Solved

What possible cause for total user data deletion in Windows

Posted on 2016-09-24
29 Views
Last Modified: 2016-09-30
Hi, we are trying to figure out why our data has been deleted; that is, MS Office docs, videos and photos. Brief history to date: a week or more ago we ran a series of cleanup apps for viruses, spyware and malware (ran them a number of times until all results returned 0 infections). However, recently we noticed our docs were missing. What could have caused this?
Question by:rayluvs
21 Comments
 
LVL 27

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 100 total points
ID: 41813785
Sounds like a new or different profile is logged in. What version of Windows?
 
LVL 17

Assisted Solution

by:bigeven2002
bigeven2002 earned 125 total points
ID: 41813806
Hello,
After each of the virus/malware scans, were the results reviewed to see what was removed or quarantined? Since it sounds like there were existing infections, they may have already done their damage and deleted the files.

Did you have system restore configured for the machine?  If so, check that to see if you have any snapshots available prior to the infection.

Additionally, go to Start > Run, and type services.msc.  Locate the volume shadow copy service and start it.  Then navigate to a directory where the files should exist, right-click that directory name and choose Restore Previous versions.  Review the snapshots, if any, and then select a snapshot and choose Open.  This will open the snapshot to view the contents, check to see if your missing files are there.  If so, you can copy them to another location or choose to restore that directory right then and there.

The above is actually a long shot since many viruses/malware are designed to delete the system restore history to make recovery substantially more difficult.
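The shadow-copy check described in the comment above, as an added example that is not part of the original thread. It assumes an elevated PowerShell prompt, that the affected profile is C:\Users\Jamie (the account named later in the thread) and that C:\ShadowCopyOldest is a free path; both are placeholders. Snapshots are per volume, so it only considers snapshots of the volume that holds C:\.

```powershell
# Added example, not from the original thread. Run elevated.
# Lists the Volume Shadow Copy snapshots Windows has kept and exposes one of them as a
# folder so pre-infection copies of a user's files can be browsed and copied out.

# 1. The VSS service is set to "Manual" by default, as the thread found; start it if needed.
if ((Get-Service -Name VSS).Status -ne 'Running') { Start-Service -Name VSS }

# 2. Enumerate snapshots of the volume that holds C:\ only.
$cVolume   = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume } |
    Sort-Object InstallDate |
    Select-Object ID, InstallDate, VolumeName, DeviceObject
$snapshots | Format-Table -AutoSize

if (-not $snapshots) {
    Write-Warning 'No shadow copies exist for C:. Nothing can be restored this way.'
    return
}

# 3. Expose the oldest snapshot (most likely to predate the infection) as a directory link.
#    The trailing backslash on the target is required; without it the link points at the
#    device object rather than at the file system inside it.
$oldest   = $snapshots | Select-Object -First 1
$linkPath = 'C:\ShadowCopyOldest'          # assumption: any unused path works
cmd.exe /c mklink /d $linkPath "$($oldest.DeviceObject)\" | Out-Null

# 4. Look for the user's documents inside the snapshot. 'Jamie' is a placeholder.
$snapDocs = Join-Path $linkPath 'Users\Jamie\Documents'
if (Test-Path $snapDocs) {
    Get-ChildItem -Path $snapDocs -Recurse -File |
        Select-Object FullName, LastWriteTime, Length
    # Copy recovered files to separate storage, never back onto the suspect volume:
    # Copy-Item -Path $snapDocs -Destination 'E:\Recovered\Documents' -Recurse
} else {
    Write-Warning "Snapshot from $($oldest.InstallDate) contains no $snapDocs"
}

# 5. Remove the link when finished. This deletes only the link, not the snapshot.
cmd.exe /c rmdir $linkPath | Out-Null
```

If step 2 prints nothing, the comment's caveat applies: either System Protection was never enabled for the volume or the malware purged the snapshots (vssadmin delete shadows is a routine step in ransomware), and the Previous Versions tab will be empty for the same reason.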
 
LVL 88

Expert Comment

by:rindi
ID: 41813828
Maybe your files were encrypted by ransomware? Have you checked for files that have gotten a new extension? Also check for a txt or html file with instructions for paying the ransom.
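A read-only triage for the two signs described above (renamed extensions and a dropped ransom note), as an added example that is not part of the original thread. The profile path C:\Users\Jamie, the document name 'Quarterly Report' and the ransom-note name fragments are assumptions for illustration, not data from the thread.

```powershell
# Added example, not from the original thread. Read-only; nothing is modified.
$root = 'C:\Users\Jamie'                 # assumption: the affected profile folder
$files = Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue

# Sign 1: many files sharing one unfamiliar extension, all written in a narrow time window.
# Ransomware renames as it encrypts, so the count and the LastWriteTime range line up.
$files | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object -First 15 Name, Count,
        @{ n = 'FirstWrite'; e = { ($_.Group | Sort-Object LastWriteTime)[0].LastWriteTime } },
        @{ n = 'LastWrite';  e = { ($_.Group | Sort-Object LastWriteTime)[-1].LastWriteTime } } |
    Format-Table -AutoSize

# Sign 2: ransom notes are typically small .txt/.html/.hta files dropped into many folders
# under a shouting name. These fragments are illustrative, not a definitive list.
$notePattern = 'DECRYPT|RANSOM|RECOVER|HOW_TO|README|RESTORE'
$files |
    Where-Object { $_.Extension -in '.txt', '.html', '.hta', '.url' -and
                   $_.BaseName -match $notePattern -and
                   $_.Length -lt 64KB } |
    Group-Object Name | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Example'; e = { $_.Group[0].FullName } } |
    Format-Table -AutoSize

# Sign 3: search the whole volume for a document the user knows existed, under ANY
# extension. Encrypted files keep their stem (Report.docx -> Report.docx.locked); if the
# stem is gone everywhere, the file was deleted or lives in another profile, not renamed.
$known = 'Quarterly Report'              # assumption: a name the user remembers
Get-ChildItem -Path 'C:\' -Recurse -File -Force -ErrorAction SilentlyContinue -Filter "$known*" |
    Select-Object FullName, LastWriteTime, Length
```

Sign 3 is the check that separates this thread's outcome from ransomware: the asker reports that known file names were absent under every extension and that no note ever appeared, which points to the files being gone (or elsewhere on disk) rather than encrypted in place.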
 
LVL 13

Assisted Solution

by:John Tsioumpris
John Tsioumpris earned 125 total points
ID: 41813976
High-quality viruses and malware can "pass" totally undetected...
But the way you phrased the question ("we noticed our docs were missing") makes me wonder whether there is a human factor in the equation.
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814005
Usually, "missing" files indicate something other than malware. We find quite often that users either are set to the wrong autologon, or log into the wrong profile.
 
LVL 88

Expert Comment

by:rindi
ID: 41814014
Missing can also mean that their extensions have changed, and so they aren't being recognized as the files they were and so they aren't being found. Ransomware normally changes the extensions of files.
 

Author Comment

by:rayluvs
ID: 41814034
Good info, guys.

Did the 'volume shadow copy'; it was 'manual' and we started it, but could find the folders.

As for 'different profile is logged in', the user name is the correct one.

As for encrypted by ransomware, we checked for files (videos, documents, photos, etc.) with actual names we know existed; none were found.

Is there a way to tell if it was ransomware?

Also, maybe it was the user, but how to know, especially when this computer is the adoration of the actual user. We doubt he wanted to delete all his docs.

And finally, "extensions have changed": again, we searched for actual files with names we are sure existed prior to the problem.
 
LVL 88

Expert Comment

by:rindi
ID: 41814046
First of all, look for the ransom note. What was the reason you started with the malware scans in the first place? Was the PC infected?
 

Author Comment

by:rayluvs
ID: 41814048
Yes, infected.

No ransom note was ever presented, displayed or suggested by Windows...
 

Assisted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41814070
We think we may have found something...

Possible cause:
User profile created.
Could this have had something to do with it?
(Noticed that Windows created a series of temp folders for Jamie.)
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814107
Yes. As I previously said, different profile. This sometimes happens when the disk is too full or when there is something else wrong with the profile. Have you looked in the profile list in the registry?
 

Author Comment

by:rayluvs
ID: 41814126
Where is the profile list in the registry, and what should we look for?
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814182
Back up the registry, then search for "profile list" (in HKLM). There should be a list of several long IDs, with the GUID of each, and a couple of short ones; those are the built-ins. Look for one with the word "temp" in it. Make sure you have an administrator logon for this. Copy the profile to a new one. Rename the old profile to <profilename>.bak. Log in with the new profile.
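The registry procedure sketched above, as an added example that is not part of the original thread. The key the thread is looking for is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList; the subkeys are named by SID, which is why a search for the literal words "profile list" finds nothing and a search for S-1-5 finds many unrelated hits. When a profile fails to load, Windows parks the real entry as <SID>.bak and creates a fresh <SID> entry pointing at C:\Users\TEMP, and it discards the temporary profile's contents at sign-out. The repair function below performs the standard fix (remove the temp entry, strip .bak from the real one, reset State and RefCount); the only assumption is that the affected user is signed out and you have an elevated prompt.

```powershell
# Added example, not from the original thread. Run elevated while the affected user is
# signed OUT. Step 1 is read-only. Step 2 edits the registry, so export the key first:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\ProfileList.reg
$plKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# 1. Show every profile entry. A user who was given a temporary profile has TWO entries
#    for one SID: "<SID>.bak" (the real profile, e.g. C:\Users\Jamie) and "<SID>" (the
#    temp one, ProfileImagePath C:\Users\TEMP). Short SIDs such as S-1-5-18/19/20 are built in.
function Get-ProfileEntries {
    Get-ChildItem -Path $plKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Key              = $_.PSChildName
            ProfileImagePath = $p.ProfileImagePath
            State            = $p.State
            RefCount         = $p.RefCount
            Kind             = if ($_.PSChildName -like '*.bak')              { 'real profile, parked' }
                               elseif ($p.ProfileImagePath -like '*\TEMP*')    { 'temporary profile' }
                               elseif ($_.PSChildName -notlike 'S-1-5-21-*')   { 'built-in' }
                               else                                           { 'normal' }
        }
    }
}
Get-ProfileEntries | Format-Table -AutoSize

# 2. Repair: for each parked ".bak" entry, remove the temp entry that took its SID and
#    give the real entry its name back. State=0 and RefCount=0 let the next logon load it.
function Repair-ParkedProfiles {
    Get-ChildItem -Path $plKey | Where-Object PSChildName -like '*.bak' | ForEach-Object {
        $bak = $_.PSChildName
        $sid = $bak -replace '\.bak$', ''
        if (Test-Path -Path "$plKey\$sid") {
            Remove-Item -Path "$plKey\$sid" -Recurse   # the temporary-profile entry
        }
        Rename-Item -Path "$plKey\$bak" -NewName $sid
        Set-ItemProperty -Path "$plKey\$sid" -Name State    -Value 0
        Set-ItemProperty -Path "$plKey\$sid" -Name RefCount -Value 0
        "$sid now points at $((Get-ItemProperty -Path "$plKey\$sid").ProfileImagePath)"
    }
}
# Repair-ParkedProfiles    # uncomment after reviewing step 1 and exporting the key
```

Before running the repair, confirm in step 1 that the .bak entry's ProfileImagePath folder (C:\Users\Jamie in this thread) still exists on disk; the data the user copied into the temporary profile is not recoverable by this route because Windows deletes a temporary profile's directory when that session ends.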
 

Author Comment

by:rayluvs
ID: 41814240
Searched within HKEY_LOCAL_MACHINE and no "profile list"...

Can you give the exact registry address?
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814307
Don't have it right now. Try searching for S-1-5.
 

Author Comment

by:rayluvs
ID: 41814611
Nope; we'll keep trying.
 
LVL 88

Assisted Solution

by:rindi
rindi earned 150 total points
ID: 41814620
Look in the \Users\Jamie folder. If that was the original user account, the data should be there. Then just copy the data that isn't already backed up to some other storage. After that, reinstall the OS using the PC's recovery partition, run all updates, etc., and create a new standard user account for the user (the Admin account should only ever be used for specific admin tasks). Reinstall any software needed, and then restore the data files from the backups.
 

Author Comment

by:rayluvs
ID: 41814918
Good advice! We'll proceed and inform back...
 
LVL 27

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814980
There have to be several entries listing S-1-5; they are credentials built into Windows.
 

Accepted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41815084
Hi rindi,

When proceeding with your comment, the user informed us that prior to our intervention, that is what they did (the copy part). When they logged in they noticed the '001', etc. folders. So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile% at the time.
      
That said, now we know exactly why their personal data were missing: it was deleted by Windows as soon as they logged off from their temp user account (as we stated in our finding in 'ID: 41814070'). Unfortunately, they never paid attention to the message since it displays quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the EEs here stated, it could be corruption, infection, Windows system file damage, etc.

Solution:
To try to solve this problem we found a series of tedious steps that consist of working with the registry, etc. However, we found a great tool that really helps: ReProfiler (http://iwrconsultancy.co.uk/download). The tool re-associates the profile with the account. You first download and install it, make sure the bad username is not logged in, then set the assignment: done!

As for the "profile listing" in the registry, we never found it. Yes, there is a whole bunch of "S-1-5" entries, but none related to our case, so thanks anyway.
 

Author Closing Comment

by:rayluvs
ID: 41823170
Thanks for the assistance. We chose our comments because they address our situation directly and give a viable solution for future members with the same problem.
