Find Files (and Spyware) that are Hidden even when Show Hidden Files is Enabled
Posted by MickeyMouse in Windows
You can set Windows to allow you to set, edit, view, and delete hidden files. However, even though you have your computer set to show all hidden files, the OS still hides certain files from you. Some spyware is now using this technique as well.
You have your computer set to show all hidden files, so you would assume that you should actually be able to see all hidden files. Unfortunately, this setting does not guarantee that every hidden file is displayed.
Microsoft realizes that some files (such as files required for booting) should remain hidden from the user. These files will not be displayed even if you have Windows set to show all hidden files.
The problem with this is that some spyware programs are now using this property to hide their evil from the user. If you cannot see it, it is difficult to delete it.
Disclaimer: Using the following technique can damage your system if you delete the wrong files. Back up your system before you proceed.
- To see hidden files, type the following command from a command prompt:
attrib /s | findstr SHR
Here is my output:
A SHR C:\WINDOWS\assembly\Desktop.ini
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\instance_Personal_32_1033.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_10.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_11.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_12.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_13.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_14.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_15.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_16.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_17.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_18.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_19.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_20.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_21.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_22.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_23.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_24.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_25.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_26.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_27.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_28.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_29.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_30.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_31.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_32.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_33.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_34.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_35.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_36.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_37.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_38.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_39.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_4.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_40.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_41.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_42.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_43.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_44.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_45.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_46.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_47.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_48.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_49.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_50.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_51.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_52.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_53.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_54.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab
SHR C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_9.cab
SHR C:\WINDOWS\system32\Restore\filelist.xml
SHR C:\AVG6DB_F.DAT
A SHR C:\boot.ini
A SHR C:\IO.SYS
A SHR C:\MSDOS.SYS
A SHR C:\NTDETECT.COM
A SHR C:\ntldr
- Do not remove any of these files unless you know that it is spyware or a Trojan.
To clear the read-only, system, and hidden attributes from such a file, use this command:
attrib -r -s -h trojanfilename
(where trojanfilename = the file you want to delete)
For example:
attrib -r -s -h c:\windows\system32\ispyonyou.exe
This command will not delete it. It will only unhide it so you can delete it through your regular methods.
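`findstr SHR` matches only lines that contain that exact string, so a file marked System and Hidden but not Read-only is missed, and any path that happens to contain "SHR" is listed. The following PowerShell is an added example, not part of the original post: it tests the attribute bits directly and adds signature status for triage. The function name `Get-HiddenSystemFile` and the `$Root` parameter are assumptions made for this example.

```powershell
# Added example: list files that have BOTH Hidden and System set, whether or
# not ReadOnly is also set. Read-only listing; no attribute is changed.
# Get-HiddenSystemFile and $Root are names chosen for this example.
function Get-HiddenSystemFile {
    param(
        [string]$Root = 'C:\'
    )

    # Both bits must be present; ReadOnly and Archive are ignored.
    $mask = [System.IO.FileAttributes]'Hidden, System'

    # -Force makes Get-ChildItem return hidden and system items.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        ForEach-Object {
            # Signature status helps separate OS files from unknown binaries.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Attributes    = $_.Attributes
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                Signature     = if ($sig) { $sig.Status } else { 'Unknown' }
                FullName      = $_.FullName
            }
        }
}

# Review executable and script types first, newest changes at the top.
Get-HiddenSystemFile -Root 'C:\' |
    Where-Object { $_.FullName -match '\.(exe|dll|sys|com|scr|bat|cmd|vbs|js)$' } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so protected directories are included; directories that still cannot be read are skipped silently.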
Thanks go out to SANS for reminding me about this hiding place.
The Conversation
March 08, 2009 at 5:15 am, Meggers said:
to reply….isn’t he saying files that won’t show even after you uncheck “hide operating files”? And for what system? XP or Vista?
March 10, 2009 at 2:15 pm, thay said:
Remember… don’t be an idiot
March 11, 2009 at 3:39 pm, Sunday said:
Good Job
My uncle gave me a new system which he used in a cafe before, and I have been trying to delete the program {cyberklock} but to no avail. The program denies me from entering Add/Remove Programs and Run. And my brother is far away. What can I do?
May 06, 2009 at 4:31 pm, bill said:
Boot system in safe mode and try that way..
July 07, 2009 at 12:06 pm, Kamlesh said:
Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and shutdown My Computer.
Now your computer is configured to show all hidden files.
I have done these steps but was not successful.
Give me any other tips.
February 24, 2010 at 7:26 pm, Anonymous said:
Had some Conficker variant which did the following:
Prevented all exe’s from launching.
Disabled registry edits.
Set its own exe to be hidden and then turned off hidden files and blocked folder options.
Luckily however it allowed me to use command prompt.
Using attrib -r -s -h trojanfilename in cmd helped me to delete the virus exe. From here I could then launch exe’s and begin sorting this crap.
After that it’s just a process of re-enabling regedit, reassigning the default program for exe’s using a registry entry, and then running MalwareBytes to clean up.
Thanks a lot to OP for the help.
April 07, 2010 at 11:10 am, Anonymous said:
how to open command prompt ?? & how to set my pc in safe mode
April 27, 2010 at 7:08 am, mike said:
dude super thanx i got this one stingy spyware surfin the web u helped me alo
October 08, 2010 at 2:10 pm, Pricetech said:
Uncheck “Hide protected operating system files”
October 13, 2010 at 11:56 pm, Alexander said:
Not good enough. I cloned a disk, and now have files which not even “administrator” can delete, nor can “administrator” change the attributes. I figure it is because I have taken the cloned disk (windows 2000) and attached it as a peripheral disk to a brand new system (windows xp.) The peripheral disk is now “F:”. My theory is that the file is associated with an identifier (like a guid) that says “administrator” the old system, but is an unknown user on the new system. And, there is nothing I can do. Somehow, the “administrator” in windows is impotent. I need to get out of this “windows” and “pc” world — things don’t work.
October 31, 2010 at 8:32 pm, guest said:
thanks!! i had a trojan but not anymore with this command
January 01, 2011 at 12:48 pm, jeremy said:
absolute life saver. thank you very much for this. worked a treat on herss.exe
May 18, 2011 at 5:35 pm, Philp said:
Hi attrib /s | findstr SHR the same command like dir /ah
June 09, 2011 at 3:58 pm, Pai_mei said:
Thanks!!! i had a virus i couldn’t remove and this helped me a lot
June 17, 2011 at 12:44 am, Greadman said:
don’t forget with windows 7 or vista you have to run this as administrator otherwise you see nothing and the same will apply when trying to delete the files / folders
March 19, 2012 at 3:06 am, Onyinye said:
I want to know how to delete cyberklock from my pc