IceBlackIce
Posted February 11, 2009

Hello all,

First and foremost, this will sound weird to you; believe me, if I was in your place I would think the same, but try to read it with an open mind.

I work for an IT shop and give support to customers with their computers. I have this situation with one of them that is costing me some years of life; I will try to explain it the best I can.

The customer had a computer. He called me saying that some user data was gone (Excel, Word and some pics). I went and took a look there, but couldn't find anything suspicious with various diagnostic tools like procexp, autoruns and the like. The computer had avast installed and updated, but since I couldn't find what was causing it, I assumed it was some kind of virus or rootkit and installed the computer again with Windows XP (after being formatted) and installed McAfee, but this time the customer was working as a limited user, and I turned on auditing of file deletions in the folder the customer usually worked in.

Some months later he called me again and the problem was back. Same situation: some user data was gone, no program files affected as far as I could tell. The files were deleted in all the folders the customer worked in, and even on some pens that he used to do backups. The thing is that now I would know what was causing it because I had the logs, right? Wrong... the files were being deleted but no process was showing up in the log. Here's the log of one of them:

Abertura de objecto:
Servidor do objecto: Security
Tipo de objecto: File
Nome do objecto: C:\dados\Trabalho\Os meus documentos\Agente Antonio Soares\Fax Diversos\Fax SR. Rui-21-02-2008.docx
ID de identificador: 1124
ID de operação: {0,723700}
ID de processo: 4
Nome de ficheiro de imagem:
Nome do utilizador principal: TEXTOPC$
Domínio principal: GRUPO_TRABALHO
ID de início de sessão principal: (0x0,0x3E7)
Nome de utilizador cliente: Utilizador
Domínio cliente: TEXTOPC
ID de início de sessão cliente (0x0,0x5A239)
Acessos DELETE ReadAttributes
Privilégios -
Contagem Sid restrita: 0

As a way to try to solve things, I thought that it was related to hardware, so a new computer was put there, with Windows Vista, and I called it a problem solved. But as you would guess the problem occurred again some months after, with the exact same behavior: user data being deleted. But now, as I have instructed, the backups are safe, because the customer only plugs in the pen when doing backups and then unplugs it, leaving the files safe. There are 2 computers in the network; the other one has Windows Vista too and nothing ever occurred on that one.

The customer has now noticed a new behaviour: the "My Computer" icon disappears from the desktop some time before the problem occurs.

Does this tale ring a bell with any of you? Because nothing makes sense to me in this problem. Logic tells me it must be software related, but what? The customer tells me he installs nothing suspicious; there was even a time he was working as a limited user and the thing still occurred.

Any help would be greatly appreciated...

Thanks
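Added example, not part of the original thread or any poster's code: a Python parser that splits the flattened audit record quoted in the post above into its fields and reports what the record says about who requested the delete. It relies on two Windows facts (on Windows XP and later PID 4 is the System process, and logon session 0x3E7 is the Local System session); the function names are illustrative.

```python
import re

# Field labels of the Portuguese-locale record, in the order the post shows them.
LABELS = ["Servidor do objecto", "Tipo de objecto", "Nome do objecto",
          "ID de identificador", "ID de operação", "ID de processo",
          "Nome de ficheiro de imagem", "Nome do utilizador principal",
          "Domínio principal", "ID de início de sessão principal",
          "Nome de utilizador cliente", "Domínio cliente",
          "ID de início de sessão cliente", "Acessos", "Privilégios",
          "Contagem Sid restrita"]

# The record from the post, flattened onto one line as the forum shows it.
SAMPLE = (r"Abertura de objecto: Servidor do objecto: Security Tipo de objecto: File "
          r"Nome do objecto: C:\dados\Trabalho\Os meus documentos\Agente Antonio "
          r"Soares\Fax Diversos\Fax SR. Rui-21-02-2008.docx ID de identificador: 1124 "
          r"ID de operação: {0,723700} ID de processo: 4 Nome de ficheiro de imagem: "
          r"Nome do utilizador principal: TEXTOPC$ Domínio principal: GRUPO_TRABALHO "
          r"ID de início de sessão principal: (0x0,0x3E7) Nome de utilizador cliente: "
          r"Utilizador Domínio cliente: TEXTOPC ID de início de sessão cliente "
          r"(0x0,0x5A239) Acessos DELETE ReadAttributes Privilégios - "
          r"Contagem Sid restrita: 0")

def parse_record(text):
    """Split a flattened record into {label: value}; the colon is optional."""
    text, hits, pos = " ".join(text.split()), [], 0
    for label in LABELS:
        m = re.compile(re.escape(label) + ":?").search(text, pos)
        if m:
            hits.append((label, m.start(), m.end()))
            pos = m.end()
    bounds = [start for _, start, _ in hits[1:]] + [len(text)]
    return {label: text[end:stop].strip()
            for (label, _, end), stop in zip(hits, bounds)}

def triage(f):
    """Return notes on who the record says performed the access."""
    notes = []
    if f.get("ID de processo") == "4" and not f.get("Nome de ficheiro de imagem"):
        notes.append("process is PID 4 (System); no image file name recorded")
    if f.get("ID de início de sessão principal", "").lower().endswith("0x3e7)"):
        notes.append("primary logon session is 0x3E7 (Local System)")
    if f.get("Nome de utilizador cliente", "-") != "-":
        notes.append("client: %s\\%s, logon session %s" % (f.get("Domínio cliente"),
            f["Nome de utilizador cliente"], f.get("ID de início de sessão cliente")))
    if "DELETE" in f.get("Acessos", "").split():
        notes.append("DELETE requested on " + f.get("Nome do objecto", "?"))
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_record(SAMPLE))))
```

The empty image name in the record is consistent with the process ID: the access was made by the System process on behalf of the client account and logon session shown in the client fields.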
Tripredacus
Posted February 11, 2009

No, this is new to me. My first question is whether or not the user saves their files in their profile (%user profile%), such as My Documents or on the desktop. I have seen profile corruption occur where files disappear. So here are some questions to get you started:

1. Does the user save his files in the profile directory?
2. On the Vista computer, is the UAC enabled?
3. Is the user in the Administrators group? (You might want to make his account a Limited-User account.)

Maybe I can think of more questions later.
IceBlackIce
Posted February 11, 2009

Thanks for the reply. This problem can't be profile related, since some of the data is in profile folders but other data isn't. Vista has UAC enabled, and at the moment the user wasn't in a limited-user account, because previously the problem occurred while the user had limited access.