Re: Please Help

From: Karl Levinson [x y] \(MVP\) (levinson_k@excite.com)
Date: 10/11/02


From: "Karl Levinson [x y] \(MVP\)" <levinson_k@excite.com>
Date: Fri, 11 Oct 2002 09:45:46 -0400


"Robert R Kircher, Jr." <rrkircher@hotmail.com> wrote in message
news:uSA1OGOcCHA.1652@tkmsftngp09...
> Hello All,
>
> I sure hope there is someone out there that can at least point me in the
> right direction to figure this problem out.
>
> The basic problem is that many files have been modified and are now only 4k
> and cannot be opened by their native application. The issue is not
> particular to the file type. It has affected DOC, XLS, WPS and other files
> in the same way.
>
> Here are some further details. All of our files are in about 10 different
> root directories on our servers RAID. Each root is shared to the
> appropriate users. Each root has many folders and files. One of these roots
> has the folder that is exhibiting this folder corruption. This folder is
> also shared to one User Group. It is only the folders and files within
> this directory that are affected.
>
> Each file that has been modified has been modified at the same time, meaning
> that 10 files will have the same timestamp. Not all files are affected all
> the time, but those that are not affected are at the bottom of an alpha
> sorted list of files, so it's like whatever is causing this starts at the top
> and touches files 1 - say 10 and leaves files 11 - 15 alone. In other
> affected folders all files are corrupted.
>
> In all cases the corruption starts at the top of the file list within a
> directory assuming an alpha sort. This is also true for the affected
> directories, although some directories have been skipped.
>
> It smells like some sort of virus to me but I can't find anything on any of
> the virus sites that describes the symptoms.
>
> BTW: McAfee NetShield scans show nothing!!!

You're right, sounds like a possible virus.

As for the 4k files, I think your only resort will be a restore from tape
backup. [If the data is critical and you've got a lot of money, there are
places you can send your hard drives to have data recovery done. This
probably starts around $1000 just to look, with no guarantee that you'll get
any data back, and your drives will possibly be destroyed in the process.]

A virus like this would probably appear in the Task List on the infected
computer. Try using CTRL-ALT-DEL to bring up task manager, sort the
processes by CPU if possible. VBS files might be running under a process
such as CSCRIPT or WSCRIPT. Doing an End Task on a suspicious process like
this might stop the virus from overwriting files, at least until the next
reboot.

Also, run MSCONFIG [Start, Run, MSCONFIG, OK] or for Windows 2000, download
and run Startup Cop from www.download.com or www.google.com to look for
suspicious files starting up at bootup.

You could also try searching one or more suspect computers for *.WS* files,
*.VB* files, *.SHS files, etc.

For any virus question like this, try making sure the antivirus program has
the latest update for the day / week, and consider running a second
antivirus scan using a free or trial download from f-secure or whatever,
also with the latest updates. Disable the first memory-resident on-access
antivirus scanner first, usually using the icon in the system tray near the
clock in the lower right corner. The virus may not be on the server, so
scan both the shared drives and the workstations. Try scanning some of the
workstation drives across the network from a known virus-free computer, if
you wish.

You could also try submitting some of the suspicious files to any antivirus
vendor using their web page.

I suppose there is a chance there is no virus, or the virus has already been
eradicated by antivirus.

If you have no tape backups, you may want to remove the server from the
network and possibly shut down all computers to avoid further damage to
files.
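
Added example (not part of the original thread): a Python script that walks a share and lists directories where several roughly 4 KB files were modified at the same moment, which scopes what has to be restored from backup, and collects files matching the *.WS*, *.VB* and *.SHS patterns named in the reply. The size range, the 2-second window, the cluster threshold and the function name triage are assumptions.

```python
import fnmatch
import os

# Assumptions (not from the thread): "4k" is taken as the size range Explorer
# displays as 4 KB, and "same timestamp" as mtimes within WINDOW seconds.
SIZE_RANGE = (3073, 4096)
WINDOW = 2.0
SCRIPT_PATTERNS = ("*.ws*", "*.vb*", "*.shs")   # patterns named in the reply


def triage(root, min_cluster=3):
    """Return (clusters, scripts) found under root.

    clusters: (directory, [names]) for each run of at least min_cluster
    suspect-size files in one directory modified within WINDOW seconds.
    scripts: paths matching SCRIPT_PATTERNS, for submission to an AV vendor.
    """
    clusters, scripts = [], []
    for dirpath, _dirs, files in os.walk(root):
        suspects = []
        for name in files:
            path = os.path.join(dirpath, name)
            if any(fnmatch.fnmatch(name.lower(), p) for p in SCRIPT_PATTERNS):
                scripts.append(path)
            try:
                st = os.stat(path)
            except OSError:
                continue        # locked or vanished file: skip, keep scanning
            if SIZE_RANGE[0] <= st.st_size <= SIZE_RANGE[1]:
                suspects.append((st.st_mtime, name))
        suspects.sort()
        group = []
        # The trailing sentinel forces the last group to be evaluated.
        for mtime, name in suspects + [(float("inf"), None)]:
            if group and mtime - group[-1][0] > WINDOW:
                if len(group) >= min_cluster:
                    clusters.append((dirpath, sorted(n for _, n in group)))
                group = []
            group.append((mtime, name))
    return clusters, sorted(scripts)


if __name__ == "__main__":
    import sys
    found, script_files = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, names in found:
        print(f"{directory}: {len(names)} files, {names[0]} .. {names[-1]}")
    for path in script_files:
        print("script file:", path)
```

The first and last name printed for each cluster show where in the alphabetical listing the damage started and stopped.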

