• Status: Solved
  • Priority: Medium

All doc, xls, and pdf's are gone

Hello, I have a user that is running Windows 10, and sometime over the weekend all of their docs, xls, and pdfs went missing. Ran Malwarebytes, checked the recycle bin, no luck. I never had an issue like this before. Any suggestions?
0
Asked by: Deerek11
4 Solutions
 
Norm Dickinson (Guru) Commented:
Check to see if the files have been renamed with a different extension, such as filename.pdf.locky, indicating that your user has been infected by ransomware. What are there for files in the normal document folders? Can you run a free data recovery tool to see if there is deleted information on the drive? Perhaps someone deleted the files and then emptied the trash can. A program such as the ten listed in this article may be just the ticket. https://fossbytes.com/top-best-free-data-recovery-software-2016/

Otherwise, I will revert to advice I have been giving continuously since the late 1970's, Monday-Morning-Quarterback style, to make sure to have a reliable backup. Recover the files from backup that automatically ran the night before (if any). Everyone has had to lose files at some point in history in order to become focused on backing up; this may just be the next graduate from the school of hard knocks if they lost everything and do not have a backup. These days, an automated, cloud-based backup is so inexpensive compared to the cost of data recovery or data loss, that it just doesn't make sense not to back up regularly. Good luck.
0
 
Kimputer Commented:
Usually with cryptoware, the executable will delete itself after finishing its run (thereby avoiding detection, leaving only encrypted files and the txt and html payment instructions behind).
I predict in your case, you have about 0.000000000000000000001% chance of getting your files back.
0
 
☠ MASQ ☠ Commented:
See if image files (.jpg etc.) are also affected. I agree that it's probably ransomware, so disconnect from network shares, as if that is the case the trojan can affect similar files on any share the PC has read/write access to.

Try searching by specific file name "my document" rather than "*.doc", which should find encrypted file names with the locker extension.

There's a slim chance that a different form of malware has simply moved the files to a hidden location, but those are usually picked up by MBAM.

If you want to find out what caused this, try an offline scan by booting to an AV scanner CD image such as the Kaspersky Rescue CD.
0
 
Knightsman Commented:
Is it just those files? Sounds like they accidentally ran a recovery.
0
 
Rob Henson (Finance Analyst) Commented:
I assume they have used the correct User login details. If there are multiple profiles on the machine, there will be a list in C:\Users\UserName

An Admin user may be able to see the contents of all users' folders to see if the files are under a different User Profile.

Thanks
Rob H
0
 
Deerek11 (Author) Commented:
I am on the system and notice inside the my document folder there are some Word docs and some pdfs, but on the desktop all of the folders that had docs and pdfs, all of that is gone. Can cryptoware or this type of threat remove some files but not others? Some jpegs are there but the ones in those folders are missing... Weird.
0
 
Kimputer Commented:
No, cryptoware usually wants you to see the files that are encrypted. It also wants you to pay, and therefore the files you should read are in capitals like "DECRYPT_INSTRUCTION.HTML" or "READ ME HOW TO PAY" etc etc.
If those are not there, it's probably a user error (drag select followed by DEL).
0
 
Norm Dickinson (Guru) Commented:
Running a data recovery software will show you what was on the disk recently - and sometimes quite a while ago. That should really be your next step to determine what has been deleted and to find a copy of it. I assume at this point that a backup was not available to recover from?
0
 
nobus Commented:
I have also seen cases where Windows 10 ran an upgrade without keeping the data, and without warning the customers.
So that's what I think happened.
You can try recovering the data, but chances are not good (overwritten files are lost).
I use GDB for recovering: http://www.runtime.org/

***Be sure to install this on another system, and hook this drive to it for recovering data.
0
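The checks suggested across the answers above (extensions appended to document names such as filename.pdf.locky, payment-instruction files, and documents sitting under a different user profile) combined into one read-only scan. This is an added example, not code from any poster; the extension list, the note keywords and the sample tree are assumptions made for illustration.

```python
import os
import sys
import tempfile
from collections import Counter

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg"}
NOTE_EXTS = {"", ".txt", ".html", ".htm"}
# Keywords from the note names quoted in the thread; the matching rule is an assumption.
NOTE_HINTS = ("decrypt", "how to pay", "read me")

def classify(filename):
    """Return 'renamed', 'note', 'document' or None for one file name."""
    lower = filename.lower()
    stem, ext = os.path.splitext(lower)
    if os.path.splitext(stem)[1] in DOC_EXTS and ext not in DOC_EXTS:
        return "renamed"  # e.g. filename.pdf.locky: document extension plus an appended one
    if ext in NOTE_EXTS and any(h in lower.replace("_", " ") for h in NOTE_HINTS):
        return "note"
    return "document" if ext in DOC_EXTS else None

def scan(root):
    """Walk root; return (suspicious paths by kind, intact document count per top-level folder)."""
    findings = {"renamed": [], "note": []}
    docs = Counter()
    for dirpath, _dirs, files in os.walk(root):
        top = os.path.relpath(dirpath, root).split(os.sep)[0]  # profile name under C:\Users
        for name in files:
            kind = classify(name)
            if kind == "document":
                docs[top] += 1
            elif kind:
                findings[kind].append(os.path.join(dirpath, name))
    return findings, docs

def demo():
    """Scan a constructed sample tree with two profile folders."""
    samples = ["alice/Desktop/budget.xls.locky", "alice/Desktop/DECRYPT_INSTRUCTION.HTML",
               "alice/Documents/notes.docx", "bob/Documents/report.final.pdf"]
    with tempfile.TemporaryDirectory() as root:
        for rel in samples:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan(root)

if __name__ == "__main__":
    findings, docs = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for kind, paths in findings.items():
        print(f"{kind}: {len(paths)}", *paths, sep="\n  ")
    print("documents per top-level folder:", dict(docs))
```

Pass the folder to check as the first argument, for example C:\Users or the affected drive attached to another system; with no argument it scans the constructed sample tree.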
Question has a verified solution.
