Solved

Excel Files empty after Blue Screen

Posted on 2010-11-18
Last Modified: 2012-05-10
I have run into a problem with a computer that I have not seen before and thought I would run it by the all-knowing and beneficent Experts.

We have a user on our network who is out of the office for a couple of days.  The person who is filling in for him was experiencing some hangs while working yesterday, so he rebooted the computer.  During the reboot he says that a blue screen came up and began scrolling the message Deleting Files for a couple of minutes, then the message changed to Restoring Files.  After a few minutes the system continued to reboot and he logged in.  Everything seemed to work for the rest of the day.

This morning he opened a spreadsheet we use to track customer sales information, and it was empty.  This spreadsheet should have had a sheet for each month's sales going back to August of 2006.  The only sheet that was in it was the sheet for August 2006 and it had no data, and the column headings, formulas and formatting were gone.

After checking the other files that are used often on this machine, we found that several were in the same state, but not all of them.  I also found that system restore had been turned off at some point and all restore points are gone.

I checked the event logs and the only thing out of the ordinary I see are a long list of DCOM Error messages stating:  The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout

The workstation has Kaspersky's corporate client installed on it, and the definitions are up to date.  We had performed a full scan two days ago and it found nothing.  We are using the Firewall in Kaspersky and not the Windows Firewall, but if I go into control panel and try to open Windows Firewall, I get a message that the Firewall/Internet connection sharing service is not running.  I have tried to start the service but it won't start.

Do these symptoms sound like a virus, or maybe a hacker?  The user uses MSN Messenger to exchange information with clients, and I noticed that he has Limewire installed.
Question by:dsgvwf

Expert Comment

by:dbrunton
>>  Do these symptoms sound like a virus, or maybe a hacker?

Yes.

Check the date/time stamps for the files concerned and see when they were modified.  If you've got a bunch around the same time then it is most likely you've been attacked.
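
The timestamp check suggested above can be scripted. The following is an added example, not part of the original thread: it lists Excel files under a folder and groups those modified within a short time of each other. The function names, the 10-minute gap, the three-file threshold and the sample file names are all assumptions chosen for illustration.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

def collect(root, extensions=(".xls", ".xlsx", ".xlsm")):
    """Return (mtime, size, path) for every matching file under root, oldest first."""
    rows = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in extensions:
            st = path.stat()
            rows.append((st.st_mtime, st.st_size, path))
    return sorted(rows, key=lambda r: r[0])

def find_bursts(rows, gap_seconds=600, min_files=3):
    """Group files modified at most gap_seconds after the previous file;
    keep only groups of min_files or more (thresholds are assumptions)."""
    bursts, current = [], []
    for row in rows:
        if current and row[0] - current[-1][0] > gap_seconds:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(row)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts

def build_sample(root):
    """Constructed sample data: three workbooks touched within minutes, two older ones."""
    base = datetime(2010, 11, 17, 9, 0).timestamp()
    sample = {"sales.xls": base, "quotes.xls": base + 120, "stock.xls": base + 300,
              "old_budget.xls": base - 90 * 86400, "archive.xls": base - 400 * 86400}
    for name, mtime in sample.items():
        p = Path(root) / name
        p.write_bytes(b"\0" * 512)
        os.utime(p, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)  # replace tmp with the folder under investigation
        for burst in find_bursts(collect(tmp)):
            print("burst of", len(burst), "files:")
            for mtime, size, path in burst:
                print(" ", datetime.fromtimestamp(mtime), size, path.name)
```

Modification times are only an indicator, since any program can set them to an arbitrary value; run the check against a copy of the data rather than the live disk.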

Author Comment

by:dsgvwf
It appears that the affected files were all updated yesterday before the user rebooted.  After doing some more digging it appears that the files which had not been opened yesterday morning, but are used on a regular basis were also changed.  When I try to open them I get a message that they are linked to another workbook (they shouldn't have been) and when I use the link editor it shows the location of the linked files to be in the temporary internet files folder.

Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Accepted Solution

by:dbrunton
>>  Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Well, something happened.  Needn't have been a macro virus but could be a virus that Kaspersky hasn't identified.  That the workbook is in the temporary internet files folder is strange.  Has the user accessed an Excel file using IE?

Author Closing Comment

by:dsgvwf
I don't think the user has accessed the file from IE.

I have decided to transfer the user's data to a flash drive, scan it for viruses from a known safe computer, and then repartition the hard drive and start over.

Thanks for your help