Files moving randomly?

[cavaughan]

Strangest thing I have ever seen!

Ok, this user had an OS 10.39. MS office had definitely been infected by WM97.Thus-T (so identified by Sophos). Some of the instances had been removed but not all prior to updating to Tiger.

After updating to Tiger, everything was fine. Seeming all instances of the MS macro virus had been eliminated. So then the user applied the latest updates to Tiger. After rebooting, something was really strange.

1. Entourage started by default. There was no mail except a welcome message.

2. Files (I think all MS related) were suddenly gone from directories they had been in.

3. While sitting there searching for his files, he noticed that in his home directory some of those missing files would momentarily pop up and then dissappear.

After much time finally the computer has become stable. That is to say, that files are no longer randomly shuffling, but many of the files that had been in certain directories are no longer there. Entourage has none of his emails. He has searched his computer for files that have gone missing with no results.

Does anyone have any idea what the *$% is going on?

I have been blaming it on the macro virus, but I am really stumped.

Curtis

[Satcomer]

Tell him to jold down the option key while starting Entourage. A dialog box will come and tell him the rebuild the database.

[fryke]

Files popping in and out is (sadly) "normal" behaviour of Spotlight. While searching, it constantly updates the result list - and shows the top five of each category. Looks weird, sometimes.

[cavaughan]

Fryke? Are you telling me that if I am in, say, /Users/curtis/ as Spotlight updates I might see files pop in and out of this folder? I think you're just talking about the Spotlight result list.

[barhar]

'this user had an OS 10.39. MS office had definitely been infected by WM97.Thus-T (so identified by Sophos)', no - it was not. MS Office has not been 'definitely' infected. 'this user' may have (or had) MS Office Word files with the macro virus attached; but, MS Office can not, nor will be, infected by it.

'Some of the instances had been removed but not all prior to updating to Tiger.', and how was 'WM97/Thur-T' detected and removed? (please name specific actions / applications - and version numbers).

'After updating to Tiger, everything was fine.', how can this be? ... you just stated above that 'some ... instances (of 'WM97/Thus-T') had been removed but not all'! Why would anyone (with common sense), knowing 'definitely' that they have a virus - do anything, but remove the virus entirely? (if such actually existed - with respect to MacOS X)

'Seeming all instances of the MS macro virus had been eliminated.', eh - no. No MacOS X installer tests for, and therefore eliminates, any viruses. If 'this user' had 'some' remaining macro virus infected MS Word documents, prior to the 'Tiger' installation, they would remain - after the installation.

'Does anyone have any idea what the *$% is going on?', without 'this user's Mac in front of us - no!
If 'this user' is not you - and if you (in person) have not performed the virus removal, MacOS X 'Tiger' installation; or, seen the 'Entourage', missing files, and appearing / disappearing files - then all is hearsay, and the context of the original is blurred. Why not have 'this user' post to this thread; and have him ask and answer related questions.

'I have been blaming it on the macro virus, but I am really stumped.', yes, we can see and understand why.

----

'WM97/Thus-T' related:
Did you or 'this user' actually go to the WM97/Thus-T web page and click on the 'Description' link?, If so, did you or 'this user' set the Mac's clock's date between 01.01 and 09.01 of any year since 1999? if not, do so - and either you or have 'this user' post the results. Only then can either of you claim that 'WM97/Thus-T' existed / exists.

Did you or 'this user' actually go to the WM97/Thus-A (of which 'WM97/Thus-T was derived from) web page and click on the 'Description' link?, If so, did you or 'this user' set the name of his Mac's boot drive to 'C'? if not, do so - and either you or have 'this user' post the results.

Only by performing the above 'WM97/Thus-T' related steps, can you say 100% that 'this user's Mac had been the victim of said MS Word macro virus; otherwise, do not state such publicly.
If you did indeed determine that the Mac was infected - please post the factual details here, and also notify Apple, Microsoft, Sophos, other virus software publishers; and, as many as possible Mac and news related web sites - of such. I am quite sure they would be very interested in the (factual) details. Also, make sure they get your name(s) correct. Only than could anyone believe your statement - 'MS office had definitely been infected by WM97/Thus-T', and again; otherwise, do not state such publicly.

----

With respect to 'Entourage' - somehow the 'Microsoft User Data' folder (of MacOS X 10.3.9) is no longer in the current user's '~/Library/Documents/' folder. Locate it and manually move it there.

With respect to 'Files (I think all MS related) were suddenly gone from directories they had been in.' - well, could you not be any more vague? When installing MacOS X 'Tiger' (10.4.0), and 'if' an 'archive and install' was performed - not all the '/Library/' folder's sub-folders will be transferred from the 'Pervious Systems' sub-folders to the current equivalent sub-folders. This scenario has existed since the first MacOS X release. The user must manually move some of the files and / or folders - the respective current folders. If not, some applications may fail to run, or may not have available past related information (files).

With respect to 'While sitting there searching for his files, he noticed that in his home directory some of those missing files would momentarily pop up and then disappear. ', I was thinking as 'fryke' did; but, you finally stated more clearly in your second post - that the folder itself was flickering about - showing and removing items. Thus, without the Mac actually before me - I have no clue.

Nowhere in your post was it stated whether 'Disk Utility' was launched - via the 'Tiger Installation Disc' and the 'Disk Repair' and 'Repair Disk Permissions' actions were performed prior to 'Tiger's installation; and, 'Repair Disk Permissions' was performed after the installation. These are, now, normal (common sense) practices - when installing and / or updating MacOS X or related applications / files.

Nowhere was it mentioned whether MacOS X 'Tiger' 10.4.0, or 10.4.1, or 10.4.2 - is the version currently installed. Since 10.4.1 and 10.4.2 are updates - the 'Disk Utility' ritual should have been performed.

P.S. If you or 'this user' has a MS Word document with the 'MW97/Thus-T' - please state such, I would like to obtain a copy.

[cavaughan]

In response to Barhar:

Ok. This user had 10.39. Office was definitely infected with some macro virus. WM97/Thur-T was definitely one of them, as identified by Sophos. OK, technically it was doc files as well as the Normal.dot file that were infected.

Prior to installing Tiger I installed ClamXav on his computer and ran a scan. We knew he had some virus because other Windows machines were detecting the virus in the documents. However, ClamXav doesn't disinfect. I set it up to move any infected files. Well, it detected a virus in the Entourage database. So I stopped it. Moved the database back to where it was supposed to be. Everything was working fine.

So, I upgraded him to Tiger. We had not finished disinfecting all infected files.

After updating to Tiger, everything was working fine means that Entourage was working fine. I installed Sophos. We let Sophos disinfect and scan the entire HD. The next day Sophos was done, but the only it found was an instance of WM97/Thus-T in the Normal.dot file and it disinfected it. Again, everything was working fine - that is, Entourage was working fine.

So, seeminly all instances of the macro virus were eliminated by Sophos.

So since everything seemed to be in order the user decided to install all updates for Tiger. After which he had to reboot.

After rebooting for some reason Entourage was on - although it was never set to start up at startup. The only message in there was a greeting (the standard). No other messages were there.

This user claims (and I'm going to try to find out specifically what he is talking about) that after rebooting he saw files popping in and out of folders. Files that were missing from the folders they should be in. After much time this file shuffling finallly stopped. But many files were no longer in the folders they had been. In fact they are totally gone. The Entourage database and other files are also totally gone. I am trying to search for them right now, although I don't know what they look like exactly.


>With respect to 'Entourage' - somehow the 'Microsoft User Data' folder (of MacOS X 10.3.9) is no longer in the current user's '~/Library/Documents/' folder. Locate it and manually move it there.

OK, I see under ~/Documents/Microsoft User Data/ several files. The only interesting one is: Microsoft User Data.dmg which is some 204 Megs. Is that his Entourage folder?


>Nowhere in your post was it stated whether 'Disk Utility' was launched - via the 'Tiger Installation Disc' and the 'Disk Repair' and 'Repair Disk Permissions' actions were performed prior to 'Tiger's installation; and, 'Repair Disk Permissions' was performed after the installation. These are, now, normal (common sense) practices - when installing and / or updating MacOS X or related applications / files.

Actually I told him that he needed to do that. As far as I know, he hasn't.

[cavaughan]

Could anybody please somehow explain why files would have been deleted and moved? I would really like to understand how and why this could happen.

[cavaughan]

Guess what everyone! Happened again. Entourage files are gone and various doc files are now gone. Something really messed up with this system. Does anyone have any idea what might be causing this to happen? I just can't imagine.