windows script host

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/22/2009 11:33:44 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {710e41e0-46fc-11de-802b-00508d59a11d}
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
========================================

Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on H:
No Autorun.inf files found on H:
No mountpoint found for fe21aa0e-3e36-11de-8025-00508d59a11d
No Desktop.ini files found on H:
No mimics found on drive H:
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 710e41e0-46fc-11de-802b-00508d59a11d
----------------------------------------
Desktop.ini found at I:\Recycled\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
----------------------------------------
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},InfoTip = @%SystemRoot%\system32\SHELL32.dll,-22915
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},IntroText = @%SystemRoot%\system32\SHELL32.dll,-31748
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E},LocalizedString = @%SystemRoot%\system32\SHELL32.dll,-8964
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,@ = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Empty = %SystemRoot%\System32\shell32.dll,31
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon,Full = %SystemRoot%\System32\shell32.dll,32
HKLM\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InProcServer32,@ = shell32.dll
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------

No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
----------------------------------------
[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\24233.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\24233.vbs
----------------------------------------
========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
710e41e0-46fc-11de-802b-00508d59a11d
Drive letter for GUID: I:
SectionStart = 9
SectionEnd = 12
f_delete:
file "I:\explorer.exe" deleted successfully
----------------------------------------
Delete folder tree I:\RECYCLED:
----------------------------------------
Delete: I:\RECYCLED\desktop.ini > Done!
Delete: I:\RECYCLED\INFO2 > Done!
Delete: I:\RECYCLED > Done!
----------------------------------------
Folder list for I:\:
----------------------------------------

d----   0   I:\GRACEJ~1   I:\GRACE JONES
d----   0   I:\pdf   I:\pdf
d----   0   I:\ELECTR~1.2   I:\Electro house 2008 vol.2
dr-hs   0   I:\RECYCLER   I:\RECYCLER
d----   0   I:\HARD_M~1   I:\Hard_Mix-Brazilian_House-WEB-(MPM0003)-2009-CopyCAT
d----   0   I:\HED_KA~1   I:\Hed_Kandi_The_Mix_Spring_2009-3_CD-2009
d----   0   I:\JOHNNY~1._LE   I:\Johnny_Fiasco-Groove_On_(Incl._Lego_Remix)-(KFD010)-WEB-2009-SOULFUL
d----   0   I:\JUSTIN~1._MA   I:\Justin_Michael_and_Born_to_Funk_Ft._Maya-Change_is_on_the_Way-_PM067_-WEB-2009-BSiDE
d----   0   I:\LA_VID~1.2   I:\La_Vida_Loca_-_The_Latin_House_Party_Vol.2
d----   0   I:\VA-BUD~1   I:\VA - Buddha Bar - Sunlounger (2009)
d----   0   I:\VA_-_H~1   I:\VA_-_House_this_(Mixed_by_Kneedeep)-2009-MST
d----   0   I:\VA_-_M~1   I:\VA_-_Music_For_Cocktails_(Elite_Edition)-2CD-2009-LiR
d----   0   I:\VA-BAR~1   I:\VA-Bar_Vista-Latino-2CD-2009
d----   0   I:\VA-CHI~1   I:\VA-Chill Jazz Sessions (2009)
d----   0   I:\VONMON~1   I:\Von Mondo - House Jazz Masters (2006)
d----   0   I:\BORN_T~1   I:\Born_To_Funk-Get_Funky-(GKF061)-WEB-2008-IMT
dr-hs   0   I:\RESTORE   I:\RESTORE

----------------------------------------

0c44db79-3db6-11de-b67a-806d6172696f
Drive letter for GUID: C:
SectionStart = 0
SectionEnd = 4
Windows folder protection is off
f_delete:
file "C:\windows\system32\24233.vbs" deleted successfully
f_delete:
file "C:\windows\system32\101207.cmd" deleted successfully
----------------------------------------

8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 5
SectionEnd = 8
f_delete:
file "G:\101207.cmd" deleted successfully
----------------------------------------
Folder list for G:\:
----------------------------------------

dr---   0   G:\Dacha   G:\Dacha
dr---   0   G:\DRUM   G:\DRUM
d--hs   0   G:\found.000   G:\found.000
dr---   0   G:\HIPHOP~1   G:\hip hop
dr---   0   G:\HOUSE   G:\HOUSE
-rahs   0   G:\kht   G:\kht
dr---   0   G:\LONGE   G:\LONGE
dr---   0   G:\obuka   G:\obuka
d----   0   G:\podaci   G:\podaci
d--hs   0   G:\RECYCLER   G:\RECYCLER
dr---   0   G:\REGGAE   G:\REGGAE
d--hs   0   G:\SYSTEM~1   G:\System Volume Information

----------------------------------------

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Zadnji skript:
{8245a7d3-3daa-11de-8022-806d6172696f}
f_delete: %DRIVE%kht
folder_list: %DRIVE%

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

USBNoRisk 2.4 (1 June 2009) by bobby

Started at 6/22/2009 11:41:45 PM

Searching for connected USB Mass storage...
----------------------------------------
I: {710e41e0-46fc-11de-802b-00508d59a11d}
H: {fe21aa0e-3e36-11de-8025-00508d59a11d}
========================================

Searching for other storage...
----------------------------------------
C: {0c44db79-3db6-11de-b67a-806d6172696f}
D: {0c44db7a-3db6-11de-b67a-806d6172696f}
F: {8245a7d2-3daa-11de-8022-806d6172696f}
G: {8245a7d3-3daa-11de-8022-806d6172696f}
========================================

Scanning removable storage...
----------------------------------------

No blocked files found on H:
No Autorun.inf files found on H:
No mountpoint found for fe21aa0e-3e36-11de-8025-00508d59a11d
No Desktop.ini files found on H:
No mimics found on drive H:
----------------------------------------

No blocked files found on I:
No Autorun.inf files found on I:
No mountpoint found for 710e41e0-46fc-11de-802b-00508d59a11d
No Desktop.ini files found on I:
No mimics found on drive I:
----------------------------------------


Scanning fixed storage...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 0c44db79-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on C:
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 0c44db7a-3db6-11de-b67a-806d6172696f
No Desktop.ini files found on D:
----------------------------------------

No blocked files found on F:
No Autorun.inf files found on F:
No mountpoint found for F:
No mountpoint found for 8245a7d2-3daa-11de-8022-806d6172696f
No Desktop.ini files found on F:
----------------------------------------

No blocked files found on G:
No Autorun.inf files found on G:
No mountpoint found for G:
No mountpoint found for 8245a7d3-3daa-11de-8022-806d6172696f
No Desktop.ini files found on G:
----------------------------------------

autorun.inf found in Qoobox
----------------------------------------
Content of C:\QooBox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
----------------------------------------
[autorun]
Open=
shell\Open=I LOVE MY PEANUT
shell\Open\Command=WScript.exe .\24233.vbs
shell\Open\Default=1
shell\Explore=Explore
shell\Explore\Command=WScript.exe .\24233.vbs
----------------------------------------
========================================
Initial scan finished!
========================================

Processing script
----------------------------------------
8245a7d3-3daa-11de-8022-806d6172696f
Drive letter for GUID: G:
SectionStart = 0
SectionEnd = 2
f_delete:
file "G:\kht" deleted successfully
----------------------------------------
Folder list for G:\:
----------------------------------------

dr---   0   G:\Dacha   G:\Dacha
dr---   0   G:\DRUM   G:\DRUM
d--hs   0   G:\found.000   G:\found.000
dr---   0   G:\HIPHOP~1   G:\hip hop
dr---   0   G:\HOUSE   G:\HOUSE
dr---   0   G:\LONGE   G:\LONGE
dr---   0   G:\obuka   G:\obuka
d----   0   G:\podaci   G:\podaci
d--hs   0   G:\RECYCLER   G:\RECYCLER
dr---   0   G:\REGGAE   G:\REGGAE
d--hs   0   G:\SYSTEM~1   G:\System Volume Information

----------------------------------------

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ima li jos kakvih problema?

Ukoliko nema, ostaje nam samo da deinstaliramo ComboFix i USBNoRisk:

klikni start (ili ), a zatim RUN.

Na Visti koristiti Start Search polje ukoliko Run nije dostupan.

U liniju za unos teksta ukucaj (iskopiraj) sledeće:

combofix /u

Primeti da postoji razmak između "ComboFix" i "/u".



a zatim klikni OK (ili pritisni Enter).

Sačekaj da se proces deinstalacije završi.


USBNoRisk se deinstalira tako sto u samom programu kliknes na dugme Uninstall, sto ce izbrisati folder c:\USBNoRisk i fajlove u njemu.
Sam EXE fajl USBNoRiska mozes obrisati rucno ukoliko ti nije vise potreban.
USBNoRisk mozes koristiti i kasnije - pokrenes ga pre nego sto prikljucis neki USB uredjaj i USBNoRisk ce spreciti svako automatsko pokretanje programa (samim tim i malwarea) sa USB uredjaja. Time sprecavas da ti malware zarazi komp.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ok,jel mozes da mi kazes u cemu je bio problem?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Pa sve particije + USB stick + plejer su ti bili inficirani nekim crvom.
Taj crv se siri tako sto na svaku particiju ubacuje Autorun fajlove koji bi trebali automatski da se pokrenu kada otvoris particiju i zato umesto da otvoris particiju ti si ustvari pokretao tog crva.
To smo otklonili bili u samom startu.
Ostatak naseg ciscenja ovde smo proveli u nalazenju fajlova koje je taj crv kreirao na tvom kompu, i brisanju istih.
Oni nisu vise bili aktivni, ali je uvek postojala mogucnost da ti slucajno naletis na njih i pokrenes ih, pa je zato bilo pametno da i njih nadjemo i obrisemo.
Pride toga, nasli smo i ostatke 4 infekcija koje si ranije imao na USB sticku i na plejeru.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Hvala mnogo,kazi mi samo jos ovaj program sto si mi dao usbnorisk,jel sa njim moze da se uklanjaju virusi sa usb-a ili samo sprecava da ti predje virus ili sta god sa usb-a na komp?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

On automatski samo sprecava prelazak, a za brisanje je potrebno znati protumaciti log i napisati skript za ciscenje.
Taj sam program napisao bas za koriscenje u Ambulanti, i to pisanje skriptova uce samo clanovi AMF ekipe koja ovde resava slucajeve u Ambulanti.

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Kako anti virus nije reagovao?

• 0Niko još nije pohvalio poruku.
  Registruj se da bi pohvalio/la poruku!

Ne postoji AV koji prepoznaje sve viruse/crve/trojance/itd.
Tvoj nije prepoznao ovog crva, prosto.