Disappearing Files & Programs


  1. Posts : 7
    Win10
       #1

    Disappearing Files & Programs


    I'm posting this in the hope that those who have experienced the same thing could share, or those who have the slightest idea of what this may be could advise on this issue/threat.

    Our configuration...
    - All computers are running on Windows Home 10 2004 or later.
    - All computers have secondary local user account Administrator activated using different password. Used for administration/troubleshooting purposes.
    - All users are using only non-administrator user accounts to prevent installation or running of unknown software. They can't install software themselves or run critical programs that change system settings.


    Around mid February this year I've received a complaint from one of my users whose files just mysteriously disappeared. Upon checking I've found the following...

    - Computer prompted various errors of missing links and programs upon logging into windows.
    - Files (doc, xls & etc) had disappeared almost entirely from Documents, Desktops & Download folder.
    - Files in Program Files, WindowsApps & Program Files (x86) had mostly disappeared. Folders for non-Microsoft programs had disappeared whilst Microsoft's programs had all disappeared.
    - Shortcut links on desktop to programs had disappeared.
    - Hard disk removed from computer and plugged into another.
    - Used Recuva to check for deleted files but found nothing was deleted and nothing can be recovered.
    - Used chkdsk and hard disk is reported healthy.
    - Scanned for virus using Defender, Comodo Antivirus & Malwarebytes but found nothing.

    At this point I'm guessing that it has to do with hard drive corruption and proceeded to break the bad news to the user.


    Last week, another user reported a similar problem...

    - User noticed a slight slowdown of computer.
    - Windows prompted update and restart.
    - Second day, user turned on computer and noticed an error prompting a missing app from the WindowsApps folder.
    - Computer running slow with taskbar not responsive.
    - Further checks showed that files (doc, xls & etc) from Documents, Desktop & Download are mostly missing.
    - Shortcut links on desktop to programs had disappeared.
    - Files in Program Files, WindowsApps & Program Files (x86) had mostly disappeared. Folders for non-Microsoft programs had disappeared whilst Microsoft's programs had all disappeared.
    - Hard disk removed and checked with Recuva. More than 90% of files were found to be deleted and subsequently recovered.
    - Ran chkdsk, which resulted in restoration of a few cross-linked files. Probably due to forced shutdown by user due to Windows not responding.
    - Scanned for malware but found no traces.
    - Plugged back in and looked through msconfig and each task in Task Scheduler but found nothing suspicious.
    - No corrupted or temporary user profiles found.

    From here, I'm trying hard not to relate both these existing users' experience but they look awfully similar.


    This week, another user reported a similar condition. This time it happened in real-time in front of me...

    - Computer running extremely slow. Checked Task Manager but found CPU idling at 1~5%, HDD idling at less than 25%, RAM was utilized at about 50%, Network isn't downloading anything heavy. Windows update not running.
    - Any command/click took approximately 2 minutes to happen.
    - Taskbar not responsive.
    - Able to finally use command prompt to run force shutdown command.
    - Computer booted in safe mode. Computer appears to be slightly slow. Files are still intact. Nothing suspicious found.
    - Computer rebooted into normal mode but stuck on boot-up. Forced power off.
    - Computer booted again. Computer still slow.
    - Shortcut links on desktop to programs had disappeared.
    - Files in Program Files, WindowsApps & Program Files (x86) had mostly disappeared. Folders for non-Microsoft programs had disappeared whilst Microsoft's programs had all disappeared.
    - Computer forced power off to prevent further file removal in case of virus.
    - Hard drive removed and checked with Recuva. No user files (doc, xls & etc) deleted. Only files for programs.
    - Apps & Features still shows all the list of software installed.
    - Running programs (e.g. cmd, msconfig etc) as administrator failed, prompting "path not found". However, when running as a normal user, programs like C:\Windows\system32\cmd.exe exist and run normally.
    - No error on chkdsk.

    At this point, I can only relate three of these computers to having their Program Files, WindowsApps & Program Files (x86) removed. By what? I'm unsure since no malware was detected. Backdoor trojan? Targeted hacking activity? Corrupted hard drive? Or simply Windows Update wiping off data for a failed installation?


  2. Posts : 21,423
    19044.1586 - 21H2 Pro x64
       #2

    Hello p33pm3 and welcome to TF ,

    I would check drive health with a Crystal Disk Info, Hard Drive Sentinel or similar just to confirm it's not a drive issue. Unlikely, yes, I agree - but let's get that out of the way.

    Have you run sfc and dism to confirm they're okay?

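    The checks steve108 suggests (drive health, then SFC and DISM) can be run as one triage pass that leaves a written record. The script below is an added example, not code from the thread or from any poster; the report path, the -Repair switch and the 30-day event window are this example's own choices. It must be run from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): disk-health and system-file triage.
# Run in an elevated PowerShell. $ReportPath and -Repair are this example's own.
param(
    [string]$ReportPath = "$env:USERPROFILE\Desktop\disk-triage.txt",
    [switch]$Repair        # also run DISM /RestoreHealth and SFC /scannow
)

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) { throw "Run this from an elevated PowerShell; the reliability counters, DISM and SFC need it." }

$report = New-Object System.Collections.Generic.List[string]
$report.Add("Disk triage on $env:COMPUTERNAME at $(Get-Date -Format s)")

# 1. Physical disks and their SMART-derived reliability counters.
#    A disk pulled out and attached over USB to another PC often exposes no
#    counters at all, so empty fields here are not themselves a finding.
foreach ($d in Get-PhysicalDisk) {
    $r = $d | Get-StorageReliabilityCounter -ErrorAction SilentlyContinue
    $report.Add(("DISK {0} [{1}] health={2} status={3} wear={4} uncorrectedRead={5} uncorrectedWrite={6} temp={7}" -f
        $d.FriendlyName, $d.MediaType, $d.HealthStatus, ($d.OperationalStatus -join ','),
        $r.Wear, $r.ReadErrorsUncorrected, $r.WriteErrorsUncorrected, $r.Temperature))
}

# 2. Disk and NTFS error events from the last 30 days.
#    disk 7 = bad block, disk 11 = controller error, disk 51 = paging I/O error,
#    Ntfs 55 = file system structure corruption found.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7, 11, 51, 55; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in @('disk', 'Ntfs', 'Microsoft-Windows-Ntfs') }
$report.Add("Disk/NTFS error events since $($since.ToShortDateString()): $(@($events).Count)")
foreach ($e in ($events | Select-Object -First 20)) {
    $report.Add(("  {0:s} {1} id={2}: {3}" -f $e.TimeCreated, $e.ProviderName, $e.Id, ($e.Message -split "`n")[0].Trim()))
}

# 3. Component store and system file integrity. ScanHealth is read-only;
#    RestoreHealth and SFC change files, so they sit behind -Repair.
& DISM.exe /Online /Cleanup-Image /ScanHealth | Out-Null
$report.Add("DISM ScanHealth exit code: $LASTEXITCODE (0 = no corruption detected)")
if ($Repair) {
    & DISM.exe /Online /Cleanup-Image /RestoreHealth | Out-Null
    $report.Add("DISM RestoreHealth exit code: $LASTEXITCODE")
    & sfc.exe /scannow | Out-Null
    $report.Add("SFC exit code: $LASTEXITCODE; details are in $env:windir\Logs\CBS\CBS.log")
}

$report | Set-Content -Path $ReportPath
$report
```

    Run it once without -Repair to collect the evidence (the report file can go with the disk to another machine), and only add -Repair once drive health is confirmed, since SFC and DISM rewrite files on a volume you may still want to image or recover from. Note that SFC and DISM only cover Windows' own components, which matches the thread starter's later point that third-party programs were the ones affected.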

  3. Posts : 21,423
    19044.1586 - 21H2 Pro x64
       #3


  4. Posts : 11,671
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #4

    I suggest that you run Windows Defender Offline Scan - TenForumsTutorials

    I also think that you should isolate all your backup disks from the network and not reconnect them until the problem is resolved.

    Once the WDOffline scan is done, I think you should isolate each computer & each server from the network and restore its last system image using your imaging application's boot disk [not the installed applications themselves]. Only reconnect any after all have been restored.

    When that is all done, I suggest that you scan each backup disk whilst still isolated from the network. Then you can consider reconnecting them.

    I can think of no alternative explanation for your reported symptoms than malware.
    - The fact that you have not found any just means you have not found any and nothing more.
    - Unless, of course, the disappearances are caused by the deliberate action of some malcontent with physical access to the network.

    Best of luck,
    Denis


  5. Posts : 7
    Win10
    Thread Starter
       #5

    Hey thanks!

    I did run SMART reader within BIOS for these machines and they are running fine.

    I didn't manage to run SFC or DISM as...
    1. the computers are already running very slow to even right-click on a file.
    2. I can't run programs that require elevated (admin) rights.
    3. they could only restore Windows' own errors, but my case is affecting third-party software/apps more.

    My best next step is to do a full Windows restoration. I also have doubts on the safety/stability of the existing windows recovery on the computers to run SFC and DISM.

    I did try to run through the posts a couple of weeks back to see if any similar cases had popped up. But I don't see any.


    steve108 said:
    Hello p33pm3 and welcome to TF ,

    I would check drive health with a Crystal Disk Info, Hard Drive Sentinel or similar just to confirm it's not a drive issue. Unlikely, yes, I agree - but let's get that out of the way.

    Have you run sfc and dism to confirm they're okay?


  6. Posts : 21,423
    19044.1586 - 21H2 Pro x64
       #6

    Have you considered doing a full scan with something like MalwareBytes?


  7. Posts : 7
    Win10
    Thread Starter
       #7

    Thanks for the advice! Did so for my network shares as well as used Defender for scanning.

    Agree on your presumption on the cause.


    Try3 said:
    I suggest that you run Windows Defender Offline Scan - TenForumsTutorials

    I also think that you should isolate all your backup disks from the network and not reconnect them until the problem is resolved.

    Once the WDOffline scan is done, I think you should isolate each computer & each server from the network and restore its last system image. Only reconnect any after all have been restored.

    When that is all done, I suggest that you scan each backup disk whilst still isolated from the network. Then you can consider reconnecting them.

    I can think of no alternative explanation for your reported symptoms than malware.
    - The fact that you have not found any just means you have not found any and nothing more.
    - Unless, of course, the disappearances are caused by the deliberate action of some malcontent with physical access to the network.

    Best of luck,
    Denis
    - - - Updated - - -

    Did that as well. Scanned all > 300,000 files and found nothing.

    Usually, in my past experiences of virus activities, traces could be found but this time... nothing.

    steve108 said:
    Have you considered doing a full scan with something like MalwareBytes?


  8. Posts : 11,671
    Windows 10 Home x64 Version 21H2 Build 19044.1776
       #8

    Speculation only


    If the WD Offline scan also found nothing then I tend more towards direct malicious action by somebody with physical access to the network.
    - Somebody who could boot up from, say, an Installation USB on each computer then use its Command window to run a series of deletion commands. Do you have settings & passwords set in your BIOS to prevent booting from installation USBs?
    - Or somebody who could sit on one network server / client computer to do the same remotely. But some of the examples you've mentioned would require Admin if not System or even Installer privileges if Windows had booted normally. And I think they would have been more likely to have tried to mess up several computers at the same time.
    - Or somebody who could sit on one network server / client computer and plant scripts to do the deletions at a later time, possibly using hidden tasks in Task scheduler. This might be a rational explanation for the example you mentioned witnessing even though it would require the high-level permissions I mentioned. The script could include deleting the TS task & the script itself when it had done its job.

    I know that there might be malware so sophisticated that it can evade WD scanning.
    But for it also to be able to evade scanning by those other utilities you've tried as well is really something.
    People sometimes refer darkly to malware by 'state actors' with sophisticated technical resources sufficient to avoid detection.
    But why would a state try to annoy & confuse you & your users, in particular, by deleting things rather than by disabling your computer / stealing information from it?

    Denis


  9. Posts : 7
    Win10
    Thread Starter
       #9

    I'm not going to rule out what you suggest here, but it's great to have a view outside of my box.

    - The deletion process was executed in front of me on the 3rd case, so external boot device is ruled out. Moreover, the first case happened at a remote location and not connected in any way to where I am.
    - Password guessing or hacking admin privilege could be possible if the perpetrator is working within our network like one of our worker or neighboring office worker. But then again, like the first case, it happened at a remote location.
    - Scheduled task is very likely. As I've mentioned, I did go through each scheduled task on one of the computers and found nothing suspicious. But as you suggested, it might have cleared off its own tracks after execution. I'm leaning more towards this theory, in case of future cases (hopefully not!) as I've seen how malware did file-less remote executions bypassing detection by antivirus engines using Task Scheduler alone.

    I had a hint of suspicion that it may be an act by our business competitors but everything seems so detailed as three of them work in the same department. I could be laughed at for even suggesting this. Like what you've asked "why would they?" So, for now I'm putting my bets on malware or some sophisticated 0-day vulnerability infection.

    I just hope someone might read my post, having the same symptoms, and point out to me it's just something to be a little worried about.


    Try3 said:
    If the WD Offline scan also found nothing then I tend more towards direct malicious action by somebody with physical access to the network.
    - Somebody who could boot up from, say, an Installation USB on each computer then use its Command window to run a series of deletion commands. Do you have settings & passwords set in your Bios to prevent booting from installation USBs?
    - Or somebody who could sit on one network server / client computer to do the same remotely. But some of the examples you've mentioned would require Admin if not System or even Installer privileges if Windows had booted normally. And I think they would have been more likely to have tried to mess up several computers at the same time.
    - Or somebody who could sit on one network server / client computer and plant scripts to do the deletions at a later time, possibly using hidden tasks in Task scheduler. This might be a rational explanation for the example you mentioned witnessing even though it would require the high-level permissions I mentioned. The script could include deleting the TS task & the script itself when it had done its job.

    I know that there might be malware so sophisticated that it can evade WD scanning.
    But for it also to be able to evade scanning by those other utilities you've tried as well is really something.
    People sometimes refer darkly to malware by 'state actors' with sophisticated technical resources sufficient to avoid detection.
    But why would a state try to annoy & confuse you & your users, in particular, by deleting things rather than by disabling your computer / stealing information from it?

    Denis

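    Try3's scenario (a scheduled task that runs the deletion and then removes itself) and the thread starter's concern that a manual look at Task Scheduler comes too late share one answer: the task's registration, its action and its deletion are logged separately from the task itself, so the trail survives self-deletion when the logs are on. The script below is an added example, not code from the thread or from any poster; the 45-day window and the list of script engines it flags are this example's own choices. It runs in an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): hunt for a scheduled task that ran a
# deletion and then removed itself. Run in an elevated PowerShell.
# $Days and the $suspect pattern are this example's own choices.
param([int]$Days = 45)

$since   = (Get-Date).AddDays(-$Days)
$suspect = 'cmd\.exe|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.js|\.ps1'

# 1. Tasks that still exist: flag the combination of traits a self-cleaning
#    deletion task would need (hidden, elevated, running a script engine).
$existing = @{}
foreach ($t in Get-ScheduledTask) {
    $full = $t.TaskPath + $t.TaskName           # same form the event log uses, e.g. \Cleanup
    $existing[$full] = $true
    $exec  = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $flags = @()
    if ($t.Settings.Hidden)                  { $flags += 'hidden' }
    if ($t.TaskPath -notlike '\Microsoft\*')  { $flags += 'outside \Microsoft' }
    if ($exec -match $suspect)                { $flags += 'script/LOLBin action' }
    if ($t.Principal.RunLevel -eq 'Highest' -or $t.Principal.UserId -match 'SYSTEM|S-1-5-18') { $flags += 'elevated' }
    if ($flags.Count -ge 2) {
        $info = $t | Get-ScheduledTaskInfo
        "EXISTING {0}  [{1}]  lastRun={2}  action={3}" -f $full, ($flags -join ', '), $info.LastRunTime, $exec
    }
}

# 2. The Task Scheduler operational log keeps registration (106), action start
#    (200) and deletion (141) records even after the task has deleted itself.
#    Caveat: on Windows 10 client this log is disabled by default.
$log = 'Microsoft-Windows-TaskScheduler/Operational'
if (-not (Get-WinEvent -ListLog $log).IsEnabled) {
    Write-Warning "$log is disabled (the Windows 10 default); section 2 will be empty. Enable it for next time with: wevtutil set-log $log /enabled:true"
}
$history = @{}
$ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 106, 141, 200; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $ev) {
    $name = [string]$e.Properties[0].Value      # full task path
    if (-not $history.ContainsKey($name)) {
        $history[$name] = @{ Registered = $null; RegisteredBy = ''; Deleted = $null; Actions = @() }
    }
    switch ($e.Id) {
        106 { $history[$name].Registered = $e.TimeCreated; $history[$name].RegisteredBy = [string]$e.Properties[1].Value }
        141 { $history[$name].Deleted = $e.TimeCreated }
        200 { $history[$name].Actions += [string]$e.Properties[1].Value }
    }
}
foreach ($name in $history.Keys) {
    $h    = $history[$name]
    $gone = -not $existing.ContainsKey($name)
    $acts = ($h.Actions | Select-Object -Unique) -join ' ; '
    # Report: registered and deleted inside the window, or no longer present
    # but seen launching a script engine.
    if (($h.Registered -and $h.Deleted) -or ($gone -and ($acts -match $suspect))) {
        "HISTORY {0}  registered={1} by {2}  deleted={3}  stillPresent={4}  actions={5}" -f
            $name, $h.Registered, $h.RegisteredBy, $h.Deleted, (-not $gone), $acts
    }
}

# 3. The Security log holds a second copy (4698 created, 4699 deleted), but
#    only when "Audit Other Object Access Events" is enabled:
#    auditpol /set /subcategory:"Other Object Access Events" /success:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698, 4699; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Task Name:\s*(\S+)') {
            "AUDIT {0:s} {1} {2}" -f $_.TimeCreated, $(if ($_.Id -eq 4698) { 'created' } else { 'deleted' }), $Matches[1]
        }
    }
```

    Because the thread starter could not run anything elevated on the affected machines, the practical route is to export the two logs from the pulled disk or from an elevated prompt once it works (wevtutil epl with the log name, or copying the .evtx files from \Windows\System32\winevt\Logs) and then point sections 2 and 3 at the copies by replacing LogName with Path in the FilterHashtable. Enabling the operational log and the audit subcategory on the remaining machines now costs nothing and is what turns the next occurrence from a guess into a record.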

  10. Posts : 27,241
    Windows 10 (Pro and Insider Pro)
       #10

    I agree with Try3, and your statement in the last post.

    This looks like direct remote access to me. No heavy traffic is necessary. Only few scripts. Don't forget about exchange vulnerabilities that were patched last week - if they were.

    Do you have exchange on your servers? Did you patch them all?

    In the case that servers were compromised, there could be malicious code on them, that won't be recognized as such.

