How to access files hidden by virus in Document and Settings in Windows 7 Directory

Hi Experts,

Our manager's laptop was attacked by a fake scam AV, "System Check". The operating system on his laptop is Windows 7. I want to retrieve his files and reformat the unit but could not locate his profile. I thought his profile was deleted by the virus. During my removal process, I ran a Sophos AV scan and saw that his files are in "Document and Settings" but could not access them, since "Document and Settings" in Windows 7 is equivalent to "USER". Is there a way to access his files located in "Document and Settings" in a Windows 7 environment while I'm still cleaning his unit?

I will create another question on removing the fake security application virus "System Check".

Thank You,

Kid
kidrock009 Asked:

ZShaver Commented:
No, Documents and Settings is a symbolic link to Users in Win7, it's not an actual folder.
If I were you I would try marking everything as not hidden.
Go to the root of C,

Tools > Folder Options... show hidden files and folders AND show protected operating system files
and see if you can see the folder then. A lot of times the virus will just mark the folder as a system folder or hidden folder.
0
andytagonist Commented:
If you browse directly to it, it's there. C:/users/<username>/
0
ZShaver Commented:
You can also unhide it using attrib:
"ATTRIB -R -A -S -H" c:\users\username /S

which will mark the user folder and everything under it as non-hidden, non-system
0
kidrock009 Author Commented:
@andytagonist:

Hi Sir, the user profile is not located in the folder due to the virus attack. I hope it just hid the profile.

@ZShaver:
Will get back to you on this when I get back to the office and try your suggestion.
0
ZShaver Commented:
without the quotes sorry lol

ATTRIB -R -A -S -H c:\users\username /S
0
Run5k Commented:
Did you already run a full scan with your antivirus application as well as a quick scan with Malwarebytes?

Some malware will flag your personal data files as hidden in an attempt to hold them hostage and get you to pay for their fix. After the malware scans have finished and you are reasonably confident that the operating system is clean again, try running the Unhide utility. It was written by a Microsoft MVP, and it is specifically designed to reset all of your files & folders to their default status: your personal data should be visible, while the critical system files will remain hidden. ZShaver's suggestion is certainly good, but if you run this utility with full admin privileges it will ensure that all of your files & folders are reset to their proper status:

Unhide.exe - Download
http://download.bleepingcomputer.com/grinler/unhide.exe

Unhide.exe - Tutorial
http://www.bleepingcomputer.com/forums/topic405109.html
0
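
The behaviour the answers above describe for attrib and Unhide (user data made visible again, system items left hidden), as an added PowerShell example; it is not code from the thread or from Unhide. The profile path is a placeholder and the keep-hidden list is an assumption; unlike the attrib line, it leaves the read-only and archive flags untouched.

```powershell
# Added example: report (and with -Apply, clear) Hidden/System flags on user data.
param(
    [string]$ProfilePath = 'C:\Users\username',  # placeholder path, as in the thread
    [switch]$Apply                               # without -Apply nothing is changed
)

$Reparse = [int][IO.FileAttributes]::ReparsePoint
$Mask    = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

# Items Windows itself keeps hidden in a profile (assumed, non-exhaustive list).
$KeepHidden = 'desktop.ini', 'Thumbs.db', 'NTUSER.DAT*', 'ntuser.ini', 'ntuser.pol'
$AppData    = Join-Path $ProfilePath 'AppData'

function Test-KeepHidden([IO.FileSystemInfo]$Item) {
    # Compatibility junctions ("My Documents", "Application Data", ...) are reparse points.
    if ([int]$Item.Attributes -band $Reparse) { return $true }
    # AppData and everything below it is hidden by default.
    if ($Item.FullName -eq $AppData) { return $true }
    if ($Item.FullName.StartsWith("$AppData\", [StringComparison]::OrdinalIgnoreCase)) { return $true }
    foreach ($pattern in $KeepHidden) {
        if ($Item.Name -like $pattern) { return $true }
    }
    return $false
}

# -Force is required, otherwise hidden and system items are not enumerated at all.
$items  = @(Get-Item -LiteralPath $ProfilePath -Force)
$items += @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $old = [int]$item.Attributes
    if (-not ($old -band $Mask)) { continue }   # neither Hidden nor System is set
    if (Test-KeepHidden $item)   { continue }   # expected to be hidden, leave alone

    '{0,-40} {1}' -f $item.Attributes, $item.FullName
    if ($Apply) {
        $new = $old -band (-bnot $Mask)
        if ($new -eq 0) { $new = [int][IO.FileAttributes]::Normal }
        $item.Attributes = [IO.FileAttributes]$new
    }
}
```

Run it from an elevated prompt once the malware scans come back clean: review the report first, then rerun with -Apply.
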
andytagonist Commented:
ZShaver and Run5k both gave good suggestions for undoing some of the apparent damage to your system...

but yes, the folder is most likely only hidden.  to get to it manually, open Windows Explorer, in the address bar type c:/users/<username> where <username> is his login (they should be the same name).
also, make sure you can view Hidden AND System files in View, Folder Options.  this will show

all of this is to get the files backed up.  you can eventually fix the issues one by one, but in the end, don't be shy about just reimaging the system and being done with it rather than spending too much time on it.  i've come across malware like this that tweaked with my file permissions AND hosed out my TCP/IP stack to where i couldn't even get on my local network...and that's just the damage i actually noticed--before reimaging.  
0
e_adams Commented:
Please download a utility called Combofix. It should be located at www.bleepingcomputer.com, but Google it to make sure. This website will have the utility and complete instructions on how to use it.

Good luck,

Regards,

Elliot
0
Russell_Venable Commented:
Hi kidrock009,
The tool Unhide will restore all of your icons back to normal, commonstartup directory items, and a few others but lacks a few things. I have written this to help with your "Documents and Settings\User" directory to allow access again.

Download this vbscript and run in a command prompt using the command "cscript /nologo Givememyfolderback.vbs" and hit enter. This will restore NTFS security settings on the users folder in document and settings.
Givememyfolderback.vbs

Tell me if you have problems, as I am not in an area where I can properly test this out.
0

kidrock009 Author Commented:
Thanks, it works.
0