Unhiding folders after Adware attack

By Mugsy
May 24, 2008
  1. I was hit by a nasty AdWare attack the other day, and after lots of hard work, was finally able to clean it off my system, but some of its effects linger on.

    One of the things that PoS Adware did was hide dozens of folders on my system. I was able to get most of them back by simply unchecking their "Hidden" property. Others, I had to go the more complex route of booting into Safe Mode and reassigning myself Full Permission over every drive & folder in the system.

    But certain key folders, namely "system32" and all "System Restore" backup folders, remain "hidden", (viewable only with the View Settings set to unhide everything) and nothing I do will let me change it.

    Even as Administrator in Safe Mode, their "Hidden" property checkbox is disabled/greyed-out.

    I am NOT about to reinstall Windows (XP sp2) just to fix this minor annoyance. I have the system running just fine otherwise and am not about to hand-install 77 MS Patch files again just to fix it. There *must* be a simpler answer.

    Any ideas anyone?
  2. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    Try starting in safe mode (F8 at boot), and unset what is probably the 'system' flag on system32 folder. You should accept that under normal conditions nobody should see those folders, they are meant to be always invisible, especially system restore.
  3. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9

    Viewed fine before.

    I've never had a problem viewing the "System32" folder before.

    If you open up Windows Explorer and open the Windows folder, is your "system32" folder visible?

    Not sure what you mean by the "system flag".

    Thanks for the reply.
  4. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    Most users who do not change their 'folder options' do not see system32. To see this you have to have set (under folder options / view) the option to 'show hidden files and folders'. You can see other system files by unchecking 'hide hidden files and system files'. The 'system' setting can be seen, set and unset using Dos commands (in XP, not sure about Vista) and applies in particular to system restore folder. You will be wise to leave all such settings on default settings, as this helps to hide them from malware, and people with more curiosity than sense.
  5. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9


    Since I'm obviously not "most users", this wouldn't exactly apply, now would it?

    I typically have Windows Explorer (Tools | Folder Options | View) set to "show hidden files and folders" and uncheck "Hide extensions", but leave "Hide Protected files and folders" checked. In this configuration, I've always been able to see key folders that are typically safe to access if you know what you're doing (and I do).

    However, after some nasty Ad Ware found its way onto my PC, it "hid" dozens of once visible system folders (to hinder its removal). The Ad Ware is now gone, but the folders it "hid" can now only be seen with the "Hide Protected" option unchecked... which reveals stuff you DON'T want access to, like "boot.ini" and "ntldr" (among dozens more).

    A brief list of some of the folders once visible using my preferred setting that are now "ghosted/faded" (indicating Hidden, and now only show with all protections disabled):

    ALL System Restore folders starting with "$" in c:Windows\ (Ad Ware hid them for obvious reasons)
    C:\Program Files\outlook\
    C:\Documents and Settings\Default User (and various folders inside, but not all)
    C:\Documents and Settings\LocalService (")
    C:\Documents and Settings\NetworkService (")

    Of course, among these, only the first four are of any importance.

    Booting into Safe Mode, logging in as Administrator, and setting all my permissions has ZERO effect. When right-clicking each item's folder properties, the "Hidden" checkbox is disabled (even as Administrator) and can not be unchecked.

    There must be a Registry setting that was changed. I can think of nothing else.

    Not having normal access to the system32 folder produces a number of problems and limitations (such as not being able to change/define helper applications), and of course, removing future malicious apps is also more difficult, so this needs to be corrected asap.
  6. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    Ok your settings are the same as mine and now that you have given a list of folders, I can fully understand your position. I have a vague recollection of seeing this type of problem before, and as far as I remember, it was files/folders becoming set with the 'system' attribute. Malware can easily do this, as can Dos, with the attribute command. Read-only attribute will also cause the symptom.

    If you open a Dos box and navigate to a folder with a problem, (do you know your way round dos with the CD command?) type the command ATTRIB and see what it says. If I am right you will see an attribute S as well as A (ready for archive) and possibly H (hidden) and R (read-only).

    To see what ATTRIB can do, type ATTRIB /?

    It can with + and - set or unset all these attributes, and with /S can recurse through subdirectories as well. I would be surprised if this does not do the trick for you. Good luck.

    By the way, my crack about 'more curiosity than sense' in no way was implying anything critical about you, it was a general observation pertinent to many people who come to this site. With 236 posts, you would not be in that category. It is quite possible that the sort of technical info we give out could lead inexperienced people to dabble where they shouldn't oughta. Cheers.
  7. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9

    Thanks for the reply.

    I forgot to mention it before, but I tried the Attrib command to no avail. Response was "No permission", even when booting into "Safe Mode with Command Line" as Administrator.

    I'm pretty old-hat at this, going back to to the days of DOS and occasionally CP/M. :)

    This one really has me stumped. The only other time I've seen "Administrator" have "no permission" to do something, it was when I accidentally restored a file with security descriptors intact from a backup of a prior installation of Windows.
  8. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    You could boot from a Dos floppy with ATTRIB on it to resolve your HD problems, but I think you have a much worse problem, that your user has become a 'restricted rights' user, including the main Administrator' user I expect. You therefore have no way to create a new user with full rights, or change any existing user to full rights. This needs research......

    try from
  9. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9

    Nope, not that way.

    Unfortunately, that's not an option. My C: drive is both NTFS format (not accessible from DOS) as well as RAID-0 (also not accessible from DOS).

    I have tried using the "Recovery Console" on the Windows CD, but it too gave no "no permission".
  10. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    I would hope there is a possibility you could access the NTFS partition with raid-0 and it's file attributes from a bootable 'small linux' such as Ubuntu on CD.
  11. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9

    Will remain a mystery

    Ahead you again. :)

    I have Ubuntu-8.04 installed on a separate drive and while I can access normal NTFS partitions, it can't read Raid (unless it was installed on a Raid drive with the proper drivers installed). I've actually been searching for a way to access my Raid C: drive from Ubu, but every Linux tech is quick to steer me clear.

    From Linux, no matter how Windows is set, all hidden & protected files show up (eg: "boot.ini", "ntldr"), but Linux doesn't allow you to change Windows file attributes. Linux has it's own system for doing that, so even if I could access the files from Linux, I couldn't change them.

    I had a tiny bit of success this afternoon playing around with the WinXP CD "Recovery Console". I was able to unhide my "system32" folder (as well as the "$x$" System Restore backup folders) using the ATTRIBute command and later changing/editing securirty permissions for individual folders while in Safe Mode. But you can't access "c:\Program Files\" from the RC. I was, however, able to Move "c:\Program Files\outlook" to the root of C:\ and delete it from there (fortunately, I don't use Outlook... aka Look-Out!).

    I haven't figured out how to re-enable the ability to "unhide" folders Administrator can't alter (even when "Administrator" is the owner and with all permissions enabled), but at least I have the three biggest headaches out of the way now.

    At this point, I figure nothing short of a reinstall is going to fix this. Live & Learn. Thanks for all the help and good ideas, but this is one mystery that's probably going to remain a mystery. :(
  12. gbhall

    gbhall TechSpot Chancellor Posts: 2,423   +77

    Before you do a reinstall, try reverting to a much earlier date using recovery console. There are ways of recovering all six? system nests from RC, and perhaps you could go back far enough to recover enough utility to do a thorough check for 'orrible little menaces.

    Try Norman killer might offer some clues about access changes.

    Also a repair installation will be quicker than a reinstall, unless you think the problem is a still-existing malware that can only be removed by reformat.

    Please allow me one final observation from my own system. I have two partitions, one for the OS and installed programmes, another for my data. The OS partition is fully imaged every couple of months. As far as I can see, with a raid setup you have insulated yourself only from hardware failure - a lesser probability than software failure by quite a margin......
  13. Mugsy

    Mugsy TS Guru Topic Starter Posts: 361   +9

    Heh, I'm not re-installing anything. :)

    Unfortunately, there's no "Earlier date" to restore to because this problem is the result of having to reinstall Windows from scratch after my boot drive went bad and had to be replaced. Bought a brand new C: drive, formatted and installed XP from scratch, but held off on installing my anti-virus software to speed up reinstalling all my software. Unfortunately, one of the programs secretly contained adware. :(

    My anti-virus and "Ad-Aware 2008" are now installed, so I shouldn't get hit again, and I've managed to get back the few things I need, so I'm going to just live with the damage. If I need to unhide those folders in the future, I may revisit the issue, but I can live with things the way they are now.

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...