
Frosted Unlucky Files...they're magically deleted


MountainNetworks

IS-IT--Management
Apr 24, 2003
74
Ok, this is very weird. And I'd like some logical explanation other than Mercury being in retrograde :)

Two separate clients with two entirely separate operating systems.

Client 1. Not connected to the internet. They don't work with floppies or bring any foreign removable media into the office. Windows 98se in a peer to peer. Only 2 workstations. Only 1 application which is a DOS app.

Client 2. Is connected to the internet. Windows 2000 Server and 4 XP Professional Workstations.

Both clients have experienced massive file deletions. Everyone swears that nobody has done anything. In both cases, it looks like someone came in, highlighted a bunch of files, and pressed the delete key. In both cases, everyone swears that nobody has touched anything. In both cases, the deletions occurred on the weekend.

My clients aren't technically savvy. They're usually afraid to touch anything outside of their application programs that they use. Especially the vet practice (client 1). Client 1 lost their data this weekend while Client 2 experienced this phenomenon a couple of weeks ago.

The deletions seem to be limited to files between W and Z. Other than gnomes or pissed off pixies, what could cause deletions like this, assuming everyone is telling the truth and nobody has touched a thing?
 
No way to know without more details. Offhand I would say that only two things can do this: a virus or a human. I'd tend to discount the virus because of the W to Z thing.

Best bet is to get some sort of auditing going. That way, if it happens again, you'll have a lead. I didn't read if your users had backups, but it would be a great opportunity to offer it to them ;-)

Yves
 
Is Your Disk Space up to snuff.....at least 10% free, preferably more...
(in 98 anyway)..If you go into My Computer and right click the Local Hard disk (C:\) and choose "properties" and "Disk Cleanup" on the General Tab..you'll see a setting for automatically running DiskCleanup if you run low on disk space (Settings Tab)

Though this probably isn't the cause,(usually only deletes Temporary Internet Files/etc) it's a possibility to look into...
I have no idea what it will do , AFTER deleting TIF/etc. and STILL needs more space.

I must say from your description it sounds more Human (maybe even unintentional somehow), especially since Client1 and Client2 don't connect in any way...

Another thought; has anyone Run WinALign in the 98 Client..
TaskScheduler has a cleanup task listed, built in at first(probably a DiskCleanup)....until it's deleted/disabled, it can run on its own at regularly scheduled times, if it's set.(Again, Both setups being affected, seems impossible this way)
Check your Recycling Bin in Client1(98 box) at the least.

A Curious question I have for anyone/everyone is;
Can a virus/trojan/worm/malware be transferred to a Burned CD, during the burning process????.
(I'm inclined to think it can be)



TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 

Yes, you can easily xfer a virus when recording a cd.

thanx for confirming skipcox

TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 
for the win98 systems. They're brand new hard drives, fresh installs of win98se, and the only thing they use their computers for is their legacy DOS application. It's a Vet practice.

There's nothing to clean up, and they're not on the internet. It's an isolated environment. In fact, I can honestly say they are unhackable :)

You'll just have to take my word for it about the office dynamics. Nobody doubleclicks on "My Computer" or any other desktop icon. They have a pre-programmed keyboard shortcut key. They come in, press cntrl-f1, the screen fills with their DOS program (no windows access) and that's where it stays until they shut down the program for the day.

I guess maybe the "Mercury in retrograde" thing is the best explanation I'm gonna get.
 
Hello Mountain,
The only common link between the two clients at this point appears to be You. Perhaps you infected them unknowingly during a previous service call??
 
Infected them with what? Allow me to reiterate. Both clients are completely updated with the latest antivirus software (I prefer McAfee today). All are updated with the latest virus definition files, even the one who is isolated from the internet. The incidents are too isolated and singular to be viral activity. I believe I can say with a certain degree of confidence that it's not a virus. Can anti-virus software delete files?
 
We've got a working theory for the one client with the missing files.

The client had been running two 486 computers, one with 8mb Ram and the other with 16mb Ram. Both stations were running windows 95 and networked peer to peer. To run their Veterinary practice, they've been using a DOS based program written in COBOL. That's all they've ever used their computers for.

No Good deed goes unpunished:

I acquired two Pentium II computers from another client who recently upgraded their infrastructure and OS environment to XP Professional. I refurbished both these computers and donated them to the Veterinary practice. Initially, I installed Windows 2000 on them, installed their software and deployed them in the practice. However, as we soon found out, programs written in COBOL don't print with Windows 2000. Both refurbished machines were taken back. I installed brand new Seagate 40gb hard drives, purchased new RAM, formatted the drives in FAT and installed Windows 98 on both refurbished machines. Once deployed, both machines operated with minimal incident for about a month or so.

"Today it works, tomorrow it doesn't, Windows is Like that":

Over time, the number of program related errors increased. Using utilities that come with the software, the database files were rebuilt to restore operation on a couple of occasions. Right about the time I started this thread, I got a call from the client that the program wouldn't execute. I found several files missing from the program directory and restored them from backup. When I rebooted the machine, Windows complained of registry problems which it fixed with the automatic scanreg. All was well with the world for about a week. The program began to die again when accessing accounts from certain letters of the alphabet. While doing the database rebuilding that I've successfully done before, the entire system hung, forcing a hard crash reboot.

That's the last we saw of the Windows operating system, and the Windows partition in general. Using several low level disk checking utilities, no errors or defects were reported from the hard disk. As I attempted to reinstall Windows, I was forced to restart setup two or three times while scandisk did its best to recover what was left of the FAT file system and its directory structure. When all was done, we were left with a bunch of FILExxx.CHK files and DIR0000xx directories.

The good news is the data has been backed up, and all the current data resides in DIR000035 (I was able to search by program extension (dir /s *.vpd)).

The Burning question... What would cause an otherwise stable and VIRUS FREE machine to implode on itself? As it turns out, the program itself may be the culprit. First of all, the program isn't Y2k compliant. So the database files and dates themselves may be causing the frequent database corruptions. Secondly, when this program was written, 40GB hard drives didn't exist, and Windows 98 had just come out.

Windows 98 creates two copies of its FAT file system, which it references as Copy 1 and Copy 2. One copy is at the beginning of the disk, and the other copy is at the end of the disk. The program only knows about one copy. When it writes to the disk, it uses the BIOS for I/O since it's DOS based. The BIOS may be misinterpreting the requests from the program. The second cause is probably the partition itself.

Today I will be rebuilding this disk. At the advice of the program vendor's tech support, I'll be selecting "N" to the Large Volume support in fdisk, which will limit the partition to a 2gb partition running FAT16. We'll see if that fixes the problem.

All this leaves me with one question... When a Windows 98 operating system implodes without any clear indication as to why, is there any utility that goes through the FILExxx.CHK and the DIR000?? to try to determine where they came from? Norton's Utilities gets you some kind of access to these files, but I'm wondering if there is a utility that tries to put the directory structure back together, based on information found in the files themselves.

Thanks...
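
Added example, not part of the original thread: a first-pass triage of the FILExxx.CHK fragments ScanDisk leaves behind, sorting them by the signature bytes at the start of each file. The signature table is a small constructed subset and the function names are hypothetical; the application's own .vpd format is not covered because the thread does not describe it.

```python
import os
import re

# Constructed, deliberately small signature table; extend it with the
# formats the lost application actually used.
SIGNATURES = [
    (b"MZ", "DOS/Windows executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"MSCF", "Microsoft cabinet"),
    (b"CREG", "Windows 9x registry hive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
    (b"BM", "Windows bitmap"),
]
CHK_NAME = re.compile(r"^FILE\d+\.CHK$", re.IGNORECASE)
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def classify(head):
    """Guess a fragment's type from its leading bytes (heuristic only)."""
    if not head:
        return "empty"
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if all(b in TEXT_BYTES for b in head):
        return "plain text"
    return "unknown binary"


def scan_fragments(root):
    """Return sorted (relative path, size, guessed type) for each CHK file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not CHK_NAME.match(name):
                continue  # files inside DIRnnnnn folders keep their names
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(512)  # read-only: never alter the evidence
            rel = os.path.relpath(path, root)
            results.append((rel, os.path.getsize(path), classify(head)))
    return sorted(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, size, label in scan_fragments(target):
        print(f"{rel}\t{size}\t{label}")
```

Run it against a copy of the recovered volume rather than the original disk; a fragment that begins mid-file carries no header and will show up as unknown binary or plain text.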
 
Just a guess, but, might as well;
The Fat32 thing may be the culprit with that odd cobol software, just cause if it was written to operate in 32kb clusters like Fat16, instead of 4kb like Fat32(up to a certain disc size; 8-10gb?)....Ya know, like NTFS 4.0 can't read fat32, yet it can fat16. And the clusters are getting thrown around 2-4 at a time..
Also that y2k prob too...hmmm

An idea would be to Fat16 it into 2gb parts and also try to use 95 again if possible(I'm sure you were trying to avoid that)..and also schedule Scandisk to run at every boot up, no matter what..View the win98 help file, hence;

-----------------------------------------------------------
To add ScanDisk to your StartUp folder

On the taskbar, right-click Start, and then click Open.
Click the Programs folder, and then click the StartUp folder.
On the File menu, point to New, and then click Shortcut.
In Command line, type:
Scandskw.exe
Click Next.
In Select a name for the shortcut, type:
ScanDisk
Click Finish.

To check for disk errors when your computer starts

In your StartUp folder, right-click ScanDisk.
Click Properties.
On the Shortcut tab, type one or more of the following after the text that appears in Target:

Type    To
x:      Specify the drive you want to check (substitute the drive letter for x).
/a      Check all your local hard disks.
/n      Start and quit ScanDisk automatically.
/p      Prevent ScanDisk from correcting any errors it finds.


Notes
To check drive D and start and quit ScanDisk automatically, in Target, type:

c:\windows\scandskw.exe d: /n

To check all hard disks but prevent ScanDisk from correcting any errors it finds, in Target, type:

c:\windows\scandskw.exe /a /p

-----------------------------------------------------------

TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 
One more theory:
Hard drives when supplied new have a certain number of sectors in reserve not seen or counted in the size, the idea being that if a duff sector arises on the disc, it can be 'replaced' from the bank of reserves, so maintaining the advertised drive capacity.(for a while)
A good idea.
Trouble is, as I understand it, these sectors are replaced without prompting and if the original had data on it, tough luck, you just got it replaced with an empty one.
Could this explain the random deletions?
And is it likely to happen to two computers at the same time?
Just a thought.....
Andy.
 
I've seen this recommended here quite a bit for data rec.
I don't think it's free, yet an exploration of the site _may_ offer an evaluation ver..

TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 
hotfusion:

The one client I'm positive is a user error. But your theory makes sense for the vet practice.

Tektippy: Thanks for the link! I've been looking for an exhaustive data recovery program. I have other clients that could benefit from this kind of thing from time to time.
 
Hey buddy;
Two more links for u to look into;
in this link the fdisk /x will NOT let you access more than 8 GB , cause of LBA limitations, so post back before using(not that u would anyway)



TT4U

Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
 
Hey guys! I have read this thread with growing astonishment. This sounds really severe and inexplicable, but a theory has just crossed my mind:

You said that they're vets right?

Any tomographic machine near the computer(s)?
--> Strong magnetic fields!
Perhaps it's not the computers, but the environment they're in. If so, moving them to another place in the room could fix the problem.

Let me know if this applies. I'm reeaaally curious about this.

Andreas Galambos
EDP / Technical Support Specialist
(andreas.galambos@bowneglobal.de)
HP:
 
MakeItSo:

Very insightful! It's not applicable in this case, but you're absolutely correct about that being a potential cause nonetheless. One of the initial theories I checked was EMF from a power junction that might have been too close to the computer. There were none. I quickly rejected the notion primarily because the two original machines were in the same location for 8 years and never had a problem. And ... both original machines (both 486) never had a problem. Did I happen to mention that both original machines never had a problem? :-D

In this case, I'm certain the problem was as hotfusion suggested, "Hard drives when supplied new have a certain number of sectors in reserve not seen or counted in the size, the idea being that if a duff sector arises on the disc, it can be 'replaced' from the bank of reserves, so maintaining the advertised drive capacity.(for a while)"

The machine in question has been rebuilt with an old 1.6gb hard drive and has been running flawlessly (well, as flawlessly as windows 98se can run). The client has also purchased two new computers which will be installed next week with the latest updates from their software manufacturer.

Thanks...

 
Oh, btw: some older BIOS do not support large HDs. Perhaps a BIOS update (if these BIOS are updatable) would have also done it. Perhaps you can make use of this in future.
Updates can be downloaded from the respective manufacturers site (Award, AMI a.s.o)

It's probably best if your client switches to new machines as they intend to do.

Anyway: wish you better luck next time...
;-)

MakeItSO
 
MakeItSo:

I updated the BIOS before I installed the OS the first time. As a general rule, whenever I refurbish a machine, I upgrade the BIOS if possible.

After I install the new workstations at this client site, I'll be getting the old workstation back. I'll be glad to put it on the open internet if anyone wants to have a crack at identifying ... for certain ... the root cause of the problems.

Thanks...
 
TekTippy4U's suggestion to have ScanDisk run on start up sounds like a good idea.

FILExxx.CHK files and DIR0000xx directories are the result of cross-linked files and ScanDisk generates them when it cannot resolve the situation I believe.

It sounds like the computer may not be shutting down properly. Be certain that the unit is not simply being powered off at the end of the work day and that the proper steps are taken - go to "Start" to Shut Down and allow Windows to save its settings before tripping the power switch. It's a very basic thing but it might be what is causing this trouble.
 
Frankeeeee:

Actually, in this case it seems that scandisk was causing the problem. Quoting TekTippy:

Just a guess, but, might as well;
The Fat32 thing may be the culprit with that odd cobol software, just cause if it was written to operate in 32kb clusters like Fat16, instead of 4kb like Fat32(up to a certain disc size; 8-10gb?)....Ya know, like NTFS 4.0 can't read fat32, yet it can fat16. And the clusters are getting thrown around 2-4 at a time..
Also that y2k prob too...hmmm

I can assure you the users were not improperly shutting down the workstation.

Everyone:

In a couple of days I'll have this machine back from the client (They've purchased and installed new workstations). At that time I'll put this machine on the public internet and you can all have a crack at it. Keep in mind this machine will only have antivirus software running on it, so connect at your own risk.

 