A few years ago, when support for Windows Vista ended, I picked up an HP Compaq 8200 micro tower for my father that was being donated by the IT department of a local area health clinic a friend worked at. The machine itself was a mostly stock Core i3 version, with the exception of added RAM scavenged from another computer of the same type and frequency.
He's the archetype of the baby boomer computer illiterate, as well as penny wise and dollar/pound stupid, so he was using the computer for simple things like email, reading online news and investment articles, watching things on YouTube, scanning and printing documents, etc. He was also not doing anything like paying for cloud-based storage/backup.
He does whatever he does on the computer until a few months ago this year, when I get a series of panicked calls and emails (sent from my mother's computer) telling me that the computer won't start. I eventually manage to get him calmed down enough to try to turn the thing on and give me the error message, so I can look it up. The message looks to be associated with a bad master boot record, so I go over there with a copy of Windows 7 and try to rewrite it. No luck there, so I make a Linux Mint Live USB, start up, run ClamAV, transfer his documents, financial documents, passwords, photos, etc. over to another USB drive, and then do a reformat/fresh Windows 7 install on his machine, getting drivers set up, setting up new Administrator and everyday-use accounts for him, getting LibreOffice installed, etc.
For a month or so everything seemed fine, and he continues on as normal, until one morning I get a series of emails again. The computer had, sometime during the night or early morning, turned itself back on and system-restored itself back to the state it was in before it went down the first time. I had reformatted the hard drives on the machine, deleting all partitions and redoing everything from scratch, so all local copies of this data should have been destroyed. Backup images were not being made to an external hard drive or anywhere else that I was aware of. I don't think he'd be able to do a system restore from a backup image even if there was one saved somewhere at that house. The only answer I could come up with was that his data existed out there somewhere without his consent or under his control, and that someone for some reason had remotely turned on a shut-down computer and restored it to a state from a few weeks earlier.

After a few days I managed to get him to pull the power cable from the back of the tower, change all his passwords, and put a watch on all his financial accounts, as tax documents, investment stuff, etc. were included in the restored data, to try to control potential damage and make whatever data might be out there useless.

I was finally able to get out to their place last night, and after turning off their Roku and my mother's computer, unplugging power from their gateway, and making sure the LAN cable was unplugged from his computer, I started his up. On booting up it had one option for Windows 7 that led to the recovery environment, and another for Windows 7 Pro (recovered). Sure enough, upon booting up it takes me to his computer as it was before all this happened. Everything I did after reformatting is gone. I opened up the Event Viewer and was able to find entries relating to recovery in June (when it went down) and July (when it turned on and restored itself), but was not able to make much more of it than that.
How did this happen? What can I do to find out what happened or further secure my parents' information?
The friend who got the donation computer in the first place did mention that the IT department he worked for was trying to move things into the cloud, but I haven't been in contact with him for over a year, and that was mentioned maybe two or three years ago. When my father received this computer it had a fresh reformat/install of Windows 7 Pro. I have set their computers to update automatically, so all drivers/patches should have been current. Could this computer be registered in a block of serial numbers by the clinic it was donated from to a cloud backup server, and have been caught up in a company-wide restore? Could my father's computer be part of some sort of botnet? I've never heard of a shut-off computer starting on its own and then remotely restoring, but that looks to be the case here.
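To answer the "what can I do to find out what happened" part before anyone guesses at a cause, the first useful step is to pull the evidence the machine itself keeps: which boot entries exist (the "recovered" option), what last woke the machine, which timers, devices and scheduled tasks are allowed to wake it, and the power/boot and restore-related events around the June and July dates. The script below is an added example and is not from the original post; it only uses standard Windows 7 tools (bcdedit, powercfg, schtasks, vssadmin, Get-WinEvent) and writes everything to a text file so it can be reviewed on another machine. The output path and the 120-day window are assumptions; adjust them to the actual dates. Run it from an elevated PowerShell prompt with the LAN cable still unplugged.

```powershell
# Added example, not the poster's own script. Collects evidence about unattended
# power-ons and restores on a Windows 7 machine without changing anything on it.
# Assumptions: the USB stick is E:, and the interesting events fall in the last 120 days.

$out   = "E:\recovery-evidence.txt"          # assumed output location (USB stick)
$start = (Get-Date).AddDays(-120)            # assumed window covering June and July
$end   = Get-Date

function Add-Section($title, $body) {
    "`n===== $title =====" | Out-File $out -Append
    $body | Out-String -Width 200 | Out-File $out -Append
}

"Evidence collected $(Get-Date) on $env:COMPUTERNAME" | Out-File $out

# 1. Boot entries: shows what the "Windows 7 Pro (recovered)" option points at
#    (device, partition, osdevice) and whether a recovery/WinRE entry is wired in.
Add-Section "Boot configuration (bcdedit /enum all)" (bcdedit /enum all)

# 2. Wake sources: what woke the machine most recently, which timers are armed,
#    and which devices (for example the NIC, for Wake-on-LAN) may wake it.
Add-Section "Last wake source (powercfg /lastwake)"   (powercfg /lastwake)
Add-Section "Armed wake timers (powercfg /waketimers)" (powercfg /waketimers)
Add-Section "Devices armed to wake (powercfg /devicequery wake_armed)" (powercfg /devicequery wake_armed)

# Per-device wake enable flags from the WMI power classes (includes network adapters).
$wake = Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceWakeEnable |
        Select-Object InstanceName, Enable
Add-Section "MSPower_DeviceWakeEnable" ($wake | Format-Table -AutoSize)

# 3. Scheduled tasks: a task with "wake the computer to run this task" set can power
#    a sleeping machine on. schtasks is used because the ScheduledTasks PowerShell
#    module does not exist on Windows 7.
$tasks = schtasks /query /v /fo CSV | ConvertFrom-Csv
Add-Section "Scheduled tasks" ($tasks |
    Select-Object TaskName, Author, 'Run As User', 'Last Run Time', 'Next Run Time', 'Task To Run' |
    Format-Table -AutoSize)

# 4. Boot and power events in the System log:
#    Kernel-General 12/13 = OS started / shutting down,
#    Kernel-Power 41     = reboot without a clean shutdown,
#    Power-Troubleshooter 1 = returned from sleep, with the wake source in the message.
$power = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General',
                   'Microsoft-Windows-Kernel-Power',
                   'Microsoft-Windows-Power-Troubleshooter'
    StartTime    = $start
    EndTime      = $end
} -ErrorAction SilentlyContinue
Add-Section "Boot/power events" ($power |
    Select-Object TimeCreated, ProviderName, Id, Message | Format-List)

# 5. Anything mentioning restore or recovery in System and Application, which is
#    what the Event Viewer search turned up; here it is exported with full messages.
$restore = Get-WinEvent -FilterHashtable @{
    LogName   = 'System', 'Application'
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'restor|recover' }
Add-Section "Restore/recovery-related events" ($restore |
    Select-Object TimeCreated, LogName, ProviderName, Id, Message | Format-List)

# 6. Shadow copies (System Restore points live here) and any logon events from
#    accounts that should not exist on a freshly rebuilt machine.
Add-Section "Shadow copies (vssadmin list shadows)" (vssadmin list shadows)
Add-Section "Local accounts" (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, PasswordRequired | Format-Table -AutoSize)

Write-Host "Done. Review $out on another machine."
```

Read the boot-configuration section first: the partition the "recovered" entry points at tells you whether the restored system came from a partition on the same disk (one the reformat may not have removed) or somewhere else. Then match the Power-Troubleshooter and Kernel-General timestamps against the July morning; a wake source of a timer or a network adapter, combined with a scheduled task or an armed NIC, is what a remote or scheduled power-on looks like in the logs, and a Kernel-Power 41 with no wake event looks different. Either way, keep this output with the disk image before reinstalling again, since the next rebuild destroys it.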