• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 45
  • Last Modified:

What possible cause for total user data deletion in Windows

Hi, we are trying to figure out why our data has been deleted; that is, Ms Office Docs, Videos and photos.   Brief history to-date, a week+ ago we ran a series of cleanup apps for viruses, spywares and malwares (ran it a series of time until all results returned 0 infections).  However, recently we noticed our docs were missing.  What could have caused this?
0
rayluvs
Asked:
rayluvs
6 Solutions
 
Thomas Zucker-ScharffSystems AnalystCommented:
Sounds like a new or different profile is logged in. What version of Windows?
0
 
bigeven2002Commented:
Hello,
After each of the virus/malware scans, were the results reviewed to see what was removed or quarantined? Since it sounds like there were existing infections, they may have already done their damage and deleted the files.

Did you have system restore configured for the machine?  If so, check that to see if you have any snapshots available prior to the infection.

Additionally, go to Start > Run, and type services.msc. Locate the Volume Shadow Copy service and start it. Then navigate to a directory where the files should exist, right-click that directory name and choose Restore Previous Versions. Review the snapshots, if any, then select a snapshot and choose Open. This will open the snapshot to view the contents; check to see if your missing files are there. If so, you can copy them to another location or choose to restore that directory right then and there.

The above is actually a long shot since many viruses/malware are designed to delete the system restore history to make recovery substantially more difficult.
0
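The Previous Versions procedure above depends on two things: the VSS service running and at least one shadow copy existing for the volume. The PowerShell below, added here as an example and not posted by anyone in the thread, checks both from an elevated prompt and exposes the newest snapshot as a read-only directory link so the folder can be inspected without touching the live copy. The profile path C:\Users\Jamie is an assumed placeholder; adjust it to the real account.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell.
# Assumption: the missing data lived under C:\Users\Jamie (placeholder name).
$TargetFolder = 'C:\Users\Jamie\Documents'

# 1. State of the Volume Shadow Copy service (the thread starts it via services.msc).
$vss = Get-Service -Name VSS
Write-Host "VSS service status: $($vss.Status) (start type: $($vss.StartType))"
if ($vss.Status -ne 'Running') { Start-Service -Name VSS }

# 2. Enumerate shadow copies for the volume that holds the folder.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName both use the \\?\Volume{GUID}\ form.
$qualifier = Split-Path -Qualifier $TargetFolder          # e.g. 'C:'
$volume    = Get-CimInstance -ClassName Win32_Volume |
             Where-Object { $_.DriveLetter -eq $qualifier }
$copies    = Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volume.DeviceID } |
             Sort-Object InstallDate
if (-not $copies) {
    Write-Warning "No shadow copies exist for $qualifier - Previous Versions will be empty."
    return
}
$copies | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# 3. Expose the newest snapshot through a directory symlink. The snapshot device
#    path (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) needs a trailing backslash.
$latest = $copies | Select-Object -Last 1
$link   = 'C:\ShadowView'
cmd /c mklink /d $link "$($latest.DeviceObject)\" | Out-Null

# 4. List what the snapshot holds for the folder in question. Copy out what is needed,
#    then remove the link with:  cmd /c rmdir C:\ShadowView
$relative = $TargetFolder.Substring($qualifier.Length + 1)   # strip 'C:\'
Get-ChildItem -Path (Join-Path $link $relative) -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

If step 2 prints nothing, the "long shot" caveat in the post applies: there is no restore point to open, whether because System Protection was off or because the snapshots were wiped.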
 
rindiCommented:
Maybe your files were encrypted by ransomware? Have you checked for files that have gotten a new extension? Also check for a txt or html file with instructions for paying the ransom.
0
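The two indicators rindi names (files that have gained a new extension, and a note file dropped in many folders) can be checked in one pass rather than by eye. This PowerShell is an added example for the thread, not something a participant posted; it assumes the affected profile is C:\Users\Jamie (placeholder) and only reads the file system.

```powershell
# Added example, not from the original thread. Read-only: it lists, it changes nothing.
# Assumption: the affected profile is C:\Users\Jamie (placeholder name).
$ProfilePath = 'C:\Users\Jamie'
$Since       = (Get-Date).AddDays(-14)

$files = Get-ChildItem -Path $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue |
         Where-Object { $_.FullName -notmatch '\\AppData\\' }   # skip app caches

# 1. Extension histogram. A healthy profile is dominated by .docx/.jpg/.mp4 and so on;
#    an encrypted one shows a single unfamiliar extension (or none) with a huge count.
$files | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object @{n='Extension'; e={ if ($_.Name) { $_.Name } else { '(none)' } }}, Count -First 15 |
    Format-Table -AutoSize

# 2. Files whose name still carries an original extension followed by another one
#    (report.docx.locked) - the rename pattern that hides files from a by-name search.
$files | Where-Object { $_.Name -match '\.(docx?|xlsx?|pptx?|pdf|jpe?g|png|mp4|mov)\.[^.]+$' } |
    Select-Object FullName, LastWriteTime -First 20 |
    Format-Table -AutoSize

# 3. Candidate ransom notes: recently written txt/html files with the same name repeated
#    across many folders, which is how such notes are typically dropped.
$files | Where-Object { $_.Extension -in '.txt', '.html', '.htm', '.hta' -and $_.LastWriteTime -gt $Since } |
    Group-Object Name | Where-Object { $_.Count -gt 3 } | Sort-Object Count -Descending |
    Select-Object Name, Count, @{n='Example'; e={ $_.Group[0].FullName }} |
    Format-Table -AutoSize
```

An empty result from all three sections, combined with the files being absent rather than renamed, points away from encryption and towards the profile problem raised earlier in the thread.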
 
John TsioumprisSoftware & Systems EngineerCommented:
High-quality viruses and malware can "pass" totally undetected.....
But the way you phrased the question ("we noticed our docs were missing") makes me wonder whether there is a human factor in the equation.
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Usually, "missing" files indicate something other than malware. We find quite often that users either are set to the wrong autologon, or log into the wrong profile.
0
 
rindiCommented:
Missing can also mean that their extensions have changed, so they aren't being recognized as the files they were and so they aren't being found. Ransomware normally changes the extensions of files.
0
 
rayluvsAuthor Commented:
Good info, guys.

Did the 'volume shadow copy'; it was 'manual' and we started it, but could find the folders.

As for 'different profile is logged in', the user name is the correct one.

As for encrypted by ransomware, we checked for files (videos, documents, photos, etc.) with actual names we know existed; none were found.

Is there a way to tell if it was ransomware?

Also, maybe it was the user, but how to know, especially when this computer is the adoration of the actual user. We doubt he wanted to delete all his docs.

And finally, "extensions have changed"; again, we searched for actual files with names we are sure existed prior to the problem.
0
 
rindiCommented:
First of all, look for the ransom note. What was the reason you started with the malware scans in the first place? Was the PC infected?
0
 
rayluvsAuthor Commented:
Yes, infected.

No ransom note was ever presented, displayed or suggested by Windows...
0
 
rayluvsAuthor Commented:
We think we may have found something...

Possible cause:
userprofile created
Could this have had something to do with it?
(We noticed that Windows created a series of temp folders for Jamie.)
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Yes. As I previously said, different profile. This sometimes happens when the disk is too full or when there is something else wrong with the profile. Have you looked in the profile list in the registry?
0
 
rayluvsAuthor Commented:
Where is the profile list in the registry, and what should we look for?
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Back up the registry, then search for "profile list" (in HKLM). There should be a list of several long IDs (a GUID for each) and a couple of short ones; those are the built-ins. Look for one with the word "temp" in it. Make sure you have an administrator login for this. Copy the profile to a new one. Rename the old profile to <profilename>.bak. Log in with the new profile.
0
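The key being described lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; that is a standard Windows location and not something the thread itself spells out, which is why a search for the phrase "profile list" inside HKLM finds nothing. The PowerShell below is an added example, not posted by any participant: it reads that key and flags the two conditions Thomas describes, a SID renamed with a .bak suffix and a ProfileImagePath pointing at a TEMP folder. It is read-only and renames nothing; back up the registry before acting on what it reports.

```powershell
# Added example, not from the original thread. Read-only enumeration of the profile list.
# Path is the standard Windows location for this key; run from an elevated PowerShell.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

Get-ChildItem -Path $ProfileList | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $sid   = $_.PSChildName
    $path  = $props.ProfileImagePath     # REG_EXPAND_SZ; PowerShell expands %SystemDrive% etc.

    [pscustomobject]@{
        SID          = $sid
        # Short SIDs S-1-5-18/19/20 are the built-in System, LocalService and NetworkService
        # accounts - the "couple of short ones" in the post above.
        BuiltIn      = $sid -match '^S-1-5-(18|19|20)$'
        # Windows parks a profile it could not load by appending .bak to its SID key and
        # then logs the user on with a fresh temporary profile.
        BakSuffix    = $sid -like '*.bak'
        Path         = $path
        # A ProfileImagePath under \Users\TEMP* is the temp profile to look for.
        TempPath     = [bool]($path -and $path -match '\\Users\\TEMP')
        # Raw State flags, shown in hex for comparison against the Windows SDK profile flags.
        StateHex     = if ($null -ne $props.State) { '0x{0:X}' -f $props.State } else { '' }
        # A profile whose folder is gone is one the data cannot be recovered from by profile repair.
        FolderExists = [bool]($path -and (Test-Path -LiteralPath $path))
    }
} | Format-Table -AutoSize
```

The interesting rows are a user SID with BakSuffix set (the original profile, still holding its data under Path) next to the same SID without the suffix whose Path is a TEMP folder. Renaming or re-pointing those entries is the manual repair the post outlines, and is exactly what the ReProfiler tool mentioned later in the thread automates.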
 
rayluvsAuthor Commented:
Searched within HKEY_LOCAL_MACHINE and no "profile list"...

rg
Can you give the exact registry address?
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
Don't have it right now. Try searching for S-1-5.
0
 
rayluvsAuthor Commented:
Nope; we'll keep trying.
0
 
rindiCommented:
Look in the \Users\Jamie folder. If that was the original user account, the data should be there. Then just copy the data that isn't already backed up to some other storage. After that, reinstall the OS using the PC's recovery partition, run all updates etc., and create a new standard user account for the user (the Admin account should only ever be used for specific admin tasks). Reinstall any software needed, and then restore the data files from the backups.
0
 
rayluvsAuthor Commented:
Good advice! We'll proceed and inform back...
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
There have to be several entries listing S-1-5; they are credentials built in to Windows.
0
 
rayluvsAuthor Commented:
Hi rindi,

When proceeding with your comment, the user informed us that prior to our intervention, that is what they did (the copy part). When they logged in they noticed the '001', etc. folders. So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% at the time.

That said, now we know exactly why their personal data was missing: it was deleted by Windows as soon as they logged off from their temp user account (as we stated in our finding in 'ID: 41814070'). Unfortunately, they never paid attention to the message since it displays quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the Ees here stated, it could be corruption, infection, Windows system file damage, etc.

Solution:
To try to solve this problem we found a series of tedious steps that involve working with the registry, etc. However, we found a great tool that really helped: ReProfiler (http://iwrconsultancy.co.uk/download). The tool re-associates the profile with the account. You first download & install it, make sure the bad username is not logged in, then set the assignment: Done!

As for the "profile listing" in the Registry, we never found it. Yes, there is a whole bunch of "S-1-5" entries, but none related to our case, so thanks anyway.
0
 
rayluvsAuthor Commented:
Thanks for the assistance. We chose our comments because they address our situation directly and offer a viable solution for future members with the same problem.
0