This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.
Course Of The Month
5 days, 8 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Windows 7 data missing
Posted on 2014-04-25
So... one day "John" called Tom (a W7 Home user) and convinced Tom to allow him (John) access to the computer... John claimed that there was a problem detected.
Tom paid John whilst allowing him access to which, of course, John went to the event log and scared Tom with some red X's.
They finish their call 30 minutes later and John hangs up.
Everything seems fine for a couple of days, but Tom doesn't feel comfortable and decides to utilize a logon password where none existed before.
Several weeks pass, Tom is using his computer hours a day and then one day the password doesn't work.
I'm not sure how, but Tom and a neighbor end up getting into the computer.
I'm called out because once they got in everything was missing.
Sure enough Tom's password gets you into the computer and everything is gone... kind of. All programs remain. All data is lost.
Looking through Program Files and Program Files(x86) show creation dates dating years back... thus I don't think the computer was reformatted... this as well as Tom stating that they (he and his neighbor) did NOT re-install any software.
I've unhidden all files, even protected files, and still don't see anything.
Tom used Outlook quite extensively. Not only is the pst gone, but Outlook opens as if it has never been used asking if you want to set up an email address, etc.
Any thoughts?
Tom paid John whilst allowing him access to which, of course, John went to the event log and scared Tom with some red X's.
They finish their call 30 minutes later and John hangs up.
Everything seems fine for a couple of days, but Tom doesn't feel comfortable and decides to utilize a logon password where none existed before.
Several weeks pass, Tom is using his computer hours a day and then one day the password doesn't work.
I'm not sure how, but Tom and a neighbor end up getting into the computer.
I'm called out because once they got in everything was missing.
Sure enough Tom's password gets you into the computer and everything is gone... kind of. All programs remain. All data is lost.
Looking through Program Files and Program Files(x86) show creation dates dating years back... thus I don't think the computer was reformatted... this as well as Tom stating that they (he and his neighbor) did NOT re-install any software.
I've unhidden all files, even protected files, and still don't see anything.
Tom used Outlook quite extensively. Not only is the pst gone, but Outlook opens as if it has never been used asking if you want to set up an email address, etc.
Any thoughts?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
11
4
4- +6
30 Comments
Perhaps you are being logged in with a temporary profile because the other profile (that houses all of the data) is corrupted. Once you log in to the computer Open My Computer>Local Disk C: (or whatever drive letter is shown for where windows is installed)>Users and see if you can locate the profile. I suggest you open each folder up and open the My Documents, Pictures, Desktop to see if you can find any data.
There are likely going to be several "User" folders so be safe and check all of them
There are likely going to be several "User" folders so be safe and check all of them
Active today
Check Tom doesn't have a new profile
Check John didn't install any free bonus software with a MBAM and AV scan
Look at the unhide utility to see if there's anything which has resisted your attempts to reveal anything on the PC
Don't use utilities like CCleaner which will remove any hidden data that has been moved into temporary folders
Check John didn't install any free bonus software with a MBAM and AV scan
Look at the unhide utility to see if there's anything which has resisted your attempts to reveal anything on the PC
Don't use utilities like CCleaner which will remove any hidden data that has been moved into temporary folders
Active 2 days ago
The only profiles are Tom's (Owner - he stated it's always been Owner) and one call TEMP with "Date Modified" of 2009 on all folders, UpdatusUser (for Nvidia?) and Public.
All of Owner folders (Desktop, My Pictures, etc) show a date modified of 4/15/2014. This is when all hell broke loose.
Public subfolders have dates going back to 2009 as does UpdatusUser.
All of Owner folders (Desktop, My Pictures, etc) show a date modified of 4/15/2014. This is when all hell broke loose.
Public subfolders have dates going back to 2009 as does UpdatusUser.
Can you see any data in the folders for Tom's profile (C:\Users\Owner). You may need to permit UAC from giving yourself permission and this could take some time before you can see the data. Did you try opening the Desktop, My Pictures etc folders to see what was in them?
Well that is certainly bizarre. Have you looked in Programs and features to see if you can find any sort of remote software installed such as TeamViewer, Logmein etc. Check Remote desktop to see if it is configured for remote access?
Is this a desktop or laptop?
Was this computer ever physically in the neighbors posession?
Is this a desktop or laptop?
Was this computer ever physically in the neighbors posession?
Active 2 days ago
The computer is a desktop... the neighbor is not "John". John sounded to be foreign.
The neighbor was trying to assist Tom.
This is probably the most bizarre thing that I have come across. Don't see any remoting tools.
The neighbor was trying to assist Tom.
This is probably the most bizarre thing that I have come across. Don't see any remoting tools.
I feel bad for Tom, as it's obvious he's been scammed. I assume he paid "John" for his services. With a credit card? If so, notify his bank immediately and look for unauthorized charges. Cancel and replace the card used.
I'm sure there is probably a Logmein type program residing on Tom's computer - if nothing else, do a search for the word Logmein in Regedit.
If possible, I'd try a program like Recuva from Piriform or Ontrack Easy Recovery Pro as a last resort to recover any data that's been deleted.
Hopefully, they recover at least some of the more important files.
After recovering any files, I'd fully reformat and clean install to be SURE any vulnerabilities are corrected.
Good luck!
I'm sure there is probably a Logmein type program residing on Tom's computer - if nothing else, do a search for the word Logmein in Regedit.
If possible, I'd try a program like Recuva from Piriform or Ontrack Easy Recovery Pro as a last resort to recover any data that's been deleted.
Hopefully, they recover at least some of the more important files.
After recovering any files, I'd fully reformat and clean install to be SURE any vulnerabilities are corrected.
Good luck!
ProTech beat me to it. Sounds like he has been taken advantage of and that some software exists somewhere on his machine that will allow someone remote access to his machine. My guess is that he would be able to get his data back for a large sum of money if he were to call "John"' back and explain what is going on.
Have you tried a simple search on his computer for any files that are missing? Say for instance he knows for certain he has a word document on his system called "Resume" Have you tried doing a simple search for "Resume" to see if this "John" character just moved these files to another folder on his system for easy recovery/restoration?
Have you tried a simple search on his computer for any files that are missing? Say for instance he knows for certain he has a word document on his system called "Resume" Have you tried doing a simple search for "Resume" to see if this "John" character just moved these files to another folder on his system for easy recovery/restoration?
Who is John? Did Tom even know him? Did he claim to be an m$ employee? I've heard of many scams where someone calls a PC user and asks him to give him access to the PC. Often at a later time they will try to get the user to pay them to release the data again.
Active 2 days ago
Yes rindi, John claimed to be from MS.
I just have a hard time believing that several weeks would pass before John would follow up for ransom.
It's been 10 days since the data has disappeared... Tom called me as a last resort to wiping and starting all over.
I think it is something that Tom and his neighbor inadvertently did. I just don't know what it could have been.
I just have a hard time believing that several weeks would pass before John would follow up for ransom.
It's been 10 days since the data has disappeared... Tom called me as a last resort to wiping and starting all over.
I think it is something that Tom and his neighbor inadvertently did. I just don't know what it could have been.
Active 5 days ago
First off, whenever someone appears to have lost data on a drive, have that person STOP using the drive, immediately. If the data's been deleted, the more the drive is used, the less likely you'll be able to recover it fully.
It's possible the neighbor deleted and recreated the profile in order to regain access. That might've deleted the original folder and recreated it.
Have you looked into the TEMP profile folders? It's possible that the old profile was renamed that in the attempt to regain access to the PC.
Best practice would be to pull the drive out and access it on another PC. The Previous Versions feature in Windows 7 may be able to access an earlier version of the user folder and recover the lost files:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/
File recovery tools like Recuva and PhotoRec can look at the "free space" on the drives for files that have been deleted but not yet overwritten.
http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
Remember to save recovered files to a drive other than the one you're recovering from.
Finally, whatever the outcome, be sure to set Tom up with some form of backup, whether to an external drive or to an online service. You should never have only one copy of any data you want to keep.
It's possible the neighbor deleted and recreated the profile in order to regain access. That might've deleted the original folder and recreated it.
Have you looked into the TEMP profile folders? It's possible that the old profile was renamed that in the attempt to regain access to the PC.
Best practice would be to pull the drive out and access it on another PC. The Previous Versions feature in Windows 7 may be able to access an earlier version of the user folder and recover the lost files:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/
File recovery tools like Recuva and PhotoRec can look at the "free space" on the drives for files that have been deleted but not yet overwritten.
http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
Remember to save recovered files to a drive other than the one you're recovering from.
Finally, whatever the outcome, be sure to set Tom up with some form of backup, whether to an external drive or to an online service. You should never have only one copy of any data you want to keep.
Active today
Well MS will never call anyone for starters.
Do you have a windows.old folder now? If you do follow this tutorial,
http://www.sevenforums.com/tutorials/16282-windows-old-folder-restore-into-new-installation.html
Do you have a windows.old folder now? If you do follow this tutorial,
http://www.sevenforums.com/tutorials/16282-windows-old-folder-restore-into-new-installation.html
He probably installed some malware that would work like a time bomb. Maybe antimalware tools like malwarebytes could help, but it is also possible the after the malware had done it's "job", it also removed itself from the PC.
Active 2 days ago
Thanks everyone... I'm a pretty seasoned tech and am aware of everything we discussed: MS never calling, backups, stop using the computer to potential recover deleted items.
This situation is pretty strange... haven't come by this before.
No .old folder either.
I'd think it's not a re-partitioning issue... the programs are still there.
This situation is pretty strange... haven't come by this before.
No .old folder either.
I'd think it's not a re-partitioning issue... the programs are still there.
Programs usually aren't important. Those crooks go after the data. Also, chances are that he now has the user's data and can use it (email accounts along with the passwords, personal data that was on the PC, maybe bank data etc.). Besides the ransom they may get, they also sell the data to 3rd parties.
The damage done can be hard to repair. You'll have to change all the passwords or create new email accounts, check bank accounts etc. Whatever you do, don't pay the ransom, and get the authorities involved (maybe telephone numbers etc. can be traced).
Try to educate your current customers to be wary...
The damage done can be hard to repair. You'll have to change all the passwords or create new email accounts, check bank accounts etc. Whatever you do, don't pay the ransom, and get the authorities involved (maybe telephone numbers etc. can be traced).
Try to educate your current customers to be wary...
Active today
Sorry can you be more specific on what you mean by data.
Is data missing within all folders or do you mean user?
Sorry for the confusion.
Is data missing within all folders or do you mean user?
Sorry for the confusion.
Active 2 days ago
joinaunion: When he boots the computer it looks like a new user account... desktop is empty where he had many icons, etc. No more music, pics, etc.
All his programs are there though.
If you open Outlook it wants to set up a new account. Go into the mail applet in Control Panel and it shows no profiles.
All his programs are there though.
If you open Outlook it wants to set up a new account. Go into the mail applet in Control Panel and it shows no profiles.
Active today
Can you open up my computer then double click on C drive then on the right double click Users. Do you now see his user account? if so double click it you should now see a lot of stuff if you do follow directions here to restore the account.
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7
Active 2 days ago
I think that what happened is that Tom and his neighbor, in an attempt to fix the "password unknown" issue, created another "owner" profile. You and I know that this would normally result in a owner.xxxx profile but that is not the case here.
I think, at the end of the day, that "John" bilked Tom out of some cash, but the Tom and the neighbor did the damage.
I think, at the end of the day, that "John" bilked Tom out of some cash, but the Tom and the neighbor did the damage.
Active today
i had something similar on 2 laptops, a week apart
only some folders were showing - no data
i was able to backup all data using getdataback : http://www.runtime.org/
so that's my advice : hook the disk to a working PC - and run GDB
i hope it works for you too
**i was not able to find the cause of this
only some folders were showing - no data
i was able to backup all data using getdataback : http://www.runtime.org/
so that's my advice : hook the disk to a working PC - and run GDB
i hope it works for you too
**i was not able to find the cause of this
Active 1 day ago
> John claimed to be from MS
Microsoft never calls an individual end user telling him his computer got issue and offer paid service to fix it. John was of course not from MS.
Microsoft never calls an individual end user telling him his computer got issue and offer paid service to fix it. John was of course not from MS.
Active today
i would - try GDB, a s said
if unsuccessful - never pay ! - and o a factory restore -or in stall windows fresh
if unsuccessful - never pay ! - and o a factory restore -or in stall windows fresh
Active 2 days ago
To move beyond this issue I used Recuva and undeleted everything possible and put the files into folders "Pictures", "Office" and "Other".
Over 1 million files were recovered.
It is now up to the user to weed through the mess... at least Tom has the files to weed through.
This was clearly a case of Tom and the neighbor treading where they shouldn't have...
Not sure how to allocate points...
Over 1 million files were recovered.
It is now up to the user to weed through the mess... at least Tom has the files to weed through.
This was clearly a case of Tom and the neighbor treading where they shouldn't have...
Not sure how to allocate points...
Featured Post
Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers.
According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar.
Int…
Suggested Courses
Course of the Month5 days, 8 hours left to enroll
Earn Certification
Managing Projects with Microsoft Project 2013 (Exam 74-343)
$49.00$44.10
707 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.