Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Excel Files empty after Blue Screen

Posted on 2010-11-18
4
Medium Priority
?
370 Views
Last Modified: 2012-05-10
I have ran into a problem with a computer that I have not seen before and thought I would run it by the all knowing and beneficent Experts.

We have a user on our network who is out of the office for a couple of days.  The person who is filling in for him was experiencing some hangs while working yesterday, so he rebooted the computer.  During the reboot he says that a blue screen came up and began scrolling the message Deleting Files for a couple of minutes, then the message changed to Restoring Files.  After a few minutes the system continued to reboot and he logged in.  Everything seemed to work for the rest of the day.

This morning he opened a spreadsheet we use to track customer sales information, and it was empty.  This spreadsheet should have had a sheet for each month's sales going back to August of 2006.  The only sheet that was in it was the sheet for August 2006 and it had no data, and the column headings, formulas and formatting were gone.

After checking the other files that are used often on this machine, we found that several were in the same state, but not all of them.  I also found that system restore had been turned off at some point and all restore points are gone.

I checked the event logs and the only thing out of the ordinary I see are a long list of DCOM Error messages stating:  The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout

The workstation has Kaspersky's corporate client installed on it, and the definitions are up to date.  We had performed a full scan two days ago and it found nothing.  We are using the Firewall in Kaspersky and not the Windows Firewall, but if I go into control panel and try to open Windows Firewall, I get a message that the Firewall/Internect connection sharing service is not running.  I have tried to start the service but it wont start.

Do these symptoms sound like a virus, or maybe a hacker?  The user uses MSN Messenger to exchange information with clients, and I noticed that he has Limewire installed.
0
Comment
Question by:dsgvwf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 49

Expert Comment

by:dbrunton
ID: 34166672
>>  Do these symptoms sound like a virus, or maybe a hacker?

Yes.

Check the date/time stamps for the files concerned and see when they were modified.  If you've got a bunch around the same time then it is most likely you've been attacked.
0
 

Author Comment

by:dsgvwf
ID: 34166782
It appears that the affected files were all updated yesterday before the user rebooted.  After doing some more digging it appears that the files which had not been opened yesterday morning, but are used on a regular basis were also changed.  When I try to open them I get a message that they are linked to another workbook (they shouldn't have been) and when I use the link editor it shows the location of the linked files to be in the temporary internet files folder.

Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?
0
 
LVL 49

Accepted Solution

by:
dbrunton earned 1500 total points
ID: 34167322
>>  Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Well, something happened.  Needn't have been a macro virus but could be a virus that Kapersky hasn't identified.  That the workbook is in the temporary internet files folder is strange.  Has the user accessed an Excel file using IE.
0
 

Author Closing Comment

by:dsgvwf
ID: 34167405
I don't think the user has accessed the file from IE.

I have decided to transfer the Users data to a flash drive, scan it for viruses from a known safe computer, and then repartition the hard drive and start over.

Thanks for your help
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question