Question

Stumped experienced Tech...Files Mysteriously Deleted?

By service
Greetings all. I love tech challenges but this one has me stumped!

So basically I have a laptop that's running Windows Vista Basic and all my documents, favorites, pictures, etc got deleted mysteriously. My main concern is recovering the files.

Few Google hits yielded that I may have corrupt user profiles so I attempted to restore the user profile and created a new one and the same thing happened with the new user profile that I created! All the files on the desktop started to delete one by one in front of my eyes.

First thought I might have a really nasty virus so I hooked the drive up to an external enclosure and scanned it on another PC with AVG, Malware Bytes, Ad-Aware and not a single virus!

Secondly I tried to use data recovery software R-Studio, Easus Professional and was able to see that the documents were indeed deleted so I recovered them to find that they were all corrupted.

I'm just about all out of options and I'm thinking about throwing the towel in unless someone has any suggestions? I would greatly appreciate it!


All Answers

Well...

by seanferd In reply to Stumped experienced Tech. ...

The first thing to do would be to not use the drive at all and slave it to another machine, or boot from live media, before poking around. A raw disk image backup would be even better. If you use the OS at all, especially using the internet or installing anything, you are likely to render deleted items unrecoverable.

So, not knowing how you approached recovery, I might only suggest that you may have corrupted the files which were only deleted before.

Have you tested the drive itself with the vendor's utility? It could have some bad sectors, or it could be failing. A chkdsk might also tell you if something is wrong with the filesystem.

Indeed, it is odd that your user files but nothing else were killed. That sounds like a drag and drop accident more than anything else. But as you note, the files disappeared before your eyes, so maybe there is ransomware involved, and you should be scanning for malware with some different tools, best done with the OS offline, or at least in Safe Mode. (But installing anything on the drive itself lowers any chances of file recovery.)

Response To Answer

by service In reply to Well...

Thanks for your reply. The drive tests all checked out in addition to chkdsk so I don't think it's a faulty hard drive causing the problem. All applications are functioning normally.

Do you have any suggestions on any other programs I can utilize to scan the hard drive for ransomware? The computer with the issue is running Kaspersky and nothing was found in the scan. Also another important note I left out was that the user who first noticed the problem was opening a zip file from a Mac computer and then noticed the file deletion.

You could attack this with one of the many Rescue Disc's

by OH Smeg In reply to Stumped experienced Tech. ...

I personally like the Trinity Rescue Kit here

http://trinityhome.org/Home/index.php?front_id=12&wpid=5

F Secure

http://www.f-secure.com/en/web/home_global/support/installers

I have had great success with these in the past but there are numerous others available.

Michael Kassner wrote an article on Rescue CD's and how to use them a while ago but I currently can not find it after the site redesign. The only one I can find is this one which was prior I believe.

http://www.techrepublic.com/blog/security/rescue-cds-tips-for-fighting-malware/3803

Col

It may be too late but..

by Chi-7 In reply to Stumped experienced Tech. ...

As mentioned above, the first thing is to take the drive off line and via external enclosure or USB to SATA / IDE adapter mount it as read only and make a "bit copy" of the drive, this copy becomes the surgical subject, preserving the original.

In my world of Linux "Sleuth Kit / Autopsy" would be the tool of choice to examine the slack space which is where files deleted from the file allocation table are assigned, the fear is once anything is written to the drive the slack space has been altered, the more fragmented the drive, the more widespread the possibility of file corruption.

As previously mentioned could be a drag and drop incident, ransom ware or deleted / corrupted user profile which would destroy the file permission, definitely a 64 oz. coffee and possibly pint of "old #7" project.

best of luck!
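
The "bit copy" step recommended in the replies above (seanferd's raw disk image, Chi-7's read-only copy), as an added example that is not part of any poster's reply: a shell function that images a drive once and verifies the copy by SHA-256 before any recovery work starts. The name `image_and_verify` and the device path in the comments are hypothetical; it assumes a Linux host with `dd`, `sha256sum` and, for real devices, `blockdev`.

```shell
#!/bin/sh
# Added example: image a source once, then prove the copy is bit-identical.
# SRC may be a block device (e.g. /dev/sdX, a placeholder) or a plain file.
image_and_verify() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image: $dst" >&2
        return 2
    fi
    # On a real block device, ask the kernel to reject writes before reading.
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$src" || return 2
    fi
    # Plain sequential copy; dd stops at the first read error, which then
    # shows up as a non-zero status here instead of a silently short image.
    dd if="$src" of="$dst" bs=65536 2>/dev/null || return 1
    # Hash source and image independently and compare.
    src_sum=$(sha256sum < "$src" | awk '{print $1}')
    img_sum=$(sha256sum < "$dst" | awk '{print $1}')
    if [ "$src_sum" != "$img_sum" ]; then
        echo "hash mismatch: image is not a faithful copy" >&2
        return 1
    fi
    # Record the digest in a form `sha256sum -c` can re-check later,
    # and make the image read-only so later work cannot alter it.
    printf '%s  %s\n' "$img_sum" "$dst" > "$dst.sha256"
    chmod 0444 "$dst" "$dst.sha256"
    echo "$img_sum"
}

# Stand-alone use: sh image.sh /dev/sdX /mnt/evidence/disk.img
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Recovery tools are then pointed at the image, or at a further copy of it, while the original drive stays disconnected.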

Files Mysteriously Deleted

by bni1369 In reply to Stumped experienced Tech. ...

Have you checked the permissions on that drive? Sometimes, files will not show up unless you take 'ownership' of that drive. Just a thought.
