Spontaneous Windows Refresh

glennd

Last week I got a call from a customer who claims she was chatting with someone on Facebook when the computer suddenly started doing bizarre things (as if it had been taken over). After a while she switched it off and walked away. Later she returned and switched it on only to find all of her programs, desktop icons etc. gone. By the time I saw it, it was looking like a fresh installation. Documents and pictures are still there. While we're chatting and trying to work out what happened I'm throwing every kind of anti-virus, rootkit, malware scanner I've got at it, and it comes up 100% clean. The event viewer goes back as far as the incident. As best I can determine, a Windows Refresh has been performed. She denies everything except chatting on Facebook.

Has anyone ever heard of such a thing?
 
Scheduled tasks?
Some weird program like Faronics Deep Freeze installed?
Maybe try LastActivityView to see what went on before it happened?

Just some ideas.
 
Part of the Refresh is deleting all events, activity etc., resetting Windows back to factory so there is no "before it happened". LastActivityView just shows post-refresh activity. Even the Telstra mobile broadband lost its settings. (OMG another phone call to Telstra!!) Internet Explorer is reset so there's no bookmarks, history or anything.
 
I am thinking your client did a system restore ... had a couple weeks ago where the client says "I don't know what happened, turned it off one night and turned it on the next day and everything was gone" When he brought it to me it was like it was just purchased ... all the trialware and crap on it. I was able to restore his QB file and most of his photos. I think he was embarrassed for whatever reason and didn't want to tell me he initiated a factory restore. He now backs up his data regularly ... we will see how long that lasts.
 
I suspect the customer is not telling the whole story. That's not unusual, but nevertheless it would be interesting to know if a spontaneous refresh really has ever happened.

I believe they found the Loch Ness Monster also?
 
Totally agree - customer isn't being fully forthcoming OR they are oblivious. Had a customer (business client) who performed a factory restore in an attempt to fix their sound card (speaker cable unplugged). I pulled a Hail Mary to get their QuickBooks data restored, they were nonplussed. Fire ME. Good Gawd.
 
I am gonna assume the system is in fact Windows 8 when hearing the words Windows Refresh. I gotta go with Ray and say that the customer probably isn't telling the whole story.
 
Agreed, as apparently no one's ever heard of this happening on its own. Yes, Windows 8, I failed to mention that. I'm guessing there was some kind of Windows catastrophic failure and the user was presented with an option she didn't understand but agreed to, which resulted in an undesirable outcome.

I didn't think about temporary profile. I must remember to look next time I have that machine.
 
It's baaacck! She rings after hours Friday and leaves a message. I call back Monday morning, no answer, no voice mail. She calls back Monday night after hours, leaves another message.

Phone tag stops being amusing after a while. Need to remind her of business hours and the fact that she has a car and knows how to drive it.

Anyway, she's convinced she has a virus, don't know why. Viruses don't propagate well by committing suicide.
 
If the profile has returned back to normal, I think that reaffirms that a temporary profile was the reason for the missing icons. Assuming that's what happened, the cause may be a failing HDD, in which case the problem will likely return sooner or later.
 
Back on the bench. She doesn't want to see it any time soon. Again, she says she was browsing on Facebook when it happened. I looked around and it looks like a brand new Windows installation. There's no other profiles that I can find. Event viewer goes back to the day of the incident, i.e. nothing but indications of a new installation. The only difference I can see with last time is this time everything is gone. Photos, documents, desktop, the lot. (Good thing I did a backup not too long ago.) gsmart indicates no failures. gsmart short test is OK. Running long test now. Full scan with AVG rescue disk, Kaspersky rescue disk, ComboFix, running more as I type.

I don't expect to find anything. I'm thinking she hit something on Facebook.
 
Might be worth just nuking it and starting over with your own disk TBH. Maybe there's something wrong with the refresh image it's applying?
 
Might be right. I'm going to stick with it for a while because I want to see it happen and because I know y'all are waiting with bated breath for the outcome.

I read that Chrome and Firefox are currently more susceptible to Facebook virus than exploder...
 
Update: I installed Chrome, logged on to Facebook and went looking for the post she described as being the video she looked at when things went wrong. I came across a video from movieworldaholics.com. I said to myself, "Self, what have you got to lose?" so I clicked on it and did every dumb thing you're not supposed to do. "Your movie player needs updating" "Your Java needs updating" "Your computer is infected, click here" "Your registry needs fixing" I clicked everything!!! As expected I ended up with a useless computer.

But it didn't trigger the Windows Refresh.

Now, I'm not a Facebook person, perhaps someone can help. When I log on to the customer's Facebook page and start browsing down, it only goes back to Jan 15, 6 days, then it says "There are no more posts to show right now". How do I look at posts older than that?
 
I figured out Facebook. The video in question is nowhere to be found but I'm fairly convinced now the problem originated from Facebook. Doing a N&P using the recovery partition, install proper anti-virus and see how it goes.
 
I'm sorry. I still call bs. The end user tried to fix it herself and is too ignorant/stupid/impatient to watch what she is doing and used the refresh to nuke it. Or someone else, a friend, family member, etc helped her nuke it.

 
OK I found this forum after searching for "Windows 8 spontaneous refresh" because I am encountering the same problem!
Well, not me, but my customer.
After checking event logs and a boatload of other stuff, it was apparent that the computer had been totally refreshed the day previous. After some research I saw that the Asus U47A laptop in question will bring up a prompt to perform a system refresh after pushing the F9 key while booting.
The customer insisted he followed no prompts, installed nothing, and never did anything out of the ordinary prior to the incident.
That very same Dr. House quote popped into my head, so I told the customer not to hit F9 when he boots, or let his kids play with his laptop.
(My office generally chalked it up to bs, and agreed with my diagnosis.)

2 weeks later the machine is back on my desk. The customer had fallen asleep watching a DVD on his laptop, and let it go into sleep mode. The next day he powered the machine on just enough to get the disk tray to eject, then force powered it back off. The next time he opened his computer, he was looking at a fresh system restore.

Rootkit scans and malware scans were clean. User moron level is about a 4/10, so nothing extraordinary. I don't think he made a mistake he is aware of that caused this, or else he wouldn't have brought it back, since file recovery is impossible and we are kind of pricey.

I wonder if it's something in the Asus causing it? Some hardware feature that does more harm than good? Or as you said, some web application exploiting the machine? It's not unimaginable for a rootkit to get into the boot sector and run its own flavor of deep freeze, I would think. I just want to get it moved along without losing his business.

Any suggestions?

TLDR: Me too, twice. I don't think it's a PEBKAC either!
 
For the record, my client's laptop is an Acer Aspire E5-521. I didn't know about the F9. I'm thinking it's not inconceivable a dodgy keyboard could make the boot-up refresh thing happen... unlikely but not inconceivable. Otherwise I'm still at a loss....
 