Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

All doc, xls, and pdf's are gone

Posted on 2016-09-20
9
Medium Priority
?
104 Views
Last Modified: 2016-10-03
Hello I have a user that is running windows 10 and sometime over the weekend all of their doc's. xls, and pdf's are missing. Ran malwarebytes checked the recycle bin no luck. I never had an issue like this before any suggestions
0
Comment
Question by:Deerek11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 13

Accepted Solution

by:
Norm Dickinson earned 1000 total points
ID: 41806470
Check to see if the files have been renamed with a different extension, such as filename.pdf.locky, indicating that your use has been infected by ransomware. What are there for files in the normal document folders? Can you run a free data recovery tool to see if there is deleted information on the drive? Perhaps someone deleted the files and then emptied the trash can. A program such as the ten listed in this article may be just the ticket. https://fossbytes.com/top-best-free-data-recovery-software-2016/

Otherwise, I will revert to advice I have been giving continuously since the late 1970's, Monday-Morning-Quarterback style, to make sure to have a reliable backup. Recover the files from backup that automatically ran the night before (if any). Everyone has had to lose files at some point in history in order to become focused on backing up; this may just be the next graduate from the school of hard knocks if they lost everything and do not have a backup. These days, an automated, cloud-based backup is so inexpensive compared to the cost of data recovery or data loss, that it just doesn't make sense not to back up regularly. Good luck.
0
 
LVL 36

Expert Comment

by:Kimputer
ID: 41806515
Usually with cryptoware, the executable will delete itself after finishing its run (thereby avoiding detection, leaving only encrypted files and the txt and html payment instructions behind).
I predict in your case, you have about 0.000000000000000000001% chance of getting your files back.
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 41806610
See if image files are also affected (.jpg) etc.  I agree that it's probably ransomware so disconnect from network shares as if that is the case the trojan can affect similar files on any share the PC has read/write access to.

Try searching by specific file name "my document" rather than "*.doc" which should find encrypted file names with the locker extension.

There's a slim chance that a different form of malware has simply moved the files to a hidden location but those are usually picked up by MBAM.

If you want to find out what caused this try an offline scan by booting to an AV scanner CD image such as the Kapersky Rescue CD
0
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

 
LVL 7

Expert Comment

by:Knightsman
ID: 41806654
Is it just those files?  Sounds like they accidentally ran a recovery.
0
 
LVL 33

Expert Comment

by:Rob Henson
ID: 41806704
I assume they have used the correct User login details. If there are multiple profiles on the machine, there will be a list in C:\Users\UserName

An Admin user may be able to see the contents of all users folders to see if the files are under a different User Profile.

Thanks
Rob H
0
 

Author Comment

by:Deerek11
ID: 41806808
I am on the system and notice inside the my document folder there are some word doc's and some pdf's but on the desktop all of the folders that had doc's and pdf's all of that is gone.  Can cryptoware or these type of threat remove some files but not others?? Some jpegs are there but the ones in those folders are missing .... Weird
0
 
LVL 36

Assisted Solution

by:Kimputer
Kimputer earned 500 total points
ID: 41806821
No, cryptoware usually wants you to see the files that are encrypted. It also wants you to pay, and therefore the files you should read are in capitals like "DECRYPT_INSTRUCTION.HTML" or  "READ ME HOW TO PAY" etc etc.
If those are not there, it's probably a user error (drag select followed by DEL).
0
 
LVL 13

Assisted Solution

by:Norm Dickinson
Norm Dickinson earned 1000 total points
ID: 41806822
Running a data recovery software will show you what was on the disk recently - and sometimes quite a while ago. That should really be your next step to determine what has been deleted and to find a copy of it. I assume at this point that a backup was not available to recover from?
0
 
LVL 93

Assisted Solution

by:nobus
nobus earned 500 total points
ID: 41808160
i have also seen cases where windows 10 ran an upgrade - without keeping the data, and without warning the customers.
so that 's what i think happened
you can try recoveruing the data - biut chances are not good (overwritten files are lost)
i use GDB for recovering : http://www.runtime.org/

***be sure to install this on another system, and hook this drive to it for recovering data
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question