There is a hidden, and I mean well hidden, My Documents folder in the root and then there is the available Users folder. It sounds like the same one. I have only been able to see the My Documents folder using a Linux distro and that is where previously I was able to pull copies for the user (not my wife). I only found it then because I was doing a scan using the Linux distro to look for bugs. The user did not have any copies of some of the software on the system so a rebuild was not possible.

Jon

From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Date: Sun, 2 Nov 2014 03:23:00 +0000
Out of curiosity, what is the path you're referring to as a second profile? The only thing I can think of that looks anything like a second copy is the "Documents and Settings" junction point on Windows Vista+.

Matthew Topper

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Sunday, November 02, 2014 12:15 AM
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person

Windows 7 Pro x64, no domain, and I don't think the shadow copies are on. I looked but did not see a restore from shadow copy available. I will look again.

Jon

From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] Security question from a non-security person
Date: Sun, 2 Nov 2014 03:04:49 +0000

The only method anyone has had success with aside from paying the ransom or restoring from backup is pulling the data from a shadow copy. Shadow Explorer seems to work well for browsing them, though newer instances of the crypto viruses are clearing restore points as part of infection.

Matthew Topper

From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
Sent: Sunday, November 02, 2014 12:01 AM
To: [email protected]
Subject: [NTSysADM] Security question from a non-security person

I am really hoping someone has an idea of how to go about this. Before I start let me say I have only gotten started on this but it is outside my normal area of expertise so I will be looking on the web.

Issue
Wife (yes, my wife) ignored me about doing backups, not blocking updates, and being more careful about her browsing habits. She managed to get bit by a crypto virus which I can get the name of if necessary. All of her files have been encrypted including a 5.3 GB PST. Her email is Gmail and I set her up to use POP, more than that is just too hard for her. She is not dumb by any stretch, just very stubborn, and in some computer areas extremely smart. Security is just not one of those areas.
While I know enough to be able to do some simple security work I don't pretend to be a Security person. Anyway, I have removed the bugs, all were specific to her profile only (thank God she is only a user). I have used a Linux distro to archive the two copies of her profile, you do know there are two copies, right? Well anyway, on a previous virus infection I got lucky (too bad not this time) and only one of the copies was damaged. I am still doing some clean-up but at the moment it appears both copies were encrypted. Normally I would just tell the user, so sorry/too bad, and blow the machine away and start over. That will not be possible as this is my wife, and those with an SO who like to keep peace in the house would know that is not happening unless there is no other way.

Question
Has anyone found a way OTHER than paying these creeps off to get these files decrypted? Like I said, I am still in the cleanup and getting the machine ready for use again and have not yet done any web searches. Oh, and paying them off is not even in the room with the table!

Side note
Why is it the IT person is the one blamed when a user ignores what we tell them and gets bit by a bug?

Thanks for any ideas or suggestions,
Jon
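The recovery path Matthew describes above (pull the files out of a Volume Shadow Copy if the infection left one) and his point about "Documents and Settings" being a junction rather than a second profile can both be checked from PowerShell without a third-party tool. The script below is an added example for this thread, not code posted by either participant; the account name (alice), the junction path C:\shadow_newest and the destination D:\recovered are assumptions. It must run from an elevated prompt on the infected machine, and it only helps if a snapshot older than the infection still exists.

```powershell
# Added example (not from the NTSysADM thread): find shadow copies of C:, expose the
# newest one as a directory junction, and copy one user's profile out of it.
# Get-WmiObject is used rather than Get-CimInstance so this also runs on the
# PowerShell 2.0 that ships with Windows 7. Run elevated.
param(
    [string]$UserName    = 'alice',        # assumption: account whose profile was encrypted
    [string]$Destination = 'D:\recovered'  # assumption: clean target on a separate volume
)

# 1. "C:\Documents and Settings" on Vista+ is only a junction to C:\Users, not a second
#    copy of the profiles. Confirm that before spending time on it.
$legacy = Get-Item 'C:\Documents and Settings' -Force -ErrorAction SilentlyContinue
if ($legacy -and ($legacy.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
    Write-Host 'C:\Documents and Settings is a junction (reparse point), not a separate profile copy.'
}

# 2. Enumerate shadow copies for the C: volume, newest first. If the malware ran
#    "vssadmin delete shadows /all" this list is empty and there is nothing to pull.
$volume  = (Get-WmiObject Win32_Volume -Filter "DriveLetter = 'C:'").DeviceID
$shadows = @(Get-WmiObject Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volume } |
             Sort-Object InstallDate -Descending)
if (-not $shadows) {
    Write-Warning 'No shadow copies exist for C:. Restore from backup is what is left.'
    return
}
$shadows | Format-Table ID,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } },
    DeviceObject -AutoSize

# 3. Expose the newest snapshot through a junction. DeviceObject looks like
#    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and mklink needs the trailing
#    backslash. Everything under $mount is read-only and, if the snapshot predates
#    the infection, still unencrypted. Pick an older entry from the table if not.
$newest = $shadows[0]
$mount  = 'C:\shadow_newest'   # assumption: junction path
if (Test-Path $mount) { cmd /c rmdir $mount }
cmd /c mklink /d $mount "$($newest.DeviceObject)\"

# 4. Copy the profile out. /E recurses, /XJ skips the compatibility junctions inside a
#    profile (e.g. "Application Data") so robocopy does not loop, /R:1 /W:1 keeps it
#    from stalling on anything it cannot read.
$src = Join-Path $mount "Users\$UserName"
if (Test-Path $src) {
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    robocopy $src (Join-Path $Destination $UserName) /E /XJ /R:1 /W:1 /COPY:DAT `
        /LOG:"$Destination\robocopy_$UserName.log"
} else {
    Write-Warning "No profile for $UserName in shadow copy $($newest.ID)."
}

# 5. Remove the junction; the snapshot itself is untouched.
cmd /c rmdir $mount
```

The same enumeration is available as plain `vssadmin list shadows` from an elevated cmd prompt, which is a quick way to answer the "are shadow copies even on" question before running anything else. Copy to a different physical volume: the snapshot is differential against the live C:, so writing recovered data back onto C: can cause the oldest shadow copies to be discarded to make room.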

