------------------

----------------------------------------
Desktop.ini found at F:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive F:
========================================



New device connected at 7/13/2009 12:58:36 PM

Scanning for connected USB mass storage...
----------------------------------------
H: {010d4143-0b3d-11de-9ea5-5050506f4531}
Added H:
========================================

Scanning USB mass storage for files...
----------------------------------------
No blocked files found on H:
----------------------------------------
No Autorun.inf files found on H:
No mountpoint found for H:
No mountpoint found for 010d4143-0b3d-11de-9ea5-5050506f4531
----------------------------------------

----------------------------------------
Desktop.ini found at H:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
----------------------------------------

No mimics found on drive H:
========================================

========================================
Removed F:
========================================

Poslao: 13 Jul 2009 18:38
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

OK su.

Ukoliko se bojis infekcije koju si imao prosli put, onda da ti na brzinu objasnim sta treba da gledas u logu:

Citat:Mimics found on drive I: Ovo je zarazen drajv
Citat:No mimics found on drive F: Ovo je OK

Ovo pokazuje da li postoji trojanac koji sakriva foldere i postavlja sebe umesto foldera (mimika, imitiranje foldera).

Druge dve vrste infekcija koje ovaj program detektuje su infekcije koje se pokrecu automatski putem autorun.inf ili putem desktop.ini fajlova.
Tebi je ovde na svakom od ta dva diska nasao desktop.ini fajlove, ali su oba cisti. Zarazen desktop.ini fajl pokrece neki HTT fajl (ekstenzija HTT) koji pak dalje moze da pokrene trojanca. Znaci, ako se spominje neki HTT onda je to razlog za brigu.
Autorun.inf je komplikovan za objasnjavanje posto postoji milion mogucnosti. Spoljni hard diskovi ne bi trebali da sadrze autorun.inf.
Taj fajl legitimno bi trebao da postoji samo na onim USB uredjajima ili SD karticama koje su kupljene zajedno sa nekim programom na njima (recimo Kaspersky se sada prodaje na USB sticku, programi za navigacione uredjaje dolaze na SD karticama itd).

Poslao: 13 Jul 2009 21:17
Idi na vrh
offline
  • Pridružio: 14 Nov 2003
  • Poruke: 324

OK, bobby, hvala na pomoći i savetu.
Brinem se za ova dva eksterna harda, zaista ima podataka koje ne bih voleo da izgubim.
Meni je bilo sumnjivo što je našao onaj desktop.ini pa sam zbog toga odskenirao onim tvojim USBNoRisk programčetom. Odlična alatka, za pohvalu.

Hteo sam takođe da pitam, ako je program (mislim na ono tvoje programče) stalno uključeno a USB se ubacuju i izbacuju iz kompa, ima li šanse da sa nekog zaraženog USB-a uleti virus na komp pored USBNoRisk-a?

Ah, da...ovim tvojim programčetom sam našao na aparatu, na SONY kartici onaj mimics found pa sam je brže-bolje formatirao u aparatu.

Hvala, veliki si mi muku skinuo.

Ima li šanse da se obriše taj desktop.ini fajl?

Poslao: 13 Jul 2009 21:47
Idi na vrh
offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Nema potrebe da brises taj desktop.ini.
U ovom konkretnom slucaju on sluzi samo da folder Recycle ima ikonicu korpe. Ukoliko bi ga obrisao, korpa na tom HD-u bi izgubila svoju ikonicu i dobila bi ikonicu obicnog foldera.

USBNoRisk ce automatski da spreci malware koji se siri putem autorun.inf fajla tako sto ce preimenovati autorun.inf pre nego sto ga Windows Explorer registruje.
Time EXE fajl malwarea nece biti obrisan sa samog diska.
Ukoliko vidis da je USBNoRisk nasao neki autorun.inf, onda je najbolje da se javis ovde nama da to pogledamo i da nadjemo gde se krije EXE te infekcije.

Poslao: 13 Jul 2009 22:00
Idi na vrh
offline
  • Pridružio: 14 Nov 2003
  • Poruke: 324

Napisano: 13 Jul 2009 21:59

OK, hvala još jednom.
Ja svakog dana donesem po 2 USB koja su 100% zaražena.

Dopuna: 13 Jul 2009 22:00

Probao sam Malware, Spayware Doctor...slaba vajda.
Prolaze virusi pored njih kao pored bandere.

MyCity » Ambulanta -> Arhiva Ambulante » Da li je ovo OK

Ko je trenutno na forumu
 

Ukupno su 752 korisnika na forumu :: 3 registrovanih, 0 sakrivenih i 749 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: Belac91, branko7, ruger357