
Files Hidden From Windows


14 replies to this topic

#1 RiffRafi

  • Members
  • 9 posts

Posted 27 March 2006 - 07:19 AM

How do I delete "Files hidden from Windows" ?

I have SpySweeper on my WinXP PC and when it runs, I get the message:
"SpySweeper has detected files that are hidden from Windows. Potentially, this indicates the presence of a rootkit".
Here is a copy of SpySweeper log:
03:26: potentially rootkit-masked files is in use. It will be removed on reboot.
03:26: båt+pizza+tull 081.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 099.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 077.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 098.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 100.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 094.jpg is in use. It will be removed on reboot.
03:26: båt+pizza+tull 087.jpg is in use. It will be removed on reboot.

SpySweeper was trying to remove the files at boot time, but failed.

These files are in a subfolder of my %TEMP%=C:\Temp folder, and have been there for a long time.
I get "Access is denied" when I try to rename/delete the folder containing those files.
I can't even see the content of this folder, not by using "Windows Explorer", and not from a DOS window.
My file system is NTFS, and when I run chkdsk, it does NOT report any errors.
I tried also scanning with Norton Disk Doctor, nothing found there either.

I think these files are NOT a rootkit, because I know how they got there...
It happened when I was moving a folder to C:\TEMP and got a blue screen. After I restarted, the files were there.

I have scanned my computer with tools like:
Norton antivirus 2005
HijackThis v.1.99.0.1
RootkitRevealer v.1.70
F-Secure BlackLight v.2.2.1031

None of them reported anything :thumbsup: , except SpySweeper

I tried to use:
Unlocker v.1.8.1 - the files are not locked.
ADS Spy v.1.7 - They don't have "Alternate Data Streams"

Any ideas on how to delete the folder/files?


#2 Albert Frankenstein

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 27 March 2006 - 07:37 AM

Well, some of what is happening I understand, some of it I don't frankly.

You cannot delete a file that is in use. Windows sees that these files are in use and so you cannot delete them. How do we know that SpySweeper failed to delete them? Did you receive a message to that effect, or is it that they keep showing up with every new SpySweeper scan?

There is much malicious software out there that creates files in the temp folder each time you boot your computer. You may not be able to delete them. Or if you do succeed in deleting them they will just come back next time you boot.

I am a little puzzled by your comment of running HijackThis and it didn't report anything. It takes an expert with much training and experience to be able to successfully read a HJT log. I have been in training for quite some time on this very subject, and I have a ways to go! :thumbsup:

I suspect an infection of malicious software on your computer, or at least you need to be SURE you are not infected. Either way, I believe taking preparatory steps and ultimately posting a HJT log here at Bleeping Computer would be in order at this time.

First: Read the Preparation Guide found HERE. It is very important that you follow ALL of the instructions found within. (There are many important steps in this guide that may clean your computer.)

Second: Post your system information along with a brief description of the problems you are having, and your HJT log in the HJT forum found HERE.

NOTE: Please, after you post your HJT log DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post there will be 1 reply. The team member glancing over the replies might think someone is already helping you out and will not respond. So, just make your post and let it sit there until a team member responds. The volunteers who work that forum are very busy, so please be patient and wait. It can sometimes take a few days for a response. If after 5 days you still have gotten no response, then post a link to your HJT log HERE.

Third: If, after finishing your work with the folks at the HJT forum you have issues with XP related to the removal of the infection, then come back in here and let us help you get your computer back to normal.

You are in good hands! Good luck!
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#3 Herk

  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA

Posted 27 March 2006 - 11:53 AM

I agree that they may not be a rootkit. Did the file you were moving contain jpg's? Have you tried looking at them in Safe Mode? If everything else is running OK, I'd probably leave them alone. If they are part of a rootkit, and it's not one that there's a fix for, the only way to be rid of them is to format and re-install Windows. Somehow, the system crash may have moved the files but not registered them in the Windows API.

#4 RiffRafi

  • Topic Starter
  • Members
  • 9 posts

Posted 29 March 2006 - 08:03 PM

Hi

After checking with the "HijackThis Logs and Analysis" Forum, it's concluded that I don't have any rootkit on my PC. :thumbsup:

Probably the best thing would be just to leave this folder alone...
But it leaves me with some questions:

What does it mean "files hidden from windows API" ?
When I search the net I get mostly issues related to rootkits, but not means to remove such files.

How does one make a file or folder "hidden from windows", or turn it visible again?
Anybody here that knows of any method to delete those files/folder, or check/change my rights on them?
As far as I can remember from Windows NT, there was a way to find/change the owner of files/folders on an NTFS volume. Is it possible on XP, and using what tool?

I would be happy to get any tips you guys have

Thanks

#5 ssfire

  • Members
  • 20 posts

Posted 29 March 2006 - 08:30 PM

This little program may help I don't know for sure 'cause I have never used it.

http://www.majorgeeks.com/Delete_Doctor_d4473.html

Before you try it make sure you set a system restore point and back up the registry.
You might want to try CCleaner. Don't have the link to it off the top of my head though.

Good Luck

#6 Herk

  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA

Posted 29 March 2006 - 11:15 PM

A rootkit was named after the practice in Unix and Linux of calling the main computer administrator "Root." It gives the person Root-like power over the system. The rootkit operates by being outside of the operating system. API (Application Programming Interfaces) is what reports the contents of the drive, and the rootkit hides by not being reported by it. Rootkit finders check with the API to see what is reported on the system, then do their own check outside of the API and report the difference. The system should be left completely alone while the rootkit finder runs or the report could be skewed by other activities being started on the system.

You turn it visible again with the tools like Blacklight and F-Secure. A similar problem is Alternate Data Streams. This was a process developed to allow PCs to share things with Macs. But the folks who developed them made them invisible. Ad-Aware has a scan for ADSes. These data streams are attached to existing files and unless you have a special reader, they are invisible. The only thing that actually shows is the original filename. Like rootkits, they can virtually do anything any other files can do.

ADS is a threat to NTFS filesystems. Rootkits primarily target OSes like XP, but could also be used for older OSes.

Since you were trying to move files when this happened and they became boogered, it's unlikely that this is an infection, but rather some broken files.

#7 RiffRafi

  • Topic Starter
  • Members
  • 9 posts

Posted 31 March 2006 - 06:46 PM

Hi

I tried all the suggested apps, DeleteDoctor, CCleaner, Blacklight.
None of them found these broken "hidden from windows" files/folder.

They were not found when I search for "Alternate Data Streams" with for ex. ADSSpy, so I don't think they are ADS files.

What makes me most frustrated :thumbsup: is Windows giving me the "Access is denied" message when I try to browse the folder. If an administrator is denied access, what user will be granted access?

Thank you for any help or tips

Edited by RiffRafi, 01 April 2006 - 02:57 AM.


#8 Redback

  • Members
  • 19 posts
  • Location:Near Tunbridge Wells, Kent, UK

Posted 01 April 2006 - 06:10 PM

Aren't those file names illegal under Windows, and hence Windows can't delete them (or rename them)? You might be able to do something in DOS, but first you'll have to change the attributes of the folder and perhaps the files in order to see them.

#9 Herk

  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA

Posted 02 April 2006 - 01:09 PM

Have you run error-checking? (Scandisk/Checkdisk?) Go to My Computer, right-click on the C: drive, click on the tools tab, click on the error-checking "check now" button and choose whether you want full or file checking. Good idea to do the full check to see if your hard drive is having problems.

#10 RiffRafi

  • Topic Starter
  • Members
  • 9 posts

Posted 02 April 2006 - 04:16 PM

Hi

I tried to run chkdsk on the disk, no errors were found.
When I try to rename/browse/delete the folder from Windows or command prompt, in normal or safe mode, I always get the same message: Access is denied. :thumbsup:

I didn't find any way to change my rights on this folder.

I tried everything that I could think of, maybe someone has a better idea?

Thank you all for your help so far

#11 JU$T1N

  • Members
  • 102 posts

Posted 02 April 2006 - 04:24 PM

As well as Users, Windows likes to have "permissions" on files too.
C:\Temp is a system folder and alotta stuff needs to go in there on a regular basis.

As far as not being able to see any hidden stuff in there:

My Computer/Tools/Folder Options/View:
(Put a "dot" in: Show Hidden Files and Folders)

might help

Cheers
JU$T1N~1

#12 HitSquad

    You're Bleepin' or you're Weepin'

  • Members
  • 1,573 posts
  • Gender:Male
  • Location:Momma

Posted 02 April 2006 - 05:02 PM

I'd be tempted to try MoveOnBoot, see if it can do anything with them.
Use the freeware version 1.9.5

#13 Enthusiast

  • Members
  • 5,898 posts
  • Location:Florida, USA

Posted 03 April 2006 - 01:22 AM

If they aren't causing a problem at this point I wouldn't mess with restricted Windows files and would leave them alone. A mistake could trash your op system and require a complete fresh install.

If you do decide to pursue it, back up your registry and set a restore point so you can undo whatever you do if you have to.

#14 Herk

  • Members
  • 1,609 posts
  • Gender:Male
  • Location:S.E. Idaho, USA

Posted 03 April 2006 - 10:19 AM

Will this help?

Also, did you try renaming the file?

#15 RiffRafi

  • Topic Starter
  • Members
  • 9 posts

Posted 04 April 2006 - 09:36 PM

Hi

Herk, your link to Microsoft's Help page, did the trick :thumbsup:

After reading the help I figured that there must be a way to follow those instructions on "Taking ownership of a file or folder", since I didn't have a security tab on my folder/file properties.

So I started searching for the reason, and I found out why I didn't find how to change permissions on the folder...

In Windows Explorer "Folder Options/view" there is an option (the last one) called: "Use simple file sharing"
When this option is selected, the "Security" Tab in the Folder/file properties is missing.

After I unselected this option, I was able to add "full control" permission to myself, and after that, the folder and files are all visible and I could rename/delete/move them as I please :flowers:

Thank you all for your help and tips
and thank you Herk for the link, it was what made me understand what I was missing here.
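The fix RiffRafi describes (take ownership of the folder, then grant yourself Full Control) and the question asked earlier about which tool changes the owner on an NTFS volume can both be done without the Security tab. The script below is an added example, not code posted by anyone in this thread; it assumes an elevated PowerShell prompt on a current Windows where takeown.exe and icacls.exe exist (XP shipped cacls and the GUI route instead), and `$Target` is a placeholder path.

```powershell
# Added example, not from the thread: inspect, back up, take ownership and
# grant Full Control on a folder that answers "Access is denied".
# $Target is a placeholder; point it at the stuck folder.
$Target = 'C:\Temp\stuck-folder'
$Backup = Join-Path $env:TEMP 'acl-backup.txt'

# 1. Look before changing anything. Reading the descriptor needs READ_CONTROL,
#    which the owner always has; if even this fails, you are not the owner and
#    hold no ACE on the folder, which matches the symptom described above.
try {
    $acl = Get-Acl -LiteralPath $Target
    "Owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
    # Save the current ACLs so the change can be undone with icacls /restore.
    icacls $Target /save $Backup /T /C | Out-Null
} catch {
    "Cannot read the ACL: $($_.Exception.Message)"
}

# 2. Take ownership of the folder and everything under it. This is the same
#    step as the Owner tab on the Security page; it relies on the
#    SeTakeOwnershipPrivilege that an elevated administrator holds.
takeown /F $Target /R /D Y | Out-Null

# 3. As owner you may rewrite the DACL: grant yourself Full Control,
#    inherited by subfolders (CI) and files (OI), then confirm the new ACE.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
icacls $Target /grant "${me}:(OI)(CI)F" /T /C | Out-Null
(Get-Acl -LiteralPath $Target).Access |
    Where-Object { $_.IdentityReference -eq $me } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If step 1 succeeds but still shows an explicit Deny entry or an owner SID that no longer resolves to an account, that is the actual cause of the "Access is denied" message, and the saved `acl-backup.txt` lets you put the original descriptor back if the folder turns out to be something other than leftover files.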



