Solved

Excel Files empty after Blue Screen

Posted on 2010-11-18
Last Modified: 2012-05-10
I have run into a problem with a computer that I have not seen before and thought I would run it by the all-knowing and beneficent Experts.

We have a user on our network who is out of the office for a couple of days.  The person who is filling in for him was experiencing some hangs while working yesterday, so he rebooted the computer.  During the reboot he says that a blue screen came up and began scrolling the message Deleting Files for a couple of minutes, then the message changed to Restoring Files.  After a few minutes the system continued to reboot and he logged in.  Everything seemed to work for the rest of the day.

This morning he opened a spreadsheet we use to track customer sales information, and it was empty.  This spreadsheet should have had a sheet for each month's sales going back to August of 2006.  The only sheet that was in it was the sheet for August 2006 and it had no data, and the column headings, formulas and formatting were gone.

After checking the other files that are used often on this machine, we found that several were in the same state, but not all of them.  I also found that system restore had been turned off at some point and all restore points are gone.

I checked the event logs and the only thing out of the ordinary I see is a long list of DCOM Error messages stating:  The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout

The workstation has Kaspersky's corporate client installed on it, and the definitions are up to date.  We had performed a full scan two days ago and it found nothing.  We are using the Firewall in Kaspersky and not the Windows Firewall, but if I go into control panel and try to open Windows Firewall, I get a message that the Firewall/Internet connection sharing service is not running.  I have tried to start the service but it won't start.

Do these symptoms sound like a virus, or maybe a hacker?  The user uses MSN Messenger to exchange information with clients, and I noticed that he has Limewire installed.
Question by:dsgvwf

Expert Comment

by:dbrunton
ID: 34166672
>>  Do these symptoms sound like a virus, or maybe a hacker?

Yes.

Check the date/time stamps for the files concerned and see when they were modified.  If you've got a bunch around the same time then it is most likely you've been attacked.
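The timestamp check suggested in the comment above, as an added example that is not part of the original thread: it walks a folder, collects last-modified times for spreadsheet files, and reports groups of files changed within a short span of each other. The extension list, the 120-second gap, the three-file minimum and the sample file names are assumptions chosen for illustration.

```python
import os
import tempfile

EXTS = {".xls", ".xlsx", ".xlsm", ".csv"}  # assumed file types of interest

def collect_mtimes(root, exts=EXTS):
    """Return [(mtime_epoch, path)] for matching files under root, oldest first."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                path = os.path.join(dirpath, name)
                try:
                    found.append((os.stat(path).st_mtime, path))
                except OSError:
                    continue  # locked or vanished file: skip it, keep scanning
    return sorted(found)

def find_bursts(entries, max_gap=120, min_files=3):
    """Group entries whose consecutive mtimes are at most max_gap seconds apart.
    Only groups with at least min_files members are returned."""
    bursts, current = [], []
    for mtime, path in entries:
        if current and mtime - current[-1][0] > max_gap:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append((mtime, path))
    if len(current) >= min_files:
        bursts.append(current)
    return bursts

def demo():
    """Build a constructed sample folder and return the bursts found in it."""
    base = 1290000000  # constructed timestamp, not taken from the thread
    layout = {"jan.xls": 0, "feb.xls": 30, "sales.xls": 75, "notes.xls": 40,
              "old.xls": -30 * 86400, "readme.txt": 10}  # seconds from base
    with tempfile.TemporaryDirectory() as root:
        for name, offset in layout.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (base + offset, base + offset))
        bursts = find_bursts(collect_mtimes(root))
        return [[os.path.basename(p) for _, p in b] for b in bursts]

if __name__ == "__main__":
    for burst in demo():
        print(burst)
```

A burst only shows that many files were written close together; a restore job, a sync client or a bulk save produces the same pattern, so compare the burst time against the event log and known user activity before drawing a conclusion.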

Author Comment

by:dsgvwf
ID: 34166782
It appears that the affected files were all updated yesterday before the user rebooted.  After doing some more digging it appears that the files which had not been opened yesterday morning, but are used on a regular basis were also changed.  When I try to open them I get a message that they are linked to another workbook (they shouldn't have been) and when I use the link editor it shows the location of the linked files to be in the temporary internet files folder.

Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Accepted Solution

by:
dbrunton earned 500 total points
ID: 34167322
>>  Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Well, something happened.  Needn't have been a macro virus but could be a virus that Kaspersky hasn't identified.  That the workbook is in the temporary internet files folder is strange.  Has the user accessed an Excel file using IE?

Author Closing Comment

by:dsgvwf
ID: 34167405
I don't think the user has accessed the file from IE.

I have decided to transfer the user's data to a flash drive, scan it for viruses from a known safe computer, and then repartition the hard drive and start over.

Thanks for your help