Find Files (and Spyware) that are hidden even when Show Hidden Files is enabled
You can set Windows to let you set, edit, view, and delete hidden files. However, even when you do this, the OS still hides some files from you. Some spyware now uses this technique as well.
You have your computer set to show all hidden files, so you would think that you should actually be able to see all hidden files, right?
Not exactly.
Microsoft realizes that there are some files (like files required for booting) that should really, really be hidden from the user. These files will not be displayed even if you have Windows set to show all hidden files.
The problem with this is that some spyware programs are now using this property to hide their evil from the user. If you can’t see it, it’s hard to delete it.
Disclaimer: You can really screw up your system by deleting the wrong files using this technique. Really, really, really. Back up your system before proceeding.
How to see them:
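- Type this command from a command prompt. attrib /s lists the current directory and every subdirectory, so run it from the root of the drive you want to check; findstr SHR keeps the lines where the System (S), Hidden (H) and Read-only (R) attribute letters appear together:
attrib /s | findstr SHR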
Here’s my output:
A SHR C:\WINDOWS\assembly\Desktop.ini
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Personal_32_1033.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_4.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
SHR C:\WINDOWS\system32\Restore\filelist.xml
SHR C:\AVG6DB_F.DAT
A SHR C:\boot.ini
A SHR C:\IO.SYS
A SHR C:\MSDOS.SYS
A SHR C:\NTDETECT.COM
A SHR C:\ntldr
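An added example, not part of the original post: `findstr SHR` is a plain, case-sensitive substring match, so it skips files that are system and hidden but not read-only, and it also keeps any path that merely contains "SHR". The Python below parses saved `attrib /s` output by attribute letter instead. The sample lines are constructed, their column spacing is an assumption, and the function names, extension list and baseline are illustrative.

```python
import re
from pathlib import PureWindowsPath

# Attribute letters come first; the path starts at a drive letter or UNC prefix.
LINE_RE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>(?:[A-Za-z]:\\|\\\\).*)$")

# Illustrative list of extensions worth a closer look; adjust as needed.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".sys", ".bat", ".cmd", ".pif"}

# Constructed sample of `attrib /s` output (column spacing is an assumption).
SAMPLE = r"""
A  SHR     C:\boot.ini
A  SHR     C:\NTDETECT.COM
A  SHR     C:\ntldr
   SHR     C:\WINDOWS\system32\Restore\filelist.xml
A  SH      C:\WINDOWS\system32\ispyonyou.exe
A          C:\WINDOWS\system32\notepad.exe
A    R     C:\SHR_notes.txt
"""

def parse_attrib(text):
    """Yield (set_of_flag_letters, path) for each attrib output line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield set(m.group("flags").replace(" ", "")), m.group("path")

def findstr_shr(text):
    """What `findstr SHR` keeps: any line containing the substring 'SHR'."""
    kept = "\n".join(l for l in text.splitlines() if "SHR" in l)
    return [path for _, path in parse_attrib(kept)]

def hidden_system_files(text):
    """Files with both S and H set, whether or not R is also set."""
    return [path for flags, path in parse_attrib(text) if {"S", "H"} <= flags]

def review_candidates(text, known_good=()):
    """Hidden+system files with an executable extension, minus a baseline."""
    baseline = {p.lower() for p in known_good}
    return [p for p in hidden_system_files(text)
            if PureWindowsPath(p).suffix.lower() in EXECUTABLE_EXTS
            and p.lower() not in baseline]

if __name__ == "__main__":
    print("findstr SHR keeps:", findstr_shr(SAMPLE))
    print("S+H by flag:      ", hidden_system_files(SAMPLE))
    print("to review:        ", review_candidates(SAMPLE, [r"C:\NTDETECT.COM"]))
```

Feed it real data by redirecting `attrib /s` to a text file and passing the file's contents in place of `SAMPLE`.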
How to Delete Them:
- Remember… don’t be an idiot. Do not remove one of these files unless you know that it is spyware or a trojan.
Here is the command:
attrib -r -s -h trojanfilename
(where trojanfilename = the file you want to delete)
For example:
attrib -r -s -h c:\windows\system32\ispyonyou.exe
This command will not delete it. It will only unhide it so you can delete it through your regular methods.
Thanks go out to SANS for reminding me about this hiding place.





Meggers said on March 8, 2009
to reply… isn’t he saying files that won’t show even after you uncheck “hide operating files”? And for what system? XP or Vista?
thay said on March 10, 2009
Remember… don’t be an idiot
Sunday said on March 11, 2009
Good Job
My uncle gave me a new system which he used in a cafe before, and I have been trying to delete the program {cyberklock} but to no avail. The program denies me entry to Add/Remove Programs and Run. And my brother is far away. What can I do?
bill said on May 6, 2009
Boot system in safe mode and try that way..
Kamlesh said on July 7, 2009
Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.
I have done these steps but was not successful.
Give me any other tips.
Anonymous said on February 24, 2010
Had some Conficker variant which did the following:
Prevented all exe’s from launching.
Disabled registry edits.
Set its own exe to be hidden and then turned off hidden files and blocked folder options.
Luckily however it allowed me to use command prompt.
Using attrib -r -s -h trojanfilename in cmd helped me to delete the virus exe. From here I could then launch exe’s and begin sorting this crap.
After that it’s just a process of re-enabling regedit, reassigning the default program for exe’s using a registry entry, and then running MalwareBytes to clean up.
Thanks a lot to OP for the help.
Anonymous said on April 7, 2010
how to open command prompt ?? & how to set my pc in safe mode :(
mike said on April 27, 2010
dude super thanx i got this one stingy spyware surfin the web u helped me alo
Pricetech said on October 8, 2010
Uncheck “Hide protected operating system files”
Alexander said on October 13, 2010
Not good enough. I cloned a disk, and now have files which not even “administrator” can delete, nor can “administrator” change the attributes. I figure it is because I have taken the cloned disk (Windows 2000) and attached it as a peripheral disk to a brand new system (Windows XP). The peripheral disk is now “F:”. My theory is that the file is associated with an identifier (like a guid) that says “administrator” the old system, but is an unknown user on the new system. And, there is nothing I can do. Somehow, the “administrator” in Windows is impotent. I need to get out of this “windows” and “pc” world — things don’t work.
guest said on October 31, 2010
thanks!! i had a trojan but not anymore with this command ;-)
jeremy said on January 1, 2011
absolute life saver. thank you very much for this. worked a treat on herss.exe
Philp said on May 18, 2011
Hi attrib /s I findstr SHR the same command like dir / ah
Pai_mei said on June 9, 2011
Thanks!!! i had a virus i couldn’t remove and this helped me a lot
Greadman said on June 17, 2011
Don’t forget, with Windows 7 or Vista you have to run this as administrator, otherwise you see nothing, and the same will apply when trying to delete the files / folders.