• Status: Solved
  • Priority: Medium
  • Security: Public

User files have disappeared in Windows 7

Hi all,

A user has brought me a laptop with Windows 7 Home Premium, which has a very strange problem.
Basically all the start menu links, desktop shortcuts and documents have gone missing. The default start menu is missing for all users including new users. Therefore files have gone missing from multiple directories. Normally I would expect the files to be hidden but "Show hidden files, folders and drives" is selected and "Hide protected operating system files" is unchecked. I have tried using two "undelete" programs to try and recover the files, but any program I have tried doesn't list the missing files for restore. I know the files existed on the laptop as I have seen them referenced in the registry.

Therefore does anyone have any ideas of what may have happened and how to resolve it?

Many Thanks
Anthony

0
anthony_hurley
3 Solutions
 
vopCommented:
It sounds like the laptop has become infected with a virus. These symptoms were seen after a user visited a perfectly innocuous website which had been compromised by a php injection attack. The chances are the infection includes a rootkit. The only real solution is to rebuild the machine, ideally using a brand new hard drive!  

0
 
anthony_hurleyAuthor Commented:
What about recovering the files?
0
 
ChiefTechGuruCommented:
Like vop said, potential virus infection.  If you've already cleaned an infection, use unhide.exe to see all files which were hidden by the infection.  Also take a look at this article on seeing hidden files in Windows 7.
0

 
anthony_hurleyAuthor Commented:
As mentioned, Windows Explorer is already set up to show all hidden files.
Both Kaspersky and Malwarebytes have not found any infections on the system.
That said, I still used unhide.exe and still nothing.

:(
0
 
johnb6767Commented:
%temp%\SMTP
C:\windows\Temp\SMTP

See if these are present.....

If they are present.....

http://www.geekstogo.com/forum/index.php?app=core&module=attach&section=attach&attach_rel_module=post&attach_id=50198

Extract the .bat file, and note the paths where the files belong. I have never had success with the batch, and have always corrected it when using it. The destinations are right, just a syntax issue....
0
 
johnb6767Commented:
Correction....     SMTMP is the folder name above.....

In fact, search all of your %TEMP% directories for *.LNK

I have seen a few issues where they were not in an SMTMP directory....
0
 
anthony_hurleyAuthor Commented:
The SMTMP folder doesn't exist.
0
 
ChiefTechGuruCommented:
Can you boot PC off of bootable USB/CD/DVD?  If so, check to see if you can see the files from there.  Another option, running System Restore might do the trick.
0
 
Jason WatkinsIT Project LeaderCommented:
If possible, download/install/run Malwarebytes Anti-malware.

http://www.malwarebytes.org

This should make it so that you can start to work on recovering the computer. The files are hidden, so "Show hidden files and folders" from Windows Explorer and the user's data should reappear. Select all of the hidden user data and from the properties sheet, clear the Hidden attribute.

A complete rebuild of the computer IS the best option, however.
0
 
johnb6767Commented:
If you have already cleaned out your Temporary Files, then chances are these shortcuts are all gone. I would transfer them from a working (similar) machine.

If you create NEW shortcuts, in the Start Menu (C:\Users\USERID\AppData\Roaming\Microsoft\Windows\Start Menu\Programs) do they appear?
0
 
ded9Commented:
Use Recuva to recover the data

http://www.piriform.com/recuva


Might be a problem with Hard drive...if this is a new computer then replace it.



Ded9
0
 
web_trackerCommented:
I agree this definitely sounds like a malware infection, as I have seen this on systems I have worked on in the past. Although you already ran Malwarebytes, it is possible that the infection is hidden somehow so that Malwarebytes does not detect the virus. I would try to see if you can back up the files by connecting the drive externally to another computer, then you can use programs such as rkill and roguekiller before running Malwarebytes. Do not reboot the computer after running rkill and roguekiller until after you have run Malwarebytes, or the malware may be reactivated. Once the infection is removed, run the unhide tool to get your desktop items back. Make sure you install the Malwarebytes updates before you run the scan.
0
 
vopCommented:
Are there any dodgy-looking files seen in the msconfig startup tab, or in the Start | Programs | Startup group?

In my experience, the user's My Documents folders weren't affected, nor were other "non standard" document locations on the C: drive so the user was able to retrieve their documents.

There is a key called  ShowSuperHidden  in the registry under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

setting the key value to 1 may possibly make the files visible again. No guarantees, mind.



0
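A read-only triage sketch covering the checks suggested in the comments above (the SMTMP folders and stray *.LNK files in the temp directories, the Hidden attribute on profile files, and the Explorer `Hidden` / `ShowSuperHidden` values). It is an added example, not code from any poster and not what unhide.exe does internally; the `$ProfilePath` parameter and the output layout are assumptions.

```powershell
# Added example: read-only triage. Nothing on disk or in the registry is changed.
param(
    # Assumption: the profile to inspect; defaults to the current user's profile.
    [string]$ProfilePath = $env:USERPROFILE
)

# 1. Look for an SMTMP folder and stray shortcuts in the temp directories.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp')) | Select-Object -Unique
foreach ($dir in $tempDirs) {
    $lnk = @(Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -Force `
                 -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        TempDir     = $dir
        SmtmpExists = Test-Path -LiteralPath (Join-Path $dir 'smtmp')
        LnkCount    = $lnk.Count
    }
}

# 2. Items flagged Hidden but not System under the profile. -Force makes
#    Get-ChildItem list them regardless of the Explorer view settings.
$hidden = @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force `
                -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        -not ($_.Attributes -band [IO.FileAttributes]::System)
    })
"Hidden, non-system items under ${ProfilePath}: $($hidden.Count)"
$hidden | Select-Object -First 20 -ExpandProperty FullName

# 3. Explorer view settings for the current user.
#    Hidden:          1 = show hidden files, 2 = do not show them
#    ShowSuperHidden: 1 = show protected operating system files, 0 = hide them
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($adv) {
    "Hidden          = $($adv.Hidden)"
    "ShowSuperHidden = $($adv.ShowSuperHidden)"
} else {
    "Could not read $key"
}
```

The script avoids syntax newer than PowerShell 2.0 so it runs on a stock Windows 7 install. If every check comes back empty, hidden attributes are not the explanation and the other suggestions in the thread (offline boot, undelete tools, disk diagnostics) are what remain.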
 
anthony_hurleyAuthor Commented:
Thanks for the replies all, this is what I have previously done before posting this question:

Made explorer show all hidden files (Files not showing)
Ran a full virus scan (No viruses found)
Ran a full MalwareBytes scan (No malware found)
Ran several "Undelete" programs (No deleted files found where I expected to find the missing files)
Ran Western Digital tools (No HDD errors found)
Removed drive and plugged into another PC using a caddy (Files still not showing)

I would say that the files were never there, however I know this is not the case.
0
 
ded9Commented:
Probably the user had tapped some recovery key and the data might be backed up in D drive or hidden partition...this kind of feature is available in HP computers.


Ded9
0
 
anthony_hurleyAuthor Commented:
Ded9,

There is a recovery partition, but can't see any software installed that would use this.
BTW this is a Dell Inspiron 1370.
0
 
ded9Commented:
0
 
anthony_hurleyAuthor Commented:
I will look into the Dell Data Safe. As for the users I see 5 users

All Users
Default
Default User
[User]
Public
0
 
ded9Commented:
Open [User]  and check documents folder..

If possible, then also check:
default\documents
defaultuser\documents

Check for any docs or files



Ded9
                                           
0
 
ded9Commented:
It's actually the mydocuments folder...not just documents.



Ded9
0
 
anthony_hurleyAuthor Commented:
Nothing!!

In all my years of IT support I've never come across anything like this!

Almost given up!!
0
 
vopCommented:
Using standalone Ubuntu from a bootable CD-ROM and using that to look at what's on the drives may just reveal the missing files.




0
 
ded9Commented:
Last option is to check dell data safe.





Ded9
0
 
anthony_hurleyAuthor Commented:
Whilst I was holding out hope for Ubuntu, nothing was still showing whilst using that OS.

Although I think I have found a solution now..........a large hammer!!!
0
 
ded9Commented:
Ask the user for any document he saved in the computer...I mean the exact file name...e.g. file.doc

Then search the computer for that particular document.



Ded9
0
 
anthony_hurleyAuthor Commented:
I have searched for all documents *.doc, *.ppt etc and didn't find the documents.
Same goes for the start menu links *.lnk
0
 
vopCommented:
Have you tried a deep scan with Recuva, or used Tree Size Free to see if any directories appear to contain more files than expected which might just be the user's documents renamed to obscure their identity?

The options seem to be running out.

I hope the user kept some sort of backup.

0
 
ded9Commented:
I think the user had performed a clean install accidentally by tapping the recovery keys.

I see this type of issue occur in case of faulty hard drive.




Ded9

0
 
anthony_hurleyAuthor Commented:
@VOP Tried a deep scan and nothing.
@Ded9 I'm with you with the HDD being the problem.

Luckily the user had made a backup although 6 weeks ago (Better than nothing!!!)
New HDD is ordered, and I hope never to see this problem again.

Although no solution was found I will share the points just for input :)
0
 
anthony_hurleyAuthor Commented:
Thanks all for the suggestions, however I had already tried all of them to no avail. Still, at least I know I tried everything!!!

Thanks
Anthony
0
 
vopCommented:
If it's any consolation, this is not an isolated incident.

Another question just popped up on E-E describing the same symptoms.

http://www.experts-exchange.com/Security/Vulnerabilities/Q_27390847.html

0
 
anthony_hurleyAuthor Commented:
No solution found
0
