
Not sure whether it's data recovery or virus. Any experience here/guidance


3 replies to this topic

#1 kevsat78

kevsat78

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:36 PM

Posted 29 May 2013 - 11:07 AM

Hey guys,

I'm not exactly new to the forum, but I have to admit, I don't use it that often. I've run into a rather interesting request from a client and was wondering if anyone would like to shed some light. I had a client give me a laptop running Windows 7 Home Premium. He left the machine home over the weekend, and when he got back to it, it seems to have had EVERY file deleted. All his folders are still in the correct places in Documents, but anything file related inside the folders has been deleted. His MS Office software seems to have been uninstalled as well, and the system logs are reset to the day he got home. It's like it did a factory reinstall but kept all his folders intact with no documents inside. Does this sound familiar to anyone? I have plenty of data recovery options, and of course the tools on here www.bleepingcomputer.com are invaluable to me. I just don't want to make too many moves until I have some insight. ANYONE FAMILIAR WITH THIS SCENARIO???

THANKS,

that geek at kmc


Edited by kevsat78, 29 May 2013 - 11:08 AM.



#2 kevsat78

kevsat78
  • Topic Starter


Posted 29 May 2013 - 11:10 AM

Of course, he had already run all the usual suspects. RKill + Combofix, MBAM, and I think he mentioned Avast. Strangely... It also installed 91 updates, as if it had lost all of its updates once he shut down from trying virus removal and unhide.exe and got nothing.



#3 whoabuddy

whoabuddy

    Bleepin' Verbose


  • Malware Response Instructor
  • 2,053 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:10:36 AM

Posted 29 May 2013 - 11:22 AM

Hi kevsat78,

It's hard to say just by that description alone, but it sounds like the system may have gone through a "factory reset" that's provided by some of the manufacturers. I had a client with a similar scenario: PC wouldn't boot, attempted recovery, accidentally restored system to factory state and lost everything. This operation will delete all files/folders on the machine and set it up like brand new again - although if you are trying to recover anything it's better to not make any modifications until you run the recovery utilities.

I would try Recuva by Piriform to try and locate the missing files, or if you want to try something offline look into PhotoRec (which comes on the Parted Magic CD I believe). These are both great data recovery options, and hopefully you can still get access to your old files.

Best of luck!

whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#4 kevsat78

kevsat78
  • Topic Starter


Posted 29 May 2013 - 11:31 AM

Thanks for your reply. I have some great paid recovery software, and the "factory restore" was his words. It hasn't been reset to factory settings. I'd know (at least, I like to think I'd recognize the difference, lol). His file system (document folders, etc.) is perfectly intact. All folders are there. AND MS Office was a part of the "package" that Toshiba would have included in the "factory reset"; even if he'd used his own recovery disk, that wouldn't have gone anywhere. It looks like someone took the time to go through each folder and delete only the documents with file extensions .docx, .jpg, etc., leaving a ton of empty folders. It even emptied all the files etc. in the system files and program files folder. All the sub folders are there, but nothing else. I can't locate drivers even.... The reason I turned to bleepingcomputer.com is because malware is getting meaner and meaner, and I didn't know if anyone recognized this as something coming from some mutation of that "hide all your files" virus. It's just a very unique situation...


Edited by kevsat78, 29 May 2013 - 11:33 AM.




