Disappearing files

Discussion in 'Windows XP' started by spotta, 2004/07/05.

Thread Status:
Not open for further replies.
  1. 2004/07/05
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    :confused:
    Has anyone ever heard of certain files disappearing from My Documents and its subfolders?
    Sometime in the last week all my Word .doc's, Excel .xls's and some .jpg's have been wiped from My Documents and subfolders.
    I first noticed it about a week ago. My Login pictures and desktop background had gone. I had recently installed new nvidia drivers for my graphics card and thought maybe this was the cause, and made a note to track it down at a later date.
    However today I find all my letters and spreadsheets have gone - just from My Documents. - any .doc's and .xls's in other locations are all fine.
    I went to my last ghost back up - and have identified that .doc .xls .jpg and .gif were all affected and wiped.
    I would love to find out how this occurred but have not the slightest idea of where to start!

    any ideas?

    Many thanks
    Spotta
     
  2. 2004/07/05
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Spotta

    Can you find these files by doing a search?
     

  4. 2004/07/05
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    No. They have gone.

    and for some reason, I cannot run the online virus scan at www.symantec.com anymore. I never used to have any problem running it before.

    I have Norton AV 2003 installed and am doing a virus scan now.

    Spotta.
     
  5. 2004/07/05
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Spotta,
    You may very well have a virus. I suggest you look for a post from one of the pros like Newt or Noahdfear. Look at their signature and follow the links to Ad-Aware, HijackThis, Spybot and eTrust Online Virus Scan. I would at least download Ad-Aware and HijackThis and run the online virus scan.
    One of the Pros will be along to help you out from here.
    Sorry I can't help you more. But you can trust their instructions and help.
     
  6. 2004/07/05
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Thanks.

    Norton AV found nothing.
    I have Ad-Aware and Spybot installed - again found nothing.
    I will try HijackThis and the eTrust online scan.

    many thanks
    Spotta
     
  7. 2004/07/05
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hijack this log - if it helps.

    Logfile of HijackThis v1.98.0
    Scan saved at 20:44:26, on 05/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office2003\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.n-e-t-working.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.n-e-t-working.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.catsarsedesign.co.uk "); (C:\Documents and Settings\Spotta\Application Data\Mozilla\Profiles\default\k1dnavcj.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", " "); (C:\Documents and Settings\Spotta\Application Data\Mozilla\Profiles\default\k1dnavcj.slt\prefs.js)
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.realemail.co.uk
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\stardock\MCPCore.dll
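
A first-pass triage of a HijackThis log like the one above, as an added example that is not part of the original post. The sample lines are copied from this log; the function and flag names are hypothetical, and the flags are prompts for manual review, not verdicts.

```python
import re

# HijackThis section codes that occur in the log above.
SECTIONS = {
    "R0": "IE start/search page setting", "R1": "IE start/search page setting",
    "N3": "Netscape/Mozilla start or search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE extra button/menu item", "O12": "IE plugin",
    "O14": "IERESET.INF setting", "O16": "downloaded ActiveX (DPF)",
    "O21": "ShellServiceObjectDelayLoad",
}
ENTRY = re.compile(r"^\s*([RNOF]\d{1,2}) - (.+)$")
RUN = re.compile(r"Run\w*: \[[^\]]+\] (.+)$")       # registry Run-key entries
FULL_PATH = re.compile(r'^"?[A-Za-z]:\\')            # command starts with a drive path
DPF_HOST = re.compile(r" - https?://([^/\s]+)")      # host an ActiveX cab came from

def triage(log_text):
    """Return one dict per log entry with review flags attached."""
    rows = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header and running-process lines carry no section code
        code, detail = m.group(1), m.group(2).strip()
        flags = []
        if detail.endswith("(no file)"):
            flags.append("orphaned: no file behind the registry entry")
        run = RUN.search(detail) if code == "O4" else None
        if run and not FULL_PATH.match(run.group(1)):
            flags.append("autostart command has no full path")
        host = DPF_HOST.search(detail) if code == "O16" else None
        if host:
            flags.append("ActiveX fetched from " + host.group(1))
        rows.append({"code": code, "kind": SECTIONS.get(code, "unknown"),
                     "detail": detail, "flags": flags})
    return rows

# Sample lines taken from the log in this thread.
SAMPLE = r"""
C:\WINDOWS\Explorer.EXE
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["code"], row["kind"], row["flags"])
```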
     
  8. 2004/07/05
    surferdude2

    surferdude2 Inactive

    Joined:
    2004/07/04
    Messages:
    4,009
    Likes Received:
    23
    Check out the possibility that you have inadvertently checked in under a different identity. The My Documents folder is unique to the user id.
     
  9. 2004/07/05
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    surferdude2 has an interesting idea and it may well be the problem. Either you are using a different logon or there is a problem with the one you are using, so that the files are on the hard drive but you aren't seeing them.

    Try an HD search with Agent Ransack.
     
  10. 2004/07/06
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Hi All.
    I am definitely logged in as myself, although I have also checked all my documents for the missing files with no success.
    And a search with Agent Ransack also had no luck.

    Altogether I have lost over 400 .jpg's, a few .gif's and all .doc's & .xls's.
    I had a folder for my business stuff with loads of subfolders containing quotes and invoices in both .xls and also .pdf conversions - these subfolders were all emptied of the Excel docs but the .pdf's were left.
    :confused:

    Spotta.
     
  11. 2004/07/08
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Upon further inspection, whatever caused this has wiped said files from all of my C: drive. I have various programs with images missing - and it has also cleared my C: drive of .wav files as well!

    any ideas?

    Spotta
     
  12. 2004/07/08
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    Wowza, this sounds like you have/had a virus. There have been lots of ones that do exactly what you describe. I pasted a few samples below, but there are many more. Is it possible that you have more than one machine? Could one of these other machines have accessed your hard drive over the network and performed the document whacking?

    If you create a new .doc, does it get whacked? If it does, you could do some tricks with Filemon from sysinternals to see what process is doing the whacking.

    As far as your data goes, if it was a virus that whacked those files, you are going to need to reload from your backup. If you don't have a backup and the files are mission critical, you need to turn off that machine right now, and contact a data recovery service.


    http://securityresponse.symantec.com/avcenter/venc/data/w32.lavehn.a@mm.html
    http://securityresponse.symantec.com/avcenter/venc/data/worm.explore.zip.htm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hunch.i@mm.html
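
The canary-file test suggested in the post above, as an added example that is not part of the original post. It plants marker files with the extensions the thread reports as wiped, plus a .pdf control, and reports when one disappears or changes, which gives a time window to look at in a Filemon capture. Function names, the file stem and the polling interval are hypothetical.

```python
import hashlib
import tempfile
import time
from pathlib import Path

# Extensions the thread reports as wiped from C:.
TARGET_EXTS = (".doc", ".xls", ".jpg", ".gif", ".wav")
# Control: the thread notes that .pdf files were left in place.
CONTROL_EXTS = (".pdf",)

def plant_canaries(folder, stem="canary_test"):
    """Create one small marker file per extension; return {path: sha256}."""
    folder = Path(folder)
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for ext in TARGET_EXTS + CONTROL_EXTS:
        path = folder / f"{stem}{ext}"
        data = f"canary {ext} planted {time.time()}\n".encode()
        path.write_bytes(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def check_canaries(baseline):
    """Compare the current state with the baseline; return [(path, status)]."""
    findings = []
    for path, digest in baseline.items():
        if not path.exists():
            findings.append((path, "deleted"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            findings.append((path, "modified"))
    return findings

def watch(baseline, interval=60, rounds=None):
    """Poll until a canary changes; return (timestamp, findings)."""
    n = 0
    while rounds is None or n < rounds:
        findings = check_canaries(baseline)
        if findings:
            return time.strftime("%Y-%m-%d %H:%M:%S"), findings
        time.sleep(interval)
        n += 1
    return None, []

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:      # constructed demo folder
        base = plant_canaries(demo)
        (Path(demo) / "canary_test.xls").unlink()    # simulate the wipe
        print(watch(base, interval=0, rounds=1))
```

If the control .pdf survives while the other canaries vanish, the deletion is selecting by extension, matching what the thread starter observed.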
     
  13. 2004/07/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sounds like viril to me too. Scan with RAV. Don't write anything to the drive, move files, delete anything. Download Restoration. Do not save it to the drive! Save it to a floppy. It will run from there also.

    If it is viril, you need to get rid of it before trying to recover any data, unless you recover it only long enough to burn to cd. Problem with doing that is you take a chance on burning the virus to the cd's also.
     
  14. 2004/07/12
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Restoration does not find them,
    RAV says I'm clean,
    Norton says I'm clean,
    eTrust AV says I'm clean.

    The backups I restored from my ghost file remained in place for about a week, then today all .wav .doc .xls .jpg .gif have once more been wiped from my C: drive.
    :confused:
    I just do not know what to try next. I am tempted to reformat and reinstall, but have files and folders on this OS that will need to be saved and put back afterwards, but how do I know one of these doesn't carry the virus?
    What else can I do if all the AV scans say my system is clean - something has wiped these files.

    At my wits end

    Spotta
     
  15. 2004/07/12
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    First, run and print a Belarc so you can keep track of what you want to put back on your computer. Since you can't find anything wrong with the scans, and the problem keeps reoccurring, I'd suggest a clean install of your XP OS. Be careful with your images- you may wind up putting the very problem you DON'T want back on. In fact, I'd trash them. Make a new image cd when you are satisfied everything is working correctly.

    Johanna
     
  16. 2004/07/13
    spotta

    spotta Inactive Thread Starter

    Joined:
    2002/12/04
    Messages:
    182
    Likes Received:
    0
    Thanks Johanna,
    That's what I was intending to do - I'm just worried I might move the problem over.

    I will also make sure I keep my important documents on any drive rather than C:!

    My machine has 4 physical drives, partitioned to give 9. I take it that if I have a virus causing this - it's definitely located on the C: drive???
    I'd hate to go through a complete reinstall of windows and all my programs to find the problem still there.

    Spotta
     
  17. 2004/07/13
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Sorry, Spotta, I wouldn't take the bet that the unknown virus could only be on "C". Plenty of executables run from other partitions. I would reformat the whole thing... Let someone else give their opinion about the multiple drives, but I would assume any/all could be infected, too.

    Johanna
     