Hard drive contents randomly disappeared?

[Deleted User] Posts: 2,570
Forum Member
I was wondering if anyone could shed any light on a problem my mum had the other day, that I'm absolutely stumped with.

She has a fairly old XP machine with a 300GB internal hard drive (with about 40GB free) and several externals. At 11am-ish on Wednesday she said her PC "went blue", so she restarted, and when it came back the majority of the contents of her HDD was missing, now having about 270GB free.

By the looks of it her profile had been completely wiped, apart from the odd file or two; she had two folders on her desktop and a Firefox favourite left. Quick Launch had gone, her Start menu had been wiped, as well as 95% of her My Documents folder where she kept her work, totally gone without a trace.

Checked eventvwr for oddities at around the time she said it happened, nothing that strange but there were two TCP/IP warnings saying that the maximum number of connections had been reached and throttled, along with another one but can't remember what it said (will get screenies of them tomorrow...)

Anyone ever seen anything similar to this? I'm totally stumped.

Whatever has happened, it appears to have done a quick wipe of her hard drive, so hopefully the actual stuff is still there? I can't see 250GB of stuff being removed in a couple of seconds any other way, but the weird thing is there are still odd bits and pieces still present, like the odd desktop folder, some applications, Firefox etc.

I did a system restore from the day before and it got the profile back, but little else of use (although in all honesty I'm not sure what the limitations of system restore are; does it just do the profile and other bits?)

She diligently scans everything she downloads these days, and I've shown her how to keep virus definitions up to date etc., but the way she uses a PC seems to invite trouble. She does a lot of crafting and various creative stuff; in the past I've found dodgy stuff in Photoshop brushes she's downloaded, and when I tried to run MBAM to do a scan yesterday it wouldn't start.

Comments

  • Zenith Posts: 3,868
    Forum Member
    Have you tried running MBAM under safe mode?

    It sounds like there are files on there that your Mum would like to keep. If so, I would tell her to stop using it for now, as she may overwrite files that are still on the drive.

    I can understand why you did a system restore, but that may have overwritten some files also.

    I would try a couple of things. Firstly, booting the PC from a Linux Live DVD/CD. You may then be able to see the files that are "missing". If so, you could transfer them to an external HDD or USB stick (depending on size).

    You could also remove the HDD, put it in a USB caddy and connect it to another PC or laptop to see if you can find the files.
  • RobinOfLoxley Posts: 27,040
    Forum Member
    Check for hidden and system files and folders.
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/win_fcab_show_file_extensions.mspx?mfr=true

    Some viruses also hide files. A different virus scan may be useful, and this Unhide.exe utility.
    http://www.bleepingcomputer.com/download/unhide/
  • max99 Posts: 9,002
    Forum Member
    Malware hidden files was also going to be my main suggestion, as it's a common tactic for Ransomware to hide files and Start Menu items.

    But there are a few other possibilities and things to try. However, as mentioned above, the more you do with the computer, the more risk there is of overwriting the data.
    • Running a file recovery program like Recuva is obviously one of the main things which needs to be done. This can be run from a USB stick, so no need to install it to the hard drive and risk overwriting any data.
    • Check the Documents and Settings folder, as the user account may have been backed up/duplicated/renamed and is still present.

    • Search all files and folders (including hidden and system files) for *.jpg, *.doc, or whatever types of files you know should be present.

    • Running chkdsk /r might fix a disk corruption problem and bring the data back. There is a good chance of this working (especially as the machine crashed and wasn't shut down properly), but, if the hard drive is failing, there's also a chance it may make things worse.

    If you do manage to find the data, ensure that from now on it's backed up onto one of the external drives.