Solved

All doc, xls, and pdf's are gone

Posted on 2016-09-20
9
97 Views
Last Modified: 2016-10-03
Hello I have a user that is running windows 10 and sometime over the weekend all of their doc's. xls, and pdf's are missing. Ran malwarebytes checked the recycle bin no luck. I never had an issue like this before any suggestions
0
Comment
Question by:Deerek11
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 13

Accepted Solution

by:
Norm Dickinson earned 250 total points
ID: 41806470
Check to see if the files have been renamed with a different extension, such as filename.pdf.locky, indicating that your use has been infected by ransomware. What are there for files in the normal document folders? Can you run a free data recovery tool to see if there is deleted information on the drive? Perhaps someone deleted the files and then emptied the trash can. A program such as the ten listed in this article may be just the ticket. https://fossbytes.com/top-best-free-data-recovery-software-2016/

Otherwise, I will revert to advice I have been giving continuously since the late 1970's, Monday-Morning-Quarterback style, to make sure to have a reliable backup. Recover the files from backup that automatically ran the night before (if any). Everyone has had to lose files at some point in history in order to become focused on backing up; this may just be the next graduate from the school of hard knocks if they lost everything and do not have a backup. These days, an automated, cloud-based backup is so inexpensive compared to the cost of data recovery or data loss, that it just doesn't make sense not to back up regularly. Good luck.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 41806515
Usually with cryptoware, the executable will delete itself after finishing its run (thereby avoiding detection, leaving only encrypted files and the txt and html payment instructions behind).
I predict in your case, you have about 0.000000000000000000001% chance of getting your files back.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 41806610
See if image files are also affected (.jpg) etc.  I agree that it's probably ransomware so disconnect from network shares as if that is the case the trojan can affect similar files on any share the PC has read/write access to.

Try searching by specific file name "my document" rather than "*.doc" which should find encrypted file names with the locker extension.

There's a slim chance that a different form of malware has simply moved the files to a hidden location but those are usually picked up by MBAM.

If you want to find out what caused this try an offline scan by booting to an AV scanner CD image such as the Kapersky Rescue CD
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 7

Expert Comment

by:Knightsman
ID: 41806654
Is it just those files?  Sounds like they accidentally ran a recovery.
0
 
LVL 33

Expert Comment

by:Rob Henson
ID: 41806704
I assume they have used the correct User login details. If there are multiple profiles on the machine, there will be a list in C:\Users\UserName

An Admin user may be able to see the contents of all users folders to see if the files are under a different User Profile.

Thanks
Rob H
0
 

Author Comment

by:Deerek11
ID: 41806808
I am on the system and notice inside the my document folder there are some word doc's and some pdf's but on the desktop all of the folders that had doc's and pdf's all of that is gone.  Can cryptoware or these type of threat remove some files but not others?? Some jpegs are there but the ones in those folders are missing .... Weird
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 125 total points
ID: 41806821
No, cryptoware usually wants you to see the files that are encrypted. It also wants you to pay, and therefore the files you should read are in capitals like "DECRYPT_INSTRUCTION.HTML" or  "READ ME HOW TO PAY" etc etc.
If those are not there, it's probably a user error (drag select followed by DEL).
0
 
LVL 13

Assisted Solution

by:Norm Dickinson
Norm Dickinson earned 250 total points
ID: 41806822
Running a data recovery software will show you what was on the disk recently - and sometimes quite a while ago. That should really be your next step to determine what has been deleted and to find a copy of it. I assume at this point that a backup was not available to recover from?
0
 
LVL 92

Assisted Solution

by:nobus
nobus earned 125 total points
ID: 41808160
i have also seen cases where windows 10 ran an upgrade - without keeping the data, and without warning the customers.
so that 's what i think happened
you can try recoveruing the data - biut chances are not good (overwritten files are lost)
i use GDB for recovering : http://www.runtime.org/

***be sure to install this on another system, and hook this drive to it for recovering data
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

An article on effective troubleshooting
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question