Find Files (and Spyware) that are hidden even when Show Hidden Files is enabled
Contributed by MickeyMouse 
October 12, 2004 
Tagged: Windows
You can set windows to allow you to set, edit, view, and delete hidden files. However, even when you do this, the OS still hides some files from you. Some spyware is now using this technique as well.
You have your computer set to show all hidden files, so you would think that you should actually be able to see all hidden files, right?
Not exactly.
Microsoft realizes that there are some files (like files required for booting) that should really, really be hidden from the user. These files will not be displayed even if you have Windows set to show all hidden files.
The problem with this is that some spyware programs are now using this property to hide their evil from the user. If you can’t see it, it’s hard to delete it.
Disclaimer: You can really screw up your system by deleting the wrong files using this technique. Really, really, really. Backup your system before preceding.
How to see them:
- Type this command from a command prompt…
attrib /s | findstr SHR
Here’s my output:
A SHR C:\WINDOWS\assembly\Desktop.ini
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Personal_32_1033.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_4.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
SHR C:\WINDOWS\system32\Restore\filelist.xml
SHR C:\AVG6DB_F.DAT
A SHR C:\boot.ini
A SHR C:\IO.SYS
A SHR C:\MSDOS.SYS
A SHR C:\NTDETECT.COM
A SHR C:\ntldr
How to Delete Them:
- Remember… don’t be an idiot. Do not remove one of these files unless you know that it is spyware or a trojan.
Here is the command:
attrib -r -s -h trojanfilename
(where trojanfilename = the file you want to delete)
For example:
attrib -r -s -h c:\windows\system32\ispyonyou.exe
This command will not delete it. It will only unhide it so you can delete it through your regular methods.
Thanks goes out to SANS for reminding me about this hiding place.