anthony_hurley
User files have disappeared in Windows 7
Hi all,
A user has brought me a laptop with Windows 7 Home Premium, which has a very strange problem.
Basically all the start menu links, desktop shortcuts and documents have gone missing. The default start menu is missing for all users including new users. Therefore files have gone missing from multiple directories. Normally I would expect the files to be hidden but "Show hidden files, folders and drives" is selected and "Hide protected operating system files" is unchecked. I have tried using two "undelete" programs to try and recover the files, but any program I have tried doesn't list the missing files for restore. I know the files existed on the laptop as I have seen them referenced in the registry.
Therefore does anyone have any ideas of what may have happened and how to resolve it?
Many Thanks
Anthony
It sounds like the laptop has become infected with a virus. These symptoms were seen after a user visited a perfectly innocuous website which had been compromised by a php injection attack. The chances are the infection includes a rootkit. The only real solution is to rebuild the machine, ideally using a brand new hard drive!
ASKER
What about recovering the files?
Like vop said, potential virus infection. If you've already cleaned an infection, use unhide.exe to see all files which were hidden by the infection. Also take a look at this article on seeing hidden files in Windows 7.
ASKER
As mentioned, Windows Explorer is already set up to show all hidden files.
Both Kaspersky and Malwarebytes have not found any infections on the system.
That said, I still used unhide.exe and still nothing.
:(
%temp%\SMTP
C:\windows\Temp\SMTP
See if these are present.....
If they are present.....
http://www.geekstogo.com/forum/index.php?app=core&module=attach&section=attach&attach_rel_module=post&attach_id=50198
Extract the .bat file, and note the paths where the files belong. I have never had success with the batch, and have always corrected it when using it. The destinations are right, just a syntax issue....
Correction.... SMTMP is the folder name above.....
In fact, search all of your %TEMP% directories for *.LNK
I have seen a few issues where they were not in an SMTMP directory....
ASKER
The SMTMP folder doesn't exist.
Can you boot PC off of bootable USB/CD/DVD? If so, check to see if you can see the files from there. Another option, running System Restore might do the trick.
If possible, download/install/run Malwarebytes Anti-malware.
http://www.malwarebytes.org
This should make it so that you can start to work on recovering the computer. The files are hidden, so "Show hidden files and folders" from Windows Explorer and the user's data should reappear. Select all of the hidden user data and from the properties sheet, clear the Hidden attribute.
A complete rebuild of the computer IS the best option, however.
If you have already cleaned out your Temporary Files, then chances are these shortcuts are all gone. I would transfer them from a working (similar) machine
If you create NEW shortcuts, in the Start Menu (C:\Users\USERID\AppData\Roaming\Microsoft\Windows\Start Menu\Programs) do they appear?
Use recuva to recover the data
http://www.piriform.com/recuva
Might be a problem with Hard drive...if this is a new computer then replace it.
Ded9
I agree this definitely sounds like a malware infection as I have seen this on systems I work on in the past. Although you already ran malwarebytes it is possible that the infection is hidden somehow so that malwarebytes does not detect the virus. I would try to see if you can back up the files by connecting the drive externally to another computer, then you can use programs such as rkill, and roguekiller, before running malwarebytes. Do not reboot the computer after running rkill and roguekiller, until after running malwarebytes or the malware may be reactivated. Once the infection is removed then run the unhide tool to get your desktop items back. Make sure you install the malwarebytes updates before you run the scan.
Are there any dodgy-looking files seen in the msconfig startup tab, or in the Start | Programs | Startup group?
In my experience, the user's My Documents folders weren't affected, nor were other "non standard" document locations on the C: drive so the user was able to retrieve their documents.
There is a key called ShowSuperHidden in the registry under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
setting the key value to 1 may possibly make the files visible again. No guarantees, mind.
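The read-only checks suggested in the replies above (Explorer's ShowSuperHidden setting, an SMTMP folder or stray *.LNK files under the temp directories, and hidden attributes on the user's folders) can be gathered in one pass. This is an added example, not part of the original thread; it assumes PowerShell 2.0 as shipped with Windows 7 and default folder locations, and the `Hidden` registry value it also reads is not mentioned in the thread.

```powershell
# Read-only triage of the checks suggested in this thread (added example).
# PowerShell 2.0 compatible; nothing is moved, unhidden or deleted.

# 1. Explorer visibility settings for the current user.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$explorer = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
"Hidden          = $($explorer.Hidden)  (1 = show hidden files, 2 = do not show)"
"ShowSuperHidden = $($explorer.ShowSuperHidden)  (1 = show protected operating system files)"

# 2. Temp directories named in the thread, any SMTMP folder inside them,
#    and every shortcut found there. -Force includes hidden and system items.
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp')) | Select-Object -Unique
foreach ($dir in $tempDirs) {
    $smtmp = Join-Path $dir 'smtmp'
    "{0}  smtmp present: {1}" -f $dir, (Test-Path -LiteralPath $smtmp)
}
$tempDirs | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue
} | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

# 3. Count hidden items where the shortcuts and documents normally live.
#    Default Windows 7 locations are assumed.
$locations = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu')   # all-users Start Menu
)
$summary = foreach ($loc in $locations) {
    $items  = @(Get-ChildItem -LiteralPath $loc -Recurse -Force -ErrorAction SilentlyContinue)
    $hidden = @($items | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden })
    New-Object PSObject -Property @{
        Location = $loc
        Total    = $items.Count
        Hidden   = $hidden.Count
    }
}
$summary | Select-Object Location, Total, Hidden | Format-Table -AutoSize
```

A Total of zero in step 3 means the items are absent from the file system rather than merely hidden, which is the situation the asker reports.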
ASKER
Thanks for the replies all, this is what I have previously done before posting this question:
Made explorer show all hidden files (Files not showing)
Ran a full virus scan (No viruses found)
Ran a full MalwareBytes scan (No malware found)
Ran several "Undelete" programs (No deleted files found, where expected to find the missing files)
Ran Western Digital tools (No HDD errors found)
Removed drive and plugged into another PC using a caddie (Files still not showing)
I would say that the files were never there, however I know this is not the case.
Probably the user had tapped some recovery key and the data might be backed up in D drive or hidden partition...this kind of feature is available in HP computers.
Ded9
ASKER
Ded9,
There is a recovery partition, but can't see any software installed that would use this.
BTW this is a Dell Inspiron 1370.
User might have executed dell data safe..
Check for any dell data safe backup
http://support.dell.com/support/topics/global.aspx/support/kcs/document?c=us&cs=19&l=en&s=dhs&docid=DSN_62A668E1C3AA857AE040AE0AB8E12942&isLegacy=true
http://support.dell.com/support/topics/global.aspx/support/kcs/document?c=us&l=en&s=dhs&docid=DSN_353560&isLegacy=true
Also post the screenshot of user folder c:\users ..how many users do you see.
Ded9
ASKER
I will look into the Dell Data Safe. As for the users I see 5 users
All Users
Default
Default User
[User]
Public
Open [User] and check documents folder..
If possible ..then also check default\documents
defaultuser\documents
Check for any docs or files
Ded9
It's actually mydocuments folder...not just documents.
Ded9
ASKER
Nothing!!
In all my years of IT support I've never come across anything like this!
Almost given up!!
Using standalone Ubuntu from a bootable CD-ROM and using that to look at what's on the drives may just reveal the missing files.
Last option is to check dell data safe.
Ded9
ASKER
Whilst I was holding out hope for Ubuntu, nothing was still showing whilst using that OS.
Although I think I have found a solution now..........a large hammer!!!
Ask the user for any document he saved in the computer...I mean the exact file name...for e.g. file.doc
Then search the computer for that particular document.
Ded9
ASKER
I have searched for all documents *.doc, *.ppt etc and didn't find the documents.
Same goes for the start menu links *.lnk
ASKER
Thanks all for the suggestions, however I had already tried all of them to no avail. Still at least I know I tried everything!!!
Thanks
Anthony
If it's any consolation, this is not an isolated incident.
Another question just popped up on E-E describing the same symptoms.
https://www.experts-exchange.com/questions/27390847/Missing-shortcuts-on-desktop-and-start-menu-after-removing-ZeroAcesss-rootkit.html
ASKER
No solution found