I recently had a challenge of recovering lots of folders hidden by a virus on a drive. Some virus always hide files and folders in an external drive and create a new folder with an extension like .exe, .lnk and so on just to fake users to a malicious act. The truth is, most anti-virus will detect this virus and remove it, but it doesn’t return or restore the files and folders hidden by the virus. This is the ‘headache spot’!

A guy came to me asking how he can get his files & folders back after performing a virus scan on his external drive. I answered him: that’s simple, just make sure you have ‘Show hidden files, folder, and drives‘ checked under Folder Options->View->Hidden files and folders. Then go to the folder property and uncheck hidden. The annoying part is that, the virus has changed the folder ‘hidden’ attribute so it’s disabled and you won’t be able to modify it. The virus has modified the attribute of folders to be hidden.

To solve this issue, you will have to modify the folders and files attribute to restore them back to normal. You can do this easily by opening the command prompt (START MENU -> RUN. Type CMD and press enter). Go to the drive you want to work on e.g Type ‘F:’ and press enter. In the drive, type this command to restore all files and folders and press enter:

attrib -s -h *.* /S /D

That’s all! This command will restore all hidden(-h) files and folders (*.*) in that drive. You can also do this for a folder instead, by replacing *.* with the folder path(F:\theFolder). See all available attribute you can work with by typing this command and press enter:

attrib /?

Finish!
Thanks for reading.

Related Posts:

Tagged with:
 

52 Responses to HowTo: Restore Files Hidden by Virus on Windows 7

  1. I guess you missed the interesting thing about the virus. It doesn’t only change your file attributes to hidden and system, it also copies all content of the infected removable drive to your filesystem, thereby slowly chewing up your hard-disk space. You can find the actual folder somewhere in you AppData folder.

    • Thanks for your contribution. The whole antivirus process & cleanup wasn’t mentioned since the post focus was ‘How To Restore Files Hidden by Virus on Windows 7′.
      I believe the use of ‘Microsoft Security Essential’ will help you solve all that.

  2. avatar mike sia says:

    Wow! Thanks a lot for this, big help! more power to you!

  3. avatar mandy says:

    hi there!
    this doesnt work for me -.- cmd tells me that the code is invalid?!
    is this exactly what i have to tab in ? are there spaces? my hard drive is c…

    cheers
    mandy

    • When you open your command prompt from Run->cmd, the default directory should be ur logged-in account folder as in C:\Users\Silas>. You can change to you c: drive by typing “cd\” command. From the C:\> you can now work on the folder you want to.

  4. avatar Jobin T Philip says:

    It works. You can also restore deleted files by following the steps in this blog post

    http://techaiderpro.blogspot.com/2011/08/tricks-to-restore-deletedvirus-hidden.html

  5. avatar Jason says:

    Thanks for your help! I thought all my stuff was gone.

  6. avatar PalakSharma says:

    HOOOOO!!!!!!!!!!!!! you have once again helped me… you are god…. thank you … thanks a lot…..
    god bless you… u are a cyber lord….

  7. avatar Inigo Skylab says:

    I tried with the same command “attrib -s -h *.* /S /D” but I am getting message as “Access denied – file name” this goes till it comlete giving access denied message for all the files under C:\ dir. Please help me to fix this issue

    • You have to be specify on C: drive. You can only do that on non-system directories.
      Enable hidden folder to display from Folder Options->View->Hidden files and folders->Show hidden files, folders and drives. The you can reference with folder name((s) in your command. Hope this helps.

  8. avatar scott says:

    so i got the c and d drive but e drive wont work i type in (e:) but comes up saying the device is not ready any help would be great thanks

  9. avatar kf says:

    tried many time but at cmd prompt ‘access denied’…any advice…

  10. avatar Seth says:

    Thank you very much for your help. I was in danger of losing almost 300GB of information. I have now done the restoration by following the steps mentioned in this post

  11. avatar Muawia says:

    not working with me

  12. avatar EsPeea says:

    thanks very much…so helpful…very nice..thanks once again

  13. avatar Patch says:

    Hi,

    You shouldn’t run this with the -s switch as this removes the ‘System’ switch from vital system files.

    You should only run:

    attrib -h *.* /S /D

    Also whilst it easiest to run this on the root of your drive it will remove the hidden flag from _all files_ even if they should be hidden or not.

  14. avatar Mojtaba says:

    Thank you very much for this perfect tip.

  15. avatar raman says:

    even then i am unable to get
    help!! me

  16. avatar mhsharieff says:

    Thanks man, you made it so simple. Earlier I had literally spent half a day trying all others suggestions and it worked. Your method is class. Thanks again!

  17. avatar dheeraj says:

    That was awesome,I’ve never hd anything work so fine b4…

  18. avatar Asadullah says:

    Thanks buddy it works

  19. avatar firas says:

    I tried to do that but I got a message “access denied”

  20. avatar ilham says:

    Ok thank You for the information,.. It’s Successed

  21. avatar mako says:

    great info!!!!!! thankx man, you are the best!!!!!

  22. avatar MOHAMAD says:

    THANKS VEEEEEEEEEEEEEEERY MUCH ,,YOU ARE THE MAN

  23. avatar Kobus Groenewald says:

    Please help!!!!

    On my flash drive allthe files have been changed to filre name: ffffffff.fff with attributes of A SH. i have tried to rest the attibutes using cmd with the attrib command, but the messages state the following: Not resetting hiiden file, not resetting system file. Is there any way of recovering my data. this happened between 09H00 and 09h30 today.

    Thanks for the help

    Kobus

    • Try this:
      Backup the “visible” files with *.fff on your system(I hope your system has a good antivirus).
      Delete the visible file(ONLY) from your flash drive and run the command above.

      Most virus create a dummy file with similar names to you original files and hide the original files. Then, all you see is the fake dummy file with funny extension (.fff e.t.c)

  24. avatar Wan says:

    My hard disk have a hidden virus…how to safe the all file? Need help…

  25. avatar SIHARN says:

    Hi Sir,

    I did your method but the command says, access denied unable to change attribute. what should i do? Thanks in advance.

  26. avatar Muhammad Din says:

    i followed the instruction above.
    a got “access denied” .
    how to solve this.

  27. avatar Muhammad Din says:

    “access denied”
    even i already unhidden all my files in external drive,and follow your instructions.the files not show up in my external drive.pls help

  28. avatar Dr.Praveen says:

    Thanks a lot silas, i tried it and it was saying access denied. But when i checked the drive, all the folders were recovered.

  29. avatar Ali Babiker says:

    Thanks dear Silas. Your assistance restored my hidden files in the flash after a virus attack.
    I Very much appreciate your assistance.

  30. avatar p S says:

    thank you very much

  31. avatar praveen says:

    hi Silas Thanks for your advice i done your method in laptop but it saying Access is denied tell me any other way ,i have lost nearly 200gb data id hidden….

  32. avatar amiko says:

    Hello.
    thank you it helped me

  33. avatar Kush says:

    Hay buddy, thank you very much. This worked out with me :D

  34. avatar Vikrant S Patil says:

    Thanks much Buddy!, I had compiled a song collection painstakingly and I was almost about to format my drive before I saw your post. Kudos to you!

  35. avatar Liz says:

    Help – my command prompt seems to be locked to C:\Users\Monty whereas the affected file is C:\Files. How do I change the automatic address that comes up in cmd prompt so I can direct the code to the right place? I don’t want to start fiddling with the registry files :( Also, do I need to change the folder attributes after I run the code (sorry if it’s a stupid question)?
    Thank you

  36. avatar Liz says:

    Also, how does this virus get through the virus checker? Is there anything I can do to stop it happening again?
    Thks

  37. avatar Saif says:

    thanx for sharing this info. u’re awesome :)

  38. avatar Ariyalursam says:

    Wow i’ts really amazing. I recovered all my files and folders from my pendrive without digging folder options and creating new folders

  39. avatar bunty says:

    Good man it works…………..

  40. avatar Barbara says:

    I did this and also got a message “access denied”…
    but doing this added another hidden folder on my flash drive. When I deleted this folder, my files were not longer hidden.

  41. avatar Ikramu Masari says:

    Thank you alots!!! I recovered
    all my files and folders.

  42. avatar vijayan says:

    the below command worked for me

    attrib -s -h *.* /S /D

    thanks a lot

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>