 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  "Lee Sharp" <leesharp at hal dash pc dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] OT Strange Virus?
 Date:  Mon, 7 Aug 2006 22:17:02 +0200
Lee Sharp wrote:
> A Windows XP Pro system that slowly loses jpegs.  Seriously.
> A directory full of mixed files, and over time the jpegs, and only the jpegs,
> will go missing.

Could be a virus, but since you say it's not...
I'd check the event log (run "eventvwr") as step one.  Look for any
error messages, and I'd pay particular attention to messages about bad
sectors, NTFS errors and the like.

(And then I'd probably store the files in a repository, using
something like TortoiseSVN.  Makes it real easy to see whether files
are missing or not, plus you'd have a sort-of backup.  Easy to store
the repository on a samba server, too.)

> Several pages if this in several directories as soon as I one one.

Did you mean "of this" and "open one folder"?

> 353 1:23:58 PM explorer.exe:1256 OPEN C:\Documents and
> Settings\Cap'n\Desktop\Scooby\AWD.jpg\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA NOT FOUND Options:
> Open  Access: Read

Looks rather harmless, since a) it's opening for read access only, and
b) the stream is non-existent.

That said, I've never seen my explorer.exe do the above, so there's a
reasonable chance that it's an in-process COM object that is doing
this.

For example, since you're browsing a folder (or so I'm guessing), it
could be a column handler COM object.  Try nuking all of them (backup
first) from HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers and see if
the above goes away.

(If you're at all interested in making it go away, heh, seeing as it
seems harmless.)
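
The column-handler check suggested in the message above, as an added example that is not part of the original post: it backs up the ColumnHandlers key, then lists each registered handler with the DLL that Explorer loads in-process for it, so handlers can be reviewed before any are removed. The backup file location and the output column names are assumptions; the syntax is kept compatible with PowerShell 2.0.

```powershell
# Added example: inventory Explorer column handlers before removing any.
# Only writes the backup file; the registry itself is not modified.
$key    = 'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers'
$backup = Join-Path $env:TEMP 'ColumnHandlers-backup.reg'   # assumed backup location

# "Backup first": export the key so it can be restored later with `reg import`.
if (Test-Path -LiteralPath $backup) { Remove-Item -LiteralPath $backup }
reg.exe export 'HKCR\Folder\shellex\ColumnHandlers' $backup | Out-Null

Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName      # each subkey name is the handler's CLSID
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"

    # The default value of InprocServer32 is the DLL loaded into explorer.exe.
    $dll = $null
    if (Test-Path -LiteralPath $server) {
        $dll = (Get-Item -LiteralPath $server).GetValue('')
    }

    # Resolve %SystemRoot%-style paths and read the vendor from the file's version info.
    $file = $null
    if ($dll) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    }

    New-Object PSObject -Property @{
        CLSID   = $clsid
        Name    = $_.GetValue('')             # optional friendly name on the subkey
        Dll     = $dll
        Company = $file.VersionInfo.CompanyName
        OnDisk  = [bool]$file                 # False: registered DLL is missing
    }
} | Select-Object CLSID, Name, Dll, Company, OnDisk | Format-Table -AutoSize
```

A handler whose DLL is missing, sits outside the system or vendor program directories, or has no company name in its version info is the one to look at first.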