Solved

Windows 7 data missing

Posted on 2014-04-25
Last Modified: 2014-04-28
So... one day "John" called Tom (a W7 Home user) and convinced Tom to allow him (John) access to the computer... John claimed that there was a problem detected.

Tom paid John whilst allowing him access to which, of course, John went to the event log and scared Tom with some red X's.

They finish their call 30 minutes later and John hangs up.

Everything seems fine for a couple of days, but Tom doesn't feel comfortable and decides to utilize a logon password where none existed before.

Several weeks pass, Tom is using his computer hours a day and then one day the password doesn't work.

I'm not sure how, but Tom and a neighbor end up getting into the computer.

I'm called out because once they got in everything was missing.

Sure enough Tom's password gets you into the computer and everything is gone... kind of.  All programs remain.  All data is lost.  

Looking through Program Files and Program Files (x86) shows creation dates dating years back... thus I don't think the computer was reformatted... this as well as Tom stating that they (he and his neighbor) did NOT re-install any software.

I've unhidden all files, even protected files, and still don't see anything.

Tom used Outlook quite extensively.  Not only is the pst gone, but Outlook opens as if it has never been used asking if you want to set up an email address, etc.

Any thoughts?
Question by:classnet
30 Comments
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023195
Perhaps you are being logged in with a temporary profile because the other profile (that houses all of the data) is corrupted. Once you log in to the computer, open My Computer > Local Disk C: (or whatever drive letter is shown for where Windows is installed) > Users and see if you can locate the profile. I suggest you open each folder up and open the My Documents, Pictures, Desktop to see if you can find any data.

There are likely going to be several "User" folders, so be safe and check all of them.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 40023206
Check Tom doesn't have a new profile
Check John didn't install any free bonus software with a MBAM and AV scan
Look at the unhide utility to see if there's anything which has resisted your attempts to reveal anything on the PC

Don't use utilities like CCleaner which will remove any hidden data that has been moved into temporary folders
0
 

Author Comment

by:classnet
ID: 40023241
The only profiles are Tom's (Owner - he stated it's always been Owner) and one called TEMP with "Date Modified" of 2009 on all folders, UpdatusUser (for Nvidia?) and Public.

All of Owner folders (Desktop, My Pictures, etc) show a date modified of 4/15/2014.  This is when all hell broke loose.

Public subfolders have dates going back to 2009 as does UpdatusUser.
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023255
Can you see any data in the folders for Tom's profile (C:\Users\Owner)? You may need to permit UAC from giving yourself permission and this could take some time before you can see the data. Did you try opening the Desktop, My Pictures etc. folders to see what was in them?
0
 

Author Comment

by:classnet
ID: 40023275
BigPapaGotti:  Yes... I am familiar with that wait time.  No data...
0
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023289
Well, that is certainly bizarre. Have you looked in Programs and Features to see if you can find any sort of remote software installed, such as TeamViewer, Logmein etc.? Check Remote Desktop to see if it is configured for remote access?

Is this a desktop or laptop?
Was this computer ever physically in the neighbor's possession?
0
 

Author Comment

by:classnet
ID: 40023311
The computer is a desktop... the neighbor is not "John".  John sounded to be foreign.  

The neighbor was trying to assist Tom.

This is probably the most bizarre thing that I have come across.  Don't see any remoting tools.
0
 
LVL 1

Accepted Solution

by:
ProTechComputing earned 2000 total points
ID: 40023315
I feel bad for Tom, as it's obvious he's been scammed.  I assume he paid "John" for his services.  With a credit card?  If so, notify his bank immediately and look for unauthorized charges.  Cancel and replace the card used.

I'm sure there is probably a Logmein type program residing on Tom's computer - if nothing else, do a search for the word Logmein in Regedit.

If possible, I'd try a program like Recuva from Piriform or Ontrack Easy Recovery Pro as a last resort to recover any data that's been deleted.

Hopefully, they recover at least some of the more important files.

After recovering any files, I'd fully reformat and clean install to be SURE any vulnerabilities are corrected.

Good luck!
0
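The checks suggested so far in the thread (a temporary or backed-up profile registration, installed remote-access software, the Remote Desktop setting), collected into one read-only PowerShell example. This is added here and is not part of any poster's comment; the `$pattern` value is an assumption built from the tool names mentioned in the thread.

```powershell
# Added triage example (not from the thread). Read-only: it lists, it changes nothing.
# Written for PowerShell 2.0, which ships with Windows 7. Run from an elevated prompt.

# 1. Profile registrations. A SID key ending in ".bak", or a ProfileImagePath
#    pointing at a TEMP folder, is what a temporary-profile logon leaves behind.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $p    = Get-ItemProperty -Path $_.PSPath
    $path = [Environment]::ExpandEnvironmentVariables([string]$p.ProfileImagePath)
    New-Object PSObject -Property @{
        Sid        = $_.PSChildName
        Path       = $path
        IsBackup   = $_.PSChildName -like '*.bak'
        IsTemp     = $path -like '*\TEMP*'
        FolderSeen = [bool]($path -and (Test-Path -LiteralPath $path))
    }
} | Format-Table Sid, Path, IsBackup, IsTemp, FolderSeen -AutoSize | Out-String -Width 200

# 2. Installed software whose name matches the remote-access tools named in the
#    thread. The pattern is an assumption; extend it for other tools.
$pattern   = 'TeamViewer|LogMeIn'
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Format-List DisplayName, Publisher, InstallDate, InstallLocation | Out-String

# 3. Services matching the same pattern (an uninstalled tool can leave one behind).
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
    Format-List Name, State, StartMode, PathName | Out-String

# 4. Remote Desktop: fDenyTSConnections = 0 means inbound connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"Remote Desktop enabled: $($ts.fDenyTSConnections -eq 0)"
```

A row with `IsBackup` or `IsTemp` set to True, or a registered path whose folder is missing, points to a profile problem rather than deleted files.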
 
LVL 9

Expert Comment

by:BigPapaGotti
ID: 40023361
ProTech beat me to it. Sounds like he has been taken advantage of and that some software exists somewhere on his machine that will allow someone remote access to his machine. My guess is that he would be able to get his data back for a large sum of money if he were to call "John" back and explain what is going on.

Have you tried a simple search on his computer for any files that are missing? Say for instance he knows for certain he has a Word document on his system called "Resume". Have you tried doing a simple search for "Resume" to see if this "John" character just moved these files to another folder on his system for easy recovery/restoration?
0
 
LVL 88

Expert Comment

by:rindi
ID: 40023445
Who is John? Did Tom even know him? Did he claim to be an m$ employee? I've heard of many scams where someone calls a PC user and asks him to give him access to the PC. Often at a later time they will try to get the user to pay them to release the data again.
0
 

Author Comment

by:classnet
ID: 40023458
Yes rindi, John claimed to be from MS.

I just have a hard time believing that several weeks would pass before John would follow up for ransom.

It's been 10 days since the data has disappeared... Tom called me as a last resort to wiping and starting all over.

I think it is something that Tom and his neighbor inadvertently did.  I just don't know what it could have been.
0
 
LVL 20

Expert Comment

by:marsilies
ID: 40023503
First off, whenever someone appears to have lost data on a drive, have that person STOP using the drive, immediately. If the data's been deleted, the more the drive is used, the less likely you'll be able to recover it fully.

It's possible the neighbor deleted and recreated the profile in order to regain access. That might've deleted the original folder and recreated it.

Have you looked into the TEMP profile folders? It's possible that the old profile was renamed that in the attempt to regain access to the PC.

Best practice would be to pull the drive out and access it on another PC. The Previous Versions feature in Windows 7 may be able to access an earlier version of the user folder and recover the lost files:
http://www.howtogeek.com/howto/11130/restore-previous-versions-of-files-in-every-edition-of-windows-7/


File recovery tools like Recuva and PhotoRec can look at the "free space" on the drives for files that have been deleted but not yet overwritten.
http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

Remember to save recovered files to a drive other than the one you're recovering from.


Finally, whatever the outcome, be sure to set Tom up with some form of backup, whether to an external drive or to an online service. You should never have only one copy of any data you want to keep.
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023617
Well MS will never call anyone for starters.

Do you have a windows.old folder now? If you do, follow this tutorial:
http://www.sevenforums.com/tutorials/16282-windows-old-folder-restore-into-new-installation.html
0
 
LVL 88

Expert Comment

by:rindi
ID: 40023621
He probably installed some malware that would work like a time bomb. Maybe antimalware tools like Malwarebytes could help, but it is also possible that after the malware had done its "job", it also removed itself from the PC.
0
 

Author Comment

by:classnet
ID: 40023626
Thanks everyone... I'm a pretty seasoned tech and am aware of everything we discussed: MS never calling, backups, stop using the computer to potentially recover deleted items.

This situation is pretty strange... haven't come by this before.

No .old folder either.

I'd think it's not a re-partitioning issue... the programs are still there.
0
 
LVL 88

Expert Comment

by:rindi
ID: 40023646
Programs usually aren't important. Those crooks go after the data. Also, chances are that he now has the user's data and can use it (email accounts along with the passwords, personal data that was on the PC, maybe bank data etc.). Besides the ransom they may get, they also sell the data to 3rd parties.

The damage done can be hard to repair. You'll have to change all the passwords or create new email accounts, check bank accounts etc. Whatever you do, don't pay the ransom, and get the authorities involved (maybe telephone numbers etc. can be traced).

Try to educate your current customers to be wary...
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023657
Sorry, can you be more specific on what you mean by data?

Is data missing within all folders or do you mean user?

Sorry for the confusion.
0
 

Author Comment

by:classnet
ID: 40023667
joinaunion:  When he boots the computer it looks like a new user account... desktop is empty where he had many icons, etc.  No more music, pics, etc.

All his programs are there though.

If you open Outlook it wants to set up a new account.  Go into the mail applet in Control Panel and it shows no profiles.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 40023676
Did you try unhide?
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023677
When he boots the computer, does it show only 1 account to log onto as an option?
0
 

Author Comment

by:classnet
ID: 40023678
Trying Recuva at the moment... searching the entire drive for pst files.
0
 

Author Comment

by:classnet
ID: 40023681
1 account only.
0
 
LVL 16

Expert Comment

by:joinaunion
ID: 40023703
Can you open up My Computer, then double-click on the C drive, then on the right double-click Users? Do you now see his user account? If so, double-click it; you should now see a lot of stuff. If you do, follow the directions here to restore the account.
http://windows.microsoft.com/en-ca/windows/fix-corrupted-user-profile#1TC=windows-7
0
 

Author Comment

by:classnet
ID: 40023712
I think that what happened is that Tom and his neighbor, in an attempt to fix the "password unknown" issue, created another "owner" profile.  You and I know that this would normally result in an owner.xxxx profile but that is not the case here.

I think, at the end of the day, that "John" bilked Tom out of some cash, but that Tom and the neighbor did the damage.
0
 
LVL 93

Expert Comment

by:nobus
ID: 40024196
I had something similar on 2 laptops, a week apart.
Only some folders were showing - no data.
I was able to back up all data using GetDataBack: http://www.runtime.org/

So that's my advice: hook the disk to a working PC and run GDB.
I hope it works for you too.

**I was not able to find the cause of this.
0
 
LVL 37

Expert Comment

by:bbao
ID: 40024385
> John claimed to be from MS

Microsoft never calls an individual end user telling him his computer has an issue and offering a paid service to fix it. John was of course not from MS.
0
 
LVL 93

Expert Comment

by:nobus
ID: 40024486
I would try GDB, as said.
If unsuccessful - never pay! - and do a factory restore - or install Windows fresh.
0
 

Author Comment

by:classnet
ID: 40026890
To move beyond this issue I used Recuva and undeleted everything possible and put the files into folders "Pictures", "Office" and "Other".

Over 1 million files were recovered.

It is now up to the user to weed through the mess... at least Tom has the files to weed through.

This was clearly a case of Tom and the neighbor treading where they shouldn't have...

Not sure how to allocate points...
0
 
LVL 93

Expert Comment

by:nobus
ID: 40026914
look in the help files, on closing questions
0
 

Author Closing Comment

by:classnet
ID: 40027050
Thanks for the Recuva solution.  Worked fine.
0
