Selective responses inline:
Friendship Center wrote:
....
me. They swore up and down it just HAD to be the
installation of Office 2003 to make some of the important
(I mean very important files, like invoices and records)
disappear.
== Opening the paranoia door just a bit, I said to myself:
Self, It's sure sounding like you have someone dissatisfied at
work there. I think about now I'd be looking at the boot logs or
minimum the Event Logs Applications, Security and System to see
what went on with that machine while I wasn't there. Depending
on their settings, it might be too late, but since some other
things were indicated as "disappearing", there might be time
stamps for those actions in the logs. If there isn't at least
one of those logs running, then someone needs a clue x 4's
attention.
Start, Programs, Administrative Tools, Event Viewer.
I talked to everyone in the office and no one
claims to have touched the computer. Non-office members
have no idea where these important files are hidden.
== IF it's malicious, no surprise there. You'd have to be good
at reading body languages to tell much from that.
I DO find it interesting that they settled on the 2k3 install
being the source of the problem though; like someone had fed
them? If anyone trusted is good at body language, it might be
worth having them around while you ask some "additional"
questions around there.
In this folder, most of the files are still there. It
just so happens the IMPORTANT ones are selectively gone.
== Again, my paranoia hairs stand up.
I humored them and said I would ask around to see if this
is a possibility. I am not positive this is a legit copy
of Office, which is why there is the possibility if it
== I would figure that one out ASAP. If it's not, and you
have someone malicious there, you could end up taking the hit for
it. I'd distance myself from them if it's pirated, until they
straighten that out, non-profit or not. I do non-profit work
too, but non-profit or not, I play "dumb" and claim I need the
original CD and key for whatever purpose, just to check. That
way you don't insult anyone. I have a little script I wrote to
bring up a window asking for it, just in case anyone questions me
or doesn't believe me, but I've never had to use it.
If you get the key, then it's easy to check whether it's
pirated or not without getting anyone in trouble.
was burned (they haven't shown me the copy they used) it
was burned with a virus. But for a virus to select only
invoice files is strange to me.
===> Well, no, not really that strange. A macro virus or even
just malware could do stuff like that. If you're up to doing the
research, I'd start at Symantec and McAfee, but that won't help
if you have a disgruntled employee.
They are asking/begging for the files to come back. They
are like, can system restore do it? I told them no. But
I know if a file is deleted it can be recovered still,
unless the area on the hard disk has already been
rewritten over.
==> Wellll, probably not, UNLESS the drive disk is only say ten
percent used. After this long, if the machine's been used at
all, there's a pretty good chance most of them are severely
corrupted and not recoverable by now.
IF it's that important though, I'd suggest getting them
started with a good uneraser/undeleter and let someone there do
the monkey work; after all, they'll recognize usable data a lot
faster than you will. When they find it, then you go recover it.
There might be a few of them undeleteable though, you never know.
But, I'd bet it's faster to just have someone sit down and retype
them all into a template from paper records. And if there are no
paper records, well, it's definitely time to walk away.
Any chance someone covered some of their tracks by getting rid
of just certain invoices?
So I already reconfirmed that it wasn't the installation
that got rid of these selective important word files.
But since this is a nonprofit organization with little
computer help (I rarely come in since I moved out of
state), they don't back anything up. I stressed over and
over to burn backups of important files to no avail.
==> Then the best you can do now is give them pitying, sorrowful
facial expressions when you tell them they're just outa luck, but
maybe you can try a long shot, "but don't get your hopes up".
I'll also bet that someone there probably has a cabinet full of
floppies they took home to use and ... never brought back. I've
never seen an org where someone didn't take stuff home to work
on, or study, or whatever the excuse of the day might be.
So does anyone think that there is a way to recover a
lost deleted file off the hard drive (if it isn't too
late)?
==> I really don't think so. Maybe a few, as I said above, and
it doesn't hurt to TRY, but I don't hold much hope. If you want
to try that, get that computer shut down, keep it shut down, and
get a good undelete prog and see what's there. It's going to be
a LOT of work, so you'll need a gopher or monkey.
Also, today when I came in to help again, looking at the
startup menu, all the program files are gone from the
list, or the folders lead to <empty> menus. Even all the
accessories are the same, all <empty>. I am manually
trying to rebuild these things for them.
==> Go look at the LOGS! ASAP! Anything there?
You're wasting your time by rebuilding that, based on this
development. If you can, take the computer completely out of
there where you can work on it alone and control when it's used
and by whom (you).
They asked if there was a virus that could do this, but
they swear they have the latest in antivirus (AVG) and
==> When was the ref file last updated? I bet it's not
current.
also use the online virus sweeper from Household
something or other (which is a good one)
==> How can you say it's a good one if you don't know what it
is?
and also run Ad-
==> Adaware is only one specific set of spyware. Adaware
doesn't BLOCK spyware. It "finds" it AFTER it's gotten on the
system and gone to work. When was the most recent scan run? Not
this week, I bet.
You also need things like Spybot Search & Destroy, Pest
Patrol, etc.. The more the better. No single malware program
will protect completely - it's been proven over and over.
Spyware Blaster is another one.
All are up to date. I find it
==> As of WHEN? Last week? Last month? Yesterday? They are
only "up to date" if you can go to the update site and NOT find
any updates available. Else, they are NOT up to date. Sorry,
but that's a truism; you can't take anyone's word for it. YOU have
to check it yourself if it's important to you.
hard to believe a virus would selectively only delete the
word files that contain invoices and member lists and
other very important files and then leaving all the rest
okay with no signs otherwise.
==> No, not really, as previously mentioned. I'd want to know I
was working on a legal machine though before I started any
research to verify this; it's too much work for a consultant or
pro-bono.
I am puzzled about this system and where all the program
shortcuts went and the word files. Can this be
recovered?
==> Maybe, like I said, it depends on how long it's been and how
busy the computer's been. The computer should have been locked
down immediately until the files were recovered and the problem
figured out.
Oh, and if they're going online with it, which it's pretty
obvious they are, you can probably kiss even the shortcuts
goodbye; tremendous amounts of data get created/deleted while
you're online.
Well, for many, many thousands of dollars, as in tens of
thousands, there are companies that can read stuff like that, but
it's VERY, VERY expensive.
I am going to start these people on a backup
program for all important files immediately.
==> I wouldn't, if I were you. I wouldn't do another thing
until I knew I had a legal computer system in front of me and
they agreed to shut the thing down until I was finished. Don't
believe them when they say they can't do without it.
Besides, backing up just the "important files" is useless.
ALL DATA must be backed up! That's like being a little bit
pregnant.
Better yet, any chance of taking it out of there with you?
THEN, I'd consider setting them up with a backup process after it
was rebuilt (or not). I'd have them do it manually and also set
up Task Scheduler to do it for them when they aren't around.
I can't
believe they never backed anything up,
==> Why? You've apparently been around there for awhile, so you
have to share some of that blame. I see it all the time. They
never get sympathy from me until they lost everything, and then
it's only knowing looks of understanding, not sympathy.
and I am afraid to
say they lost these things for good, but they still are
demanding an explanation.
==> If you're doing this pro-bono or as a consultant, either
way, WHY are you afraid of their demands? THEY caused their
existing problem, regardless of what actually caused the initial
loss of data. Had they used accepted and normal procedures, the
they wouldn't have this problem. THEY, by your own words, did not
heed your advice, even though you should have insisted,
especially if they're paying you anything. If they won't accept
that, then I'd leave.
You could easily be wasting time by trying to rebuild anything.
You're at the point now where a full backup is required if
anything is to be saved, and then the machine will need complete
reformats and reinstalls, along with complete updates and known
good av and spy/trojan etc. protections, and a two-way firewall
BEFORE it ever sees the internet.
Then start analyzing the backed up data with av, spy, trojan,
etc., and only when that's done, start to re-build anything. If
the computer is infected, so will the backups be: That's why it
must be separately analyzed. If there's really something in the
computer causing the data loss, then you're rebuilding things on
a house of cards; don't do it. The backup should actually have
been your first move; I tried to hint at it in my last mail, but
I guess you missed it.
My three cents, anyway.
Pop
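
Added illustration, not part of the original message or thread: the point above that a deleted Word file is recoverable only until its disk space is reused can be seen by scanning a raw copy of the disk, sector by sector, for the header that starts every Word/Excel 97-2003 (OLE2) file. The image here is constructed in memory and all function names are assumptions for this sketch; on a real case the scan would run against a read-only image of the drive, never the live disk.

```python
import struct

SECTOR = 512
# Signature that starts every OLE2 compound file (Word/Excel 97-2003 format).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def looks_like_ole2_header(sector: bytes) -> bool:
    """Signature plus two fixed header fields, to reject chance matches."""
    if len(sector) < 32 or sector[:8] != OLE2_MAGIC:
        return False
    byte_order, sector_shift = struct.unpack_from("<HH", sector, 28)
    return byte_order == 0xFFFE and sector_shift in (9, 12)

def find_ole2_candidates(image: bytes) -> list:
    """Byte offsets of sectors that still begin a plausible OLE2 file."""
    return [off for off in range(0, len(image), SECTOR)
            if looks_like_ole2_header(image[off:off + SECTOR])]

def make_header() -> bytes:
    """Constructed sample: a bare OLE2 header sector, not a full document."""
    hdr = bytearray(SECTOR)
    hdr[:8] = OLE2_MAGIC
    # minor version, major version, byte-order mark, sector shift (2**9 = 512)
    struct.pack_into("<HHHH", hdr, 24, 0x003E, 3, 0xFFFE, 9)
    return bytes(hdr)

def build_sample_image() -> bytes:
    """Constructed 8-sector image standing in for a read-only disk copy."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[2] = make_header()           # deleted file, space not yet reused
    sectors[5] = b"\xAA" * SECTOR        # deleted file whose start was overwritten
    # Signature bytes in the middle of a sector are data, not a file start.
    sectors[6] = bytes(100) + OLE2_MAGIC + bytes(SECTOR - 108)
    return b"".join(sectors)

if __name__ == "__main__":
    for off in find_ole2_candidates(build_sample_image()):
        print(f"possible Word/Excel file header at byte offset {off}")
```

Only the file in sector 2 is reported; the one whose first sector was reused leaves nothing to find, which is why the machine has to stay shut down until the copy is made.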