I'm not sure what I'm doing here but I'm frantic and searching for anything. I just signed up, skimmed the directions and I'm tossing this up in the hope that someone can solve this - and I'm hoping I did it all right.
About three weeks ago I got a call from a client who said files had vanished. I went to the server and could not find the files (Windows 2000 Server with single C drive running the OS, 2 mirrored IDE drives/RAID 1 as file storage/D drive).
I updated the virus definitions (running Symantec 7.5 Corp Ed), I ran the NIMDA and other tools from the SARC site.
I downloaded Software Shelf File Rescue (http://www.softwareshelf.com/products/) and ran it. It found all the files deleted back for six months or more but none of the missing files. NO TRACE of the missing files.
I went to the backup drives - THREE of them, two client computers and my off site laptop drive (there was no other backup like tape or CD-ROM). On all three of the other computers the same files missing from server were also missing. My laptop also has the Norton 7.5 Corp Edition and runs ZoneAlarm.com's PRO (paid) version. Nothing - all files and directories missing from other computers were also gone from my laptop.
This was all very odd and I contacted a bunch of people: HighpointTech, the maker of the IDE RAID controller, my fellow geeks, the computer store where the computer was made/purchased, I even posted on www.elance.com and no one had heard of this but many thought it to be the Nimda virus. While the Nimda has been caught by the Symantec 7.5 Corp Edition we are running, running of the Nimda removal tool found nothing. Neither did any of the other tools I ran.
No more troubles and no answers so I gave up for three weeks - until yesterday. I came in because one of the two RAID 1 drives had died. It had a loud, familiar click - of a dead drive. I split the RAID and put the working drive on the regular IDE cable as a slave. This seemed to work fine for an hour as I copied all files to the backup drives on the other computers.
Then the second of the two RAID drives started clicking like the first and wouldn't read (these were both IBM 46 gig drives which have been failing like mad so it could be just a weird coincidence).
When I went to the backup I had just created the office staff told me none of the files they were working on were there. While three weeks ago it was a 7 file loss, all files used by the same woman, this time it was a hundred or more files in a couple dozen directories. Curiously the directories were also gone along with the files (and the files ran the gamut, BMP, JPG, TIF, DOC, WPD, XLS, Publisher, a variety).
I have spent all yesterday and today calling people and trying to figure out what this is with no luck. But today a new clue: messages and a folder vanished from Netscape.
One of the people in the office started a folder in Netscape and put several messages in there. One of which was an outgoing message with a Word doc attached. He printed the file as backup and wrote on the printout the send date and other info. When he went to edit the Word doc today he discovered it missing. So he figured he would get it out of his email - and not only was the message gone that had the doc as an attachment, the entire folder he had created was gone with all the messages that had been underneath.
Soooo... what it seems to be is a virus that deletes all files in a directory AND the parent directory without leaving a trace (not in recycle bin, not visible with Software Shelf's File Recovery, just completely GONE). It will delete these files and the parent directory on any computer, anywhere and will even delete messages and a folder from Netscape. It deleted the same files from the other computers in the office as well as my laptop which was sitting at home. Other theories were internal sabotage (eight or so people have been fired from this office in the last two months) or someone coming in over the DSL - both of which seem unlikely. There isn't enough smarts in the fired employees to do this. Coming in from outside seemed possible until this latest round. They couldn't have gotten to my laptop (well, maybe - but it's on a different DSL connection in a different city) AND how would they know to get to the email folder in Netscape?
Does this sound crazy and impossible? Know this - I still don't believe it and I'm living it. I would be less surprised to grow another foot in height than this vanishing file act.
I'm in Park City UTAH USA and if you are anywhere in the area and think you can solve this please contact me at firstname.lastname@example.org. The company losing the files is willing to pay to have someone stop the madness as soon as possible.