Find Files (and Spyware) that are Hidden even when Show Hidden Files is Enabled

Posted October 12, 2004 by MickeyMouse in Windows

You can set Windows to allow you to set, edit, view, and delete hidden files. However, even though you have your computer set to show all hidden files, the OS still hides certain files from you. Some spyware is now using this technique as well.


You have your computer set to show all hidden files, so you would assume that you can actually see all hidden files. Unfortunately, this setting does not guarantee that no files remain hidden.

Microsoft realizes that some files (such as files required for booting) should remain hidden from the user. These files will not be displayed even if you have Windows set to show all hidden files.

The problem with this is that some spyware programs are now using this property to hide their evil from the user. If you cannot see it, it is difficult to delete it.

Disclaimer: Using the following technique can damage your system if you delete the wrong files. Back up your system before you proceed.

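    To list files marked system (S), hidden (H), and read-only (R), type the following command from a command prompt. The /s switch makes attrib recurse from the current directory, so run it from the root of the drive you want to check: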

    attrib /s | findstr SHR

Here is my output:
A SHR C:\WINDOWS\assembly\Desktop.ini
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Personal_32_1033.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_4.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
SHR C:\WINDOWS\system32\Restore\filelist.xml
SHR C:\AVG6DB_F.DAT
A SHR C:\boot.ini
A SHR C:\IO.SYS
A SHR C:\MSDOS.SYS
A SHR C:\NTDETECT.COM
A SHR C:\ntldr

    Do not remove any of these files unless you know that it is spyware or a Trojan.

    Here is the command to clear the read-only, system, and hidden attributes from a file:
    attrib -r -s -h trojanfilename
    (where trojanfilename = the file you want to delete)

    For example:
    attrib -r -s -h c:\windows\system32\ispyonyou.exe

    This command will not delete the file. It will only unhide it so you can delete it through your regular methods.
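A triage pass over saved `attrib /s` output, added here as an example (not code from the original post). It generalizes the `findstr SHR` filter: it selects every file with both S and H set, so a file marked system and hidden but not read-only is also caught, and it lists executables outside a baseline first. `BASELINE`, `SAMPLE`, and the function names are assumptions made for the example.

```python
import re

# Assumed line shape (as in the page's output): attribute letters, then a full
# path starting with a drive letter; the whitespace between them may vary.
LINE_RE = re.compile(r"^([A-Z ]*?)\s*([A-Za-z]:\\.*)$")
EXECUTABLE_EXTS = (".exe", ".dll", ".com", ".sys", ".scr", ".bat", ".cmd", ".vbs")

# Boot files from the page's own output, lowercased. Hypothetical baseline:
# build a real one from a known-clean machine running the same Windows version.
BASELINE = {r"c:\boot.ini", r"c:\io.sys", r"c:\msdos.sys",
            r"c:\ntdetect.com", r"c:\ntldr"}

# Constructed sample listing; the .exe line reuses the page's example file name
# with S and H set but not R, which `findstr SHR` would not match.
SAMPLE = [
    r"A SHR C:\boot.ini",
    r"A SHR C:\ntldr",
    r"SHR C:\WINDOWS\system32\Restore\filelist.xml",
    r"A SH C:\WINDOWS\system32\ispyonyou.exe",
    r"A C:\WINDOWS\notepad.exe",
    r"A H C:\WINDOWS\example.dat",
]

def parse_attrib_line(line):
    """Split one listing line into (flags, path); None for any other text."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group(1).replace(" ", ""), m.group(2)

def triage(lines, baseline=BASELINE):
    """Return (path, flags, note) for files with S and H set, riskiest first."""
    ranked = []
    for line in lines:
        parsed = parse_attrib_line(line)
        if parsed is None or not {"S", "H"} <= set(parsed[0]):
            continue
        flags, path = parsed
        if path.lower() in baseline:
            rank, note = 2, "in baseline, verify only if tampering is suspected"
        elif path.lower().endswith(EXECUTABLE_EXTS):
            rank, note = 0, "executable outside baseline, review first"
        else:
            rank, note = 1, "non-executable outside baseline"
        ranked.append((rank, path, flags, note))
    return [(path, flags, note) for _, path, flags, note in sorted(ranked)]

if __name__ == "__main__":
    for path, flags, note in triage(SAMPLE):
        print(f"{flags:<5} {path}  [{note}]")
```

To use it on a real listing, redirect the output with `attrib /s > listing.txt` from the drive root and pass the file's lines to `triage`.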

Thanks go out to SANS for reminding me about this hiding place.
