Was this a virus??

bam

Using ETrust which tells me I'm up to date. WinXP

Was moving around on the computer the other day and noticed some programs
which usually start right up were taking longer than usual. Then in the
middle of an email my pointer slowed down to a halt and the whole computer
froze.

The only thing to do was to reboot, which I did. When it came to log in,
some pop up window said it didn't have any personal settings and it would
create one - something like that. When I got to my desktop all my icons were
gone and all the files that were on the desktop. Then I discovered that
almost everything in my Documents and Settings folder had been re-created
with nothing in them - and believe me, there was a lot of stuff in there.
All my Paper Port docs, OE Address Book, All Favorites and Bookmarks,
everything in Thunderbird and Firefox - wiped out.

Anyone ever hear of this?

Bryan
 
Adam Piggott

Using ETrust which tells me I'm up to date. WinXP

Was moving around on the computer the other day and noticed some programs
which usually start right up were taking longer than usual. Then in the
middle of an email my pointer slowed down to a halt and the whole computer
froze.

The only thing to do was to reboot, which I did. When it came to log in,
some pop up window said it didn't have any personal settings and it would
create one - something like that. When I got to my desktop all my icons were
gone and all the files that were on the desktop. Then I discovered that
almost everything in my Documents and Settings folder had been re-created
with nothing in them - and believe me, there was a lot of stuff in there.
All my Paper Port docs, OE Address Book, All Favorites and Bookmarks,
everything in Thunderbird and Firefox - wiped out.

Sounds like it could have been that the part of the registry (computer
settings database) for your profile was broken. When this happens XP will
sometimes re-create the profile anew, hence you not seeing any documents etc.

Open My Computer, go into Documents and Settings and see what folders are
there. If your profile is called "bam", then you may see a folder called
"bam" (original profile) and then a "bam.001" (new, empty profile).

You can simply move out all of the old profile's My Documents folder if
this is the case. If not, right-click My Computer, select "Manage" and
navigate to the System and Application Event Logs and see if there have
been any entries (recently) relating to "Winlogon", "User32", "Disk",
"NTFS" or any other entries with the red error symbols by them. Reply back
if you find anything.

This is symptomatic of possible hard disk failure; you may want to take
measures to copy all of your important information off the computer, when
you manage to find it that is!

HTH
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
bam

Adam Piggott said:
Sounds like it could have been that the part of the registry (computer
settings database) for your profile was broken. When this happens XP will
sometimes re-create the profile anew, hence you not seeing any documents etc.

Open My Computer, go into Documents and Settings and see what folders are
there. If your profile is called "bam", then you may see a folder called
"bam" (original profile) and then a "bam.001" (new, empty profile).

You can simply move out all of the old profile's My Documents folder if
this is the case. If not, right-click My Computer, select "Manage" and
navigate to the System and Application Event Logs and see if there have
been any entries (recently) relating to "Winlogon", "User32", "Disk",
"NTFS" or any other entries with the red error symbols by them. Reply back
if you find anything.

This is symptomatic of possible hard disk failure; you may want to take
measures to copy all of your important information off the computer, when
you manage to find it that is!

Thanks for the info Adam. Yes, there was some indication in the Application
event log that something big occurred. And Windows did create a second file,
but there was nothing in either the old or new one. I now have file
fragments Found.000 and 001 which collectively contain over 15,000 objects
and over 1 GB of .chk files. Much of it turns out to be my internet cache,
but there are also emails and desktop items I've located.

The hard drive is at least 4 years old and the only reason I hesitate to get
a new one is the trouble in reinstalling everything. Is there any way to
exactly duplicate my drive to a new one and just substitute it? (here are
the reports below):

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 10/24/2005
Time: 10:59:11 AM
User: N/A
Computer: BAM
Description:
Checking file system on C:
The type of the file system is FAT32.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Volume Serial Number is 0DCC-55FD
Unrecoverable error in folder \Documents and Settings\BAM.
Convert folder to file (Y/N)? Yes
Convert lost chains to files (Y/N)? Yes
Insufficient disk space to recover lost data.
1295136 KB in 15636 recovered files.
Windows found problems with the file system that could not be corrected.
39068512 KB total disk space.
2418336 KB in 1251 hidden files.
214912 KB in 6633 folders.
23686688 KB in 127169 files.
32 KB in bad sectors.
12030080 KB are available.

32768 bytes in each allocation unit.
1220891 total allocation units on disk.
375940 allocation units available on disk.


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1508
Date: 10/24/2005
Time: 10:59:21 AM
User: NT AUTHORITY\SYSTEM
Computer: BAM
Description:
Windows was unable to load the registry. This is often caused by
insufficient memory or insufficient security rights.

DETAIL - The system has attempted to load or restore a file into the
registry, but the specified file is not in a registry file format. for
C:\Documents and Settings\BAM.BAM\ntuser.dat

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1508
Date: 10/24/2005
Time: 11:10:23 AM
User: NT AUTHORITY\SYSTEM
Computer: BAM
Description:
Windows was unable to load the registry. This is often caused by
insufficient memory or insufficient security rights.

DETAIL - The system has attempted to load or restore a file into the
registry, but the specified file is not in a registry file format. for
C:\Documents and Settings\BAM.BAM\ntuser.dat

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1511
Date: 10/24/2005
Time: 11:10:36 AM
User: NT AUTHORITY\SYSTEM
Computer: BAM
Description:
Windows cannot find the local profile and is logging you on with a temporary
profile. Changes you make to this profile will be lost when you log off.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks and regards,

Bryan
 
Mich

bam said:
Using ETrust which tells me I'm up to date. WinXP

Was moving around on the computer the other day and noticed some programs
which usually start right up were taking longer than usual. Then in the
middle of an email my pointer slowed down to a halt and the whole computer
froze.

The only thing to do was to reboot, which I did. When it came to log in,
some pop up window said it didn't have any personal settings and it would
create one - something like that. When I got to my desktop all my icons were
gone and all the files that were on the desktop. Then I discovered that
almost everything in my Documents and Settings folder had been re-created
with nothing in them - and believe me, there was a lot of stuff in there.
All my Paper Port docs, OE Address Book, All Favorites and Bookmarks,
everything in Thunderbird and Firefox - wiped out.

Anyone ever hear of this?

Bryan


That happened to me once, turned out it was a hard night of drinking.

Mich...
 
Adam Piggott

Thanks for the info Adam. Yes, there was some indication in the Application
event log that something big occurred. And Windows did create a second file,
but there was nothing in either the old or new one. I now have file
fragments Found.000 and 001 which collectively contain over 15,000 objects
and over 1 GB of .chk files. Much of it turns out to be my internet cache,
but there are also emails and desktop items I've located.

Looking at the log entries I'd definitely agree, what a pain!

The hard drive is at least 4 years old and the only reason I hesitate to get
a new one is the trouble in reinstalling everything. Is there any way to
exactly duplicate my drive to a new one and just substitute it? (here are
the reports below):

I would say you could use a drive imaging product such as Symantec's Drive
Image or Ghost, but there are two reasons why, despite the time and effort,
I'd advise reinstalling on a new drive:

1) Imaging from a broken drive can mean that when you restore it to a new
drive, any filing system errors will come with it. Also if there are any
bad sectors the imaging program may mark those sectors on the new disk as
"bad".

2) Your Windows is using the FAT32 filing system which is far less reliable
or efficient than Windows XP's NTFS filing system.

I would buy two new drives as well as a disk imaging program and once
you're back up and running on a fresh install get some backups onto the
secondary disk. You could go with a (physically) small external USB drive
for the second disk, and keep it away from the computer when not backing up
to make it extra safe.

HTH
--
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
bam

Adam Piggott said:
Looking at the log entries I'd definitely agree, what a pain!

I've been successful in recovering fragments - got all my Favorites back by
searching for text that wouldn't be anywhere else.
I would say you could use a drive imaging product such as Symantec's Drive
Image or Ghost,

Looks like Casper has good reviews........


but there are two reasons why, despite the time and effort,
I'd advise reinstalling on a new drive:

1) Imaging from a broken drive can mean that when you restore it to a new
drive, any filing system errors will come with it. Also if there are any
bad sectors the imaging program may mark those sectors on the new disk as
"bad".

2) Your Windows is using the FAT32 filing system which is far less reliable
or efficient than Windows XP's NTFS filing system.

Agreed - but I have so many programs that have been upgraded so many
times........going back to square one would warrant a vacation.
I would buy two new drives as well as a disk imaging program and once
you're back up and running on a fresh install get some backups onto the
secondary disk. You could go with a (physically) small external USB drive
for the second disk, and keep it away from the computer when not backing up
to make it extra safe.

I'm looking at an external drive right now....maybe down the road another.

Thanks again.

Bryan
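
An added example, not part of any post in this thread: a way to sort CHKDSK's recovered fragments (the Found.000 / Found.001 .chk files) by what they start with, and to test whether a fragment is a registry hive whose header is still consistent, which is the check behind the Userenv 1508 "not in a registry file format" error. The function names are hypothetical, the header checksum rule is taken from public descriptions of the regf format, and the sample fragments are constructed.

```python
import struct
import tempfile
from collections import Counter
from pathlib import Path

# Well-known leading signatures (label text is descriptive only).
MAGIC = [(b"regf", "registry hive"), (b"\xff\xd8\xff", "JPEG"), (b"GIF8", "GIF"),
         (b"PK\x03\x04", "ZIP"), (b"%PDF", "PDF"), (b"From ", "mbox mail"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 document")]
# Text markers for formats with no fixed magic, searched in the first 4 KB.
MARKERS = [(b"[InternetShortcut]", "Favorite (.url)")]

def hive_header_ok(head: bytes) -> bool:
    """regf base block: XOR of the first 127 dwords is stored at offset 508."""
    if len(head) < 512 or not head.startswith(b"regf"):
        return False
    x = 0
    for (dword,) in struct.iter_unpack("<I", head[:508]):
        x ^= dword
    x = {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)  # two reserved values are remapped
    return x == struct.unpack_from("<I", head, 508)[0]

def classify(head: bytes) -> str:
    # A hive signature with a bad checksum is reported separately.
    if head.startswith(b"regf") and not hive_header_ok(head):
        return "registry hive (damaged header)"
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    for marker, label in MARKERS:
        if marker in head:
            return label
    return "unknown"

def triage(found_dir: Path) -> Counter:
    """Count fragment types among the .chk files in one FOUND.nnn folder."""
    counts = Counter()
    for chk in sorted(found_dir.iterdir()):
        if chk.is_file() and chk.suffix.lower() == ".chk":
            with chk.open("rb") as fh:
                counts[classify(fh.read(4096))] += 1
    return counts

if __name__ == "__main__":
    # Constructed fragments, not data from the thread.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "FILE0000.CHK").write_bytes(b"regf" + b"\0" * 504 + b"regf")
        (Path(tmp) / "FILE0001.CHK").write_bytes(b"regf" + b"\0" * 508)
        print(triage(Path(tmp)))
```

A matching checksum only vouches for the 512-byte header; the hive data behind it can still be truncated or overwritten.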
 
