Solved

What possible cause for total user data deletion in Windows

Posted on 2016-09-24
21 Views
Last Modified: 2016-09-30
Hi, we are trying to figure out why our data has been deleted; that is, MS Office docs, videos and photos. Brief history to date: a week+ ago we ran a series of cleanup apps for viruses, spyware and malware (ran them a number of times until all results returned 0 infections). However, recently we noticed our docs were missing. What could have caused this?

Question by:rayluvs
21 Comments
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 100 total points
ID: 41813785
Sounds like a new or different profile is logged in. What version of Windows?
 
LVL 17

Assisted Solution

by:bigeven2002
bigeven2002 earned 125 total points
ID: 41813806
Hello,
After each of the virus/malware scans, were the results reviewed to see what was removed or quarantined? Since it sounds like there were existing infections, they may have already done their damage and deleted the files.

Did you have System Restore configured for the machine? If so, check that to see if you have any snapshots available prior to the infection.

Additionally, go to Start > Run, and type services.msc. Locate the Volume Shadow Copy service and start it. Then navigate to a directory where the files should exist, right-click that directory name and choose Restore previous versions. Review the snapshots, if any, and then select a snapshot and choose Open. This will open the snapshot to view the contents; check to see if your missing files are there. If so, you can copy them to another location or choose to restore that directory right then and there.

The above is actually a long shot since many viruses/malware are designed to delete the System Restore history to make recovery substantially more difficult.
 
LVL 87

Expert Comment

by:rindi
ID: 41813828
Maybe your files were encrypted by ransomware? Have you checked for files that have gotten a new extension? Also check for a txt or html file with instructions for paying the ransom.
 
LVL 13

Assisted Solution

by:John Tsioumpris
John Tsioumpris earned 125 total points
ID: 41813976
High-quality viruses and malware can "pass" totally undetected...
But the way you set the question ("we noticed our docs were missing") makes me wonder whether there is a human factor in the equation.
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814005
Usually, "missing" files indicate something other than malware. We find quite often that users either are set to the wrong autologon, or log into the wrong profile.
 
LVL 87

Expert Comment

by:rindi
ID: 41814014
Missing can also mean that their extensions have changed, and so they aren't being recognized as the files they were and so they aren't being found. Ransomware normally changes the extensions of files.
 

Author Comment

by:rayluvs
ID: 41814034
Good info, guys.

Did the 'Volume Shadow Copy'; it was 'manual' and we started it, but could find the folders.

As for 'different profile is logged in', the user name is the correct one.

As for encrypted by ransomware, we checked for files (videos, documents, photos, etc.) with actual names we know existed; none were found.

Is there a way to tell if it was ransomware?

Also, maybe it was the user, but how to know, especially when this computer is the adoration of the actual user. We doubt he wanted to delete all his docs.

And finally, "extensions have changed"; again, we searched for actual files with names we are sure existed prior to the problem.
 
LVL 87

Expert Comment

by:rindi
ID: 41814046
First of all, look for the ransom note. What was the reason you started with the malware scans in the first place? Was the PC infected?
 

Author Comment

by:rayluvs
ID: 41814048
Yes, infected.

No ransom note was ever presented, displayed or suggested by Windows...
 

Assisted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41814070
We think we may have found something...

Possible cause:
user profile created
Could this have had something to do with it?
(noticed that Windows created a series of temp folders for Jamie)
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814107
Yes. As I previously said, different profile. This sometimes happens when the disk is too full or when there is something else wrong with the profile. Have you looked in the profile list in the registry?
 

Author Comment

by:rayluvs
ID: 41814126
Where is the profile list in the registry, and what should we look for?
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814182
Back up the registry, then search for "profile list" (in HKLM). There should be a list of several long IDs, with a GUID for each, and a couple of short ones; those are the built-ins. Look for one with the word "temp" in it. Make sure you have an administrator login for this. Copy the profile to a new one. Rename the old profile to <profilename>.bak. Log in with the new profile.
 

Author Comment

by:rayluvs
ID: 41814240
Searched within HKEY_LOCAL_MACHINE and no "profile list"...

Can you give the exact registry address?
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814307
Don't have it right now. Try searching for S-1-5.
 

Author Comment

by:rayluvs
ID: 41814611
Nope; we'll keep trying.
 
LVL 87

Assisted Solution

by:rindi
rindi earned 150 total points
ID: 41814620
Look in the \Users\Jamie folder. If that was the original user account, the data should be there. Then just copy the data that isn't already backed up to some other storage. After that, reinstall the OS using the PC's recovery partition, run all updates etc., and create a new standard user account for the user (the Admin account should only ever be used for specific admin tasks). Reinstall any software needed, and then restore the data files from the backups.
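A read-only PowerShell check for the two things the comments above ask the poster to look at: the ProfileList key (the "profile list in HKLM" from ID: 41814182, which lives at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList) and an original \Users\<name> folder that no longer belongs to any profile entry (ID: 41814620). This is an added example, not code from the thread or from ReProfiler; it assumes an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): read-only diagnostic for the
# temporary-profile condition. Assumes an elevated PowerShell on the affected PC.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$usersRoot   = Join-Path $env:SystemDrive 'Users'

$referenced = @()   # profile folders that some ProfileList entry still points to

Get-ChildItem $profileList | ForEach-Object {
    $sid   = $_.PSChildName          # e.g. S-1-5-21-...-1001 (or ...-1001.bak)
    $props = Get-ItemProperty $_.PSPath
    $path  = $props.ProfileImagePath # REG_EXPAND_SZ; environment variables are expanded
    if ($path) { $referenced += $path.TrimEnd('\') }

    $flags = @()
    # A key ending in .bak is the original profile entry; Windows has created a
    # fresh key for the same SID that points at a temporary profile folder.
    if ($sid -like '*.bak')               { $flags += 'original entry renamed .bak' }
    if ($path -match 'TEMP')              { $flags += 'temporary profile path' }
    if ($path -and -not (Test-Path $path)) { $flags += 'profile folder missing on disk' }

    [pscustomobject]@{
        SID              = $sid
        ProfileImagePath = $path
        State            = $props.State
        Flags            = ($flags -join '; ')
    }
} | Format-Table -AutoSize

# Folders under \Users that no ProfileList entry references any more, e.g. the
# original \Users\Jamie after the account was switched to a temporary profile.
# The data may still be in such a folder even though the user cannot see it.
$builtIn = 'Public', 'Default', 'Default User', 'All Users'
Get-ChildItem $usersRoot -Directory |
    Where-Object { $referenced -notcontains $_.FullName -and $_.Name -notin $builtIn } |
    Select-Object FullName, LastWriteTime
```

The script changes nothing; it only reports the .bak/TEMP entries and orphaned folders so the data can be copied out before any profile repair or reinstall.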
 

Author Comment

by:rayluvs
ID: 41814918
Good advice! We'll proceed and report back...
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814980
There have to be several entries listing S-1-5; they are credentials built in to Windows.
 

Accepted Solution

by:rayluvs
rayluvs earned 0 total points
ID: 41815084
Hi rindi,

When proceeding with your comment, the user informed us that prior to our intervention, that is what they did (the copy part). When they logged in they noticed the '001', etc. folders. So they just copied the contents of their \Users\Jamie folder to whatever folder they saw as their %userprofile%, as their current folder.

That said, now we know exactly why their personal data were missing: it was deleted by Windows as soon as they logged off from their temp user account (as we stated in our finding in 'ID: 41814070'). Unfortunately, they never paid attention to the message since it displays quickly and vanishes (as they said).

For the benefit of all members that may run into this problem:

Possible cause:
As some of the EEs here stated, could be corruption, infection, Windows system file damage, etc.

Solution:
To try to solve this problem we found a series of tedious steps that comprise working with the registry, etc. However, we found a great tool that really helps: ReProfiler (http://iwrconsultancy.co.uk/download). The tool re-associates the profile with the account. You first download & install, make sure the bad username is not logged in, then set the assignment: done!

As for the "profile listing" in the registry, never found it. Yes, there is a whole bunch of "S-1-5" but none related to our case, so thanks anyway.
 

Author Closing Comment

by:rayluvs
ID: 41823170
Thanks for the assistance. We chose our comments because they directly address our situation and give a viable solution for future members with the same problem.
