Solved

Windows 7 data missing

Posted on 2014-04-25
Last Modified: 2014-04-28
So... one day "John" called Tom (a W7 Home user) and convinced Tom to allow him (John) access to the computer... John claimed that there was a problem detected.

Tom paid John whilst allowing him access to which, of course, John went to the event log and scared Tom with some red X's.

They finish their call 30 minutes later and John hangs up.

Everything seems fine for a couple of days, but Tom doesn't feel comfortable and decides to utilize a logon password where none existed before.

Several weeks pass, Tom is using his computer hours a day and then one day the password doesn't work.

I'm not sure how, but Tom and a neighbor end up getting into the computer.

I'm called out because once they got in everything was missing.

Sure enough Tom's password gets you into the computer and everything is gone... kind of.  All programs remain.  All data is lost.  

Looking through Program Files and Program Files(x86) show creation dates dating years back... thus I don't think the computer was reformatted... this as well as Tom stating that they (he and his neighbor) did NOT re-install any software.

I've unhidden all files, even protected files, and still don't see anything.

Tom used Outlook quite extensively.  Not only is the pst gone, but Outlook opens as if it has never been used asking if you want to set up an email address, etc.

Any thoughts?
0
Question by:classnet
30 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023195
Perhaps you are being logged in with a temporary profile because the other profile (that houses all of the data) is corrupted. Once you log in to the computer Open My Computer>Local Disk C: (or whatever drive letter is shown for where windows is installed)>Users and see if you can locate the profile. I suggest you open each folder up and open the My Documents, Pictures, Desktop to see if you can find any data.

There are likely going to be several "User" folders so be safe and check all of them
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40023206
Check Tom doesn't have a new profile
Check John didn't install any free bonus software with a MBAM and AV scan
Look at the unhide utility to see if there's anything which has resisted your attempts to reveal anything on the PC

Don't use utilities like CCleaner which will remove any hidden data that has been moved into temporary folders
0
 

Author Comment

by:classnet
ID: 40023241
The only profiles are Tom's (Owner - he stated it's always been Owner) and one called TEMP with "Date Modified" of 2009 on all folders, UpdatusUser (for Nvidia?) and Public.

All of Owner folders (Desktop, My Pictures, etc) show a date modified of 4/15/2014.  This is when all hell broke loose.

Public subfolders have dates going back to 2009 as does UpdatusUser.
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023255
Can you see any data in the folders for Tom's profile (C:\Users\Owner)? You may need to permit UAC from giving yourself permission and this could take some time before you can see the data. Did you try opening the Desktop, My Pictures etc folders to see what was in them?
0
 

Author Comment

by:classnet
ID: 40023275
BigPapaGotti:  Yes... I am familiar with that wait time.  No data...
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023289
Well that is certainly bizarre. Have you looked in Programs and features to see if you can find any sort of remote software installed such as TeamViewer, Logmein etc. Check Remote desktop to see if it is configured for remote access?

Is this a desktop or laptop?
Was this computer ever physically in the neighbor's possession?
0
 

Author Comment

by:classnet
ID: 40023311
The computer is a desktop... the neighbor is not "John".  John sounded to be foreign.  

The neighbor was trying to assist Tom.

This is probably the most bizarre thing that I have come across.  Don't see any remoting tools.
0
 
LVL 1

Accepted Solution

by:
ProTechComputing earned 500 total points
ID: 40023315
I feel bad for Tom, as it's obvious he's been scammed.  I assume he paid "John" for his services.  With a credit card?  If so, notify his bank immediately and look for unauthorized charges.  Cancel and replace the card used.

I'm sure there is probably a Logmein type program residing on Tom's computer - if nothing else, do a search for the word Logmein in Regedit.

If possible, I'd try a program like Recuva from Piriform or Ontrack Easy Recovery Pro as a last resort to recover any data that's been deleted.

Hopefully, they recover at least some of the more important files.

After recovering any files, I'd fully reformat and clean install to be SURE any vulnerabilities are corrected.

Good luck!
0
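The checks suggested in this thread for remote-access software (Programs and Features, a registry search for LogMeIn, the Remote Desktop setting) can be scripted. This is an added example, not part of any poster's reply; the name list holds only the two products named in the thread and is meant to be extended, and the script assumes an elevated PowerShell 2.0 or later prompt on the affected PC.

```powershell
# Added example (not from the thread). Read-only; run elevated on the affected PC.
# Names taken from the thread; extend the list with other remote-access products.
$names = 'LogMeIn', 'TeamViewer'
$regex = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed programs (64-bit, 32-bit and current-user uninstall keys), newest first.
#    Review everything dated around the phone call, not only the name matches.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate,
        @{ Name = 'NameMatch'; Expression = { $_.DisplayName -match $regex } } |
    Sort-Object InstallDate -Descending |
    Format-Table -AutoSize

# 2. Services whose name, display name or binary path matches.
Get-WmiObject Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $regex } |
    Format-Table Name, State, StartMode, PathName -AutoSize

# 3. Autorun entries (machine and current user) that match.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $key = Get-Item $run -ErrorAction SilentlyContinue
    if ($key) {
        $key.GetValueNames() |
            Where-Object { "$_ $($key.GetValue($_))" -match $regex } |
            ForEach-Object { '{0}\{1} = {2}' -f $run, $_, $key.GetValue($_) }
    }
}

# 4. Built-in remote access.
#    fDenyTSConnections = 0 means Remote Desktop connections are allowed.
#    fAllowToGetHelp    = 1 means Remote Assistance is enabled.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ra = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
'fDenyTSConnections = {0}' -f (Get-ItemProperty $ts).fDenyTSConnections
'fAllowToGetHelp    = {0}' -f (Get-ItemProperty $ra).fAllowToGetHelp
```

The HKCU keys only cover the account the script runs under, so run it while logged on as the affected user.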
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023361
ProTech beat me to it. Sounds like he has been taken advantage of and that some software exists somewhere on his machine that will allow someone remote access to his machine. My guess is that he would be able to get his data back for a large sum of money if he were to call "John" back and explain what is going on.

Have you tried a simple search on his computer for any files that are missing? Say for instance he knows for certain he has a word document on his system called "Resume" Have you tried doing a simple search for "Resume" to see if this "John" character just moved these files to another folder on his system for easy recovery/restoration?
0
 
LVL 87

Expert Comment

by:rindi
ID: 40023445
Who is John? Did Tom even know him? Did he claim to be an m$ employee? I've heard of many scams where someone calls a PC user and asks him to give him access to the PC. Often at a later time they will try to get the user to pay them to release the data again.
0
 

Author Comment

by:classnet
ID: 40023458
Yes rindi, John claimed to be from MS.

I just have a hard time believing that several weeks would pass before John would follow up for ransom.

It's been 10 days since the data has disappeared... Tom called me as a last resort to wiping and starting all over.

I think it is something that Tom and his neighbor inadvertently did.  I just don't know what it could have been.
0
 
LVL 19

Expert Comment

by:marsilies
ID: 40023503
First off, whenever someone appears to have lost data on a drive, have that person STOP using the drive, immediately. If the data's been deleted, the more the drive is used, the less likely you'll be able to recover it fully.

It's possible the neighbor deleted and recreated the profile in order to regain access. That might've deleted the original folder and recreated it.

Have you looked into the TEMP profile folders? It's possible that the old profile was renamed that in the attempt to regain access to the PC.

Best practice would be to pull the drive out and access it on another PC. The Previous Versions feature in Windows 7 may be able to access an earlier version of the user folder and recover the lost files:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/


File recovery tools like Recuva and PhotoRec can look at the "free space" on the drives for files that have been deleted but not yet overwritten.
http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

Remember to save recovered files to a drive other than the one you're recovering from.


Finally, whatever the outcome, be sure to set Tom up with some form of backup, whether to an external drive or to an online service. You should never have only one copy of any data you want to keep.
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023617
Well MS will never call anyone for starters.

Do you have a windows.old folder now? If you do follow this tutorial,
http://www.sevenforums.com/tutorials/16282-windows-old-folder-restore-into-new-installation.html
0
 
LVL 87

Expert Comment

by:rindi
ID: 40023621
He probably installed some malware that would work like a time bomb. Maybe antimalware tools like malwarebytes could help, but it is also possible that after the malware had done its "job", it also removed itself from the PC.
0
 

Author Comment

by:classnet
ID: 40023626
Thanks everyone... I'm a pretty seasoned tech and am aware of everything we discussed: MS never calling, backups, stop using the computer to potentially recover deleted items.

This situation is pretty strange... haven't come by this before.

No .old folder either.

I'd think it's not a re-partitioning issue... the programs are still there.
0
 
LVL 87

Expert Comment

by:rindi
ID: 40023646
Programs usually aren't important. Those crooks go after the data. Also, chances are that he now has the user's data and can use it (email accounts along with the passwords, personal data that was on the PC, maybe bank data etc.). Besides the ransom they may get, they also sell the data to 3rd parties.

The damage done can be hard to repair. You'll have to change all the passwords or create new email accounts, check bank accounts etc. Whatever you do, don't pay the ransom, and get the authorities involved (maybe telephone numbers etc. can be traced).

Try to educate your current customers to be wary...
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023657
Sorry can you be more specific on what you mean by data.

Is data missing within all folders or do you mean user?

Sorry for the confusion.
0
 

Author Comment

by:classnet
ID: 40023667
joinaunion:  When he boots the computer it looks like a new user account... desktop is empty where he had many icons, etc.  No more music, pics, etc.

All his programs are there though.

If you open Outlook it wants to set up a new account.  Go into the mail applet in Control Panel and it shows no profiles.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40023676
did you try unhide?
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023677
When he boots computer does it show only 1 account to log onto as an option?
0
 

Author Comment

by:classnet
ID: 40023678
Trying Recuva at the moment... searching the entire drive for pst files.
0
 

Author Comment

by:classnet
ID: 40023681
1 account only.
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023703
Can you open up my computer then double click on C drive then on the right double click Users. Do you now see his user account? if so double click it you should now see a lot of stuff if you do follow directions here to restore the account.
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7
0
 

Author Comment

by:classnet
ID: 40023712
I think that what happened is that Tom and his neighbor, in an attempt to fix the "password unknown" issue, created another "owner" profile.  You and I know that this would normally result in an owner.xxxx profile but that is not the case here.

I think, at the end of the day, that "John" bilked Tom out of some cash, but Tom and the neighbor did the damage.
0
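The profile questions raised in this thread (a temporary profile, a corrupted profile, an Owner profile recreated during the password fix) can be checked from the ProfileList registry key and the folder creation times. This is an added example, not part of any poster's reply; it assumes an elevated PowerShell 2.0 or later prompt on the affected PC.

```powershell
# Added example (not from the thread). Read-only; run elevated on the affected PC.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# One row per user profile Windows knows about (S-1-5-21-* = local/domain users).
$known = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $path = [string](Get-ItemProperty $_.PSPath).ProfileImagePath
        $folderCreated = $null
        $hiveLastWrite = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $folderCreated = (Get-Item -LiteralPath $path -Force).CreationTime
            $hive = Join-Path $path 'NTUSER.DAT'
            if (Test-Path -LiteralPath $hive) {
                $hiveLastWrite = (Get-Item -LiteralPath $hive -Force).LastWriteTime
            }
        }
        New-Object PSObject -Property @{
            Sid           = $_.PSChildName
            # A SID key ending in .bak is typically the original profile, set aside
            # when Windows could not load it and fell back to a temporary one.
            IsBackupKey   = ($_.PSChildName -like '*.bak')
            ProfilePath   = $path
            # A creation date near the incident means the folder was recreated then.
            FolderCreated = $folderCreated
            HiveLastWrite = $hiveLastWrite
        }
    }
$known | Format-Table Sid, IsBackupKey, ProfilePath, FolderCreated, HiveLastWrite -AutoSize

# Folders under the profiles directory that no ProfileList entry points to.
# Public and the Default folders always appear here; a renamed or orphaned
# old profile would appear here as well.
$usersDir   = (Get-ItemProperty $profileList).ProfilesDirectory
$knownPaths = @($known | ForEach-Object { $_.ProfilePath })
Get-ChildItem -LiteralPath $usersDir -Force |
    Where-Object { $_.PSIsContainer -and ($knownPaths -notcontains $_.FullName) } |
    Format-Table FullName, CreationTime, LastWriteTime -AutoSize

# Any Outlook data file that still exists (not deleted) under the profiles directory.
Get-ChildItem -LiteralPath $usersDir -Recurse -Force -Filter *.pst -ErrorAction SilentlyContinue |
    Format-Table FullName, Length, LastWriteTime -AutoSize
```

Explorer's default column is "Date modified", so the creation time of C:\Users\Owner shown here is the value that distinguishes an emptied profile from a recreated one.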
 
LVL 91

Expert Comment

by:nobus
ID: 40024196
i had something similar on 2 laptops, a week apart
only some folders were showing - no data
i was able to backup all data using getdataback  : http://www.runtime.org/      

so that's my advice : hook the disk to a working PC -  and run GDB
i hope it works for you too

**i was not able to find the cause of this
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 40024385
> John claimed to be from MS

Microsoft never calls an individual end user to tell him his computer has an issue and offer a paid service to fix it. John was of course not from MS.
0
 
LVL 91

Expert Comment

by:nobus
ID: 40024486
i would - try GDB, as said
if unsuccessful - never pay ! - and do a factory restore - or install windows fresh
0
 

Author Comment

by:classnet
ID: 40026890
To move beyond this issue I used Recuva and undeleted everything possible and put the files into folders "Pictures", "Office" and "Other".

Over 1 million files were recovered.

It is now up to the user to weed through the mess... at least Tom has the files to weed through.

This was clearly a case of Tom and the neighbor treading where they shouldn't have...

Not sure how to allocate points...
0
 
LVL 91

Expert Comment

by:nobus
ID: 40026914
look in the help files, on closing questions
0
 

Author Closing Comment

by:classnet
ID: 40027050
Thanks for the Recuva solution.  Worked fine.
0
