Solved

Excel Files empty after Blue Screen

Posted on 2010-11-18
4
365 Views
Last Modified: 2012-05-10
I have ran into a problem with a computer that I have not seen before and thought I would run it by the all knowing and beneficent Experts.

We have a user on our network who is out of the office for a couple of days.  The person who is filling in for him was experiencing some hangs while working yesterday, so he rebooted the computer.  During the reboot he says that a blue screen came up and began scrolling the message Deleting Files for a couple of minutes, then the message changed to Restoring Files.  After a few minutes the system continued to reboot and he logged in.  Everything seemed to work for the rest of the day.

This morning he opened a spreadsheet we use to track customer sales information, and it was empty.  This spreadsheet should have had a sheet for each month's sales going back to August of 2006.  The only sheet that was in it was the sheet for August 2006 and it had no data, and the column headings, formulas and formatting were gone.

After checking the other files that are used often on this machine, we found that several were in the same state, but not all of them.  I also found that system restore had been turned off at some point and all restore points are gone.

I checked the event logs and the only thing out of the ordinary I see are a long list of DCOM Error messages stating:  The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout

The workstation has Kaspersky's corporate client installed on it, and the definitions are up to date.  We had performed a full scan two days ago and it found nothing.  We are using the Firewall in Kaspersky and not the Windows Firewall, but if I go into control panel and try to open Windows Firewall, I get a message that the Firewall/Internect connection sharing service is not running.  I have tried to start the service but it wont start.

Do these symptoms sound like a virus, or maybe a hacker?  The user uses MSN Messenger to exchange information with clients, and I noticed that he has Limewire installed.
0
Comment
Question by:dsgvwf
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 48

Expert Comment

by:dbrunton
ID: 34166672
>>  Do these symptoms sound like a virus, or maybe a hacker?

Yes.

Check the date/time stamps for the files concerned and see when they were modified.  If you've got a bunch around the same time then it is most likely you've been attacked.
0
 

Author Comment

by:dsgvwf
ID: 34166782
It appears that the affected files were all updated yesterday before the user rebooted.  After doing some more digging it appears that the files which had not been opened yesterday morning, but are used on a regular basis were also changed.  When I try to open them I get a message that they are linked to another workbook (they shouldn't have been) and when I use the link editor it shows the location of the linked files to be in the temporary internet files folder.

Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?
0
 
LVL 48

Accepted Solution

by:
dbrunton earned 500 total points
ID: 34167322
>>  Could it be that we have received some sort of macro virus that zaps the files when they are opened and since the user ran a disk clean up after the system rebooted yesterday, so that would have deleted the temp internet files and thus broke the link?

Well, something happened.  Needn't have been a macro virus but could be a virus that Kapersky hasn't identified.  That the workbook is in the temporary internet files folder is strange.  Has the user accessed an Excel file using IE.
0
 

Author Closing Comment

by:dsgvwf
ID: 34167405
I don't think the user has accessed the file from IE.

I have decided to transfer the Users data to a flash drive, scan it for viruses from a known safe computer, and then repartition the hard drive and start over.

Thanks for your help
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question