Corrupt Windows Profile, All Programs and Personal Files are Missing

Note this is a work computer that another user used last. I'm not sure what they did, but I'm trying to fix their mistakes. Its possible they downloaded a virus.

The only other recent changes were the installation of Java 32 bit and Java 64 bit, which have now been removed. 

After the user rebooted/crashed the desktop, upon boot, the desktop was black with no icons except for the Recycling Bin. The taskbar was visible. Almost all non Microsoft software crashed with blank application icons. Chrome, VLC, all no longer work and are no longer listed in C:/Programs Files. Both C:/Program Files and C:/Program Files(x86) have been purged of all user installed software.

There are remnants that they were installed. The programs are still listed in the Control Panel's Uninstall a Program menu. The only application still working is Steam and Avira Antivirus.

All personal files are also deleted/missing. My Documents, My Downloads, My Music, My Pictures were all deleted. Trying to access them brings up an error C:/Users/Profile/Documents in unavailable. After looking around, both My Documents and My Desktop were found in the recycling bin and somewhat successfully restored. However all software is still missing.

As an odd aside, explorer.exe would only halfway load on startup. The taskbar and other explorer.exe features were working, but the actual File Explorer was not. Attempting to launch it caused an installation popup for Lenovo Hightails to open and repeatedly fail. It would crash explorer.exe and make it unresponsive. I believe this is a defunct piece of software that came with the Lenovo PC. After carefully manually removing Hightails from the Windows Install registry and its main registry location, I could not use explorer.exe and File Explorer. It's worth noting that Microsoft Edge does not work (it previously did) although Internet Explorer does. This was only to get explorer.exe working. All personal files and software was already deleted at this point.

At first it seemed like a hard drive error, however most Microsoft software works fine and My Documents was found in the Recycling bin...

I ran sfc /scannow and chkdsk /f. Both found errors which they said were successfully fixed. Nothing changed after the repairs. Booting into safe mode did not change anything.

Is it possible my Windows User profile is corrupt and not pointing to the correct file locations? My C:/Users/Profile/ only has the hidden .AppData folder. The normal Documents folder, etc have all been deleted. The .AppData folder seems correct and has remnants of the broken programs inside them. C:/Program Data also has folders showing that other software was installed. However the C:/Program Files folders are missing the relevant software.

For example, trying to launch 7zip brings up an error that the shortcut it refers to has changed or moved. There is a C:/Program Files/7-zip folder, but it only has a .dll and no other files or executables. Perhaps the virus couldn't delete this file? Chrome and all its folders and files appear to have been deleted.

Any help would be greatly appreciated! I'm fairly computer savvy and can answer questions for additional information.

Edited by Tiber, 05 December 2017 - 03:32 PM.

If these files were deleted then the more the computer is being used the more chance there is a sector will be written to thus preventing recovery. Personally I would remove the drive and attach it to another computer using a USB adapter before attempting to recover any data.

You can attempt to recover personal files with Recuva or one of the other programs such as Easeus Data Recovery or Minitools Data Recovery which require purchase to recover anything over 1 or 2GB.

Creating a new user account after recovering personal data should bring back your programs.

If these files were deleted then the more the computer is being used the more chance there is a sector will be written to thus preventing recovery. Personally I would remove the drive and attach it to another computer using a USB adapter before attempting to recover any data.

 

You can attempt to recover personal files with Recuva or one of the other programs such as Easeus Data Recovery or Minitools Data Recovery which require purchase to recover anything over 1 or 2GB.

 

Creating a new user account after recovering personal data should bring back your programs.

I used Recuva to look at the files. With 200,000 results. While some look to have been overwritten with a new Office 360 update, most look like they were old version of program that got replaced. Errant .oldWindows files (from the Windows 7 upgrade months ago I think). A search for "vlc" returns no results. A search for "chrome" only returns files from other programs. There aren't enough files to recover any of the programs and no actual .exe's.
 

It just seems odd that Windows managed to misplace all personal files and software. Also metro apps like Calculator and Microsoft Edge do not work at all. Some changes are there, some aren't. It doesn't appear to be a bad sector. 

I've ran an Avira Full system scan with no big results. I ran Microsofts Safety Scanner and Defender programs with no results. I'm preparing to install Windows update 1709, with hopes that it will detect any Windows file corruption.

Edited by Tiber, 05 December 2017 - 05:03 PM.

It is strange that the profile would be corrupted like this. I've never seen something like this.  Is there another user account on the computer you can login to? If Recuva failed take a look at one of the other programs. They may find something Recuva missed.

Edit: I think the only thing you can do at this point is create a new user profile after attempting to recover any personal data, if possible. 

Edited by JohnC_21, 05 December 2017 - 05:05 PM.

Hi, did you try a system restore to before this happened? Win 10 makes a complete registry backup every 7-10 days, it is called regback and resides in the c:\windows\system32\config folder.

It is possible to restore this backup (fixes many problems) if the backup you have was made before the problem occurred. This can do no harm.

You need to use the recovery environment, and as your machine still boots this is straight forward. Go to shutdown and select "restart" before selecting restart press and hold the "Shift" key, then click on restart.

Windows will open the recovery:-

You need to access the command prompt , typically it will have x:\windows\system32> at the prompt, at this type:-

(NOTE:- SYNTAX IS IMPORTANT USE SPACES WHERE SHOWN, type exactly as you see here)

bcdedit |find "osdevice" (press enter) The | is above the \ key.

It will return osdevice ......partition X (where X is a drive letter) for most win 10 users this will be D assume it is D if not change D to whatever the bcdedit cmd returns.

Next type:- D: (press enter)

The prompt now looks like this D:\> at this type:-

cd d:\windows\system32\config (press enter)

Next type:- dir (press enter) the contents of the config file will appear if you see a file called Regback note the creation date, if it was before the problem then proceed, if not you have lucked out, and this will not work. (note win 10 makes regbackup's every 7-10 days so you should be OK)

Next type:- cd regback (press enter)

Next type:- copy *.* d:\windows \system32\config (press enter)

Type:- All to the Yes\No\All prompt

Once completed restart computer. 

I'm guessing that the "other user" is no longer with the company and probably didn't leave on the best of terms.  Also sounds like they had local admin rights.  I'm guessing that they deleted as much as possible from the machine before returning it.

This doesn't sound like a virus as much as it sounds like deliberate actions.