Solved

All doc, xls, and pdf's are gone

Posted on 2016-09-20
9
91 Views
Last Modified: 2016-10-03
Hello I have a user that is running windows 10 and sometime over the weekend all of their doc's. xls, and pdf's are missing. Ran malwarebytes checked the recycle bin no luck. I never had an issue like this before any suggestions
0
Comment
Question by:Deerek11
9 Comments
 
LVL 13

Accepted Solution

by:
Norm Dickinson earned 250 total points
ID: 41806470
Check to see if the files have been renamed with a different extension, such as filename.pdf.locky, indicating that your use has been infected by ransomware. What are there for files in the normal document folders? Can you run a free data recovery tool to see if there is deleted information on the drive? Perhaps someone deleted the files and then emptied the trash can. A program such as the ten listed in this article may be just the ticket. https://fossbytes.com/top-best-free-data-recovery-software-2016/

Otherwise, I will revert to advice I have been giving continuously since the late 1970's, Monday-Morning-Quarterback style, to make sure to have a reliable backup. Recover the files from backup that automatically ran the night before (if any). Everyone has had to lose files at some point in history in order to become focused on backing up; this may just be the next graduate from the school of hard knocks if they lost everything and do not have a backup. These days, an automated, cloud-based backup is so inexpensive compared to the cost of data recovery or data loss, that it just doesn't make sense not to back up regularly. Good luck.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 41806515
Usually with cryptoware, the executable will delete itself after finishing its run (thereby avoiding detection, leaving only encrypted files and the txt and html payment instructions behind).
I predict in your case, you have about 0.000000000000000000001% chance of getting your files back.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 41806610
See if image files are also affected (.jpg) etc.  I agree that it's probably ransomware so disconnect from network shares as if that is the case the trojan can affect similar files on any share the PC has read/write access to.

Try searching by specific file name "my document" rather than "*.doc" which should find encrypted file names with the locker extension.

There's a slim chance that a different form of malware has simply moved the files to a hidden location but those are usually picked up by MBAM.

If you want to find out what caused this try an offline scan by booting to an AV scanner CD image such as the Kapersky Rescue CD
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 7

Expert Comment

by:Knightsman
ID: 41806654
Is it just those files?  Sounds like they accidentally ran a recovery.
0
 
LVL 33

Expert Comment

by:Rob Henson
ID: 41806704
I assume they have used the correct User login details. If there are multiple profiles on the machine, there will be a list in C:\Users\UserName

An Admin user may be able to see the contents of all users folders to see if the files are under a different User Profile.

Thanks
Rob H
0
 

Author Comment

by:Deerek11
ID: 41806808
I am on the system and notice inside the my document folder there are some word doc's and some pdf's but on the desktop all of the folders that had doc's and pdf's all of that is gone.  Can cryptoware or these type of threat remove some files but not others?? Some jpegs are there but the ones in those folders are missing .... Weird
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 125 total points
ID: 41806821
No, cryptoware usually wants you to see the files that are encrypted. It also wants you to pay, and therefore the files you should read are in capitals like "DECRYPT_INSTRUCTION.HTML" or  "READ ME HOW TO PAY" etc etc.
If those are not there, it's probably a user error (drag select followed by DEL).
0
 
LVL 13

Assisted Solution

by:Norm Dickinson
Norm Dickinson earned 250 total points
ID: 41806822
Running a data recovery software will show you what was on the disk recently - and sometimes quite a while ago. That should really be your next step to determine what has been deleted and to find a copy of it. I assume at this point that a backup was not available to recover from?
0
 
LVL 92

Assisted Solution

by:nobus
nobus earned 125 total points
ID: 41808160
i have also seen cases where windows 10 ran an upgrade - without keeping the data, and without warning the customers.
so that 's what i think happened
you can try recoveruing the data - biut chances are not good (overwritten files are lost)
i use GDB for recovering : http://www.runtime.org/

***be sure to install this on another system, and hook this drive to it for recovering data
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question