We help IT Professionals succeed at work.

FILES are VANISHING without a trace

davidbaker
davidbaker asked
on
I'm not sure what I'm doing here but I'm frantic and searching for anything. I just signed up, skimmed the directions and I'm tossing this up in the hope that someone can solve this - and I'm hoping I did it all right.

VANISHING FILES:

About three weeks ago I got a call from a client who said files had vanished. I went to the server and could not find the files (Windows 2000 Server with single C drive running the OS, 2 mirrored IDE drives/RAID 1 as file storage/D drive).

I updated the virus definitions (running Symantec 7.5 Corp Ed), I ran the NIMDA and other tools from the SARC site.

I downloaded Software Shelf File Rescue (http://www.softwareshelf.com/products/) and ran it. It found all the files deleted back for six months or more but none of the missing files. NO TRACE of the missing files.

I went to the backup drives - THREE of them, two client computers and my off site laptop drive (there was no other backup like tape or CD-ROM). On all three of the other computers the same files missing from server were also missing. My laptop also has the Norton 7.5 Corp Edition and runs ZoneAlarm.com's PRO (paid) version. Nothing - all files and directories missing from other computers were also gone from my laptp.

This was all very odd and I contacted a bunch of people: HighpointTech, the maker of the IDE RAID controller, my fellow geeks, the computer store where the computer was made/purchased, I even posted on www.elance.com and no one had heard of this but many thought it to be the Nimda virus. While the Nimda has been caught by the Symantec 7.5 Corp Edition we are running, running of the Nimda removal tool found nothing. Neither did any of the other tools I ran.

No more troubles and no answers so I gave up for three weeks - until yesterday. I came in because one of the two RAID 1 drives had died. It had a loud, familiar click - of a dead drive. I split the RAID and put the working drive on the regular IDE cable as a slave. This seemed to work fine for an hour as I copied all files to the backup drives on the other computers.

Then the second of the two RAID drives started clicking like the first and wouldn't read (these were both IBM 46 gig drives which have been failing like mad so it could be just a weird coincidence).

When I went to the backup I had just created the office staff told me none of the files they were working on were there. While three weeks ago it was a 7 file loss, all files used by the same woman, this time it was a hundred or more files in a couple dozen directories. Curiously the directories were also gone along with the files (and the files ran the gamut, BMP, JPG, TIF, DOC, WPD, XLS, Publisher, a variety).

I have spent all yesterday and today calling people and trying to figure out what this is with no luck. But today a new clue: messages and a folder vanished from Netscape.

One of the people in the office started a folder in Netscape and put several messages in there. One of which was an outgoing message with a Word doc attached. He printed the file as backup and wrote on the printout the send date and other info. When he went to edit the Word doc today he discovered it missing. So he figure he would get it out of his email - and not only was the message gone that had the doc as an attachment, the entire folder he had created was gone with all the messages that had been underneath.

Soooo?  what it seems to be is a virus that deletes all files in a directory AND the parent directory without leaving a trace (not in recycle bin, not visible with Software Shelf's File Recovery, just completely GONE). It will delete these files and the parent directory on any computer, anywhere and will even delete messages and a folder from Netscape. It deleted the same files from the other computers in the office as well as my laptop which was sitting at home. Other theories were internal sabotage (eight or so people have been fired from this office in the last two months) or someone coming in over the DSL - both of which seem unlikely. There isn't enough smarts in the fired employees to do this. Coming in from outside seemed possible until this latest round. They couldn't have gotten to my laptop (well, maybe - but it's on a different DSL connection in a different city) AND how would they know to get to the email folder in Netscape?

Does this sound crazy and impossible? Know this - I still don't believe it and I'm living it. I would be less surprised to grow another foot in height than this vanishing file act.

I'm in Park City UTAH USA and if you are anywhere in the area and think you can solve this please contact me at dcb@bakerdigital.com. The company losing the files is willing to pay to have someone stop the madness as soon as possible.

Comment
Watch Question

Commented:
I'd look to the Magistr.A or PE_Magistr.B virus.  Acts alot like the CIH virus.  Try downloading www.trendmicro.com trial software and pattern update and see if trend picks up anything.  Remember to boot in safe mode before scanning for this virus.

Commented:
Hi!

This must be a new virus??? But not very likely.

More likely a trojan, a new trojan is not so rare than a new virus!

Nimda has variants, and bossible there might be new ones too, but the virus will have similar strings so this is not an option any more.
The hakker tool's and tojans are badly detected by most anti virii product.

http://www.europe.f-secure.com/virus-info/
The most better antivirus to found these torj's is FSAV, but the ver 5.xx , have to say is not as good to users as Norton and, it do slow a lot. Ver 4.XX do not run on 2000.

Trojan ports, have a zone alram log file, try see if those are present
http://www.doshelp.com/trojanports.htm

Also do you need Telnet port? That might be used in hack so consider to block it.

Hardware failure:
Run drive condition test those are available from drive maker IBM gives this tool free.
http://www.storage.ibm.com/hdd/support/download.htm

Replace the power suply, as it's server macine, that may have current problems whit IDE RAID, is my most suspected, see also if there are services log's for it's errors. Make a log if they are not in use.

Ps
Once had a faulty MB which destroyed every HD installed, the IDE controller did leak random write signals, but that was a long ago and the tech was not secured by control circuits which do cut the device operation off.

Matti
David -

How are you making out? Any solution yet? I just had a thought on your problem - Maybe it is just a remote computer affected - I don't know if this is possible but I would start by scanning the machine that originally had the file problem. Please keep us posted as to your progress

Thanks,

Rick

Commented:
U may be right
It is Mad but

Pls. See My Q
about a virus coding Ur data !!!!

http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=virus&qid=20230519

Commented:
I mean ENCRYPTION not coding!
use netstat command and check the ports open. Check if any backdoors have been installed in your computer. No ports above 1500 must be in use.  remove the computer from network. check registry HKLM\software\microsoft\windows\currenversion\run
for any unrecognised entries.
Hello all,
I am Computer101, a moderator from Experts-Exchange and also an expert within this topic area. This question has been open a long time.  What I am going to do is allow feedback from the questioner and experts.  If it is not resolved, I will delete or accept an answer based on the info I have been given, Experts, feel free to offer input.  I will monitor these questions for a period of 5-7 days and come back and evaluate.  I will have another moderator (who is also an expert in this topic area) look at the question also to ensure we do the right thing for this question.

Thank you
Computer101
Community Support Moderator
1) Change important passwords to handle the ex-employees
2) Run ZoneAlarm somewhere, to fully protect AND watch (for free) for the internet ones
3) Look for anything connected to internet, and disconnect
===============
Do this (and more) all at once, so THEY do not see you coming

Count up all your disk space, see what may be missing (used by another)
Apply all patches and upgrades

Most important, don't ask for advise and then not listen. Accept any help where it is found.
Done?

Maybe you have had disgruntled worker. Rare enough, but it happens. Recently rereported, once there was a file that diappeared. Suddenly people got attention. They had been lonely. Attention feels good. --- Suddenly, more and more files disappeared. More and more attention given. It took a videocam to catch culprit in act. Moral was, that company should heed more the morale and well-being of staff, providing opportunities that are real, sharing, and actually even noticing that the staff exists and is important.
ping

Commented:
> as soon as possible.

add some physical security.

One company had disk crash. real. it became weekly. the regular ones were generating my mechanic on night shift, according to film

guy was old and lonely. ignored by company, no upward mobility, no one to talk to on shift. Disk crash got him companionship, sense of involvement in company. So he helped it become weekly event.

ans1) get camera online, someone just may like the latest topic, the attention, etc

oh heck, flamer did that. must have read same article, huh?

still, the thread rings of that, where there was one initial problem, and that one has been cured, you've moved on to another problem, to find what it is it would help to draw a line where first problem ends, and like Sherlock deal what is then left.  Backup all files. Record logons/access. Make snapshots of filelists, datestamps, periodically. Compare.

Talk.

Have nice corporate meeting. Provide donuts. Lay cards on table. Let all staff know how it stands. Ask their opinion, that is always the best place to start (and improves morale)(and gets site specific enhancements for any advise)

Commented:
Recommend Revisit of both A/V and backup utilities.

At least Symantec/Norton and ArcServe have been noted recently for running some auto-purging, including versions having that as default (more transparent to admin + user).

Namely, once a file is backed up or logged, the utilities themselves will periodically remove them if left 'unused' for a period of time. This can be as little as a week, it is transparent (no_notif), and shares symptoms with descriptions: "files disappearing". Further, some suggestions that relevant files may not have been archived in the first place (ie: buggie). While this may be a nice feature to keep disks clean, it is said to be performing undesireable functions that were not preconfigured, or at least increases confusion of user/admins.

Something to check out - see what is running on the affected systems, and validate configurations.

Commented:
(hmm, only one q# listed for davidbaker, and... zero feedback here ...)

Commented:
hi david.. i have the same thing happen to me..
i work in a company.. and a similar incedent came across twice.. all the data completely vanished.. not even lost fragments could be retrieved.. i suspect a virus or a trojan that deletes the home folder or even the drive containing the infected file.. i expect it also deletes itself cuz in both machines there was no trace of trojan or virus.. i ran both mcafee and norton with the latest update.. and they came out clean.. so most likely the infectant was deleted as well..
non of the employee has the smarts to pull such things.. and both computers log on the net using a dialup.. the virus or whatever that is didnt seem to have infected other machines on the network...
Due to no feedback, I am looking at deleting this one.

C101
E-E Moderator

Commented:
> stop the madness as soon as possible.

Due to length of comments, and some extra input from most on how the central issue(s) is(are) more important than many PAQs, I lean towards not deleting. While customer initial comment is very long and descriptive, the (missing) feedback is necessary for any comparative anaylsis of contributions.

If customer has not signed on to EE for half a year, it may be better just to give a few points to each of above 'trying to help' and close the account, likely a forgotten password. Sorry, about that, I was interested in the resolution. I suspect more than one problem was involved here.

Thus preserving the words, but closing with answer of "unresolved" with diminished points.
200 is way too much to be associated with this q# in a PAQ for purchase, without the slightest feedback.
Noted, all will get some

:-)

C101
> Recommend Revisit of both A/V and backup utilities.

hmmm, set an AutoPurge = "on"?
Unresolved question placed in PAQ for 0 points.

Computer101
E-E Moderator
I know this is an old thread however was a low level undelete utility used to see if the files are still on the disk?  A disgrunteled employee would not likely run a wipe or govt wipe (7 times) to zap selected files.  I am curious if there are any traces left of the original files.  I suppose a trojan could wipe.
dwcorwith

Author

Commented:
Hello all:

This is David Baker and I apologize for not checking back. The end result is/was not satisfying: I was fired, another company was hired who put in a Sonic Wall hardware firewall. That seemed to do the trick for two years, almost to the day. Then files vanished again and I was called back. I decided to dump the entire server and just get an entirely new one in case it was the hardware in some way. It's been a few months now and no files have vanished but I'm not feeling entirely pleased. I don't know what caused it so I'm scared. I've installed a DVD burner and do weekly backups of all the data so things won't be as big a disaster if it happens again but I'll certainly be out of a job again if it does.
Dave,
Next time and hopefully you won't need this however you could try "undelete" by Executive software. http://www.executive.com   I have used it on a couple of drives where I was looking for deleted photos.  It works fine as long as there hasen't been a great deal of read/writes to your drive.  
cheers,
dwcorwith

Author

Commented:
The odd thing is I two different undelete programs including one that had worked great before. And it found dlls and temp files that had been deleted a year or more before. It found all documents and data files that had purposely been deleted by the office staff. But it didn't find even a fragment of a single file that had innapropriately vanished. I was freaking out. I even called Mark Cooper at Drive Services Company, a recovery place I use regularly. I described the problem and he told me not to bother sending the drive it. Then, ahem, I was dismissed... Now I'm back and I don't lose sleep over this any more but I am still curious at to what caused it. It's made me a much better backer-upper since if it happens again I losing that client forever.
I preach backup, backup, backup to all my clients and I don't work on anyone's system w/o first doing the backup.  If they don't do it, they pay me to do it for them.  Even then, and I'm very careful, I still loose data on a rare occasion.  But in your case, it sounds like you exhausted all of you avenues. Best of luck.
Cheers,
dwcorwith

Explore More ContentExplore courses, solutions, and other research materials related to this topic.