Can't make Windows Explorer show hidden files/folders

Nikhil

Skilled
Well, I go to Folder options and click "Show hidden files and folders".

But it is not shown. Irrespective of how many times I do it.

I was attacked by the "orkut virus" some time back. The one which says "Use IE or else.."

I stopped C:\heap41 from loading by going to startup and unchecking the box.

But it is clear that the virus hasn't been cleaned completely.

Also, I have NOD 32 and it scans my comp every day. Hasn't found anything for the past 2-3 weeks. But this problem has been there for abt as long as that.

Any help ?? Please.

I use XP, BTW.
 
not trying to hijack the thread .. bt my Folder Option is not there itself ..
pls do post the reason and solution along wid nikhil's problem as well ..

@nikhil
both problems are kinda related so jst added mine here.. if u feel like u can ask the mods to delete my post.. u hv my consent in this regard..
 
Yes !! I am offended !! you are hijacking my thread !! You are a meanie !!

Mods, delete his post and ban him right away !! He is a terrorist !! Hijacking my thread !!!!!!! :mad: :mad:

lol..... j/k
 
:rofl:
mods .. pls cater to his needs and help me out from being branded as a terrorist ..
brrrr .. i am scared now that i offended nikhil ji ... oh lord gimme the strength to bear the bolts from him ..
 
@Nikhil

I think the registry has been corrupted by the worm. Do the following:

1. Copy following text into a notepad file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

and this one into one more notepad file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"

Save both and change file extension from ".txt" to ".reg".

2. Run them by double clicking and clicking yes , ok.

Check whether the folder options is working properly now.

:)
 
Can't you just see them, or are they completely inaccessible? If they just remain invisible, then why the hell do you want to change them?? They'll be brilliant for hiding prawn! ;)
 
@spacescreamer:

here's a temporary solution for your problem. go to 'run' and run this command "Control Folders". it will show you folder options. will tell you what to do later.

:)
 
Here's the proper solution for spacescreamer's problem: :)


Option one:

1. Click Start - Run - type GPEDIT.MSC and press Enter key.
2. Expand To:
-User Configuration
-Administrative Templates
-Windows components
-Windows explorer

3. In the right-side pane, double-click the entry Remove the Folder Options
menu item from the Tools menu. Set the value to "Not Configured".

May require Log Off and Log in again.

Done

Option 2:

1. Copy this into a text file

'togglefolderopts.vbs - Enables/Disables Folder Options settings
'in Win95/98

Option Explicit
On Error Resume Next

Dim WSHShell, itemtype, n, MyBox, p, p1, p2, t, mustboot, errnum, vers
Dim urladdr

Set WSHShell = WScript.CreateObject("WScript.Shell")
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"
p1 = "NoFolderOptions"
p2 = p & p1
itemtype = "REG_DWORD"
t = "Toggle Folder Options"
mustboot = "Log off and back on, or restart your pc to"
mustboot = mustboot & vbCR & "effect the changes"

'This section tries to read the registry key value. If not present an
'error is generated. Normal error return should be 0 if value is
'present
t = "Enable/Disable Folder Options"
Err.Clear
n = WSHShell.RegRead (p2)
errnum = Err.Number

If errnum <> 0 Then
    'Create the registry key value for NoFolderOptions with value 0
    WSHShell.RegWrite p2, 0, itemtype
End If

'If the key is present, or was created, it is toggled
'Confirmations can be disabled by commenting out
'the two MyBox lines below

If n = 0 Then
    n = 1
    WSHShell.RegWrite p2, n, itemtype
    Mybox = MsgBox("Folder Options are now DISABLED" & vbCR & mustboot, 4096, t)
ElseIf n = 1 Then
    n = 0
    Mybox = MsgBox("Folder Options are now ENABLED" & vbCR & mustboot, 4096, t)
    WSHShell.RegWrite p2, n, itemtype
End If

2. Rename its extension from .txt to .vbs
3. Run the file and log off .

Done

Tell how it went ....;)
 
zhopudey said:
Can't you just see them, or are they completely inaccessible? If they just remain invisible, then why the hell do you want to change them?? They'll be brilliant for hiding prawn! ;)

what if I have already done that and now need to find the Prawn folder :rofl: :rofl:

j/k.

I need it to find the Local Settings folder which is hidden. Need to backup my firefox bookmarks. :p

@prash --- Will try out that registry fix you recommended.
 
ok i found a solution after googling it.

here it is and tell me if it is successful or not.

first boot in to the safe mode.
go to windows search
advance options set to search the hidden files and folders
key word : svchost.exe
it should point to a folder in c:\heap41b with following files
[offspring], 2.mp3, Icon.ico, reproduce.txt, svchost.exe, drivelist.txt, script1.txt, std.txt and svchost.exe

if you look at the files in it it may point to the registry keys
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,2
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,2

now goto start > run > regedit

locate : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
in the “Checked all” key reset it back to 1 from 2

Now delete the folder C:\heap41a and clear all the key entries from this registry entry HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run which says heap41a

reboot to normal mode and you should be able to change folder options to show hidden files.
 
@ Prash ..

Hey thanks .. that was neat lil trick .. i think something went weird during installation .. mebbey thats y ..
actually now i like the situation .. ;) keep ur stuff for urself only .. no frnds can poke their noses.. now i need :
1) A permanent fix to this problem
2) Get this problem BACK in a neatly installed windows :D
@nikhil : Sorry again yaar :p
 
@nikhil and spacescreamer can you please post your Hijackthis logfile here.

it may also be able to track down the location of worm.

while you attempt the removal switch off system restore temporarily, and empty out the temp folders and then rescan with anti virus anti spywares and anti malware progs.

hijackthis is a system assessment program and also fixes some registry bugs.

download link

download it and save it to some folder in program files then run it and save a logfile (copy paste it or attach it here)
 
medpal said:
@nikhil and spacescreamer can you please post your Hijackthis logfile here.

it may also be able to track down the location of worm.

while you attempt the removal switch off system restore temporarily, and empty out the temp folders and then rescan with anti virus anti spywares and anti malware progs.

I can't access that folder as it is hidden !! The temp folder i.e

And what is hijackthis logfile ?
 
Nikhil said:
I can't access that folder as it is hidden !! The temp folder i.e

And what is hijackthis logfile ?
in answer to your question i have mentioned a download link to hijackthis in earlier post by way of editing so you may use it.
 
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:01:23 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

I did what you said Doc.

Problem still not gone.
 
Perhaps you still have a virus/worm that is resetting these things after you reboot, try this piece of software to check and see if any unwanted programs are running, and hidden.

F-Secure BlackLight

I had a worm that was not showing up in anti-virus at all and was hidden, so I couldn't see it anywhere, this program helped me get rid of it. Also (only if you are happy with this choice) you can try turning off System restore on all drives temporarily, this will wipe out system restore data which is where a lot of these types of worms hide.... located in "System Volume Information"
After you have turned off system restore, reboot and check again for virus using Blacklight and then anti-virus, reboot... and make sure you turn on System restore again, and make a fresh System restore point afterwards, so you will have a fresh restore point if you run into any problems.
 
Gosh, its going too far i think. Let me tell you the exact steps to remove that worm. That worm is called as w32.USBWorm

Step 1:

First you need to see all the running processes on your system, for that you need to press Alt+Ctrl+Del. This will launch 'Task Manager' then click on Process tab to see all the running processes. Then you need to manually search for 'svchost.exe' (you will find many, but you need to carefully select the one which is having 'User Name' as your Windows login name). After finding the process, right click on the process and click 'End Process Tree', and then click on OK. This will kill the running virus on your system.

Step 2:

To remove the worm completely from your computer, you need to remove Registry keys written by the worm first

1. Go to Start ->Run, then type "regedit" (without quotes).

2. You need to navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", double click "checkedvalue" and reset the "CheckedValue" key to 1. This is to show all the hidden folders and files.

3. Then navigate to "HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run " and delete the "winlogon" key.
This will stop the worm installing at the start up. This is the portion which makes the worm to start all by itself
- Important
Step 3:

Now you need to search for the worm which is located on your harddisk.
For that,
1. Go to Start--> Search --> Files or folders --> All files and folders --> svchost.exe (use advanced search options and include hidden files and folders) and search in all drives.
2. After getting the file, go one step up to the folder it is located in (its name will be generally Microsoft powerpoint) and delete the folder.
Then run this app on your computer to avoid further attack of this worm. disinfectant.
This will disinfect the flash drive actually and avoids further infection.

It should work now, tell how it went...:)
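
The registry checks described across this thread (the SHOWALL and NOHIDDEN "CheckedValue" data from the .reg fix, the NoFolderOptions policy, and the policies\Explorer\Run startup entries) can be run in one pass over a regedit export. This is an added example, not part of any post above. The names parse_reg and audit, the sample export and the winlogon path in it are constructed for illustration, and listing every policy Run entry for review is an assumption.

```python
import re
# Expected values are the ones in the .reg files posted earlier in the thread.
CV = r"\SOFTWARE\Microsoft\Windows\CurrentVersion"
HIDDEN = "HKEY_LOCAL_MACHINE" + CV + r"\Explorer\Advanced\Folder\Hidden"
EXPECTED = {(HIDDEN + r"\SHOWALL", "CheckedValue"): 1,
            (HIDDEN + r"\NOHIDDEN", "CheckedValue"): 2}
POLICY_KEY = "HKEY_CURRENT_USER" + CV + r"\Policies\Explorer"
RUN_KEY = "HKEY_LOCAL_MACHINE" + CV + r"\Policies\Explorer\Run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample (not a real capture) of the tampered state described above.
# A real regedit export is UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe"
'''

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; names lower-cased (registry ignores case)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # header, blank line, or continuation of a hex value
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            raw = int(raw[6:], 16)
        elif raw[:1] == '"' and raw.endswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
        current[name] = raw  # other types (hex:, ...) are kept verbatim
    return keys

def audit(text):
    """Return findings for the settings this thread says the worm changes."""
    reg, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = reg.get(key.lower(), {}).get(name.lower())
        if got != want:
            findings.append(f"{key}\\{name} = {got!r}, expected {want}")
    if reg.get(POLICY_KEY.lower(), {}).get("nofolderoptions") == 1:
        findings.append("NoFolderOptions = 1: Folder Options is hidden by policy")
    # Assumption: every entry under the policy Run key is listed for manual review.
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        findings.append(f"Policies\\Explorer\\Run entry {name!r} = {data!r}")
    return findings
```

Export the relevant keys with regedit (File > Export), read the file as UTF-16, and pass the text to audit(); an empty list means the values match the ones the thread's fix restores.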
 