XP, Folder Options will not allow view hidden

Discussion in 'Windows XP' started by 1gunsmith, Jan 6, 2007.

Thread Status:
Not open for further replies.
  1. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    Windows XP service pack 2.
    I have a church's computer that was infected with "INFOSTEALER", "TROJAN.VB.jy" and "DOWNLOADER.CRYPTIC.f" that I volunteered to try to fix.

    I searched the threads and followed the instructions listed to remove them and was successful. Thank you for the help.
    But I still have the issue of not being able to change "FOLDER OPTIONS" / "VIEW" / "HIDDEN FILES AND FOLDERS": the selection has both "DO NOT SHOW---" and "SHOW HIDDEN----" selected. If I select either one, it will stay only as long as I do not close the Folder Options box. As soon as it is closed, it will again default back to both hide and show.

    I cannot find any threads with this issue except the mention in the one thread about "INFOSTEALER" that I used to get me this far. What did I miss?
     
  2. Augie65

    Augie65

    Joined:
    Mar 23, 2005
    Messages:
    6,052
    You can check your registry.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    Click on Advanced in the left panel and in the right pane look for Value Name Hidden. The Value Data should be set to 1 = show hidden, 2 = do not show. If you have two Hidden, just delete the one with value of 2.
    If you change, you have to reboot for the value to take effect.
    If this doesn't work, you might have to ask for help from JSntgRvr.
    He just solved a similar problem here except it was for Windows 2000.
     
  3. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Give this a try:

    Start > Run > Regedit

    Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.

    Data Type: REG_DWORD (Dword Value) // Value Name: NoSaveSettings
    Setting for Value Data: [0 = Disabled / 1 = Enabled]

    Exit Regedit and reboot.
     
  4. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    I went to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and there were 2 with the Name Hidden. I deleted the one with value of 2 and on reboot it returned. I changed the value of the one with 2 over to 1 and rebooted and it returned with a value of 2.

    Next I tried HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and created "NoSaveSettings" in REG_DWORD with a value of 1 and rebooted, and there was no change.
    I changed it to value 0 and rebooted and still no difference.

    What keeps adding "HIDDEN" with a value of 2?
     
  5. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Good question. You may want to try the Security forum and a log for their examination. There may still be processes running that are causing this.
     
  6. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    "there were 2 with the Name Hidden"

    So you had two registry keys with exactly the same name? No extra spaces on the end?
     
  7. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    HIDDEN with a value of 2 when clicked "RENAME" highlights "Hidden"
    HIDDEN with a value of 1 when clicked "RENAME" highlights "Hidden "
    That is the difference. I think most would miss seeing the space at the end unless highlighted by clicking on "RENAME".

    I have already run the programs "ATF Cleaner", "AVG Anti-Spyware", "Panda's ActiveScan", and "Combofix" before I posted this request for help.

    Any more suggestions?
     
  8. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    That's exactly what I was getting at. So what happens when you delete both and reboot?
     
  9. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Every cleaner finds some things that others don't, so I wouldn't abandon the idea that the machine is still infected. They will keep reappearing with a reboot.
     
  10. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, 1gunsmith :)

    Download the enclosed folder and extract its contents to the desktop. It is a batch file. Once extracted, double-click on it. It shall produce two reports. Post the contents of both reports in your next reply.
     
  11. Bob Cerelli

    Bob Cerelli

    Joined:
    Nov 2, 2002
    Messages:
    22,468
    Some specific suggestions are ones I like to use:

    Spybot
    Ad-Aware
    Windows Defender
    CounterSpy (two week full version)

    Pest Patrol is another one that gets good ratings and I use, but it also costs.

    So there are others, but typically when things remain, you need to run a few scans. I also like to get the updates and then run the scans in safe mode. It is not uncommon for programs to be running in memory when you do the scan otherwise, which makes it more difficult to remove.
     
  12. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    If you follow JSntgRvr's advice, you will be in the hands of experts and we'll get to the bottom of this. :)
     
  13. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    Hidden returned after deleting with a value of 2
    Hidden with a value of 1 returned after changing "Folder Options" in Explorer
    Contents you requested are below:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
    "Text"="@shell32.dll,-30500"
    "Type"="radio"
    "CheckedValue"=dword:00000001
    "ValueName"="Hidden "
    "DefaultValue"=dword:00000002
    "HKeyRoot"=dword:80000001
    "HelpID"="shell.hlp#51105"
     
  14. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ServerAdminUI"=dword:00000000
    "ShowCompColor"=dword:00000001
    "HideFileExt"=dword:00000000
    "DontPrettyPath"=dword:00000000
    "ShowInfoTip"=dword:00000001
    "HideIcons"=dword:00000000
    "MapNetDrvBtn"=dword:00000000
    "WebView"=dword:00000001
    "Filter"=dword:00000000
    "SuperHidden"=dword:00000000
    "SeparateProcess"=dword:00000000
    "ListviewAlphaSelect"=dword:00000001
    "ListviewShadow"=dword:00000001
    "ListviewWatermark"=dword:00000001
    "TaskbarAnimations"=dword:00000001
    "StartMenuInit"=dword:00000002
    "StartButtonBalloonTip"=dword:00000002
    "Start_ShowNetPlaces_ShouldShow"=dword:00000041
    "NoNetCrawling"=dword:00000000
    "FolderContentsInfoTip"=dword:00000001
    "FriendlyTree"=dword:00000001
    "WebViewBarricade"=dword:00000000
    "DisableThumbnailCache"=dword:00000000
    "ShowSuperHidden"=dword:00000000
    "ClassicViewState"=dword:00000000
    "PersistBrowsers"=dword:00000000
    "Start_ShowNetConn_ShouldShow"=dword:00000042
    "Hidden"=dword:00000002
     
  15. 1gunsmith

    1gunsmith Thread Starter

    Joined:
    Jan 6, 2007
    Messages:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:57 PM, on 1/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
    C:\QUICKENW\QWDLLS.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Programmer\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DxDialog] C:\WINDOWS\system32\dxdlg32.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122342934233
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: windows network (system) - Unknown owner - C:\WINDOWS\system32\system.exe (file missing)
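
An added example, not part of any post in this thread: the two registry exports posted above contain a value name and a "ValueName" pointer that differ from "Hidden" only by a trailing space, which is invisible in Regedit until the name is highlighted. The sketch below parses .reg export text and flags such whitespace-padded names; the function names are hypothetical and the sample is constructed from the values quoted in the thread.

```python
import re

# Constructed sample assembled from values quoted in the thread, not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"ValueName"="Hidden "

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"Hidden "=dword:00000001
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # .reg text escapes backslash and double quote with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = VALUE_RE.match(line)
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None:
            name, raw = unescape(m.group(1)), m.group(2)
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            else:  # quoted strings are unquoted; hex(...) types stay as raw text
                current[name] = unescape(raw[1:-1]) if raw[:1] == '"' else raw
    return keys

def find_padded_names(keys):
    """Flag value names, and ValueName pointers, that carry stray whitespace."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            if name != name.strip():
                # last field: does the clean look-alike name exist beside it?
                findings.append((key, 'value-name', name, name.strip() in values))
            if name == 'ValueName' and isinstance(data, str) and data != data.strip():
                findings.append((key, 'ValueName-data', data, False))
    return findings

if __name__ == '__main__':
    for finding in find_padded_names(parse_reg(SAMPLE_REG)):
        print(finding)
```

Regedit writes "Version 5.00" exports as UTF-16, so open a real export with `encoding="utf-16"` before passing its text to `parse_reg`.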
     
Short URL to this thread: https://techguy.org/532893
