
"Unprovoked" file deletion... virus or disk problem?! dilemma

[es] :: Zaštita (Protection) :: (Locked topic, by Dashkes)

[ Views: 1433 | Replies: 9 ]

SrkoS (Kostic Srdjan, Pirot) wrote on 17.06.2009 at 21:51:
Files in My Documents started deleting themselves.
While I was looking for a document in some directories, I noticed first that I no longer had folder icons (the desktop.ini file in the directories had been deleted), and later that I had no folders either... and the entire c:\docs & settings\(user)\application data !!!

Has anyone had a similar situation?!?!

I don't know whether to suspect hardware, software, viruses, an intrusion from outside...


This is the second time it has happened to me in a month!


Suspicions:
1. I thought there had been an error on the hard disk
(SMART reported a CRC hardware recovery problem, in some program)

However, the data was deleted on two disks...

If the problem is with that hw recovery, then the problem is in the DMA on the motherboard.

2. Virus?! I put in my favourite AV, BitDefender.
It found

C:\WINDOWS\system32\drivers\setup\hosts\hostsmon.exe
Backdoor.Generic.104430
Deleted

http://www.threatexpert.com/re...f9-591c-4778-972c-8af90164421c


When this happened to me the first time I had Diskeeper autodefrag installed (with forced IIAS... whatever it was called),
and I attributed the data deletion to it...
* I had no time to analyse it; I restored 70% of the data and carried on working
- I didn't clean out viruses?!
- at that time at least 80% of My Documents and part of Application Data were deleted / only Quick Launch was deleted, i.e. app.data/microsoft
- this time everything was deleted, but only after I had logged in as admin in safe mode.




I'm simply not sure what caused it to


Windows XP SP3
antivirus: AVG 8.5 Free / updated and active
constantly connected to the net through an additional router.
user: without administrator rights
MyDocs on a physically separate disk (unlike Windows and Docs and Settings)
constantly online, through a router on which the firewall is "configured"...



Scenario 2 (more recent)
1. I started copying 40 GB of films from one disk to the other
2. During the copy I decided to look at a document...
3. I noticed that some icons assigned to folders were missing (I assumed deletion had happened again!)
4. I established that data was being deleted from My Documents
(the language bar had also shifted, a little to the left, leaving free space up to the tray)
5. I quickly restarted the computer into safe mode
- logged in as admin
- saw that I still had data in MyDocs
- after half a minute the entire MyDocs of that user (me) was gone



I recovered 60% of the data with GetDataBack,
and I got back what matters to me, so it's OK.


 

Dashkes wrote on 17.06.2009 at 21:58:
Download HijackThis.
When you have downloaded it, rename the file to anything, e.g. "destruct0.exe". Run it and click "Do a system scan and save a logfile". Paste that log here.
 

SrkoS wrote on 19.06.2009 at 21:46:
I already ran HijackThis, but I didn't rename the file.

I used the auto-analysis as described in
http://www.elitesecurity.org/t...ijackThis-loga-preko-interneta

It found a cool2search toolbar... and some XML parser; I don't remember exactly now.


I'll do it and post it in the next post!


Thanks for your interest.


Have you heard of a similar thing happening to anyone: deletion of the entire My Documents and Application Data?!



Regards
 

Dashkes wrote on 19.06.2009 at 21:53:
One like this, which deletes only My Documents and Application Data, I haven't had the "luck" to meet. :)
 

SrkoS wrote on 19.06.2009 at 22:03:
hijack -> karambol.exe

((A CoolWebSearch item has appeared again?!
I had fixed it?! 3 items...))

Thanks.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:25, on 19.6.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\totalcmd\TOTALCMD.EXE
D:\tmp\karambol.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://online.bancaintesabeograd.com/retail/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ui.skype.com/ui/0/3.5.0.239/en/passwordreminder/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Srdjan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: magicMail.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: magicMail.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: magicMail.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll
O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {A7C346A3-B076-46B3-97F0-D00F6B479451} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia....ockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{17D988B9-1B4F-4E5B-AFBC-93E4E8498172}: NameServer = 192.168.253.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{62B3E02E-B47F-430F-A108-9255B70CEECC}: NameServer = 82.117.194.2,82.117.194.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 8874 bytes
 

Dashkes wrote on 19.06.2009 at 22:36:
Tick the following objects and click "Fix checked":
O4 - S-1-5-18 Startup: magicMail.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: magicMail.lnk = ? (User 'Default user')
O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL
O16 - DPF: {A7C346A3-B076-46B3-97F0-D00F6B479451} (FileInterface Class) - https://online.bancaintesabeograd.com/RetailDLL/FSINT.dll
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com


• Download and install Malwarebytes' Anti-Malware - http://www.malwarebytes.org/mbam-download.php
• Run it and do an update (Update > Check for Updates) and confirm with OK when it finishes.
• After the update choose Scanner, tick Perform full scan and press Scan.
• When the scan finishes press OK, then Show Results to see the report.
• Check that all the files found are ticked (if not, select them), press Remove Selected and confirm with OK.
• The program will ask you to restart the computer; confirm.
• After the malware is removed from the computer you will also get a log file (report), which you should paste here.
 
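The entries the reply above singles out (startup shortcuts whose target cannot be resolved, ActiveX controls pulled in by IE, per-interface DNS settings, orphaned services) are exactly the classes a small triage script can lift out of an HJT log before a human looks at it. The following Python block is an added example, not code from the thread, from HijackThis or from Malwarebytes: it parses HijackThis-style entry lines and returns review items. The sample log is constructed from lines in the posted log plus two invented entries (a hostsmon Run key under Local Settings\Temp and a 198.51.100.7 resolver) so that every rule fires; the allow-lists of download hosts, trusted resolvers and user-writable directories are assumptions.

```python
"""Triage of a HijackThis log.

Added example, not code from the thread, from HijackThis or from Malwarebytes.
Parses the entry lines of an HJT log and flags the classes of entries the
thread's helper asked to be fixed. Allow-lists and path heuristics are
assumptions chosen for illustration; every hit is a review item, not a verdict.
"""
import ipaddress
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \([^)]*\) - (?P<url>\S+)$")
NS_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)$")
SEARCHLIST_RE = re.compile(r"SearchList = \S+$")
UNRESOLVED_RE = re.compile(r" = \?( \(|$)")   # "x.lnk = ?": target HJT cannot resolve

# Assumed allow-lists: hosts an ActiveX (O16) download may come from, and the
# ISP resolvers this machine is expected to use (taken from the posted log).
ALLOWED_DPF_HOSTS = {"download.bitdefender.com", "fpdownload2.macromedia.com"}
TRUSTED_DNS = {"82.117.194.2", "82.117.194.3"}
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Directories an unprivileged account can write to (assumed list, lower-case).
USER_WRITABLE = ("\\tmp\\", "\\temp\\", "\\local settings\\temp\\")

# Constructed sample: lines from the posted log plus two invented ones (the
# hostsmon Run key and the 198.51.100.7 resolver) so that every rule fires.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\Explorer.EXE",
    r"D:\tmp\karambol.exe",
    "",
    r'O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"',
    r"O4 - S-1-5-18 Startup: magicMail.lnk = ? (User 'SYSTEM')",
    r"O4 - Startup: magicMail.lnk = ?",
    r"O4 - HKCU\..\Run: [hostsmon] C:\Documents and Settings\Srdjan\Local Settings\Temp\hostsmon.exe",
    r"O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab",
    r"O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.bancaintesabeograd.com/RetailDLL/SGCMSCCD.DLL",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{17D988B9-1B4F-4E5B-AFBC-93E4E8498172}: NameServer = 192.168.253.254",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{62B3E02E-B47F-430F-A108-9255B70CEECC}: NameServer = 82.117.194.2,82.117.194.3",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 198.51.100.7",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = linksys.com,linksys.com",
    r"O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe (file missing)",
    r"O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe",
]


def _user_writable(text):
    low = text.lower()
    return any(d in low for d in USER_WRITABLE)


def _unknown_resolver(ip_list):
    """True if any listed resolver is neither on the LAN nor a trusted ISP one."""
    for ip in ip_list.split(","):
        addr = ipaddress.ip_address(ip)
        if ip not in TRUSTED_DNS and not any(addr in net for net in LAN_NETS):
            return True
    return False


def triage(lines):
    """Return (rule, line) review items for an HJT log supplied as a list of lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # Not an R/F/O entry: in the header block these are running processes.
            if re.match(r"^[A-Za-z]:\\", line) and _user_writable(line):
                findings.append(("proc-writable-path", line))
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":                     # autostart entries
            if UNRESOLVED_RE.search(body):
                findings.append(("o4-unresolved-target", line))
            elif _user_writable(body):
                findings.append(("o4-writable-path", line))
        elif sec == "O16":                  # ActiveX objects IE downloaded
            d = DPF_RE.match(body)
            host = urlparse(d.group("url")).hostname if d else None
            if host not in ALLOWED_DPF_HOSTS:
                findings.append(("o16-unlisted-host", line))
        elif sec == "O17":                  # per-interface DNS settings
            ns = NS_RE.search(body)
            if ns and _unknown_resolver(ns.group("ips")):
                findings.append(("o17-unknown-dns", line))
            elif SEARCHLIST_RE.search(body):
                findings.append(("o17-search-list", line))
        elif sec == "O23" and body.endswith("(file missing)"):  # orphaned service
            findings.append(("o23-orphan-service", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:22} {entry}")
```

Every hit is a review item rather than a verdict: the renamed HijackThis itself (D:\tmp\karambol.exe) trips the writable-path rule because it was run from a temp directory, and the bank's own ActiveX controls trip the allow-list rule just as the helper's fix list did. Deciding which of those to keep is the step no script does for you; the script's job is to make sure none of them is overlooked in a 90-line log.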

SrkoS wrote on 21.06.2009 at 13:57:
I did the fixing (although those are programs I use often, magicMail and MindJet...),
ran the scan and am forwarding the report.


Malwarebytes' Anti-Malware 1.38
Database version: 2318
Windows 5.1.2600 Service Pack 3

6/21/2009 2:49:25 PM
mbam-log-2009-06-21 (14-49-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 259595
Time elapsed: 2 hour(s), 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xmllib.xmldp (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\xmllib.xmldp.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0b6ef17e-18e5-4449-86ea-64c82d596eae} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6d0111e3-3060-4d23-b2bc-42ed86cbe9a3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72a128e0-2240-40c8-9e92-5387d64f839e} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{a4b39a09-026d-47bf-ad94-fa3993d89d35}\RP186\A0110728.EXE (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\system volume information\_restore{a4b39a09-026d-47bf-ad94-fa3993d89d35}\RP158\A0093767.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\ULi5289\ULiStopAP.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 

Dashkes wrote on 21.06.2009 at 14:01:
OK. Do you still have problems? I think that would be it.
 

SrkoS wrote on 21.06.2009 at 21:24:
Thanks a lot for the help,
I hope I won't have problems.
When the problem appears I lose almost all my data :-/
((Now I'm prepared: I make a backup almost every day, just in case))


Regards,
and many thanks for the help and the ideas.

Srdjan
 
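The poster's closing remark, that a daily backup is now the safeguard, is the right one; what a plain copy does not give you is an answer to the question this thread started with: which files went missing, and when. The following Python block is an added example, not code from the thread or from any backup product mentioned in it. It builds a manifest of a document tree (relative path, size, SHA-256), diffs two manifests to list what was removed, added or changed, and raises an alarm when more than a set share of the previously known files disappears between runs. The sample tree, the file names and the 25% threshold are constructed for the demo.

```python
"""Daily manifest of a document tree, to see what vanished and when.

Added example, not part of the thread or of any backup product it mentions. A
manifest maps each file to its size and SHA-256; diffing today's manifest
against yesterday's lists exactly which files disappeared or changed, and a
threshold on the share of files removed turns "My Documents emptied itself"
into an alarm. The threshold and the sample tree are assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative POSIX path -> {"size", "sha256"} for every file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with p.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        manifest[p.relative_to(root).as_posix()] = {
            "size": p.stat().st_size,
            "sha256": h.hexdigest(),
        }
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(old, new):
    """Files removed, added and content-changed between two manifests."""
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(k for k in set(old) & set(new)
                          if old[k]["sha256"] != new[k]["sha256"]),
    }


def mass_loss(old, new, threshold=0.25):
    """True when more than `threshold` of the previously known files are gone.

    One stale file is housekeeping; a quarter of the tree vanishing overnight
    is not, whatever the cause (malware, a failing disk or a misbehaving tool).
    """
    if not old:
        return False
    return len(diff_manifests(old, new)["removed"]) / len(old) > threshold


def demo():
    """Constructed scenario: 10 documents, then 8 deleted and 1 overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "My Documents")
        for i in range(10):
            f = docs / f"sub{i % 3}" / f"doc{i}.txt"
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(f"document {i}\n")
        store = Path(tmp, "manifest-day1.json")
        save_manifest(build_manifest(docs), store)  # what a daily job would keep

        for i in range(8):  # the "unprovoked" deletion
            (docs / f"sub{i % 3}" / f"doc{i}.txt").unlink()
        (docs / "sub2" / "doc8.txt").write_text("tampered\n")

        day1, day2 = load_manifest(store), build_manifest(docs)
        return diff_manifests(day1, day2), mass_loss(day1, day2)


if __name__ == "__main__":
    report, alarm = demo()
    print(json.dumps(report, indent=2))
    print("ALARM: mass deletion" if alarm else "ok")
```

Keep the manifest file somewhere the account that owns the documents cannot write (the thread's poster already runs as a non-administrator, so a directory owned by the admin account will do); a manifest that sits next to the documents disappears with them. The hash column also lets you verify a restore from the backup image against what was actually on disk the day before the loss, rather than trusting that the copy is complete.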

Dashkes wrote on 22.06.2009 at 16:44:
You're welcome. ;)
P.S. For backup I would recommend Acronis® True Image Home 2009.
 