What else besides a virus would keep turning on "Show Hidden Files" in WinXP

windows virus rootkit

I've got a couple of machines that definitely recently had viruses and very likely still do.

I've run Norton AV, Radix RootKit remover, Sophos Rootkit remover, Spybot, Ad-Aware, CA Antivirus Plus, AVG, AntiVir, SysInternals Rootkit Revealer and none of them can find any more nasties on these machines.

I've even taken out the hard drives, stuck them in a USB drive casing and scanned them from another virus free machine. Still nothing.

The Windows "Show Hidden files/folders" setting however keeps turning itself on. You switch it off click OK and straight away it's back on again.

I've monitored the registry key for the setting with SysInternals RegMon and that revealed that the setting was being reset by explorer.exe as soon as I change it manually.

Like I said I'm fairly certain that there is still some sort of extra sneaky virus or root kit on these machines but I'm now investigating the remote possibility that the viruses are gone and something else is resetting the "Show hidden files" setting.

Any suggestions? I'd really like to avoid a reformat of these machines.


You may also want to monitor these registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

A little bit of research shows a lot of viruses which tamper with all 3 registry entries. It is very likely there is still something on your system. Personally I don't feel safe using an OS after it's been compromised, even if a scanner picks up a lot of viruses and successfully removes them, who knows what it's left behind? If it is an option (even though you prefer not to), I would suggest you do a clean install. Immediately after all of your must-have programs and drivers are installed, make a backup image with Acronis True Image or Norton Ghost that you can fall back on. I would also suggest updating said backups frequently.


How many explorer.exe's are running? If there's more than one, then I'd be pretty certain that there's still something in the system.

Even if there's only one Explorer.exe, try killing all the Explorer.exe's in Task Manager and start it up again. Then see if the same issue happens.

-JFV

Related

Task Manager shows too many exe processes for Google Chrome [duplicate]
What are the limits of allocating my CPU cores to VMs?
PC power supply strange behaviour
Screen recording software on Mac? [duplicate]
Play movie from Windows Media to a DLNA TV: "failed to retrieve media information from media server"
Windows Wake-on-LAN from Sleep on Laptop
How do I remotely destroy parts of my Macbook hard drive?
How to only allow a program to write to a directory if it is mounted?
I'm using Windows, and I want to use Dropbox to back up a folder outside my Dropbox directory
Is there a quick way to create a hyperlink to open microsoft office document in an existing email chain?
How do I use media query to make form responsive for all devices
React Native unable to compile during npx react-native run android