Solved

All doc, xls, and pdf's are gone

Posted on 2016-09-20
9
71 Views
Last Modified: 2016-10-03
Hello I have a user that is running windows 10 and sometime over the weekend all of their doc's. xls, and pdf's are missing. Ran malwarebytes checked the recycle bin no luck. I never had an issue like this before any suggestions
0
Comment
Question by:Deerek11
9 Comments
 
LVL 13

Accepted Solution

by:
Norm Dickinson earned 250 total points
Comment Utility
Check to see if the files have been renamed with a different extension, such as filename.pdf.locky, indicating that your use has been infected by ransomware. What are there for files in the normal document folders? Can you run a free data recovery tool to see if there is deleted information on the drive? Perhaps someone deleted the files and then emptied the trash can. A program such as the ten listed in this article may be just the ticket. https://fossbytes.com/top-best-free-data-recovery-software-2016/

Otherwise, I will revert to advice I have been giving continuously since the late 1970's, Monday-Morning-Quarterback style, to make sure to have a reliable backup. Recover the files from backup that automatically ran the night before (if any). Everyone has had to lose files at some point in history in order to become focused on backing up; this may just be the next graduate from the school of hard knocks if they lost everything and do not have a backup. These days, an automated, cloud-based backup is so inexpensive compared to the cost of data recovery or data loss, that it just doesn't make sense not to back up regularly. Good luck.
0
 
LVL 35

Expert Comment

by:Kimputer
Comment Utility
Usually with cryptoware, the executable will delete itself after finishing its run (thereby avoiding detection, leaving only encrypted files and the txt and html payment instructions behind).
I predict in your case, you have about 0.000000000000000000001% chance of getting your files back.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
Comment Utility
See if image files are also affected (.jpg) etc.  I agree that it's probably ransomware so disconnect from network shares as if that is the case the trojan can affect similar files on any share the PC has read/write access to.

Try searching by specific file name "my document" rather than "*.doc" which should find encrypted file names with the locker extension.

There's a slim chance that a different form of malware has simply moved the files to a hidden location but those are usually picked up by MBAM.

If you want to find out what caused this try an offline scan by booting to an AV scanner CD image such as the Kapersky Rescue CD
0
 
LVL 7

Expert Comment

by:Knightsman
Comment Utility
Is it just those files?  Sounds like they accidentally ran a recovery.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 31

Expert Comment

by:Rob Henson
Comment Utility
I assume they have used the correct User login details. If there are multiple profiles on the machine, there will be a list in C:\Users\UserName

An Admin user may be able to see the contents of all users folders to see if the files are under a different User Profile.

Thanks
Rob H
0
 

Author Comment

by:Deerek11
Comment Utility
I am on the system and notice inside the my document folder there are some word doc's and some pdf's but on the desktop all of the folders that had doc's and pdf's all of that is gone.  Can cryptoware or these type of threat remove some files but not others?? Some jpegs are there but the ones in those folders are missing .... Weird
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 125 total points
Comment Utility
No, cryptoware usually wants you to see the files that are encrypted. It also wants you to pay, and therefore the files you should read are in capitals like "DECRYPT_INSTRUCTION.HTML" or  "READ ME HOW TO PAY" etc etc.
If those are not there, it's probably a user error (drag select followed by DEL).
0
 
LVL 13

Assisted Solution

by:Norm Dickinson
Norm Dickinson earned 250 total points
Comment Utility
Running a data recovery software will show you what was on the disk recently - and sometimes quite a while ago. That should really be your next step to determine what has been deleted and to find a copy of it. I assume at this point that a backup was not available to recover from?
0
 
LVL 91

Assisted Solution

by:nobus
nobus earned 125 total points
Comment Utility
i have also seen cases where windows 10 ran an upgrade - without keeping the data, and without warning the customers.
so that 's what i think happened
you can try recoveruing the data - biut chances are not good (overwritten files are lost)
i use GDB for recovering : http://www.runtime.org/

***be sure to install this on another system, and hook this drive to it for recovering data
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Workplace bullying has increased with the use of email and social media. Retain evidence of this with email archiving to protect your employees.
If you get continual lockouts after changing your Active Directory password, there are several possible reasons.  Two of the most common are using other devices to access your email and stored passwords in the credential manager of windows.
An overview on how to enroll an hourly employee into the employee database and how to give them access into the clock in terminal.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now