Link to home
Start Free TrialLog in
Avatar of Sheldon Livingston
Sheldon LivingstonFlag for United States of America

asked on

Windows 7 data missing

So... one day "John" called Tom (a W7 Home user) and convinced Tom to allow him (John) access to the computer... John claimed that there was a problem detected.

Tom paid John whilst allowing him access to which, of course, John went to the event log and scared Tom with some red X's.

They finish their call 30 minutes later and John hangs up.

Everything seems fine for a couple of days, but Tom doesn't feel comfortable and decides to utilize a logon password where none existed before.

Several weeks pass, Tom is using his computer hours a day and then one day the password doesn't work.

I'm not sure how, but Tom and a neighbor end up getting into the computer.

I'm called out because once they got in everything was missing.

Sure enough Tom's password gets you into the computer and everything is gone... kind of.  All programs remain.  All data is lost.  

Looking through Program Files and Program Files(x86) show creation dates dating years back... thus I don't think the computer was reformatted... this as well as Tom stating that they (he and his neighbor) did NOT re-install any software.

I've unhidden all files, even protected files, and still don't see anything.

Tom used Outlook quite extensively.  Not only is the pst gone, but Outlook opens as if it has never been used asking if you want to set up an email address, etc.

Any thoughts?
Avatar of BigPapaGotti
BigPapaGotti

Perhaps you are being logged in with a temporary profile because the other profile (that houses all of the data) is corrupted. Once you log in to the computer Open My Computer>Local Disk C: (or whatever drive letter is shown for where windows is installed)>Users and see if you can locate the profile. I suggest you open each folder up and open the My Documents, Pictures, Desktop to see if you can find any data.

There are likely going to be several "User" folders so be safe and check all of them
Avatar of ☠ MASQ ☠
Check Tom doesn't have a new profile
Check John didn't install any free bonus software with a MBAM and AV scan
Look at the unhide utility to see if there's anything which has resisted your attempts to reveal anything on the PC

Don't use utilities like CCleaner which will remove any hidden data that has been moved into temporary folders
Avatar of Sheldon Livingston

ASKER

The only profiles are Tom's (Owner - he stated it's always been Owner) and one call TEMP with "Date Modified" of 2009 on all folders, UpdatusUser (for Nvidia?) and Public.

All of Owner folders (Desktop, My Pictures, etc) show a date modified of 4/15/2014.  This is when all hell broke loose.

Public subfolders have dates going back to 2009 as does UpdatusUser.
Can you see any data in the folders for Tom's profile (C:\Users\Owner). You may need to permit UAC from giving yourself permission and this could take some time before you can see the data. Did you try opening the Desktop, My Pictures etc folders to see what was in them?
BigPapaGotti:  Yes... I am familiar with that wait time.  No data...
Well that is certainly bizarre. Have you looked in Programs and features to see if you can find any sort of remote software installed such as TeamViewer, Logmein etc. Check Remote desktop to see if it is configured for remote access?

Is this a desktop or laptop?
Was this computer ever physically in the neighbors posession?
The computer is a desktop... the neighbor is not "John".  John sounded to be foreign.  

The neighbor was trying to assist Tom.

This is probably the most bizarre thing that I have come across.  Don't see any remoting tools.
ASKER CERTIFIED SOLUTION
Avatar of ProTechComputing
ProTechComputing

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ProTech beat me to it. Sounds like he has been taken advantage of and that some software exists somewhere on his machine that will allow someone remote access to his machine. My guess is that he would be able to get his data back for a large sum of money if he were to call "John"' back and explain what is going on.

Have you tried a simple search on his computer for any files that are missing? Say for instance he knows for certain he has a word document on his system called "Resume" Have you tried doing a simple search for "Resume" to see if this "John" character just moved these files to another folder on his system for easy recovery/restoration?
Who is John? Did Tom even know him? Did he claim to be an m$ employee? I've heard of many scams where someone calls a PC user and asks him to give him access to the PC. Often at a later time they will try to get the user to pay them to release the data again.
Yes rindi, John claimed to be from MS.

I just have a hard time believing that several weeks would pass before John would follow up for ransom.

It's been 10 days since the data has disappeared... Tom called me as a last resort to wiping and starting all over.

I think it is something that Tom and his neighbor inadvertently did.  I just don't know what it could have been.
First off, whenever someone appears to have lost data on a drive, have that person STOP using the drive, immediately. If the data's been deleted, the more the drive is used, the less likely you'll be able to recover it fully.

It's possible the neighbor deleted and recreated the profile in order to regain access. That might've deleted the original folder and recreated it.

Have you looked into the TEMP profile folders? It's possible that the old profile was renamed that in the attempt to regain access to the PC.

Best practice would be to pull the drive out and access it on another PC. The Previous Versions feature in Windows 7 may be able to access an earlier version of the user folder and recover the lost files:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/


File recovery tools like Recuva and PhotoRec can look at the "free space" on the drives for files that have been deleted but not yet overwritten.
http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

Remember to save recovered files to a drive other than the one you're recovering from.


Finally, whatever the outcome, be sure to set Tom up with some form of backup, whether to an external drive or to an online service. You should never have only one copy of any data you want to keep.
Well MS will never call anyone for starters.

Do you have a windows.old folder now? If you do follow this tutorial,
http://www.sevenforums.com/tutorials/16282-windows-old-folder-restore-into-new-installation.html
He probably installed some malware that would work like a time bomb. Maybe antimalware tools like malwarebytes could help, but it is also possible the after the malware had done it's "job", it also removed itself from the PC.
Thanks everyone... I'm a pretty seasoned tech and am aware of everything we discussed: MS never calling, backups, stop using the computer to potential recover deleted items.

This situation is pretty strange... haven't come by this before.

No .old folder either.

I'd think it's not a re-partitioning issue... the programs are still there.
Programs usually aren't important. Those crooks go after the data. Also, chances are that he now has the user's data and can use it (email accounts along with the passwords, personal data that was on the PC, maybe bank data etc.). Besides the ransom they may get, they also sell the data to 3rd parties.

The damage done can be hard to repair. You'll have to change all the passwords or create new email accounts, check bank accounts etc. Whatever you do, don't pay the ransom, and get the authorities involved (maybe telephone numbers etc. can be traced).

Try to educate your current customers to be wary...
Sorry can you be more specific on what you mean by data.

Is data missing within all folders or do you mean user?

Sorry for the confusion.
joinaunion:  When he boots the computer it looks like a new user account... desktop is empty where he had many icons, etc.  No more music, pics, etc.

All his programs are there though.

If you open Outlook it wants to set up a new account.  Go into the mail applet in Control Panel and it shows no profiles.
did you try unhide?
When he boots computer does it show only 1 account to log onto as a option.
Trying Recuva at the moment... searching the entire drive for pst files.
1 account only.
Can you open up my computer then double click on C drive then on the right double click Users. Do you now see his user account? if so double click it you should now see a lot of stuff if you do follow directions here to restore the account.
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7
I think that what happened is that Tom and his neighbor, in an attempt to fix the "password unknown" issue, created another "owner" profile.  You and I know that this would normally result in a owner.xxxx profile but that is not the case here.

I think, at the end of the day, that "John" bilked Tom out of some cash, but the Tom and the neighbor did the damage.
i had something similar on 2 laptops, a week apart
only some folders were showing - no data
i was able to backup all data using getdataback  : http://www.runtime.org/      

so that's my advice : hook the disk to a working PC -  and run GDB
i hope it works for you too

**i was not able to find the cause of this
> John claimed to be from MS

Microsoft never calls an individual end user telling him his computer got issue and offer paid service to fix it. John was of course not from MS.
i would  - try GDB, a s said
if unsuccessful - never pay ! - and o a factory restore -or in stall windows fresh
To move beyond this issue I used Recuva and undeleted everything possible and put the files into folders "Pictures", "Office" and "Other".

Over 1 million files were recovered.

It is now up to the user to weed through the mess... at least Tom has the files to weed through.

This was clearly a case of Tom and the neighbor treading where they shouldn't have...

Not sure how to allocate points...
look in the help files, on closing questions
Thanks for the Recuva solution.  Worked fine.