|
Poslao: 22 Jun 2009 23:35
|
offline
- Pridružio: 04 Sep 2007
- Poruke: 130
|
USBNoRisk 2.4 (1 June 2009) by bobby
Started at 6/22/2009 11:33:44 PM
Searching for connected USB Mass storage...
----------------------------------------
I: {710e41e0-46fc-11de-802b-00508d59a11d}
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
========================================
Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================
Scanning removable storage...
----------------------------------------
No blocked files found on H:
No Autorun.inf files found on H:
No mountpoint found for fe21aa0e-3e36-11de-8025-00508d59a11d
No Desktop.ini files found on H:
No mimics found on drive H:
----------------------------------------
No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 710e41e0-46fc-11de-802b-00508d59a11d
----------------------------------------
Desktop.ini found at I:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
No mimics found on drive I:
----------------------------------------
Scanning fixed storage...
----------------------------------------
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------
No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------
No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------
No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------
autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
----------------------------------------
[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\24233.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\24233.vbs
----------------------------------------
========================================
Initial scan finished!
========================================
Processing script
----------------------------------------
710e41e0-46fc-11de-802b-00508d59a11d
Drive letter for GUID: I:
SectionStart = 9
SectionEnd = 12
f_delete:
file "I:\explorer.exe" deleted successfully
----------------------------------------
Delete folder tree I:\RECYCLED:
----------------------------------------
Delete: I:\RECYCLED\desktop.ini > Done!
Delete: I:\RECYCLED\INFO2 > Done!
Delete: I:\RECYCLED > Done!
----------------------------------------
Folder list for I:\:
----------------------------------------
d---- 0 I:\GRACEJ~1 I:\GRACE JONES
d---- 0 I:\pdf I:\pdf
d---- 0 I:\ELECTR~1.2 I:\Electro house 2008 vol.2
dr-hs 0 I:\RECYCLER I:\RECYCLER
d---- 0 I:\HARD_M~1 I:\Hard_Mix-Brazilian_House-WEB-(MPM0003)-2009-CopyCAT
d---- 0 I:\HED_KA~1 I:\Hed_Kandi_The_Mix_Spring_2009-3_CD-2009
d---- 0 I:\JOHNNY~1._LE I:\Johnny_Fiasco-Groove_On_(Incl._Lego_Remix)-(KFD010)-WEB-2009-SOULFUL
d---- 0 I:\JUSTIN~1._MA I:\Justin_Michael_and_Born_to_Funk_Ft._Maya-Change_is_on_the_Way-_PM067_-WEB-2009-BSiDE
d---- 0 I:\LA_VID~1.2 I:\La_Vida_Loca_-_The_Latin_House_Party_Vol.2
d---- 0 I:\VA-BUD~1 I:\VA - Buddha Bar - Sunlounger (2009)
d---- 0 I:\VA_-_H~1 I:\VA_-_House_this_(Mixed_by_Kneedeep)-2009-MST
d---- 0 I:\VA_-_M~1 I:\VA_-_Music_For_Cocktails_(Elite_Edition)-2CD-2009-LiR
d---- 0 I:\VA-BAR~1 I:\VA-Bar_Vista-Latino-2CD-2009
d---- 0 I:\VA-CHI~1 I:\VA-Chill Jazz Sessions (2009)
d---- 0 I:\VONMON~1 I:\Von Mondo - House Jazz Masters (2006)
d---- 0 I:\BORN_T~1 I:\Born_To_Funk-Get_Funky-(GKF061)-WEB-2008-IMT
dr-hs 0 I:\RESTORE I:\RESTORE
----------------------------------------
0c44db79-3db6-11de-b67a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 4
Windows folder protection is off
f_delete:
file "C:\windows\system32\24233.vbs" deleted successfully
f_delete:
file "C:\windows\system32\101207.cmd" deleted successfully
----------------------------------------
8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 5
SectionEnd = 8
f_delete:
file "G:\101207.cmd" deleted successfully
----------------------------------------
Folder list for G:\:
----------------------------------------
dr--- 0 G:\Dacha G:\Dacha
dr--- 0 G:\DRUM G:\DRUM
d--hs 0 G:\found.000 G:\found.000
dr--- 0 G:\HIPHOP~1 G:\hip hop
dr--- 0 G:\HOUSE G:\HOUSE
-rahs 0 G:\kht G:\kht
dr--- 0 G:\LONGE G:\LONGE
dr--- 0 G:\obuka G:\obuka
d---- 0 G:\podaci G:\podaci
d--hs 0 G:\RECYCLER G:\RECYCLER
dr--- 0 G:\REGGAE G:\REGGAE
d--hs 0 G:\SYSTEM~1 G:\System Volume Information
----------------------------------------
|
|
|
|
|
|
|
Poslao: 22 Jun 2009 23:39
|
offline
- bobby
- Administrator
- Pridružio: 04 Sep 2003
- Poruke: 24135
- Gde živiš: Wien
|
Zadnji skript:
{8245a7d3-3daa-11de-8022-806d6172696f}
f_delete: %DRIVE%kht
folder_list: %DRIVE%
|
|
|
|
|
|
|
Poslao: 22 Jun 2009 23:43
|
offline
- Pridružio: 04 Sep 2007
- Poruke: 130
|
USBNoRisk 2.4 (1 June 2009) by bobby
Started at 6/22/2009 11:41:45 PM
Searching for connected USB Mass storage...
----------------------------------------
I: {710e41e0-46fc-11de-802b-00508d59a11d}
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
========================================
Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================
Scanning removable storage...
----------------------------------------
No blocked files found on H:
No Autorun.inf files found on H:
No mountpoint found for fe21aa0e-3e36-11de-8025-00508d59a11d
No Desktop.ini files found on H:
No mimics found on drive H:
----------------------------------------
No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 710e41e0-46fc-11de-802b-00508d59a11d
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------
Scanning fixed storage...
----------------------------------------
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------
No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------
No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------
No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------
autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
----------------------------------------
[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\24233.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\24233.vbs
----------------------------------------
========================================
Initial scan finished!
========================================
Processing script
----------------------------------------
8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 0
SectionEnd = 2
f_delete:
file "G:\kht" deleted successfully
----------------------------------------
Folder list for G:\:
----------------------------------------
dr--- 0 G:\Dacha G:\Dacha
dr--- 0 G:\DRUM G:\DRUM
d--hs 0 G:\found.000 G:\found.000
dr--- 0 G:\HIPHOP~1 G:\hip hop
dr--- 0 G:\HOUSE G:\HOUSE
dr--- 0 G:\LONGE G:\LONGE
dr--- 0 G:\obuka G:\obuka
d---- 0 G:\podaci G:\podaci
d--hs 0 G:\RECYCLER G:\RECYCLER
dr--- 0 G:\REGGAE G:\REGGAE
d--hs 0 G:\SYSTEM~1 G:\System Volume Information
----------------------------------------
|
|
|
|
|
|
|
|
|
|
|
Poslao: 23 Jun 2009 00:01
|
offline
- bobby
- Administrator
- Pridružio: 04 Sep 2003
- Poruke: 24135
- Gde živiš: Wien
|
Pa sve particije + USB stick + plejer su ti bili inficirani nekim crvom.
Taj crv se siri tako sto na svaku particiju ubacuje Autorun fajlove koji bi trebali automatski da se pokrenu kada otvoris particiju i zato umesto da otvoris particiju ti si ustvari pokretao tog crva.
To smo otklonili bili u samom startu.
Ostatak naseg ciscenja ovde smo proveli u nalazenju fajlova koje je taj crv kreirao na tvom kompu, i brisanju istih.
Oni nisu vise bili aktivni, ali je uvek postojala mogucnost da ti slucajno naletis na njih i pokrenes ih, pa je zato bilo pametno da i njih nadjemo i obrisemo.
Pride toga, nasli smo i ostatke 4 infekcija koje si ranije imao na USB sticku i na plejeru.
|
|
|
|
|
|
|
Poslao: 23 Jun 2009 00:05
|
offline
- Pridružio: 04 Sep 2007
- Poruke: 130
|
Hvala mnogo,kazi mi samo jos ovaj program sto si mi dao usbnorisk,jel sa njim moze da se uklanjaju virusi sa usb-a ili samo sprecava da ti predje virus ili sta god sa usb-a na komp?
|
|
|
|
|
|
|
Poslao: 23 Jun 2009 00:08
|
offline
- bobby
- Administrator
- Pridružio: 04 Sep 2003
- Poruke: 24135
- Gde živiš: Wien
|
On automatski samo sprecava prelazak, a za brisanje je potrebno znati protumaciti log i napisati skript za ciscenje.
Taj sam program napisao bas za koriscenje u Ambulanti, i to pisanje skriptova uce samo clanovi AMF ekipe koja ovde resava slucajeve u Ambulanti.
|
|
|
|
|
|
|
|
|
Poslao: 23 Jun 2009 00:15
|
offline
- bobby
- Administrator
- Pridružio: 04 Sep 2003
- Poruke: 24135
- Gde živiš: Wien
|
Ne postoji AV koji prepoznaje sve viruse/crve/trojance/itd.
Tvoj nije prepoznao ovog crva, prosto.
|
|
|
|
|
|
), a zatim 
