Personal files and settings disappeared



#1
Shaney (Member, 26 posts)

Hi,

I'm really stumped and hope you can help me.

PC - Fujitsu Siemens Amilo MS2212
OS - Windows Vista
HDD 60 Gb
Date problem was noticed 4th November at about 21:00
Recovery tool - getdataback for NTFS

Symptoms -
All personal files missing, log in remains the same. I think this might be after a virus.

Problem -
I can log on to the PC exactly the same as usual and it runs fine and accesses the internet OK.
The problem is that the computer has none of the personal files on either the desktop or in my documents or anywhere. I have also noticed that none of the personal apps like Skype or Office or email or Mozilla or favourites are there either.

It's like the computer was pretty much when it was first bought.

I have had a look around their hard drive and noticed that some folders have access denied.
The next step I did was to run a virus scan, which did not show much info bar a couple of tracking cookies.

I have now put on a file recovery application and have found all of the folders like 'my docs' and 'xyz docs', but there are about 11 copies of the same file, in each NTFS instance.
There are about 7 different NTFS instances to choose from and they all contain the same files. Given that the HDD is only 60 Gb the recovery estimation is in the terabytes, which seems a bit strange. I recovered their my documents from one of the NTFS instances but nearly all of the Word documents are unreadable along with most of their pictures.

It's like a virus has installed itself, hidden or corrupted or encrypted all the 'my docs' files and then deleted itself.

I have searched and searched the internet for a similar problem but to no avail, so any help or pointers you can give me would really help as I am out of ideas.

Azarl has helped delete the Malware, but I would really appreciate some help understanding what has happened to the files and what can be done to recover them.

Thanks in advance,


Shane.

Edited by Shaney, 13 December 2010 - 05:46 AM.


#2
Humza (Member, 14 posts)

I'm not a Geeks To Go qualified malware person or anything, but why don't you check how much storage is used up in your primary HDD: Computer > Right click on C. If there is about 6GB or less then unfortunately there won't be a guaranteed way to get your files back that I know of.

If not please reply and I'll try and go from there.

#3
phillpower2 (Mechanised Mod, Moderator, 23,061 posts)

Humza Bobat may be on the right track with a lack of storage space being available on the HDD causing your issues.
Vista Shadow Copy requires a minimum of 15% of the total HDD storage space on a permanent basis to back data up to; if it doesn't have it the data becomes corrupt and the HDD can fail. See the attached link for some info:
http://www.wikihow.c...n-Windows-Vista
You may need to use an external USB HDD enclosure to transfer your data across to another computer http://www.newegg.co...N82E16817729011 (this is an example only). For attempting to retrieve your data from the HDD, try one of these http://www.snapfiles...tarecovery.HTML or one of these http://3d2f.com/tags...sh/disk/repair/ Recuva has a good success rate.
Hope this helps you and let us know how it goes.

#4
Troy (Tech Staff, Technician, 8,841 posts)

Hey mate,

What do you find when you boot off a bootable disc like Linux? This will let you bypass permissions issues and see the data as it is.

#5
Troy (Tech Staff, Technician, 8,841 posts)

> The problem is that the computer has none of the personal files on either the desktop or in my documents or anywhere. I have also noticed that none of the personal apps like skype or Office or email or Mozilla or favourites are there either.
>
> It's like the computer was pretty much when it was first bought.

This comment has me thinking, perhaps the system was restored back to original condition, which would wipe off user data and installed programs. Did your parents do anything, or give it to anyone else first?

#6
Shaney (Topic Starter, Member, 26 posts)

Hi Troy,

They had this (Malware) window that kept on popping up asking them to do something (they can't remember) and they just closed it until one time my Dad hit OK, just to get rid of it. The Malware then proceeded to do something and then finished, leaving the computer almost exactly like when they first got it, except that all of the logon credentials were not changed.

I have used some tools to look at the data (please see this thread - http://www.geekstogo...ps-disappeared/) and then got some help from a guy called azarl, but he was only able to get rid of any malware.

It's a really tricky one as I can see the data when I remove the HDD and attach it to my PC and run a recovery tool on it. The weird bit is that it is in about 8 or so instances and the files are multiple, meaning if I try to recover it I would be recovering about a terabyte of data from an 80 Gb HDD!!

You could be right about the restore. Is there any way I can check this? Also, any suggestions on a good Linux boot app?

I am really stumped that this type of malware or problem isn't known as my folks cannot be the only unfortunate people for this to happen to.
Any help or suggestions would be welcomed.


Thanks,

Shane.

#7
Shaney (Topic Starter, Member, 26 posts)

Another weird one is that all of the files for the user profile, e.g. Desktop, Documents and Music etc., were all created on 4th November at 21:51.
I also found a folder called tmp (created on 4/11/10 at 21:49) and in it was a txt file that had this:

"Start"
"In Main"
TARGET=d:
DRIVE=
WINRE_ROOT_DIR=
The entry {ad6c7bc8-fa0f-11da-8ddf-0013200354d8} was successfully created.
The operation completed successfully.
The operation completed successfully.
The entry {572bcd56-ffa7-11d9-aae0-0007e994107d} was successfully created.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.


Any ideas?

Best,

Shane.

#8
Humza (Member, 14 posts)

That is really weird. As for a good Linux boot thing, I would recommend http://www.ultimatebootcd.com/ purely because of the tools available.

#9
Troy (Tech Staff, Technician, 8,841 posts)

Attaching it to your computer would achieve the same thing as a boot disc. So when you attach it, you still cannot see the actual data hiding anywhere, and only by recovery software can you see stuff listed?

What a shocker. I personally would grab a 1TB and recover the lot and be done with it. As it is your parents' data, give them the 1TB in a USB caddy as a Christmas present and let them sort through it! :D