Solved

Excel Files empty after Blue Screen

Posted on 2010-11-18
4
362 Views
Last Modified: 2012-05-10
I have ran into a problem with a computer that I have not seen before and thought I would run it by the all knowing and beneficent Experts.

We have a user on our network who is out of the office for a couple of days.  The person who is filling in for him was experiencing some hangs while working yesterday, so he rebooted the computer.  During the reboot he says that a blue screen came up and began scrolling the message Deleting Files for a couple of minutes, then the message changed to Restoring Files.  After a few minutes the system continued to reboot and he logged in.  Everything seemed to work for the rest of the day.

This morning he opened a spreadsheet we use to track customer sales information, and it was empty.  This spreadsheet should have had a sheet for each month's sales going back to August of 2006.  The only sheet that was in it was the sheet for August 2006 and it had no data, and the column headings, formulas and formatting were gone.

After checking the other files that are used often on this machine, we found that several were in the same state, but not all of them.  I also found that system restore had been turned off at some point and all restore points are gone.

I checked the event logs and the only thing out of the ordinary I see are a long list of DCOM Error messages stating:  The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout

The workstation has Kaspersky's corporate client installed on it, and the definitions are up to date.  We had performed a full scan two days ago and it found nothing.  We are using the Firewall in Kaspersky and not the Windows Firewall, but if I go into control panel and try to open Windows Firewall, I get a message that the Firewall/Internect connection sharing service is not running.  I have tried to start the service but it wont start.

Do these symptoms sound like a virus, or maybe a hacker?  The user uses MSN Messenger to exchange information with clients, and I noticed that he has Limewire installed.
0
Comment
Question by:dsgvwf
  • 2
  • 2
4 Comments
 
LVL 48

Expert Comment

by:dbrunton
ID: 34166672
>>  Do these symptoms sound like a virus, or maybe a hacker?

Yes.

Check the date/time stamps for the files concerned and see when they were modified.  If you've got a bunch around the same time then it is most likely you've been attacked.
0
 

Author Comment

by:dsgvwf
ID: 34166782
It appears that the affected files were all updated yesterday before the user rebooted.  After doing some more digging it appears that the files which had not been opened yesterday morning, but are used on a regular basis were also changed.  When I try to open them I get a message that they are linked to another workbook (they shouldn't have been) and when I use the link editor it shows the location of the linked files to be in the temporary internet files folder.

Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?
0
 
LVL 48

Accepted Solution

by:
dbrunton earned 500 total points
ID: 34167322
>>  Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Well, something happened.  Needn't have been a macro virus but could be a virus that Kapersky hasn't identified.  That the workbook is in the temporary internet files folder is strange.  Has the user accessed an Excel file using IE.
0
 

Author Closing Comment

by:dsgvwf
ID: 34167405
I don't think the user has accessed the file from IE.

I have decided to transfer the Users data to a flash drive, scan it for viruses from a known safe computer, and then repartition the hard drive and start over.

Thanks for your help
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I've been an avid user and supporter of Malwarebytes Premium Version 2.x for years. It's an excellent product that runs alongside just about any Anti-Virus application without issues. It seems to have an uncanny ability to pick up many things that A…
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now